Canopy is a risk-based supplier management system. This means risk sits at the core of every Supplier Profile, and is a significant driver in how the supplier is managed.
In this article you will learn:
- How risk is managed through Canopy
- Types of risk managed through Canopy
- How to interpret the risk outcome in Canopy
How risk is managed through Canopy
Canopy manages risk through 4 phases of activity:
- The presence of risk is identified through the Request process and supplier submission
- Suppliers are asked to provide supplementary information to aid in the mitigation of these risks
- The supplier's responses are reviewed and either approved or rejected
- Critical documentation and certification remain under surveillance throughout the supplier lifecycle
Where available, Canopy will pull data from third-party sources, such as credit agencies and Health & Safety directories, to supplement its risk assessment.
Types of risk managed through Canopy
Canopy can be used to assess any type of risk a supplier may pose to your business.
By default, Canopy assesses 6 types of risk, as follows:
- Financial Risk
- Data Security & Privacy Risk
- Health & Safety Risk
- Anti-Bribery & Corruption Risk
- Modern Slavery Risk
- Conflict of Interest Risk
These risk assessments have been fully built out in Canopy, both in terms of Canopy's ability to identify the presence of risk, and the evidence a supplier will need to provide to mitigate the risk.
You may wish to add to or amend these risk types within the individual configuration of your specific Canopy system.
Inherent vs Residual risk
Canopy is principally set up to identify Inherent Risk - i.e. the risk that is present in the supplier before any mitigating circumstances are considered.
Based on this Inherent Risk assessment, the supplier is asked to provide their mitigation; the risk that remains once that mitigation is taken into account is the Residual Risk.
The act of approving this mitigating information is an acknowledgement by the customer that they are satisfied with the mitigation offered and are prepared to accept the risks that may remain.
How to interpret the risk outcome in Canopy
Published suppliers are those that you, as the customer, have determined to have met your risk requirements and are willing to trade with.
- Where the supplier has been assessed against a comprehensive Standard (e.g. the Compliance Standard), you may infer that, in order for the supplier to be Published, they will have met the necessary risk requirements.
- Where the Standard against which the supplier was assessed did not apply thorough due diligence to the risks identified (e.g. the ERP Only Standard), and the supplier has nonetheless been Published, the business is accepting whatever risk may be present.