17 minute read 10 Mar 2021

How governments can minimize risk in complex supplier ecosystems

Authors
John Burns

EY Global BRETA Solution Leader; Principal, Strategy and Transactions, Ernst & Young LLP

Helping public and private sector organizations to create better outcomes. Avid golfer. Amateur photographer. Kids basketball coach. Always has a book on the go.

Oliver Jones

EY Global SaT Sustainability Leader; Global Business Development, Markets and Insights Leader; EY-Parthenon Global Government & Public Sector Leader

Passionate about providing outstanding support to governments and businesses. Deeply committed to excellence in public policy. Team builder. Mentor. Flexible worker. Loving husband. Father of three.


Governments need to protect themselves from risks often lurking deep within their complex supply chains.

In brief
  • Government supplier ecosystems have become far more complicated in recent years.
  • Risks are often hidden deep within multiple layers of suppliers – and, in many cases, the pandemic has further heightened these risks.
  • Sophisticated data analytics can make these risks visible, help governments build resilience into supply chains and mitigate any problems that might arise.

Today’s governments rely on complex ecosystems of suppliers, service providers and partners to enable them to deliver effective and efficient public services. Successful partnering with the private sector will be crucial as governments rebuild their economies. But government supply chains can be long and convoluted, with large numbers of interconnected entities distributed across sectors and geographies.

Engaging with external providers always involves an element of risk, and government procurement functions are used to managing this. However, growing complexity in supply networks means that the level of risk is more significant than ever – and that potential points of failure may be harder to spot.


Chapter 1

The COVID-19 pandemic has shone a spotlight on risk

Risk and threats within government supplier ecosystems have been bubbling for some time.

The COVID-19 crisis exposed vulnerabilities within complex global supply chains and resulted in shortages of essentials, such as medical equipment and pharmaceuticals, for which governments were ultimately held accountable. Yet, in response, governments and the private sector have shown incredible resourcefulness and adaptability, partnering in innovative ways to deliver on their goals. Although many of the immediate supply problems have now been dealt with, the ongoing economic effects will continue to impact many industries long beyond the pandemic itself. In some sectors, the events of 2020–21 will change the supplier landscape for good.

It’s not just the pandemic, though. Plenty of other threats to supplier ecosystems have been building for years – even decades. The geopolitical landscape has become more uncertain, and international trade tensions and tariffs have impacted suppliers along the value chain. Extreme weather events driven by climate change have become more common and can disrupt supply. More stringent environmental regulations are increasing the burden of compliance and the risk of noncompliance. And increasing digitization and connectivity lead to both a rise in cyber attacks and a far greater number of potential vulnerabilities.

Governments’ own ecosystems and supply chains are subject to the same risks and the same pressures, and building greater resilience into their supply chains will be key. It begins with a better understanding of potential risks and vulnerabilities, which can be gained by looking at and leveraging a wide range of relevant data using new, powerful analytical tools. Moreover, these tools can be deployed to monitor supplier ecosystems in real time and improve procurement and risk management practices.

The benefits of data analytics go beyond reducing risk, though. For governments, understanding the business dynamics of their contractors and the ecosystems through which their supply chains travel will ultimately help build better relationships, increase trust and improve decision-making. The insights gained will also help governments optimize performance throughout their supply chain ecosystems.


Chapter 2

Viewing risks in government supplier ecosystems holistically

Governments need to build effective and resilient supply chains to mitigate threats.

To design supply chain resilience strategies properly, government organizations need a clear and holistic overview of their supply ecosystems' potential risks and vulnerabilities, identifying weaknesses in their immediate suppliers as well as in their suppliers' suppliers. They should also identify weaknesses in their suppliers' key customers – because losing a key customer can drive a supplier out of business.

Clearly, forming this view is a considerable undertaking. To help government organizations unpick the complexity, EY teams have identified six key dimensions of threat within business relationship ecosystems.

Business and financial risks

The potential impacts of the financial collapse of a key government contractor or supplier can be severe and far-reaching. It can cause major disruption to critical public services or infrastructure, and result in significant job losses and cost to the taxpayer. Bankruptcies in suppliers' own supply chains can also pose risks for governments. Every business collapse impacts multiple other businesses and can affect a provider's ability to deliver. The COVID-19 pandemic has significantly increased the risk of such failures. According to Atradius, the trade credit insurer, global corporate insolvencies are forecast to rise by 26% in 2020 and by 25% in 2021. In the US, a total of 630 companies declared bankruptcy in 2020, a 10-year record, according to analysis by S&P Global Market Intelligence.

