How to Manage Supplier Risk and Performance in an Uncertain Global Economy

Essentially every company that manufactures goods today depends on other companies to supply the raw or value-added materials that go into their finished products. Most companies recognize that good supplier relationships are more than simply arm’s length transactions between opposing parties. A better way of looking at those relationships is as partnerships—albeit ones that require management and alignment of objectives first and foremost, but ultimately mutually beneficial relationships. The job of procurement is to ensure performance is as promised, risk is low and business objectives are being met through collaboration. When suppliers are treated as partners, they can be a huge asset in times of trouble. Especially today, with some industries moving from a buyer’s market to a seller’s market, many suppliers can have their pick of customers, especially if some are easier to do business with, foster collaboration, listen to new innovative ideas and, most importantly, pay on time.

Well before the pandemic, leading organizations in every industry have recognized that strong supplier relationships and a reliable supply chain are paramount. It is critical to have full visibility across all your suppliers, and knowing everything about them matters because this may be the difference between meeting customer demand and falling short of it. Suppliers are a source of growth, innovation and efficiency, but if they are not managed holistically, they can be a source of risk, poor performance and noncompliance.

Enterprise technologies are available to holistically manage your suppliers throughout their lifecycle and incorporate all the necessary elements around supplier information-gathering, collaboration, and risk and performance management. Platforms with these capabilities can help risk professionals to: improve visibility across the supply chain (including sub-tiers of suppliers); ensure compliance with regulatory requirements (particularly new ESG regulations around carbon emissions, cybersecurity or diversity reporting); assess supplier viability and risk profiles; and evaluate performance and target improvement areas. Implementing such a system requires considerable advance planning and strategic thought. But following a deliberate series of steps can help you structure a solid program:

  1. Figure out what you want to accomplish with your supplier management program. 
  2. Secure executive buy-in from procurement, supply chain and IT leadership.
  3. Structure a plan to gather complete information about all your suppliers.
  4. Segment your suppliers into relevant groups, identifying the standards and processes each group is required to meet, and potentially establishing processes for each segment.
  5. Communicate goals, objectives and policies to your suppliers, whether it is around a code of ethics or more specific goals per segment.
  6. Create a process to continuously gather information about suppliers using surveys or a supplier portal, including topics like information security practices, certificates, financial updates and generic information updates.
  7. Establish an onboarding process for new suppliers and use third-party data sources to assess them against requirements and goals.
  8. Implement a monitoring program to regularly track key aspects of the supplier’s risk and performance profile. 

Your criteria can evolve over time, so regular reassessments of those criteria and related mitigation measures are always appropriate, but having them well-defined at the start will be a tremendous help in establishing clear expectations. As in any relationship, clarity is key to reducing the friction that can result from misunderstandings.

At the same time, however, issues directly affecting the supplier are only part of a larger risk profile. As we have seen during the pandemic, the transportation of supplies from a vendor’s overseas site to your own facility is also fraught with risks. For example, there are shortages of active piers, forcing ships to anchor for days or weeks before they can unload. Additionally, higher levels of theft and shortages of truck drivers, shipping containers, warehouse space, cargo pallets and inspection officials can all compound delivery delays. Being aware of issues within the supply chain, having visibility of your suppliers’ suppliers, and understanding relationships and dependencies are all key to being able to respond adequately.

A TechRisk/RiskTech Reading List from Risk Management Magazine

Last week, the RIMS TechRisk/RiskTech virtual event featured two days of education content on some of the biggest challenges and opportunities in modern risk management, focusing extensively on cyberrisk as well as risktech—the latest technology tools and techniques for managing risk. As the presentations made clear, technology introduces some of the greatest risks to organizations, but also some of the most promising innovations to introduce or enhance risk management.

“We all know that, ‘As fast as a business develops a strategy to protect their organization’s digital assets, cyber predators have already figured out their next move,’” said Patrick Sterling, vice president of legendary people and risk management at Texas Roadhouse Restaurants and 2022 president of RIMS. “So, risk professionals must do what risk professionals do best: We must adapt. And we must adapt quickly.”

“We can’t forget about the risks that preceded this pandemic, and top on that list stands technology,” Sterling added in his address during the event. “Cyber gets a bad rap—when we talk about risk, we must remember risk can lead to positive outcomes. While greater dependency on technology has opened the door to more threats, it also allows us to improve processes, keep employees safe, boost efficiencies and engage our customers in a whole new way.”

As a RIMS virtual event, the content from TechRisk/RiskTech will be available for attendees or new registrants to view on-demand for the next 60 days, and you can check out the sessions here.

Following the TechRisk/RiskTech event and last Friday’s international Data Privacy Day, risk professionals who want to learn more about cyberrisk and risktech topics can also check out a wealth of related articles from Risk Management Magazine. Whether you would like to keep up the education after attending TechRisk/Risktech or just want to catch up on topics like cyberrisk, ransomware, cyber insurance, risktech, artificial intelligence, the internet of things and connected devices, and other technology that can help manage risk, here’s a roundup of recent Risk Management articles on cyberrisk and risktech:

Tech Risk (Cyberrisk):

Risktech:

RIMS TechRisk/RiskTech: Emerging Risk AI Bias

On the second day of the RIMS virtual event TechRisk/RiskTech, CornerstoneAI founder and president Chantal Sathi and advisor Eric Barberio discussed the potential uses for artificial intelligence-based technologies and how risk managers can avoid the potential inherent biases in AI.

