Why CPOs Must Make Risk a P&L Conversation

Michael van Keulen
Chief Procurement Officer, Coupa

Michael van Keulen (aka “MVK”), Coupa's Chief Procurement Officer, has been in finance and procurement for 20+ years at high-growth global companies, where he managed procurement transformations and digitized the procurement process, driving significant stakeholder value. Michael is a procurement fanatic, passionate about elevating the role of procurement by applying best-in-class practices and enabling business spend management through the power of digitization.


Today's supply chains are more complex and connected than ever before. Throughout my career, I have witnessed time and again how even minor disruptions can have significant ramifications that impact the entire enterprise's performance. Now more than ever, organizations must learn how to identify, quantify, and monitor risks across the supply chain to make optimal decisions and ensure business continuity.

If recent events have taught us anything, it's that supply chain disruption can happen at any time. As market conditions rapidly changed over the past year, many companies faced unexpected demand changes and sudden supply shortfalls. Those that had not adequately quantified the price of risk have faced interruptions, shortages, continuity challenges, and increased costs.

Identifying and measuring the price of risk

Even for risk-aware organizations, supply chain transparency can be hard to achieve or maintain. Many products in modern supply chains tie to hundreds, if not thousands, of suppliers across multiple tiers, all of which have dozens of their own risk factors. Organizations can't make optimal decisions without learning to fully quantify these risks.

For example, a CFO may be enticed with an option to save $5 million annually in raw materials by sourcing from a single factory to meet short-term financial objectives. But procurement needs to evaluate the costs of losses should that factory go down or struggle to deliver on its volume commitments. While such a move might offer short-term benefits on margins in the Profit & Loss (P&L) statement, it could pose tremendous business continuity risks when something unexpected happens.

I've seen CFOs focus exclusively on savings and cost reductions while failing to sufficiently acknowledge risk and prevent lost value. Unfortunately, high-cost supply chain disruptions only show up in the P&L statement when something unexpected happens. To truly understand, manage, and mitigate third-party risk, CFOs must identify and quantify the cost of risk. The CPO is responsible for providing the right level of insight and trade-offs so that the business can ultimately make the best decision.

Although most CFOs understand the importance of supply chain diversity and visibility into Tier 1-3 suppliers, none of these financial or reputational risks ever show up in the profit and loss statement. Only when something goes horribly wrong do they suddenly appreciate and focus on third-party risk management. By the time this happens, we often overreact and make quick, emotional, irrational, and costly decisions that can have long-term ramifications.

Start by making the identification of risk a priority

Organizations must know the risks they face because the reality is that most will experience supply chain disruption over the course of a year. Even before the pandemic, organizations started to re-evaluate their supply chains and question the risk of heavily-outsourced, concentrated, and interdependent networks. The growing uncertainty and risk from the pandemic have led to a greater focus on resilience and regional, nearshore, and onshore manufacturing.

While many areas of the business only think about risk in terms of cost, quality, and service, procurement must weigh in on whether a sourcing decision meets the strategic objectives and evaluate risks related to financials, governance, compliance, reputation, and cybersecurity. Supply chain risks can not only hurt the bottom line but can also lead to brand and reputational damage, non-compliance with regulatory requirements, data breaches, and lost business.

In addition to known risks, organizations also face smaller and other unknown threats. One which is becoming increasingly common is single sourcing to maximize volume leverage. I remember when I worked at Lululemon (where I was previously CPO and a Coupa customer), we quickly discovered that our famous shopping bags were single-sourced at one factory in Cambodia. And to make matters worse, no one on the executive team was aware that these were the only bags this factory produced with a nine-month lead time.

What if the factory has supply or quality issues due to a natural disaster or social unrest in Cambodia? What if the U.S. government decides to increase import duties on goods from Cambodia? What happens to the workers at the factory (and their families) if Lululemon decides to change the specifications of the bag? What reputational damage could that cause? While this consolidation might have reduced cost or simplified the supply chain, we uncovered considerable risks that executives hadn't identified, evaluated, or adequately quantified.