It is not just corporate failure that has the potential to create difficulties for governments; weaknesses short of failure can also cause problems. In the current economic environment, the likelihood of mergers and acquisitions is heightened. In an economic downturn, more firms will be in financial difficulty, and large companies may struggle to invest in organic growth. Therefore, growth via acquisition becomes more attractive, particularly as potential acquisitions are likely to be cheaper. The risk is that the acquiring company may not meet government procurement criteria (for example, ethical or environmental standards) even if the acquisition target, with which the government entity has the contract, does.

Thus, continual monitoring of critical suppliers' financial health and viability, using established financial metrics and indicators, is vital. For a robust, complete picture, monitoring the financial health of your suppliers' other large customers and markets can help provide early warnings. 

Worth remembering here is that engaging with suppliers solely or mostly dependent on public procurement is a potential risk in itself. Companies that have a large proportion of their business with governments face risks associated with government contract complexities. For example, one delayed or underperforming project could cause distress to other projects, jeopardizing service delivery. Here, government entities can mitigate the risk by having several suppliers or by considering a supplier's total exposure to government when monitoring and assessing suppliers.

Technology and conversion risks

Access to innovation, new technologies and know-how is a crucial reason governments engage with the private sector. However, maintaining access to specific, and even unique, technologies can create supplier dependency and, therefore, risk. Again, this is multilayered. A supplier's reliance on particular technologies and associated issues (such as patent expiry) can also create business risk.

An associated area here is the ownership of the intellectual property (IP). Governments need to understand where the ownership of critical technologies or IP sits within the supplier ecosystem to protect access and avoid ownership disputes. This is growing in both importance and complexity – with an increase in partnering, joint ventures and collaboration, who owns the resultant IP is often far from clear.

Emerging technologies are a new battleground. Naturally, governments want to ensure that they (or the companies based within their borders) can build the technologies associated with the Fourth Industrial Revolution (which will merge the physical and digital worlds).

Technological sovereignty will become even more important as these advances gather pace and technologies such as artificial intelligence (AI), robotics and 5G become widespread. Tech-related risks in the supply chain can be mitigated by assessing suppliers' technological capabilities, their R&D rigor and their adaptability to emerging technologies.

Regulatory and compliance risks

There is usually a long list of regulatory and compliance requirements that companies must adhere to if they are government suppliers. Regulatory compliance also performs a secondary role – it is a good gauge of a business's overall behavior. Noncompliance is an indicator that a government may be taking on risk, particularly if the violations are frequent. Governments need to monitor regulatory and compliance practices throughout their supplier ecosystem as part of everyday supply chain risk management to minimize these risks. 

Regulatory compliance expectations in supply chains will continue to increase as society and the media demand better and more transparent corporate citizenship, which translates into legislation. For example, the Base Erosion and Profit Shifting Initiative (BEPS) and General Data Protection Regulation (GDPR) have implications for the global value chain. The former affects tax strategy, and the latter has increased data protection and privacy requirements.

Moreover, governments are increasingly promoting sustainable supplier ecosystems, which means that monitoring environmental and social performance will follow. For example, the European Union has undertaken preliminary steps toward requiring mandatory due diligence in human rights and the environment. In 2021, this could become part of the review of its Non-Financial Reporting Directive (NFRD).

For reasons such as these, it’s crucial that governments have clear visibility of regulatory or compliance red flags across their entire supplier ecosystems, not just their direct suppliers.  

Supply chain complexity risks

To understand their own supplier networks' robustness, government agencies need visibility into potential vulnerabilities in their suppliers' ecosystems. A government entity may be at risk due to relationships and dependencies hidden deep within its supply chain. 

Thus, it is good practice to scan for potential vulnerabilities among sub-tier suppliers. These might be due to financial distress, geopolitical concerns, compliance issues or any number of other factors. Governments should also identify sole-source dependencies, vulnerabilities in their joint venture or alliance partners, risks within suppliers' key customers and risks within industries on which suppliers depend. 

