Transcription
Supplier and service providerrisk managementAddressing food safety risksalong the supply chain
Supplier and service provider risk managementEvolution of thefood supply chainThe food industry’s supply chaincontinues to evolve and grow incomplexity. Supply chain participants areno longer limited to the first tier supplier,the manufacturer, and the distributor(see Figure 1). Today, participants includeeveryone involved from “farm to fork”in the growing, harvesting, processing,packaging, transporting, holding, andselling of a food product. A participantcan have multiple roles within the samesupply chain. And it’s more than likely oneor more ingredients or raw products aresourced from non-domestic entities. Risksto food safety exist along each step of thefarm-to-fork continuum.Many companies—from food and beveragemanufacturers to restaurants and foodretailers—find it difficult to documenttheir end-to-end supply chains. Yet it isessential to understand the supply chainto meet federal regulations, mitigate risks,and satisfy consumer demands for supplychain transparency. Lack of a holistic viewand understanding of potential risks canlead to food safety and quality failures,resulting in damage to a company’s—ormultiple companies’—brand reputation andbottom line. Companies must understandthe challenges they face, and the potentialsolutions available, to manage food safetyrisks in today’s complex supply chains.Internal and external driving forces affectFigure 1. Food industry supply chainFARMFORKAny part of the farm-to-fork value chain can be outsourced, creating a supplier relationship that should consider be managed.Commodities facturingoperationsOutboundlogisticsCustomers &consumers
Supplier and service provider risk managementChallengeshow companies manage their supply chains,and can directly or indirectly shape foodsafety programs. Through our experience,Deloitte Risk and Financial Advisory hasidentified several common challenges.Internal ChallengesCompany organization and governanceFood safety should be driven from theenterprise level to ensure it’s alignedto business objectives. However, manycompanies manage food safety at thefunctional level. And other businessfunctions may not perceive quality andfood safety as part of their responsibilities.Or they may not understand how theirdaily decisions can impact food safety. Forexample, procurement might engage a newspice supplier without the food safety team’sevaluation of the supplier’s mitigation of therisk for, say, Salmonella contamination.Supplier management programs are notalways responsive to an evolving supplychain, either. Companies often discoverthey don’t have adequate policies andprograms in place to identify and mitigatethe risks posed by the supply chain,especially food safety risks. For example,many consumers want gluten-free (orother allergen-free products), GMO-free,or antibiotic-free products. Companiesrely on accurate labeling to reflect productcontent or sourcing to meet theseexpectations; otherwise brand reputationmay be affected. Organizations mustensure changing consumer expectations orregulatory developments are communicatedacross the supply chain, and update relevantpolicies or procedures.Balance between cost reductionand risk mitigationMany food and beverage manufacturers,retailers, and restaurants focus on reducingcosts. Companies should understand theimplications of cost reduction initiativeson food safety and balance the risk/reward equation. The balancing act can bequite difficult if the organization does notconsider food safety to be a cornerstoneof the business. For example, procurementmay pursue reduced costs from a supplierwithout understanding that the suppliermay lower its focus on food safety to offsetreduced margins. If procurement reducesthe cost from a supplier, the company mayneed to increase its food safety controls,which may actually increase overall costs.Ignoring the risks should not be an option.Recall managementRecalls are at the forefront formanufacturers, retailers, and restaurants.Many large recalls occurred during the lastyear due to issues in the food supply chain.Companies continue to maintain paperdocumentation of food safety and qualitychecks, as well as supplier information,impacting the speed at which a recall can bedefined and executed. Identifying the rootcause and understanding the full extent ofaffected product may take several months.Downstream companies may not be notifiedfor several days, weeks, or even longer,and corrective actions can be delayed.Strategic use of technology solutions canbe a real benefit to decrease the timerequired to define and execute a recall. Thelonger it takes to conduct a recall, the moreexpensive it typically is, since the recalledproduct has moved further into the supplychain. (See Figure 2)033
Supplier and service provider risk management!Alert: Product A is being recalled after state health departments and the Center for Disease Control (CDC)linked it to 15 foodborne illness outbreaks.The implicated manufacturer conducted a risk assessment and attributed the suspected contamination to a supplier. That supplier isconducting an analysis to notify their affected customers. The notification process in the example below shows a process that takes from 34to 86 days to notify end consumers. Many parties are involved in the supply chain, and the time required to obtain documentation to tracethe ingredient can significantly impact the recall timeframe.Figure 2. Anatomy of a recallLegend5-30 daysState Health BoardManufacturerCDCRestaurantProduct IdentifiedRetailerSupplierDistributionCenter21 days5 days3-10 days3-10 days3-10 days5-30 daysExternal challengesDifficulty in defining supply chainsbeyond tier 1Assessing food safety and quality risksbeyond tier 1 of a company’s supply chainhas been difficult for several reasons. Many suppliers are reluctant to disclosetheir suppliers due to contractualobligations or competitive reasons. Manufacturers may find it difficult totrack ingredients by lot and