Explaining the current state of AI and machine learning, Sathi noted that this is “emerging technology and is here to stay,” making it even more imperative to understand and account for the associated risks. The algorithms that make up these technologies feed off data sets, Sathi explained, and these data sets can contain inherent bias in how they are collected and used. While it is a misconception that all algorithms have or can produce bias, the fundamental challenge is determining whether the AI and machine learning systems that a risk manager’s company uses do contain bias.

The risks of not rooting out bias in your company’s technology include:

  • Loss of trust: If or when it is revealed that the company’s products and services are based on biased technology or data, customers and others will lose faith in the company.
  • Punitive damage: Countries around the world have implemented or are in the process of implementing regulations governing AI, attempting to ensure human control of such technologies. These regulations (such as GDPR in the European Union) can include punitive damages for violations.
  • Social harm: The widespread use of AI and machine learning includes applications in legal sentencing, medical decisions, job applications and other business functions that have major impact on people’s lives and society at large.

Sathi and Barberio outlined five steps to assess these technologies for fairness and address bias:

  1. Clearly and specifically defining the scope of what the product is supposed to do.
  2. Interpreting and pre-processing the data, which involves gathering and cleaning the data to determine if it adequately represents the full scope of ethnic backgrounds and other demographics.
  3. Most importantly, the company should employ a bias detection framework. This can include a data audit tool to determine whether any output demonstrates unjustified differential bias.
  4. Validating the results the product produces using correlation open source toolkits, such as IBM AI Fairness 360 or MS Fairlearn.
  5. Producing a final assessment report.

Following these steps, risk professionals can help ensure their companies use AI and machine learning without perpetuating its inherent bias.

The session “Emerging Risk AI Bias” and others from RIMS TechRisk/RiskTech will be available on-demand for the next 60 days, and you can access the virtual event here.

What Employers Need to Know About Federal COVID-19 Vaccine Mandates

In an effort to combat the COVID-19 virus and its subsequent variants, the Biden administration has instituted three important mandates that employers should be aware of as they may impact their business. First, the Emergency Temporary Standard (ETS), issued by the Occupational Health and Safety Administration (OSHA), requires that all employers with 100+ employees mandate vaccination or weekly testing. The second mandate involves federal workers and contractors and requires them to obtain a vaccination without any option for weekly testing. The final mandate was issued by the Centers for Medicare and Medicaid Services (CMS), and requires vaccination of all healthcare workers at CMS-covered facilities.

OSHA’s Emergency Temporary Standard

The mandate that has the most wide-ranging impact is the Occupational Health and Safety Administration’s (OSHA) Emergency Temporary Standard (ETS), which calls for employers with 100 or more employees to either require employees to obtain a COVID-19 vaccination or to prove compliance with a weekly-testing program. This ETS is expected to affect over 80 million employees.

On December 17, the Sixth Circuit Court of Appeals lifted the stay placed on OSHA’s ETS issued by the Fifth Circuit in November. The court held that OSHA does have statutory authority to mandate national vaccines and/or testing for employers with more than 100 employees. Specifically, it outlined that because COVID-19 is a virus that causes bodily harm, OSHA was well within its administrative authority to regulate the health and safety of employees. 

Since the Sixth Circuit’s decision to dissolve the stay, OSHA announced that it will not be issuing citations for noncompliance with the ETS requirements until January 10, and the testing requirements will not be enforced until February 9, with the caveat that the employer must make good faith efforts to come into compliance as soon as possible.

After this ruling by the Sixth Circuit, eight groups challenged the OSHA vaccine mandate and filed emergency applications with the U.S. Supreme Court asking it to stay the mandate again until the case can be heard in the highest court. On December 20, the Supreme Court requested a response from the federal government by December 30. And, on December 22, in an almost unprecedented move, the Supreme Court ordered oral argument on these emergency applications, which will take place on January 7.

Despite the fact that the validity of the ETS is now squarely before the Supreme Court, employers should still operate as if the ETS will go into immediate effect. OSHA has implemented new deadlines to reflect the current status of the ETS.

By January 10, employers should:

  • Track employee vaccination status
  • Create a database detailing vaccination information for each employee
  • Require unvaccinated employees to wear a mask
  • Provide paid time off for employees to get vaccinated and recover

As of February 9, 2022, employers must also require unvaccinated employees to start testing for COVID weekly. Self-administered or self-read tests would not comply. Employers must observe or use a proctor and have employees tested on site, or at a recognized testing facility.

The Mandate for Federal Employees and Contractors

The second mandate stems from President Biden’s executive order that requires most federal employees or contractors to get vaccinated. This mandate does not have a testing option.

On December 7, the U.S. District Court for the Southern Section of Georgia granted a preliminary injunction to temporarily halt the enforcement of the Biden administration’s vaccine mandate for federal contractors. The court found that the administration had overstepped the bounds of its authority under the Federal Property and Administrative Services Act, 40 U.S.C. 101 et seq. The injunction effectively prohibits enforcement of the federal contractor vaccine mandate in all 50 states and any territory of the United States. However, on December 17, the Eleventh Circuit denied the government’s motion to stay. This effectively upheld the injunction. The court found that the government had failed to show that it “would be irreparably harmed absent a stay.”

The CMS Mandate

The third mandate is an interim final rule of the Centers for Medicare and Medicaid Services (CMS), which requires vaccination of all healthcare workers at CMS-covered facilities throughout the United States. The CMS mandate is currently enjoined by court order in 25 states and continues in full effect in 25 other states. After the ruling by the Fifth Circuit in November, however, CMS suspended implementation and enforcement of the mandate pending resolution of the challenges before the Supreme Court.