The Board's Oversight of Supply Chain Risk

Protiviti Board Perspectives


Every business, whether it handles financial contracts, natural resources, raw materials or components, is dependent upon a well-functioning, cost-effective supply chain. The board, therefore, should consider its oversight of supply chain risks.


Operational risk is the risk that one or more future events will impair the effectiveness or viability of the business model in achieving expected financial results and creating sustainable value for customers and stakeholders. It relates to the various activities along the value chain within which the organization’s business model operates.

One important source of operational risk relates to the organizations, people, processes and resources that make up the supply chain. In many sectors, companies increasingly depend on the external elements of the supply chain (e.g., suppliers, outsource partners, third-party logistics) as organizations seek to cut costs while increasing capabilities and global reach.

Key Considerations

Every organization spends a significant percentage of its top line on third-party goods and services. Depending on the industry, this spending can range from 30 to 70 percent. From an opportunity standpoint, dollars saved from reducing costs and working capital drop directly to the bottom line. Improved quality and on-time delivery, as well as reduced lead times, can establish and sustain competitive advantage. As for risks, there are several, including loss of cash, reputation loss, supply disruption, substandard quality, poor delivery performance, process inefficiencies, legal and regulatory noncompliance, and even outright fraud.

No doubt, directors know that the supply chain is a big deal. Following are seven suggestions for boards to consider when supply chain topics arise:

  1. Strike the right balance when selecting a supplier.

There are at least four relevant factors — time, cost, quality and risk — a company needs to consider when identifying potential suppliers, negotiating contracts, and evaluating supplier risk and performance throughout the lifespan of the contract. Boards should be leery when management emphasizes one or two factors over the others, as this can result in unintended consequences. For example, seeking to reduce procurement costs when negotiating supply contracts should not lead to the unintended consequence of taking delivery of components that fail to meet critical quality specifications or timing requirements, nor should it lead to unnecessary risks (see the next suggestion).

  2. Make procurement decisions with an enterprisewide perspective.

Striving for functional excellence is a laudable goal, but it has its limits. During the 1990s, a major automotive manufacturer stockpiled palladium — a rare and precious metal used in catalytic converters that turn harmful emissions into less toxic pollutants. It incurred a US$1 billion loss when reliance on the expensive commodity was reduced due to changes in design by the company’s research and development (R&D) group, and prices dropped 60 percent. In instituting long-term supply contracts and building up actual or guaranteed supplies, the company’s purchasing function applied similar tactics used to procure standard commodities, such as steel and copper, that weren’t as exposed to significant price swings. The function did not seek the assistance of finance and treasury to devise hedging strategies that might have reduced price risk. Most notably, R&D and purchasing operated independently. As R&D found ways to decrease palladium usage, purchasing kept buying a supply of the metal up to and near the market peak. In providing oversight, boards should recognize that silo behavior in procurement can lead to unacceptable risks.[1] 

  3. Ensure the supplier agreement spells everything out.

The various risks — operational, legal, reputational or compliance — stemming from a particular supplier need to be understood and addressed before the supply contract is signed. When a well-written contract clearly defines scope, business objectives, deliverables and performance specifications, it lays the foundation for ongoing monitoring of contract compliance and supplier performance and reduces the risk of costly disputes and misunderstandings. For example, the contract should clarify product and packaging specifications and quality control and inspection protocols so that performance can be monitored over time. It also should ensure that intellectual property (exclusive rights to know-how and trade secrets) and critical assets (e.g., proprietary molds and tools given to the supplier) are adequately protected. Due to the complexity of managing suppliers operating in other countries, boards should ensure that the procurement process is supported by legal advisers knowledgeable of the applicable court jurisdictions, particularly in countries where laws, customs and business ethics may vary.

  4. Hold suppliers to the same level of accountability.

Whatever standards of conduct companies expect of employees, management and directors, they should also expect of their supplier network. In some industries — banking, for example — it is a regulatory imperative to manage third-party risk, and the board of directors should be privy to those requirements, especially when board oversight of the due diligence, management and monitoring directed to third-party relationships is expected. Simply stated, the rigor of company processes for identifying, sourcing, measuring, monitoring and reducing third-party relationship risks should be proportionate to the level of risk and complexity of those relationships.

There are some legislative and regulatory developments about requiring businesses to publicly disclose the actions they have voluntarily undertaken to remove labor abuses from their supply chains. Companies should seek the advice of counsel as to the status of these developments and the jurisdictions and circumstances in which they apply. Given this environment, a case can be made for adopting and enforcing a supply chain “code of conduct” that establishes clear expectations for how suppliers must conduct their business — especially vendors authorized to act as agents on behalf of the organization. Coupled with a code of ethics, which details the principles and values by which the company operates, a code of conduct might address topics such as:

  • Human rights (including prohibitions against child labor, forced labor and human trafficking)
  • Health and safety standards (including safe and humane working conditions)
  • Environmental sustainability standards
  • Ethical and responsible business behavior (including conflicts of interest, self-dealing and bribery)
  • Cybersecurity standards

  5. Conduct periodic third-party audits.

A supply chain code of conduct is only as good as the intentions of vendors who sign it. That’s why a cost-effective third-party audit process is important. Such audits may be integral to the due diligence associated with vendor selection and onboarding. Conducted on a periodic basis, third-party audits may focus on selected internal controls (such as in the cybersecurity area), vendor performance against contract specifications, and compliance with laws and regulations. The audits may also be conducted before contract renewals.

  6. Monitor supplier risk and performance over the life of the contract.

The risk environment is not static over the life of the contract. Once the supply contract is consummated, supplier performance and risk exposure must be monitored continuously in a cost-effective manner. To that end, there should be a clear delineation of the ownership of the contract risks and management of the overall supplier relationship. It is not unusual for companies to spend an enormous amount of time and resources during the contracting phase yet still lack clear accountability as to who is managing the contract and relationship. No accountability usually means ineffective monitoring. When dealing with third-party suppliers that either provide technology services or have access to enterprise information, the potential for business disruption, litigation and other negative impacts on the business must be evaluated continuously due to ever increasing exposure to data security risks and access to sensitive information.

All suppliers should be segmented based on factors such as risk, the level of spend, criticality and alternatives in the market. The segmentation should drive the level of preselection due diligence, the contracting strategy, and the level and frequency of monitoring through the contract’s duration. Ideally, all facets of contract and supplier risk are addressed through performance reporting. For example, an effective way to manage supplier risk is through exception management, with alerts and thresholds providing early warning before action is needed.
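The segmentation and exception-management approach described above, as an added illustration that is not Protiviti's own tool or methodology: each supplier is scored on inherent risk, annual spend, criticality and the number of qualified alternatives; the resulting segment sets the due-diligence depth and monitoring cadence, and period performance is compared against segment-specific thresholds so that only breaches surface as alerts. The scoring weights, segment boundaries, thresholds and all supplier records are constructed assumptions for the example.

```python
"""Supplier segmentation with exception-based monitoring (added example).

Not the page's or Protiviti's code. Weights, thresholds and sample
suppliers are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Supplier:
    name: str
    annual_spend_usd: float
    inherent_risk: int    # 1 (low) .. 5 (high): data access, geography, regulatory exposure
    criticality: int      # 1 (commodity) .. 5 (production stops without it)
    alternatives: int     # number of qualified alternate sources in the market


@dataclass(frozen=True)
class Performance:
    on_time_pct: float          # share of deliveries on time in the period
    defect_ppm: float           # defective parts per million
    days_since_assessment: int  # age of the supplier's last risk/security assessment


# Segment policy: due-diligence depth, monitoring cadence and alert thresholds (assumed values).
SEGMENT_POLICY = {
    "strategic": {"due_diligence": "on-site audit and financial review",
                  "review_every_days": 30, "min_on_time_pct": 97.0,
                  "max_defect_ppm": 250, "max_assessment_age_days": 365},
    "managed": {"due_diligence": "questionnaire and reference checks",
                "review_every_days": 90, "min_on_time_pct": 92.0,
                "max_defect_ppm": 1000, "max_assessment_age_days": 730},
    "transactional": {"due_diligence": "basic vetting",
                      "review_every_days": 365, "min_on_time_pct": 85.0,
                      "max_defect_ppm": 5000, "max_assessment_age_days": 1095},
}


def segment_score(s: Supplier) -> int:
    """Additive score in the range 4..16; risk, spend, criticality and scarcity all push it up."""
    spend_points = 3 if s.annual_spend_usd >= 5_000_000 else 2 if s.annual_spend_usd >= 500_000 else 1
    alt_points = 3 if s.alternatives == 0 else 2 if s.alternatives == 1 else 1
    return s.inherent_risk + s.criticality + spend_points + alt_points


def segment(s: Supplier) -> str:
    """Map the score onto a segment; boundaries are assumed, not a standard."""
    score = segment_score(s)
    if score >= 12:
        return "strategic"
    if score >= 8:
        return "managed"
    return "transactional"


def exceptions(s: Supplier, p: Performance) -> list:
    """Return one alert string per threshold the supplier breaches in its segment."""
    pol = SEGMENT_POLICY[segment(s)]
    alerts = []
    if p.on_time_pct < pol["min_on_time_pct"]:
        alerts.append(f"{s.name}: on-time {p.on_time_pct:.1f}% below {pol['min_on_time_pct']}%")
    if p.defect_ppm > pol["max_defect_ppm"]:
        alerts.append(f"{s.name}: defects {p.defect_ppm:.0f} ppm above {pol['max_defect_ppm']} ppm")
    if p.days_since_assessment > pol["max_assessment_age_days"]:
        alerts.append(f"{s.name}: assessment {p.days_since_assessment} days old, limit "
                      f"{pol['max_assessment_age_days']}")
    return alerts


# Constructed sample suppliers and one period of reported performance.
SUPPLIERS = [
    Supplier("sole-source chip vendor", 8_000_000, inherent_risk=4, criticality=5, alternatives=0),
    Supplier("packaging supplier", 300_000, inherent_risk=2, criticality=2, alternatives=4),
    Supplier("logistics partner with system access", 900_000, inherent_risk=5, criticality=3, alternatives=2),
]
PERFORMANCE = {
    "sole-source chip vendor": Performance(95.0, 120, 400),
    "packaging supplier": Performance(88.0, 3000, 200),
    "logistics partner with system access": Performance(93.0, 0, 800),
}


def by_name(name: str) -> Supplier:
    return next(s for s in SUPPLIERS if s.name == name)


def exception_report(suppliers=SUPPLIERS, performance=PERFORMANCE) -> dict:
    """Segment every supplier and collect only the exceptions that need attention."""
    return {s.name: exceptions(s, performance[s.name]) for s in suppliers}


if __name__ == "__main__":
    for s in SUPPLIERS:
        pol = SEGMENT_POLICY[segment(s)]
        print(f"{s.name}: {segment(s)} (score {segment_score(s)}), "
              f"{pol['due_diligence']}, review every {pol['review_every_days']} days")
    for name, alerts in exception_report().items():
        for a in alerts:
            print("ALERT", a)
```

The report deliberately stays silent for the packaging supplier: its late deliveries and defect rate would be alarming for a strategic supplier but sit within the looser thresholds its segment warrants, which is the point of letting segmentation, rather than a single company-wide threshold, drive the monitoring.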

  7. Pay attention to business continuity risk.

There are many instances where a single-source supply strategy is the right business decision even when alternative options exist. Management’s decisions to decrease inventory levels, have a single-source strategic supplier, and adopt just-in-time manufacturing and delivery techniques versus accept higher inventory levels, multiple suppliers and other buffers in the process involve trade-offs where quality, time and cost considerations often win out over business continuity considerations. Supply chain disruptions are a reminder that these trade-offs are not without risk. If the focus on lean manufacturing leads to minimal buffers, disruption risk is further increased.

We’ve learned over the past decade that massive physical phenomena, terrorism or other catastrophic events can wipe out a region or area. For example, major Japanese automakers were forced to shut down production at multiple plants all over the world due to a cessation of production of relatively inexpensive but critical semiconductor components in the aftermath of a massive earthquake and tsunami in northeast Japan in the spring of 2011.[2] If that wasn’t enough, later that same year one of the automakers hit hardest by the tsunami had to cut North American production by 50 percent because of parts shortages due to severe monsoonal flooding in Thailand.[3]

Risk assessments should consider what could happen to the organization’s business model if any key component of the supply chain were taken away, even though the cause may be somewhat elusive. To that end, management should examine the supply chain and assess the implications of plausible and extreme scenarios stemming from the loss of strategic sources of supply for an extended period. That includes exposure to data security risks and physical access to sensitive information, the financial impact, expected recovery time, and adequacy of current recovery and contingency plans. For example:

  • What would happen if we were to lose, for any reason, one or more of the suppliers that we depend on for essential raw materials and components? How long would we be able to operate?
  • What if there were temporary shortages in raw materials? Or serious defects in supplier raw materials and component parts?
  • What if there were significant disruptions in transportation?
  • What if one or more of the above events caused material volatility in prices?
  • Have our key suppliers performed their own risk assessments? Do they have effective plans for taking corrective action should an unforeseen disaster take out a key Tier 2 or Tier 3 supplier?[4] How do we know (e.g., does the supply contract require an assessment)?

The board should be informed of the results of these assessments.

Directors should consider the suggestions above when supply chain topics are presented to the board.

Questions for Boards

Following are some suggested questions that boards of directors may consider, based on the risks inherent in the entity’s operations:

  • For critical suppliers, does management monitor supplier cost, quality and time performance on an ongoing basis? Are performance expectations detailed sufficiently in supplier agreements? Have there been any significant misunderstandings with major suppliers and vendors?
  • Does management take an end-to-end view of the enterprise’s supply chain when evaluating disruption risks, from Tier 2 and Tier 3 suppliers through customer delivery or fulfillment of services? Does management’s risk assessment process consider what would happen to the organization’s operations if a key sole-source and/or single-source supplier were lost through an unexpected catastrophic event, loss of vital infrastructure or disruption of essential transportation and logistics? Are exposures to data security risks and access to sensitive information considered?

How Protiviti Can Help

Supply chains have become increasingly complex in today’s business environment. Continuous downward cost pressures and higher customer demands for quality, speed of delivery and overall performance require companies to continually identify opportunities to remain competitive. Organizations looking to improve business performance must address these supply chain challenges by designing and implementing capabilities that improve processes, reduce risk and optimize working capital.

Protiviti’s supply chain experts help organizations address these growing challenges and complexities by working closely with key stakeholders to integrate industry best practices and tailor business solutions to meet the organization’s needs. Protiviti’s dynamic teams are uniquely structured to allow individualized approaches and tools to deliver sustainable supply chain practices and infrastructure regardless of company size, type or industry.


[1] “A Mismanaged Palladium Stockpile Was Catalyst for Ford’s Write-Off,” by Gregory L. White, The Wall Street Journal, Feb. 6, 2002
[2] “Toyota and Honda Plants Shut Down After 8.9 Earthquake and Mega Tsunami Hit Japan,” Carscoops, March 11, 2011
[3] “Earthquake, Tsunami, Monsoon — What’s Next for Honda? Locusts?,” by Joann Muller, Forbes, Oct. 31, 2011
[4] These suppliers are the Tier 2 (and lower) suppliers that provide products and services to the company’s Tier 1 strategic suppliers. Tiered supply chains are prevalent in the automotive, aerospace and computer industries.

Board Perspectives: Risk Oversight Issue 93