Global Supply Risk Management
Today, outsourcing has become a mainstay of corporations. It is mainstream, it is global and it is rapidly changing. This dynamic has a huge impact on the competitiveness of global corporations. Yet, global sourcing is not what it was even a few years ago. Its complexity has risen manifold. It embraces multiple locations and multiple processes as companies seek, presumably, to optimize the gains from outsourcing and offshoring. This rise in use of outsourcing has been dramatic, exponentially raising the potential for outsourcing corporations and for nations seeking to provide the services. But it also has raised risks and brought on newer, and varied, risks, many of which are not fully assessed by risk managers. According to Gartner, the top 30 outsourcing destinations are emerging markets that bring varied and often high risks.
Over the past year, in particular, many of these risks have been brought to light by global events. Take the geo-political situation in Egypt that led to an unprecedented nine-day Internet shutdown; or the recent hurricane and floods in the USA that caused disruptions in operations from the south to the north-east. These two situations, in sharply contrasting locations – one, an emerging outsourcing hub and the other one of the world’s most industrialized nations – represent, probably, the worst nightmares of operations and outsourcing managers. But they are, by no means, the only possible doomsday scenarios. There are many other time bombs ticking away all the time, arising from the unique character of each country and city, endemic risks from financial turmoil such as the one in Greece and Portugal, policy-driven dynamics and even supplier-specific vulnerabilities.
Still, the higher risks are no reason for companies to turn the clock back on outsourcing or give up on further gains. The need of the hour, instead, is a proactive, and effective, risk-monitoring mechanism and strategy. This paper evaluates ways to monitor, predict and manage Global Sourcing & Outsourcing risks. In this paper, we assess the causes and the consequences of these risks, before presenting a model risk-management system that can monitor the risks, predict possible future occurrences of these risks and pro-actively manage them, ensuring buyers and suppliers can sustain, and even further, the gains from outsourcing and offshoring.
The new risks
A decade ago, global sourcing was relatively limited. This was true in more ways than one. At the turn of this century, fewer corporations outsourced, corporations outsourced fewer services and fewer countries or markets provided these services. Consequently, risks were limited, and tended to focus mostly on supplier quality and service-level issues. So much so, an outsourcing manager could conceivably run his entire program on a few Excel sheets, without losing too much sleep. Today, any manager who attempts anything like that is not fulfilling their fiduciary responsibility and placing their programs at great risk.
Today, offshoring is a business imperative. In fact, corporations are constantly evaluating different parts of their business that can be sliced and diced to be performed elsewhere, expectedly at lower cost while strengthening their competitive position in the marketplace. Consequently, companies have begun to farm out complex, and even critical, processes to multiple locations across the world because of the growing maturity of the outsourcing world, and the emerging capabilities and capacities.
To imagine this complexity, think of a corporation’s outsourcing operation as a giant jigsaw puzzle whose pieces are being ordered from different parts of the world, to be finally assembled, perhaps, at its headquarters. Each piece of the puzzle is important, and has to be ordered to precise specifications; and all the pieces then need to come back in good time, and to exact standards, for managers to put the puzzle together. In this situation, what would happen if one piece is lost because of a typhoon in Manila? Or another is delayed by a flood in Mumbai? Or another is caught up by expiring tax incentives in Brazil? Or suddenly one piece costs far more to produce on account of wage inflation in Bogota or policy U-turn in Russia? And, worse, what happens when multiple things go wrong? Would one be able to address these better if they had a fair warning?
Such is the complexity of global sourcing today. At any given time, hundreds of thousands of global corporations have numerous such jigsaw puzzles flung over 50+ countries across the world. Even if only a few go awry, there is a huge cost to pay. Companies just cannot afford to let anything go wrong. Yet many outsourcing managers do not fully assess the risks involved, or prepare for the worst, though the numbers of those using risk management tools are rising. Last year’s Excellence in Risk Management Survey found that the number of firms utilizing enterprise risk management programs had tripled from 2009!