supplier. Forexample, agricultural ingredients suchas milk or grain cannot be tracked to theexact farm or production lot when thesecommodities are handled through acooperative since multiple lots or batchescan be mixed. Products stored in tanks orsilos have no clear delineation betweenlots unless the tank or silo is emptiedand cleaned before the next load ofproduct is delivered.4 Resource constraints may make it difficultto manage and investigate suppliers forfood safety or quality risks beyond tier 1.Marketplace evolutionAs mentioned earlier, consumer demandscontinue to evolve and new laws andregulations continue to proliferate: Consumer sentiment – Consumers areredefining expectations for transparencyand traceability in farm-to-fork supplychains in addition to demanding localsourcing, antibiotic-free, non-GMO,cage-free, etc. Food and beveragemanufacturers, restaurants, and retailersshould ensure their business model cananticipate and adapt to these new foodsafety and quality expectations. Regulations – Under the Food SafetyModernization Act (FSMA), several rulesimpact how the industry assesses risksand implements mitigation strategies,including in their supply chains. Manycompanies are in the early phases ofunderstanding the complex FSMA rulesand their implications. And they mayhave unidentified risks in their supplychains. Key FSMA rules include thePreventive Control Rule for Human Food,Foreign Supplier Verification Programfor Importers of Food for Humans andAnimals, and the Sanitary Transportationof Human and Animal Food Rule, all ofwhich greatly impact how a companyinteracts with their supply chains.
Supplier and service provider risk managementSolution to managingsupplier food safety risksCompanies should consider addressing thechallenges outlined in this paper,incorporating the full supplier lifecycle intotheir business strategy, to allow them toproactively identify and respond to foodsafety and quality risks. Deloitte Risk andFinancial Advisory has developed a broadand integrated safe food supplier andservice provider (supplier) risk managementframework, which aligns companies withtheir business objectives using an end-toend approach. (See Figure 3.)Foundational requirementsAn effective supplier risk managementprogram rests on foundational elements. Anorganization should establish a food safetyand quality culture throughout the company,one that is demonstrated by leadership’sactions. Company culture is essential to setthe expectation that food safety is a priorityacross the enterprise and it supportsthe governance and oversight structure.Policies and standards that are aligned toand support the culture and governancestructure should define the suppliermanagement program.Supplier risk management lifecycleDeloitte Risk and Financial Advisory's safefood supplier risk management frameworkincludes five stages to manage supplierfood safety and quality risks. The graphicbelow highlights these five stages, along withfoundational and operational elements:A company’s supply chain organizationshould employ each of these stages toeffectively manage end-to-end foodsafety risks:Initiate. Companies should formallyevaluate and document the businesscase for a new supplier, service provider,or outsource manufacturer. Once thedecision has been made to enter into anew arrangement, the company shouldassign appropriate resources to managethe potential food safety risks that mayexist with the supplier, raw material, and/oringredient they are purchasing.Due diligence and selection. Two aspectsshould be considered when conductingdue diligence on prospective suppliers/providers: risks inherent in the ingredient/product/ service and risks with the specificsupplier/provider. Some ingredients or rawproducts present greater risks than others,such as dairy, raw meats, and produce.Thermally processed or otherwise treatedmaterials present less risk. Prospectivesuppliers should be assessed to determinetheir ability to provide the ingredient/product/service at the required level ofFigure 3. Supplier risk management frameworkFoundational requirements for supplier risk managementCompany cultureInitiateGovernance & oversightDue diligence andselectionProcesses & proceduresContract andon-boardPolicies & standardsOngoingMonitoringTools & technologyTerminate andoff-boardMetrics & reportingOperational requirements for effective supplier risk management5
Supplier and service provider risk managementquality, safety, cost, and timeliness. Factorsto consider include the supplier’s financialstability, reputation, operations, and locationand surrounding areas. Food safety on-siteaudits may be required to verify the validityand effectiveness of food safety programsand processes. Combining assessmentresults from both the ingredient/product/service and the supplier can provide insightsto guide selection of the preferred vendor.Contract and on-board. Contract termsand conditions should include food safetyand quality specifications (test methodology,limits, temperatures) in addition to otherservice-level agreements (SLAs) andactions taken if requirements are not met.Suppliers need to be properly on-boardedto ensure they clearly understand therequirements, corrective-action protocols,communications, and testing/monitoring tobe conducted during the life of the contract.Ongoing monitoring. Two dimensions ofthe supplier/service provider arrangementshould be monitored throughout the life ofthe contract. First, tracking performanceto contract terms and conditions providean indication of the supplier’s ability tocontinually meet requirements, and canprovide early indication of an impendingproblem. Second, periodically reassessingrisks presented by the supplier can detectdeveloping problems, such as financialinstability. The depth and frequency of eachdimension is determined by the level ofrisk presented.Termination and off-boarding. Companiesshould use a formal and consistent processto terminate and off-board suppliers,whether it be for cause or for normalcontract expiration. Terminated suppliersshould