Today, Equality and appropriate conduct is a hot topic in the news and it is repeatedly surfacing across the board from Politics to the world of Entertainment, and rightly so! However, when it comes to governance, something you can’t manage equally is your suppliers and customers. Organisations don’t have the resources to treat everyone the same at this level, at least in terms of designated time or engagement; ultimately, there needs to be a way to differentiate this.

Current approach

Ultimately this commonly comes down to establishing and operating a Segmentation Model of which there are two standards used in Procurement – the Kraljic Matrix or Kenton Model. Both work of a two-axis calculation to force rank the customer or supplier landscape for you: the higher up they are, the closest attention and stronger the governance applied versus the lower they are applying the foundational or lite version!

The Kraljic Matrix (1983) and the variations developed over the years help management select the most appropriate purchasing strategies for different types of products and services, thereby optimising the trade-off between the amount spent and upstream risk.

The later Kenton Supply Model (1995) and the variations developed over the years help management select the most appropriate inventory strategies for different types of products and services, thereby optimising the trade-off between usage and downstream exposure.

The Challenge & Gap
The Kraljic method is probably the better-known of the two, however, both are effective and it is relatively straightforward in either model to determine the spend. In this circumstance, ‘spend’ is defined by the revenue generated by a customer-supplier. However, it neither helps address nor determine how to exactly handle the second axis on each model. Kraljic pinpoints Risk and Kenton Exposure. In my mind, Kenton is simply re-labelling Risk, which is most likely due to my background working in Risk. Although, I do not doubt that many will debate me on this. Regardless, the main point here is how can Risk / Exposure be calculated consistently and effectively.

The Process: Closing the Gap

There are two parts to closing the gap in consistently calculating Risk / Exposure; the first part is where Inherent Risk comes into play. However, I will begin by addressing Part 2 as it is essential for understanding Part 1.

Part 2, Due Diligence 

Most, if not all, organisations will conduct a level of due diligence against a customer or supplier pre-contract. Some may even refresh this view periodically (if you are from Financial Services working in Europe or the UK you must be in the ‘some’ group due to the EBA and PRA regulations you should already be complying with). The supplier side will usually focus on the financial solvency of a company, which largely centres around “are they likely to be able to pay us?” and “are they good payers?”, based on past performance and legal disputes. Whereas a Buyer will look to score the supplier on a basis of not only financial stability but; will they be able to fulfil the product and services that we will contract to them at an acceptable standard of expertise and in a sustainable manner; can I trust them with my data if they have access to it etc. In my opinion, all of these factors are the second step in calculating risk/exposure. Due diligence is really just a Risk Assessment exercise under the covers, which can vary in size; covering a few areas or covering lots of areas in depth. This relates to my earlier point, in that, we can’t simply apply a really rigorous Due Diligence (risk assessment) process to everyone, as we, unfortunately, lack the time. So, how do we know whether to make this a light or heavy process? Enter Part 1 – Inherent Risk.

Part 1, Calculating Inherent Risk

What’s riskier: in scenario 1, you are asked to simply get out of bed, or, in scenario 2, you are asked to climb Mount Everest. If I were to put your company through a heavy weight due diligence process in an uninformed manner for scenario 1, it would involve wasting your time by asking your company questions regarding your ability to climb, whether you have experience climbing at low oxygen etc. It sounds ridiculous when the task is only to get out of bed, right? Alternatively, in the second scenario, my due diligence questions for your company may be too light by not asking your company any questions remotely related to climbing. I know that this all sounds painfully obvious, but I have seen a lot of these scenarios in my career. The point is, that a company needs to first, rate what they believe is the level of risk that can be associated with the scenario or what you are undertaking for a customer or what the supplier is supplying you with at the time of award/selection.

Consideration

Things that are good to cover when considering due diligence are not about the customer or supplier, but more about what either party will be undertaking if the deal/contract progresses, the scenario or more likely the Products or Services being supplied;

1. Criticality – How critical is the product or service being supplied to your business
2. Complexity – How complex is the product or service being supplied
3. Deal Type – Product, Service, Combination or Functional Outsource
4. Brand Impact – If the product and/or service should fail would be noticed by the customer and possibly impact the over brand
5. Cost of Change – Is it a commoditised product or service that can be switched overnight like changing supermarkets for your groceries
6. Competition – Is it a highly competitive market with lots of customer or supplier demand
7. Sensitivity – What level of data with the product or service behandling, public, internal only, confidential, restricted?
8. Access – Will the customer or supplier have access to your facilities and will it be supervised or not
9. Customer  Contact – Will the customer or supplier have access to your other customers and will it be supervised or not
10. Privacy – Will the customer or supplier have access to your company’s Private Data (PII)
11. Processing or Controlling data – Will the customer or supplier process or control data on your organisation’s behalf
12. Delivery Model / Resource Location – What is the delivery model Nearshore refers to outsourcing to countries located in close proximity to similar time zones
13. Geographies – Do any of the geographies that these products or services are provided from and to those suffering from inclement weather patterns and are open to disruption. (Blackrock offer a great

    geopolitical Risk Dashboard that can help measure this or at least inform your process)

14. Competency – Is there a particular level of competency that is certificated by the industry body required by those operating products or services
15. Political – How political stable are the countries that are being supplied to or from and likely to be impacted by civil unrest or impacted by economic sanctions. (Blackrock provide a great geopolitical Risk Dashboard that can help measure this or at least inform your process)
16. Subcontracting or Outsourcing – how likely is the customer-supplier going to introduce other third parties directly to complete the scope of requirement meaning other organisations could add complexity and tier dependency on them