Research Updates

What’s the best supply risk management model?

The questions

We can define supply risk as a set of deviations in the characteristics of a supplier and its performance. Such deviations might be associated with variables that are endogenous (i.e. dependent on the supplier) or exogenous (i.e. related to the economic situation or the market context).


As for the supply risk management process, all companies follow a series of steps before contracting with a supplier. First, when scouting and evaluating suppliers, they collect data on potential partners; then comes segmentation and classification based on how critical a given supplier would be for the company. Here economic-financial indicators are used, and in some cases specific clusters are created (critical suppliers, strategic suppliers, single-source suppliers).


Keeping this information up to date is a task that may be taken on by other company departments, by some third party, or by the supplier itself. Whatever the case may be, in today's business world, companies have to be extremely cautious when selecting and managing their pool of suppliers, and the Procurement Department plays an essential role here in data verification and analysis.


In fact, Procurement is responsible for profiling the supplier, constantly being on the alert for risk factors that could destabilize the supply relationship. This applies both when selecting new partners and when managing current ones.

The aim of our study was to collect and analyze data on supply risk management practices. We focus on risk measurement systems and mitigation measures implemented to reduce risk exposure and potential damage to the client company. With this research, we also hope to share our insights on the general process of Supply Risk Management.


Here are the questions we tried to answer:

  • What are the risk factors companies face with regard to their suppliers?
  • What measures would allow companies to monitor these risks? What information sources and data collection systems can they use?
  • What solutions and practices can mitigate supply risk? How effective are redundancy and flexibility strategies? How much do they cost?
  • How do companies handle the supply risk management process in general?


The methodology we adopted consisted of a preliminary phase of literature analysis, followed by field work in which we interviewed the CPOs who are members of the Procurement Lab at SDA Bocconi, a research center dedicated to procurement and supply relationship management.


Then we did risk mapping with the help of a matrix, drawing connections between the likelihood and the severity of risk. This risk classification enabled us to pinpoint the most appropriate mitigation strategy.


In our study, we did not categorize various types of damage; instead we focused on assessing the magnitude of damage, in light of the fact that damage entails a cost that has economic-financial impact. This cost, a proxy of risk, will be the main determinant of the mitigation action the company decides to take.


We considered two mitigation strategies: flexibility and redundancy.


Both share the objective of limiting or neutralizing the negative effects of damage by allocating additional resources that can be used in case of any deviation or adverse effect. But the two strategies differ in essential ways:


  • A flexibility strategy is a proactive approach that calls for upstream intervention to lessen the likelihood of an adverse event and prevent the deviation it would trigger. In-depth knowledge of the phenomenon and continuous information exchange and transparency are essential with this approach. Compared to the redundancy strategy, implementation takes longer and operations management is more complex.
  • The redundancy strategy instead is a reactive approach involving direct intervention when the discontinuity occurs or containment of the resulting damage - a simpler solution which is faster to implement. This strategy is generally more expensive than other alternatives, and doesn't require any particular knowledge-sharing.


When potential damage is highly likely and very severe, we adopted a combination of the two strategies. We present risk mitigation solutions in clusters (typically two or three), highlighting: the managerial style, the risk mitigation measures deployed, and the pros and cons.


At the same time, for the risk mitigation strategies, we chose a similar framework with the variables: managerial style, redundancy or flexibility strategies, and usage scenarios.


Finally, we demonstrate the existence of a relationship between how companies measure risks and how they mitigate those risks.

Looking Ahead

The main risk factors that emerged during the research are: financial, economic, operational, innovation-related, ESG (Environment, Social, Governance), geopolitical, and process-related, with some amplifiers: dependence and supply chain risk.


In our research project, rather than one approach predominating, several different ones emerged. What's more, we found that often the approach in question is determined by the risk context. The damage that emerges also differs, which may be due to the level of integration of the supply chain.


What we see in our study is that risk measurement approaches and mitigation strategies are contingent on a number of factors:




  • corporate culture and managerial approach (also depending on the sector);
  • vendor willingness to collaborate and share information and processes;
  • sensitivity to actual, explicit costs alone vs. sensitivity to the cost of potential damage as well;
  • short-term vision vs. medium-term vision;
  • the complexity of the solution and the skills in the organization.


We also found that, in most cases, our Lab partners integrate supply risk management within the framework of their Enterprise Risk Management (ERM) system.


A few companies use risk management support systems equipped with a comprehensive dashboard that tracks internal and external sources of risk. In contrast, several other companies adopt a structured view, one that is limited to economic-financial risks, or they task external providers with risk monitoring.


Finally, when critical issues arise, only a few companies activate a risk mitigation process semi-automatically (e.g. blocking payments, blacklisting, etc.). Leading the mitigation process in most cases is the Procurement Department, which draws up an action plan and shares it with other business functions.


To sum up, our research highlights how companies achieve different results depending on the sector where they do business and their sensitivity to various aspects of risk. So, we conclude that there doesn't seem to be a single model that is best, but rather one that may be better aligned with a given context.