have their system access rightsrevoked and be removed from approvedsupplier lists. This is important to preventprocuring ingredients and materials fromunauthorized suppliers, which could lead topotential food safety and quality issues.6Figure 4. Analysis of a recallCompany A, a large food manufacturer,recalled 100,000 pounds of product due tocontaminated spice from Supplier X. Thefederal government, during an inspection ofSupplier X, discovered positive environmentalswabs for Salmonella and positive tests forSalmonella in finished product.Company A completed an initial due diligenceassessment on Supplier X prior to sourcing fromthem and incorporated the required quality andfood safety parameters into the contract. Over thecourse of their relationship, Company A did not,however, conduct ongoing monitoring to verify thatSupplier X continued to meet their standards andcontractual obligations.Imagine if Company A conducted ongoingmonitoring at a designated frequency. They mayhave been able to prevent their company’s productrecall and brand damage by identifying gaps that ledto failures in the supplier’s environmental monitoringprograms and food safety plans. Due diligence andongoing monitoring are necessary components ofa supplier risk management program and can helpprotect a company’s brand and bottom line—andpotentially customer lives.Food safety on-site audits may be required to verify thevalidity and effectiveness of food safety programs andprocesses. Combining assessment results from both theingredient/product/service and the supplier can provideinsights to guide selection of the preferred vendor.
Supplier and service provider risk managementOperational requirementsSeveral operational requirements areimportant to effectively and efficientlyimplement the supplier risk managementframework. Documented processes andprocedures should clearly define theaccountable parties and the actions tobe completed. An integrated informationmanagement system to house financial,supplier, and quality and food safety data isnecessary to analyze supplier performanceand relationships among suppliers. Keyperformance indicators such as on-timedelivery, product quality and safety, andcustomer service response time should bedefined, actively monitored, and reported toline staff and management.Due diligence and ongoingmonitoring are necessarycomponents of a supplier riskmanagement program andcan help protect a company’sbrand and bottom line—andpotentially customer lives.7
Marketplace lending 2.0 I Bringing on the new stage in lending8
Supplier and service provider risk managementHow to evaluatecurrent suppliersCompanies can use Deloitte Riskand Financial Advisory's supplier riskmanagement framework for existingsuppliers as well. Incorporating existingsuppliers into the framework may seemlike a monumental task. The following stepsoutline a risk-based approach to mitigatehigher risks in the near-term and effectivelyintegrate all suppliers over time: Develop a risk-ranking methodology,which may include previous audit scores,government warnings (e.g., FDA 483citations), supplier notifications, orrecent recalls. Apply the risk-ranking methodology tocurrent suppliers and identify those thatpose the greatest risk to your food safetyprogram and brand reputation. Conduct due diligence assessments onthe top 10 to 20 percent high-risk supplierarrangements and incorporate them in theongoing monitoring stage. Create a roadmap to incorporateremaining current suppliers, targeting anannual objective of 25 to 50 percent ofexisting suppliers.9
Supplier and service provider risk managementAdding business valueTechnologydsRisk sensinganalyticsate andoardtingDescriptionLeverage advanced risk analytics technology and human intelligence to deliver existingand emerging risk insights tailored to priority areas. Analytics can allow companies to identifyexisting and emerging food safety/supply chain risks through reliable public data sources and providesactionable recommendations specific for product types, risk domains, and geographic locations.FinancialAdvisoryhas deep experiencein helpingdefine the requirementsDeloitte RiskSupplierand FinancialAdvisoryDeloitteviews Risktheandsafefood riskmanagementframeworkas a clientstool companiescan use toofproactively improve operationsrisktechnology to automate and streamline a supplier risk management program which helps with riskwhile rganizationtorespondtofoodsafetyandquality risks in the supply chain. Figure 5managementmanagement and visibility. Deloitte also assists in the evaluation and selection of a preferred solutionhighlights thetechnologyvalue this can add toandyourorganization.in theimplementation of the platform.platformFigure 5. Potential business valueProactively manage risksThe safe food supplier and service provider riskmanagement framework allows companies to go onestep further and identify risks that may be unknownto them using Deloitte Risk and Financial Advisory'spredictive analytics technology. Identifying emergingrisks adds significantly to a company’s businessand can often give it an advantage over its competitorswho may be slower to identify and respond to risks.Resource allocationDeloitte Risk and Financial Advisory views leveraginga solid program to consistently, efficiently, andeffectively deal with risk as a significant value tobusinesses. Properly designed and implemented, asupplier risk management program will efficientlyand effectively manage risks with minimumresources. Overall business health is improved bymitigating potential risks and respondingappropriately to those that do occur, while reducingmanual and/or duplicated efforts.10Visibility into suppliermanagement programAs companies identify key performance indicatorsand implement ongoing monitoring of their suppliers,leadership will have visibility into supplierperformance and how the overall program isfunctioning. Leadership will be able to proactivelymanage supplier relationships and take correctiveaction or terminate those that may pose potentialfood safety issues.