The unity and diversity of risks
Even given the complexity of modern corporations, and their sourcing processes, it must seem puzzling to comprehend why outsourcing risks have grown dramatically. The simple answer is: geography and scale. It is the unity that binds all outsourcing risks, while the diversity of the risks comes from the unique vulnerabilities of each location and the scale at which it is being performed. When companies first started outsourcing, most of the work was discrete and project based. Now, a significant majority of the work is management of ongoing projects and processes. In the past, any disruption in supplier operations delayed a project, while today, it can bring production lines to a stand-still, delay billing or collection – and thus impact revenues, and even delay financial filings.
A decade ago, there were far fewer countries to which corporations farmed out any work. Most tasks and processes were performed in-house. This was on account of several reasons. Technology, which magically enables offshoring, limited the tasks that could be outsourced; and fewer nations had the necessary skill sets and capacities to deliver. Today, both factors have dramatically changed and capitalism’s animal forces are discovering scores of nations ready to provide a variety of outsourced services.
Among other things, the rapid march of globalization over the past two decades spread knowledge. This helped create newer markets with an impressive array of skills and resources, not to mention an immense hunger for economic growth. Over the past decade, at least, outsourcing has been one of the biggest drivers of growth in emerging economies. Even giant nations such as China and India lean heavily on outsourcing to create jobs and to drive domestic growth. Consequently, almost all the so-called emerging nations fancy themselves as an emerging hub or spoke, for outsourced services.
Latin America is a large emerging outsourcing hub whose proximity to developed North American markets has proved a boon. Eastern European countries, especially after the financial re-alignment following the 2008 financial crisis, have the twin advantage of lower costs and affinity to developed European markets. Egypt, the gateway to Africa, had risen promisingly, and would remain an attractive market, if its internal strife is swiftly resolved. These ‘me-too’ nations, coupled with global corporations’ insatiable appetites for outsourcing, have succeeded beyond the most optimistic estimates. As a consequence, outsourcing has a global footprint that reaches far and wide, with over 50 countries providing some kind of services. This geographic sprawl along with scale is responsible for the higher risks.
Geographic risks, of course, don’t mean only natural disasters. They mean much more – geopolitics, regional politics, regional financial policy, local (city- or region-specific) culture and politics and several others. It might be useful to categorize the risks, along with the most relevant examples, as follows:
- Natural disasters:Japan tsunami-earthquake
- Seasonal (and predictable) natural disasters: Monsoon floods in Mumbai, typhoon season in Manila
- Terror attacks: Unpredictable but several countries could be vulnerable, with India and Pakistan near the top
- Industry inflation: Wage inflation in India, Brazil and Czech Republic
- City- or region-specific risks: Hyderabad on account of agitation for separate statehood for Telengana
- Financial risks: China for its currency risks; Greece for its bankrupt economy; Europe overall because of the euro’s vulnerability; and Bangalore for inflation and quality of life
- Legal/policy risks: Almost all emerging markets and some developed ones, too, on account of opposition to immigration and outsourcing
- Vendor risks: India’s fraud-hit Satyam Computers is the most egregious example of how a vendor’s collapse can ruin the best plans. But almost every vendor has a level of risk that needs to be assessed
A paradigm for risk-monitoring
Time was when outsourcers needed to consider mostly service-level risks. Can the vendor deliver? Can the vendor deliver on time? Is their quality adequate?
The good news is that these risks are now readily assessed with the Capability Maturity Model and the like. The bad news, as we saw above, is that there are far graver risks involved that eventually impact ongoing service delivery, even if a provider has the highest CMM rating. How is one to evaluate these ongoing risks? Could somebody, or a theoretical model, have seen the India software tax export regime expiring? Or provided a few days notice of weather? Could somebody have predicted the currency inflation or wage inflation?
None of these specific events could have been predicted with any accuracy. However, each of these could have been anticipated. Let’s see why.
