Where to begin with supply chain risk assessment
Assessing the risks in your supply chain can feel like an overwhelming task. But taken in stages and using good quality information, it is possible to identify issues and focus on the most serious for follow up activities, whether through targeted audits, support for suppliers, or more in-depth human rights impact assessments.
No business wants to use factories that pollute local water supplies, or wants its products made by workers subject to poor working conditions. Yet in today’s complex and shifting supply chains, these problems can be all too real. This presents not just reputational risks, but, increasingly, regulatory hazards. For example, the US government has started blocking imports of products it considers produced by forced labour.
So how can companies identify the risks they face in complicated and extended supply chains? Visiting all suppliers is an unrealistic an option and third-party auditing is more effective when auditors know what issues they should look especially closely for.
A structured approach to supply chain risk assessment helps a business to identify risks, prioritise the most serious ones and focus resources on reducing and preventing them. The Sedex Guide to Risk Assessment in Supply Chains sets out such an approach, complemented by Sedex’s Radar risk assessment tool.
What’s the first challenge?
The initial challenge is that risks come in many forms and vary from country to country and sector to sector. For example, an electronics factory in Thailand using migrant labour from Myanmar will have a very different risk profile to a chemical plant in Switzerland.
A step-by-step approach looking at the various factors that drive risk – country, sector, types of workers, manufacturing processes – can help to make sense of the many potential issues across hundreds of suppliers.
The key stages of risk assessment
Stage 1: Mapping your supply chain
The first stage is to build a picture of where suppliers are located and what they do – a supply chain map. This should be by tier of supplier and where they operate. It should also include outsourced contractors and labour providers as these can be the source of high risk issues.
While this should be as comprehensive as possible, it isn’t necessary to have a complete picture before taking the next steps to understand the risks present. Supplier information can be stored on a single data platform, like the Sedex platform, to add to over the years.
Stage 2: Recognising high-level risk factors
The next step is to look at contextual or high level factors that contribute to risk levels in certain countries or sectors. At a country level, risk factors may include poor legal systems, endemic discrimination against certain groups, and high levels of poverty or corruption. There may also be regional factors such as security issues or proximity to migration corridors. Within different sectors, risks may relate to how land is used or to energy intensiveness, or the types of worker typically employed (e.g. seasonal, predominantly female, unskilled).
Information on these risk drivers is available from a range of sources, such as UN agencies or specialist research agencies. Sedex’s Radar tool brings together many of these data sources to provide contextual country and sectoral risk scores which can then be applied across a supply chain.
Stage 3: Understanding specific suppliers’ risk profiles
The next step is to drill down to understand more about each supplier’s specific risk profile. For example, while a supplier may be considered high risk due to contextual risk factors that indicate vulnerable migrant workers in its particular country and sector, in practice the supplier in question may in fact not employ any migrant workers at all – or it may have robust processes for recruiting and supporting migrant workers. So it’s important to understand more about the supplier’s workforce, its production patterns, and its specific location and practices.
Information on the supplier’s situation may be available from a number of sources. These could include previous audits, information from the Sedex SAQ, other data collected directly from the supplier, feedback directly from workers or feedback from colleagues who have visited the supplier.
Stage 4: Prioritising risks
No company has unlimited resources. Prioritising risks is important for identifying the most serious potential impacts on rights holders, and also for using resources most effectively.
The above steps will likely produce a long list of potentially problematic issues and suppliers. It is vital to narrow the focus on the most serious ones to tackle these first.
The UN Guiding Principles on Business and Human Rights (UNGPs) suggest that prioritisation should be based on ‘saliency’ – a concept that ranks risks according to their seriousness. This involves thinking about issues such as:
- How grave or serious the impact would be on an impacted community or individual
- How widespread the impact would be (or how many people affected)
- How hard it would be to put right, or whether the impact can be reversed
- How likely is it that the issue may occur.
Using a tool like Radar, which produces a scores by risk type, will produce a ranking of risks which may be sufficient as the basis for determining priority. This can be a resource-efficient way to arrive at a risk assessment.
Next step: Addressing these risks
Of course, risk assessment is not an end in itself. The purpose is to spot issues and take action to fix them. Looking at the ‘root causes’ of the issue provides valuable insights into the possible ways of addressing it. Some of these causes may be within a brand’s power to fix, but others may require a joint approach based on collaboration with other brands, governments, impacted communities, and workers.