I have a very simple view on risk management. The party that has the greatest ability to control and manage the risk should always be the one that should be responsible for the risk. When a company manages operations internally there will always be risks that they can manage, there will be risks they assume because of the cost to manage the risk, and there are risks they can't manage that they must assume if they want to conduct business.
When a company outsources they may want the outsource supplier to assume all risks. A smart outsource supplier will only assume those risks they can manage using their normal business practices and processes. If a customer wasn’t managing something on their own because of the cost, the supplier should pass any additional costs of managing that back to the buyer. Risks the outsource supplier can't manage are probably the same risks the buyer couldn't manage internally. Those risks should remain with the buyer. If the buyer demands the supplier assume those risks, the supplier should determine if they are prepared to accept those risks and what contingencies they need to build into the price to accept them or they need to decide to walk away.
If the buyer is smart they will know that the upside is if the risk occurs, they will be protected as the supplier has assumed the risk and any resulting cost. There is a huge downside in the fact that if the risk never occurs, the supplier makes that much more profit. An agreement to share in the risk makes the impact less extreme.
For any risk transfer or risk acceptance you always need to consider:
1) The ability to manage the risk.
2) The cost of managing that risk.
3) The probability of that risk, and
4) The potential cost impact should the risk materialize.
Many buyers want to transfer the risks and resulting costs to the supplier, but don’t want to pay the additional costs to manage the risk or the contingencies required to accept the risk. Many suppliers as part of negotiations want to transfer risk to the buyer. As a buyer before accepting a risk you always want to think about whether you have the ability to manage and control that risk. If you can’t manage or control it, don’t accept it.
Let’s consider the situation where you hire a contract manufacturer or CM to manufacture a product for you. In that situation you would need to consider things like:
1.Who designed the product? Product design has a number of potential impacts. It can impact manufacturability that can impact the quality of what’s produced. The design tolerances it was designed to can impact performance and reliability.
2.Who selected and specified the materials? Materials will be of different quality and reliability.
3.Who selected the material suppliers? Suppliers can impact quality, performance, product reliability, etc.
If the Buyer did all of these, can the CM manage all the risks associated? Will they be able to negotiate terms with the supplier that will protect them from the risks? Or can they only stand behind and be responsible for what they actually do which is to order the parts and manufacture the item?
The more control you want to retain over the process, the less the CM will be able to manage the risk and the more they will want the buyer to assume it. If you give control over these activities to the CM, the less control you have over managing the risk and the more you need the CM to assume and manage the risk.
In negotiations suppliers frequently want to have it both ways. They don’t want the buyer to have control over what they may do, and they want the buyer to assume certain risks. The problem is changes the supplier makes may also change the potential risk. My response to suppliers has always been simple. If you want flexibility that can create risks, you need to assume the responsibility for those risks. If you don’t want to accept the risk, then you need to agree to give me controls so I can manage the risk. Those are the only two choices. Otherwise you are asking me to assume a risk I can’t manage or control and I won’t do that.