that are caused by outsourcing, concentration on core competencies, or the reduc-tion of in-house producreduc-tion depths. Especially by concentrating on their strengths, many companies make themselves highly dependent on their suppliers. If these suppliers drop out all of a sudden, cost-intensive supply bottlenecks are only the tip of the iceberg as additional unplanned investments must be made for the subsequent identification and qualification of new partners. Furthermore, scheduling delays may compromise or even endanger planned projects and the market launch of new products.

In Purchasing, risk management has to tackle those points where the fundamen-tal targets of the procurement may be put at risk.⁶Purchasing risks in this context are dependent on many factors such as the company itself, the products to be procured, the procurement markets, or the country from which the respective product is procured. Purchasing risks, for that matter, are to be regarded as an aspect of the cross-company risk management.

Classical procurement risks such as shortfalls, poor quality, or price fluctuations in the context of globalised markets gain in complexity as risks often tend to occur at interfaces between the home company and the supplier.

Concrete measures concerning purchasing that are taken by the risk management are, amongst others, the systematic selection, development, and supervision of suppliers as well as the devising of courses of action with respect to possible risk situations.

6.2.1 Identifying Purchasing Risks

The identification of risks is the starting point of the risk management process and is often regarded as its most important stage. Only a risk that has been identified can be included and managed in this process. To commit the task of risk identification centrally to a risk manager organisationally assigned to the controlling is a measure that has proven successful. On the basis of previously defined risk areas, this risk manager regularly conducts interviews with the respective division managers who also act as persons responsible for risks that have been identified in their respective areas.

Therefore, the Head of Purchasing bears the overall responsibility for the risk management within his purchasing division. The main interest in this context must be to design and use the risk management system in a way that meets the requirements. Only by the lasting and consistent support of the head of each division will the risk management process gain the necessary dynamics and stabil-ity. The interviews on the risks can be conducted with the help of checklists.

To identify risks, FMEA analyses by which weaknesses in systems or organisations are detected can also be conducted. This method is often used in the quality assurance division because by this method apart from the weakness also its causes and repercussions can be identified and assessed.

In the next step, the compiled risk catalogue should be extensively scrutinised during workshops. By the critical examination of the compiled risks, the participants can identify relevant threat potentials and select particular risks.

These risks can normally be assigned to five risk groups:

Supplier risks comprise all risks resulting from failures of the delivery perfor-mance of the supplier, e.g. risks that arise if:

• Material supplies fail in the short run due to the bankruptcy of the supplier or material bottlenecks

• Deviances concerning date of delivery, quality, or volume occur

• Companies are highly dependent on the supplier

Product risks comprise all risks concerning quality and technology. These risks occur if:

• Materials are not delivered in the required quality or volumes

• Technologies are developed jointly with suppliers (know-how protection)

• Technologies are bought in (black-box situation)

Logistic risks comprise all risks concerning the transport as well as risks arising from failures of the supply chain. Risks of this group occur if:

• Supply chains are global, complex, and branched.

• Long replacement times compromise the predictability.

• Shipments get lost or damaged during transport.

• Demand volumes have been fixed unfavourably.

Market and country risks comprise the risks in the procurement markets. These risks occur if:

• Substitution possibilities are missing due to an oligopolistic or monopolistic competitive situation

• Economic, political, social, legal, or ecological changes occur in countries in which the material is procured

• Resource bottlenecks or gambling on the stock exchange (e.g. with regard to rare earths) cause high price volatility or product bottlenecks

• Currency fluctuations result in higher costs

Process risks are risks connected to processes or persons. This includes occur-ring if:

• Duties have been delimited ambiguously

• Middle-term schedules are not met

• Targets and duties of the divisions have not been optimally concerted

• Master data have not been fed in correctly

• Maverick buying (procurement activities bypassing the purchasing) occurs

• Compliance guidelines have not been defined and communicated explicitly Subsequently, these five risks groups can be filed in a central, software-based risk management system in order to be introduced in the cross-departmental business planning.

6.2.2 Evaluation of the Purchasing Risks

To initiate appropriate control measures, risks must be quantified. In order to do so, the purchasing risks are evaluated with regard to their detriments and occurrence probabilities. Detriments are evaluated according to a real figure in the form of a possible deviation from the operative result in Euros. Normally, the limits are based on the equity capital and should be adjusted by the administrative management yearly.

As exemplarily shown in Fig.6.1, risks with an effect from 0 to 150,000 EUR can be assigned a detriment value of “1”, while risks resulting in deviances form 4 MM to 40 MM EUR can be assigned the detriment value of “4”.

The evaluation of risks with regard to their occurrence probability can be effected with the aid of relative categories. The evaluation scale is subdivided into four evaluation degrees:

• Low¼ Occurrence of the risk highly improbable

• Middle¼ Occurrence of the risk improbable

• High¼ Occurrence of the risk probable

• Very high¼ Occurrence of the risk highly probable

Apart from future expectations, experiences from the past can also be included in the evaluation. Therefore, it is advised to record the results in a risk matrix (as indicated in Fig.6.2).

The resulting relevancy enables a simplifying aggregation of many risk aspects and is thus suitable for reducing complexities. The relevancy subsequently serves as a filter to distinguish important from irrelevant risks. This in turn is the prerequisite for the selection of action alternatives concerning the risk policy, the next step in the process.

relevance

base

10.000 from to from to

1 0 1,5% 0 150 Insignificant risks that wont cause discrepancies from the operating result.