Governments should also determine the risk management discipline they expect of their prime suppliers. They need to decide on the level of scrutiny appropriate for the whole value chain, especially for critical infrastructure suppliers such as defense and ICT. Significant risks with the potential to wreak havoc may lie deep within layers of sub-contractors. In complex value chains, risk management can be a considerable challenge. 

These supply chains can be long, complex and globally distributed, and can consist of multiple tiers of outsourcing.
Gregory C. Wilshusen
U.S. Government Accountability Office

Cybersecurity risks

Whether they originate from individuals, groups or even state-sponsored actors, cyber attacks are a severe risk to governments. They can lead to the theft of sensitive data or IP and critical failures in ICT or infrastructure assets. Moreover, the accelerating digitalization of society and governments, an ever-more networked world and increasing dependence on third parties means this category of threat is growing fast. 

Government organizations know this – and invest significantly in protecting their data and systems. However, not all attacks come through the front door. Increasingly, cyber criminals seek to exploit weak links in the supply chain to gain access to government data and disrupt services. Small companies contracted by larger companies that supply governments are often targeted. They may have access to government data but a less robust approach to information security. 

To have confidence in their cybersecurity, government organizations must have visibility across their entire supply chain and require suppliers and their sub-contractors to uphold adequate standards. One way to do this is to have an agreed set of cybersecurity standards that anyone contracting with government, or handling government data, must follow. For example, the U.S. Department of Defense has worked with businesses to establish cybersecurity maturity model certification criteria. Government agencies can also assess the cyber robustness of suppliers and their partners via external indicators such as reported incidents.

Geopolitical risks

The EY 2021 Geostrategic Outlook characterizes the present as a unique time in terms of geopolitics. In addition to the COVID-19 pandemic, there are trade pressures; political risks such as Brexit and US-China tensions; the ongoing risks posed by climate change; and the realignment of US priorities that the Biden Administration will bring. All will shape the global environment. Due to these factors, the likelihood of geopolitical risks impacting the performance of companies, markets or economies is at a post-World War II high. Dynamically monitoring political risks has never been more important.

Businesses are reassessing their risk strategies. According to the 2019 Global Business & Spending Outlook, 75% of companies have intensified their risk management due to political or economic turmoil, up from 65% in 2018. This number is likely to increase as the pandemic exacerbates existing political and trade tensions.

As companies build greater geopolitical resilience into their increasingly global supply ecosystems, public sector organizations need to do the same. This goes beyond crucial resources such as rare earth minerals, electronics, semiconductors and steel. In our increasingly interconnected world, even domestic suppliers of goods and services may be affected by geopolitical threats impacting a crucial business partner in another part of the world.

Therefore, governments need to assess risks associated with the countries with which suppliers and their partners do business, based on indicators of local, market and operating environment risks.


Chapter 3

Toward a resilient government supply ecosystem

Various strategies can be deployed to mitigate government supply ecosystem risks; no one size fits all.

Knowing your suppliers and wider ecosystem is key to understanding risk – and ongoing monitoring of risk levels is crucial. As discussed previously, this includes the risks presented by individual suppliers and hazards across the entire ecosystem. Government procurement functions should also be monitoring at an industry-wide level. If the construction industry as a whole is experiencing a downturn, your construction partner may be at risk, even if their financial health currently looks good.

Having visibility of warning signs can allow government organizations to be more agile when responding to potential threats to their supply chain ecosystem. It means they can take mitigating actions more quickly and experience fewer adverse consequences as a result. A healthy supplier ecosystem is a must-have asset for government procurement. Many organizations, both public and private, now fully recognize these risks. In response to EY clients’ requests, we have developed a tool to make threats in government supply chains both visible and actionable.

Governments need to develop strong trust-based relationships with their suppliers and partners in order to deliver effective public services. To have confidence in these relationships and their ability to deliver, governments will want to take steps to ensure risks are mitigated. Here, a thorough, holistic understanding of the supplier ecosystem will be crucial. Monitoring the health of the supplier ecosystem should be part of every procurement strategy to maximize the impact of public spending and ensure the quality of service delivery. 

Summary

The pandemic has shone a light on governments’ reliance on increasingly sophisticated global supply chains and the multidimensional threats hiding within them. Data analytics tools can help governments identify these risks and devise strategies to mitigate them. What’s more, these tools also enable greater supply chain efficiencies and cost savings, and can foster better supplier relationships.