Supplier and service provider risk managementSummaryThe internal and external food safetychallenges facing food and beveragemanufacturers, restaurants, and retailerswill continue to evolve and expand as thecomplexity of the supply chain increases,regulations continue to evolve, andconsumer demands increase. Companiesneed to understand what innovative anddisruptive solutions, such as the Internetof Things and Blockchain, are in the marketto help identify and manage food safetysupply chain risks. Deloitte Risk andFinancial Advisory's safe food supplierrisk management framework is designedto help companies proactively managethese challenges and protect their brandreputation and bottom line.11
Supplier and service provider risk managementWhy Deloitte Risk andFinancial Advisory?Deloitte Risk and Financial Advisory hassignificant depth and breadth of experienceworking with global agricultural entities, foodmanufacturers, retailers, and restaurantscovering the farm-to-fork continuum,including growing, harvesting, processing,distributing, selling, and serving of foodand food-related products. Our practice isstaffed with individuals who worked in thefood industry for much of their careers—including food safety and quality, regulatory,engineering, and supply chain—who arecapable of advising clients and helping themsolve operational challenges.Deloitte Risk and Financial Advisory bringsindustry-leading supply chain managementknowledge and experience. Deloittewas named a leader in supply chainrisk management consulting, based oncapabilities, by ALM Intelligence.1 Our teamprovides insights into operational risksand regulatory compliance requirementsto assist our clients in improving their foodsafety and supply chain risk managementprograms around the globe.1Source: ALM Intelligence; Supply Chain Risk Management Consulting 2016; ALM Intelligence estimates 2016ALM Media Properties, LLC. Reproduced under license12
Supplier and service provider risk managementContactsTom McGinnisPartner Deloitte Risk and Financial AdvisoryDeloitte & Touche LLP 1 313 396 3309tmcginnis@deloitte.comGlenn YauchPrincipal Deloitte Risk and Financial AdvisoryDeloitte & Touche LLP 1 312 486 4477glennyauch@deloitte.comJohn BrownManager Deloitte Risk and Financial AdvisoryDeloitte & Touche LLP 1 404 220 1602johnbrown@deloitte.comMeghan CoxSenior Consultant Deloitte Risk and Financial AdvisoryDeloitte & Touche LLP 1 312 486 1602mcox@deloitte.com13
Supplier and service provider risk management14
Marketplace lending 2.0 I Bringing on the new stage in lending15
About this publicationThis publication contains general information only and Deloitte is not, by meansof this publication, rendering accounting, business, financial, investment, legal,tax, or other professional advice or services. This publication is not a substitutefor such professional advice or services, nor should it be used as a basis for anydecision or action that may affect your business. Before making any decision ortaking any action that may affect your business, you should consult a qualifiedprofessional advisor. Deloitte shall not be responsible for any loss sustained byany person who relies on this publication.As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiaryof Deloitte LLP. Please see www.deloitte.com/us/about for a detailed descriptionof the legal structure of Deloitte LLP and its subsidiaries. Certain services maynot be available to attest clients under the rules and regulations ofpublic accounting. 2017 Deloitte Development LLC. All rights reserved.
Figure 3. Supplier risk management framework Supplier and service provider risk management. 5. Companies should consider addressing the challenges outlined in this paper, incorporating the full supplier lifecycle into their business strategy, to allow them to proactively identify and respond to food safety and quality risks. Deloitte Risk and