2 1,5% 10% 150 1.000 Medium-term risks that cause perceptible deviations from the operating result.

3 10% 40% 1.000 4.000 Significant risks that have a significant impact on the operating result or have a long-term impact.

4 40% 400% 4.000 40.000 Serious risks which lead to major deviations from the operating result and / or have a long-term impact.

5 400% - 40.000 - Critical risks that could jeopardize the company's continued existence.

characteristic deviation of operational result

in % in T€

Fig. 6.1 Evaluation of purchasing risks

low middle high very high

very high 2 3 4 5

high 2 2 3 4

middle 1 2 2 3

low 1 1 2 2

detriment

4

3 1

2

5

Fig. 6.2 Risk matrix as a result of the evaluation

6.2.3 Controlling the Purchasing Risks

After the risk evaluation, the organisation task of risk management starts with the subprocess of risk control. Risk control has the function of defining strategies suitable for the risks that have been identified and evaluated and deriving measures to confront these risks. The foremost target of risk control is to reduce the purchas-ing risks. The strategies for controllpurchas-ing the risks essentially consist of four aspects:

Risk Avoidance This happens when companies refrain from certain activities due to risks that are considered too high. This cause-related instrument is the most unmitigated form of risk response. The occurrence of the risk is completely prevented by reducing the occurrence probability to zero. However, with this decision the company concurrently forgoes the opportunities that are connected to the risks. This happens, e.g., if the business relations to a supplier are discontinued or a procurement market due to political instability is completely avoided.

Risk Reduction With regard to their causes, the occurrence probabilities of risky events are reduced to an acceptable level but not completely eliminated. However, risk reduction can also be achieved with regard to their effects by reducing the extent of damages. The cause-related risk reduction first and foremost aims at improving the level of information of the decision-maker as well as the pre-emptive mastering of potential threats. This can be achieved by early warning signs that will help to timely identify risks and confront their causes, e.g. by developing a second source of supply early in the case of a supplier with high risk potential or by establishing training programmes to counteract risks due to poor qualification of workers.

Transfer of Risks By transferring risks, the risks endure but are transferred to a third party by the use of preventive measures. To take out insurance is the most often used control instrument in this context⁷and enjoys highest priority in cases of existence-threatening risks. Examples in this context are indemnity or business interruption insurances. Risk transfer measures may also include the transfer of risks to the supplier, e.g. by supply or quality assurance agreements, by supplier managed inventories (SMI) in the form of a consignment warehouse, or by outsourcing of particular business tasks.

Risk Acceptance Risks with a low damage amount and low occurrence probabil-ity may be accepted and taken by the companies. In this case, measures are advised that will limit the economic consequences of the risk events. Furthermore, possible financial strains should be provided for by setting aside reserves.

7Cf. Wolke (2008, p. 85).

To control the identified and evaluated risk group in the purchasing division, a mix of all these strategies is used as not all risks can be handled with one and the same approach. Therefore, in the next step the existing as well as new measures and ideas for handling risks are compiled in order to confront the identified risks. The compiled measures and risks are then transformed into concrete measures, and for each measure a start and a finish date is fixed and the person responsible named.

The implementation and adequacy of the measures is tracked in the next process step, risk control.

6.2.4 Risk Control

Due to changes that will occur over time, one cannot assume that the measures concerning the risk policy that have been selected originally will still be the best solution under changed premises. Risk control has the task of tracking the develop-ment of the risks constantly and of assessing whether the impledevelop-mented measures and instruments do still conform to the defined targets. Furthermore, risk control must check whether new risks have arisen and whether an adjustment of the mix of measures has become necessary due to a changed interplay of single risks. At this point, there are strong connections to risk identification, a clear indication of the cyclical nature of the risk management process.⁸

Documentation is the basis of risk control. This can be achieved with the help of a risk management system (RMS). The RMS thus is the interface between the risk management in the purchasing division and in the company as a whole. All identified and evaluated risks and the respective measures are recorded in the RMS and updated regularly. Thus, all risks that are supervised can always be looked at. The relevant tasks are structured by diverse organisation levels (risk management, risk categories, risks, measures), and concrete responsibilities and deadlines are assigned to them. Through an integrated escalation and de-escalation mechanism, the next higher responsibility level will be informed by the RMS on deviances in the implementation of measures.

Risk control determines the organisational framework of the risk management, supplemented by risk communication. The following points must be taken care of in this context:

• All members of the company staff shall be prompted to handle risks responsibly as the RMS becomes more effective if not only the governing board but also the staff participate in it permanently. To realise this target, the communication within the company, even over hierarchical levels, must run smoothly. By a lasting and permanent process targeted at promoting risk awareness, risks can be identified and systematically attended to.

8Meierbeck (2010, p. 37).

• The risk management process must be subdivided into responsibilities and tasks.

Furthermore, in-house guidelines must be established to let employees below the company management level know what they have to do concretely if they come across risks that put the company in jeopardy.

• Control cycles must be defined in a uniform way. The intervals in which risks shall be discussed will depend on the type and importance of the respective risks.

There must also be a communication channel to inform on unexpected risks.

• From a defined threshold value, a risk reporting system comes into effect. The reporting channels, the dates, and persons responsible for them must be determined.