I also remember when we relied on one single telecom carrier for both primary network communication and cellular backup lines. Although this simplified the management of the network and leveraged spend, it left us vulnerable to performance issues or to the network being compromised. What if there was a business conflict with the supplier, or their disaster recovery plan wasn't working properly? What if they filed for Chapter 11?

Before you calculate the price of risk, start by making risk identification a top priority.

5 example ways to quantify the price of risk

Once you have identified risk, you can quantify its price tag. Although risk doesn't show up in the P&L statement unless it materializes into an actual business event, it is imperative to put a price tag on it. Here are five examples that quantify the price of risk:

  1. Provide transparency of cost differential between selecting 3 vs. 1 supplier, reducing business continuity risk
  2. Forgo volume rebates to improve reliability and/or quality of service
  3. Select a higher cost supplier(s) because of reputation, references, quality, global coverage, and/or financial health
  4. Agree to higher inventory commitments to guarantee supply, possibly negatively impacting working capital
  5. Negotiate early pay discounts to improve suppliers' cashflow position

The best way for procurement to get recognition for these various elements, and support to invest in mitigating risk, is by supplying multiple award scenarios to the business, including trade-offs, using pre-agreed selection criteria to avoid ambiguity during the award process. As noted earlier, cost reduction is just one criterion in an award scenario, and higher transparency leads to better business outcomes over the short, mid, and long term.

The challenge with current approaches

Many organizations have some level of effort to manage risk but often don't dig deep enough or have adequate resources/data to consider the full implications. Part of the challenge is how executives are incentivized and performance is measured. Evaluation of a supplier requires insight and visibility into Tier 2 and Tier 3 suppliers, and executives should be evaluated on how they manage supply chain risk as part of their success metrics.

I have heard time and again from companies that didn't realize most of their Tier 2 and Tier 3 suppliers were based in India. When India closed its borders in March to curb the spread of COVID-19, companies looked at their supply chain and assumed this did not impact their business (as their suppliers are all US-based) only to realize several weeks later that their suppliers sourced 100% of their raw materials from India. Similarly, I've also heard of companies that were significantly impacted because governments mandated manufacturers change their production lines to produce PPE-related materials, changing lead times and service levels significantly.

The reality is that it's no longer good enough to only "ask the right questions" when onboarding new suppliers. Procurement teams need to step up and support organizations in continuously monitoring relationships with suppliers during their entire lifecycle.

Many organizations attempt to monitor their suppliers by leveraging third-party data and doing biannual or quarterly business reviews. Yet this approach falls short because risk profiles are constantly changing, and there are often smaller, unknown risks that aren't always apparent. Organizations that limit their monitoring to top suppliers and periodic reviews leave themselves vulnerable and exposed.

Over months and years, financial structures, ownerships, performances, credit ratings, reviews, legal checks, sentiment, and Tier 2 and 3 suppliers change. We can't afford to remain passive and/or reactive when it comes to managing any of these risks as the cost is simply too high!

So how do I start building a risk-aware culture?

Every company has its own dynamics, nuances, and value-drivers when it comes to risk. What they all have in common is that procurement has to build a real strategic partnership with the CFO (and the Board) that goes well beyond reducing cost and solving for short-term budget/forecast exposures (aka “procurement waves their magic wand and savings will appear”). Speaking the same language as the CFO is critical in creating rapport.

It is essential to look at supplier risk programmatically and holistically. This is not a once-and-done exercise; it requires a methodical approach, constant monitoring, and collaboration with various areas of the company such as global risk and compliance, finance, legal, and the business. Furthermore, it's essential to not only look at the top 10 suppliers but start with a full view of all suppliers in your ecosystem, then segment them by factors like spend, criticality, contractual terms, geography, and concentration.

Once that is all in place, procurement needs to clearly articulate why risk is an important conversation, align on standard metrics with shared accountability across the executive leadership team, and request resources to take accountability and responsibility.

Hey, I never said this was going to be easy, but if you wanted easy, you would not be in procurement in the first place…!