Egypt has been a dictatorship for decades, and the Egyptian Movement for Change, the fountainhead of protest against the Hosni Mubarak regime, was started in 2003. Besides, Egypt’s geographical location – situated in a region of harsh, Islamic dictatorships with Israel as neighbor – brought more than average risks. Meanwhile, India’s rising economy, its challenging poverty levels, coupled with populist actions and need for increased government revenues, indicated that there would be a move to extract more revenues from the thriving services exports sector. It is conceivable, therefore, that companies that sourced products and services to these regions should have been not only aware of the risks but also pro-actively monitored those closely to pick up early warning signals, and even set up appropriate redundancies.
The fact is: the worst of risks can be fully assessed well ahead of time, avoiding service disruptions, financial losses and potentially brand dilution. Using qualitative inputs, expert assessments and quantitative methods, we propose a comprehensive risk-monitoring model focusing on services outsourcing. The goal of the model is to help managers pro-actively respond to risks that could interrupt operations or increase the cost of ongoing operations.
To start with, we propose that risks be, broadly, categorized as
- Country Risks
- City Risks
- Supplier Risks
Country Model: We then identified risk segments and risk parameters that impact on operations risk. We have been able to build a model using 25 risk segments and 250+ risk parameters in eight categories (macro-economic, financial, business, infrastructure, geopolitics, legal, scalability and quality of life). Some of the parameters are:
- Fiscal deficit
- GDP growth
- Forex reserves
- Stock market performance
City Model: Similarly, for each city, it is possible to create a comparable risk model, using parameters that uniquely contribute to the strengths and weaknesses of the cities. Some criteria are:
- City budget deficit
- Rental rates
- Space availability
- Local taxes
- Lodging costs
- Industry size
- Pool of graduates
- Existing and planned SEZs
- Educational institutes
- Attrition rates
- Wage inflation
Supplier Model: Finally, we created a model to assess supplier risk, again using 250+ parameters across eight categories (financials, clients, people, alliances, services capability, corporate governance, infrastructure, thought leadership). Some important parameters are as follows:
- Operating model capability
- Onsite-offshore composition
- Human resources
- Quality certifications
- Profitability and key financial ratios
- Client composition
We then created a Web-based proprietary analytical engine that can continuously collect data and constantly monitor risks at the three levels (Country, City and Supplier) - individually and collectively - and deliver a holistic report to managers. This model dynamically evaluates 500+ criteria and delivers a rating that can be compared across 50+ countries, 100+ cities and 500+ suppliers, helping critical risk monitoring. The model also has a built-in predictive engine that picks up early warning signals, enabling prompt action to avert potential service disruptions and much more. Over the past two years, we have used this model in the real world with encouraging results. In one case, this model helped pick up early warning signals on a policy decision in India - termination of the Software Technology Parks of India (STPI) scheme, which offered tax breaks. Based on our recommendations, one of our clients, a leading semiconductor company proactively renegotiated, ahead of the policy announcement, a deal with a partner to locate in a SEZ, helping it realize an annual savings of approximately eleven percent.
Here are a few other examples of how the model’s real-time alerts on a variety of parameters performed:
In Q2 2010, this model picked up signs of likely escalating attrition levels in the subsequent two quarters in Shanghai. Following this alert, our client began a "proactive" employee retention strategy with suppliers, mitigating potential quality of service issues arising from higher attrition levels.
In Pune, India, the analytical engine seized on a growing number of violent attacks against women, following which companies were encouraged to beef up security for women employees working night shifts.
In another case, when a global supplier’s quarterly results indicated declining profitability, the model helped outsourcing managers pro-actively engage with the supplier on its cost-cutting measures and lower their impact on its own assigned team and operations.
Firms leveraging global services and offshore outsourcing need a risk management system to ensure stability of operations and avoid significant disruptions. While a lot of data is available publicly, it needs to be aggregated and analyzed on a regular basis to yield pro-active and rapid risk mitigation.
It is also important for the risk management system to not just be focused on supplier related risk but be focused on "Supply Risks". Supply risk management is a much broader concept that includes location-based risk in addition to supplier based risk. So, the levels that need to be included in a supply risk management program include Country, City and Supplier.
Supply risk monitoring is not an activity to be just undertaken during sourcing or at periodic intervals. Risks do not wait for monthly or quarterly governance meetings. A program like this, needs to be ongoing and real-time.