Managing risk in supplier audits

Sharon Shutler demonstrates a useful risk management model for increasing the efficiency of supplier audits

An essential and often resource-draining aspect of maintaining a compliant quality management system is the supplier audit programme. Typically, for a company that is dependent on many suppliers for its business continuity, the audit programme entails:

  • the employment of a trained auditor
  • deliberation over an extensive list of suppliers that could be audited annually
  • associated travel and subsistence costs
  • downtime from other compliance activities due to audit preparation, time at the suppliers’ sites and report writing

It is, therefore, prudent to reduce the number of audits that are included on the annual programme. One simple means of doing this is to apply a risk management approach when preparing the auditing budget and annual schedule. Figure 1 outlines a simple process approach for risk managing a supplier audit programme.

Figure 1: A risk management model

Step 1: Risk identification

Address the question: 'What might go wrong?' A business must identify the suppliers that have the potential to impact on its business continuity if they do not operate in accordance with the contract.

Step 2: Risk analysis

Estimate the level of the identified risk using a tool such as risk ranking. For example, identify and categorize aspects of the supplier’s compliance history over the past year in terms of its potential to impact on business continuity in the forthcoming year (see table 1).

Table 1: Analysing the risk categories

Code   Risk ranking*   Supplier performance indicator
A      1               A deviation from approved procedure reported by the supplier
B      1               A supplier performance monitoring observation such as late delivery
C      2               An example of poor communication with the customer company
D      2               One or more major observations from the previous second-party audit
E      3               One customer complaint
F      3               A change in the scope of work or service provided by the supplier
G      4               A warning letter, critical observation or denial of certification from a third party
H      4               Significant change of business focus for the supplier’s company or takeover by another supplier company in the last 12 months

* Where a score of 1 is the lowest risk and 4 is the highest risk to business continuity

Step 3: Risk evaluation

Express risk as a quantitative or qualitative estimation, be it numerical scoring (as used here) or a different labelling system (high, medium or low). You can then apply a risk-ranking score to each identified aspect of the suppliers’ performance history (see table 2).

Table 2: Evaluating suppliers' performance over the past 12 months

Performance indicator   Supplier 1   Supplier 2   Supplier 3
A                       0            0            0
B                       0            1            0
C                       0            0            0
D                       2            0            0
E                       3            0            3
F                       0            0            3
G                       0            0            0
H                       0            0            4
Total score             5            1            10

Step 4: Risk reduction

Implement actions to reduce the probability or severity of the harm associated with identified risks. For example, using table 2, only include those suppliers with a total score of seven or above on the annual programme, and issue a supplier questionnaire to those suppliers scoring between 4 and 6.

Step 5: Risk acceptance

Make the decision to accept a quantifiable or qualitative amount of risk. This could involve justifying the decision not to audit a critical supplier annually following the results of a risk evaluation.

Step 6: Risk communication

Share the information about the accepted level of risk with the appropriate stakeholders in the correct way. One method is to send a formal memo requesting that the company’s managing director approves the risk-based supplier audit programme for the forthcoming year.

Step 7: Risk review

As with every quality procedure, a review must be included to ensure the process is working. Organizations must continually monitor the compliance of suppliers and reapply the risk management process as required. If a supplier that is justifiably not included on the annual audit programme then displays poor performance midway through the year, the decision not to audit that particular supplier should be fed back into the risk management process and revisited.
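The scoring and selection described in steps 2 to 4, together with the mid-year review in step 7, can be carried out mechanically. The following is an added example written for this page, not the author's own tool: it takes the risk rankings from table 1 and the audit and questionnaire thresholds from step 4, reproduces the totals in table 2 from the indicators each supplier showed, and recomputes a supplier's action when a new indicator is recorded during the year. The supplier names and their indicator sets are a constructed sample that matches table 2; the function names, the "none" action label and the rule that an unknown indicator code is rejected are assumptions of this example.

```python
"""Risk-ranked supplier audit selection (added example, not from the article)."""
from dataclasses import dataclass, field

# Table 1 of the article: risk ranking per performance indicator
# (1 = lowest risk, 4 = highest risk to business continuity).
RISK_RANKING = {
    "A": 1,  # deviation from approved procedure reported by the supplier
    "B": 1,  # performance monitoring observation such as late delivery
    "C": 2,  # poor communication with the customer company
    "D": 2,  # major observation(s) from the previous second-party audit
    "E": 3,  # one customer complaint
    "F": 3,  # change in scope of work or service provided
    "G": 4,  # warning letter, critical observation or denial of certification
    "H": 4,  # significant change of business focus or takeover
}

# Step 4 thresholds: audit at 7 or above, questionnaire at 4 to 6.
AUDIT_THRESHOLD = 7
QUESTIONNAIRE_THRESHOLD = 4


@dataclass
class Supplier:
    name: str
    # Indicator codes observed in the past 12 months, e.g. {"D", "E"}.
    indicators: set = field(default_factory=set)


def score_supplier(supplier):
    """Sum the table 1 rankings of every indicator the supplier showed.

    An indicator code that is not in table 1 is rejected rather than silently
    scored as zero (assumption of this example).
    """
    unknown = supplier.indicators - set(RISK_RANKING)
    if unknown:
        raise ValueError(f"unknown indicator(s) for {supplier.name}: {sorted(unknown)}")
    return sum(RISK_RANKING[code] for code in supplier.indicators)


def classify(score):
    """Map a total score to the step 4 action (labels assumed here)."""
    if score >= AUDIT_THRESHOLD:
        return "audit"
    if score >= QUESTIONNAIRE_THRESHOLD:
        return "questionnaire"
    return "none"


def plan_programme(suppliers):
    """Return {supplier name: (total score, action)} in input order."""
    plan = {}
    for supplier in suppliers:
        score = score_supplier(supplier)
        plan[supplier.name] = (score, classify(score))
    return plan


def record_indicator(supplier, code):
    """Step 7 review: add a newly observed indicator and return the new (score, action)."""
    supplier.indicators.add(code)
    score = score_supplier(supplier)
    return score, classify(score)


# Constructed sample matching table 2 of the article.
SAMPLE_SUPPLIERS = [
    Supplier("Supplier 1", {"D", "E"}),
    Supplier("Supplier 2", {"B"}),
    Supplier("Supplier 3", {"E", "F", "H"}),
]

if __name__ == "__main__":
    for name, (score, action) in plan_programme(SAMPLE_SUPPLIERS).items():
        print(f"{name}: total score {score}, action: {action}")
    # Mid-year review: Supplier 2 receives a third-party warning letter (G).
    print("Supplier 2 after warning letter:", record_indicator(SAMPLE_SUPPLIERS[1], "G"))
```

Run as a script it prints the three totals from table 2 (5, 1 and 10) with their actions, then shows how a single third-party warning letter moves Supplier 2 from no action to the questionnaire band, which is the kind of mid-year change step 7 expects to be fed back into the process.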

The application of such a simple risk management process to an annual supplier audit schedule has obvious benefits for any company dependent on its supply chain. This is particularly true in today’s financial climate where efficient use of resources is as paramount as the reliability of suppliers. This model also represents an intelligent, streamlined and cost-effective application of maintaining and improving compliance that can be easily applied to many other aspects of a company’s quality management system.

About the author

Sharon Shutler is quality systems manager at Protherics UK. She has worked in the pharmaceutical, healthcare and medical device industries for more than 20 years and is an IRCA Principal Auditor, a Chartered Quality Professional and a Fellow of the Chartered Quality Institute.
