Immediate Vault Immediate Access

How to Manage Supplier Risk and Performance in an Uncertain Global Economy

Essentially every company that manufactures goods today depends on other companies to supply the raw or value-added materials that go into their finished products. Most companies recognize that good supplier relationships are more than simply arm’s length transactions between opposing parties. A better way of looking at those relationships is as partnerships—albeit ones that require management and alignment of objectives first and foremost, but ultimately mutually beneficial relationships. The job of procurement is to ensure performance is as promised, risk is low and business objectives are being met through collaboration. When suppliers are treated as partners, they can be a huge asset in times of trouble. Especially today, with some industries moving from a buyer’s market to a seller’s market, many suppliers can have their pick of customers, especially if some are easier to do business with, foster collaboration, listen to new innovative ideas and, most importantly, pay on time.

Well before the pandemic, leading organizations in every industry have that strong supplier relationships and a reliable supply chain are paramount. It is critical to have full visibility across all your suppliers and knowing everything about them matters, because this may be the difference between meeting customer demand and falling short of it. Suppliers are a source of growth, innovation and efficiency, but if they are not managed holistically, they can be a source of risk, poor performance and noncompliance.

Enterprise technologies are available to holistically manage your suppliers throughout their lifecycle and incorporate all the necessary elements around supplier information-gathering, collaboration, and risk and performance management. Platforms with these capabilities can help risk professionals to: improve visibility across the supply chain (including sub-tiers of suppliers); ensure compliance with regulatory requirements (particularly new ESG regulations around carbon emissions, cybersecurity or diversity reporting); assess supplier viability and risk profiles; and evaluate performance and target improvement areas. Implementing such a system requires considerable advance planning and strategic thought. But following a deliberate series of steps can help you structure a solid program:

  1. Figure out what you want to accomplish with your supplier management program. 
  2. Secure executive buy-in from procurement, supply chain and IT leadership.
  3. Structure a plan to gather complete information about all your suppliers.
  4. Segment your suppliers into relevant groups, identifying the standards and processes each group is required to meet, and potentially establishing processes for each segment.
  5. Communicate goals, objectives and policies to your suppliers, whether it is around a code of ethics or more specific goals per segment.
  6. Create a process to continuously gather information about suppliers using surveys or a supplier portal, including topics like information security practices, certificates, financial updates and generic information updates.
  7. Establish an onboarding process for new suppliers and use third-party data sources to assess them against requirements and goals.
  8. Implement a monitoring program to regularly track key aspects of the supplier’s risk and performance profile. 

Your criteria can evolve over time, so regular reassessments of those criteria and related mitigation measures are always appropriate, but having them well-defined at the start will be a tremendous help in establishing clear expectations. As in any relationship, clarity is key to reducing the friction that can result from misunderstandings.

At the same time, however, issues directly affecting the supplier are only part of a larger risk profile. As we have seen during the pandemic, the transportation of supplies from a vendor’s overseas site to your own facility is also fraught with risks. For example, there are shortages of active piers, forcing ships to anchor for days or weeks before they can unload. Additionally, higher levels of theft and shortages of truck drivers, shipping containers, warehouse space, cargo pallets and inspection officials can all compound delivery delays. Being aware of issues within the supply chain, having visibility of your suppliers’ suppliers, and understanding relationships and dependencies are all key to be able to respond adequately.

A TechRisk/RiskTech Reading List from Risk Management Magazine

Last week, the RIMS TechRisk/RiskTech virtual event featured two days of education content on some of the biggest challenges and opportunities in modern risk management, focusing extensively on cyberrisk as well as risktech—the latest technology tools and techniques for managing risk. As the presentations made clear, technology introduces some of the greatest risks to organizations, but also some of the most promising innovations to introduce or enhance risk management.

“We all know that, ‘As fast as a business develops a strategy to protect their organization’s digital assets, cyber predators have already figured out their next move,’” said Patrick Sterling, vice president of legendary people and risk management at Texas Roadhouse Restaurants and 2022 president of RIMS. “So, risk professionals must do what risk professionals do best: We must adapt. And we must adapt quickly.”

“We can’t forget about the risks that preceded this pandemic, and top on that list stands technology,” Sterling added in his address during the event. “Cyber gets a bad rap—when we talk about risk, we must remember risk can lead to positive outcomes. While greater dependency on technology has opened the door to more threats, it also allows us to improve processes, keep employees safe, boost efficiencies and engage our customers in a whole new way.”

As a RIMS virtual event, the content from TechRisk/RiskTech will be available for attendees or new registrants to view on-demand for the next 60 days, and you can check out the sessions here.

Following the TechRisk/RiskTech event and last Friday’s international Data Privacy Day, risk professionals who want to learn more about cyberrisk and risktech topics can also check out a wealth of related articles from Risk Management Magazine. Whether you would like to keep up the education after attending TechRisk/Risktech or just want to catch up on topics like cyberrisk, ransomware, cyber insurance, risktech, artificial intelligence, the internet of things and connected devices, and other technology that can help manage risk, here’s a roundup of recent Risk Management articles on cyberrisk and risktech:

Tech Risk (Cyberrisk):

Risktech:

RIMS TechRisk/RiskTech: Using Cyberrisk Analytics to Improve Your Cyber Insurance Program

As ransomware continues to spread and payment costs increase, cyber insurance rates have gone up exponentially. As a result, it is more important than ever for companies to understand their cyber vulnerabilities and exposures so they can ensure they are properly covered. One way to do this is through analytics.

online pharmacy mobic with best prices today in the USA

In a presentation at the RIMS TechRisk/RiskTech virtual event, Scott Stransky, managing director and head of the Cyber Risk Analytics Center at Marsh McLennan, outlined some of the key data that can help companies get a full view of their risk.

According to Stransky, there are five categories of data that are most important to determining your risk profile. Much of this data is in publicly available datasets that insurers already consult, so it is important that you have a handle on this information as well so you know how underwriters and other outsiders are viewing you:

  1. Firmographics: company demographics like revenue, employee count, industry, location, and company hierarchy
  2. Historical incidents: past breaches and insurance claims
  3. Technographics: a company’s external cybersecurity posture including the presence of firewalls, open ports, frequency of system patching, as well as internal cybersecurity practices like password management and data encryption
  4. Scoring: combines firmographics, historical incidents and technographics into a single number that designates the level of vulnerability
  5. Loss modeling: brings all elements together to predict the likelihood and cost of an event

Armed with this data, companies can take steps to make it easier to access optimal cyber insurance coverage and better insurance pricing. These could include improving your security and claims posture by addressing potential cybersecurity gaps, updating incident response plans, and identifying vendor partners to help improve security posture or respond to incidents. Companies can also explore policy structure options in terms of different program components (limits, attachment, coverage, risk retention, etc.

online pharmacy isofair with best prices today in the USA

) and consider alternative terms and conditions.
online pharmacy robaxin with best prices today in the USA

Finally, it is important to provide robust underwriting data by using assessment tools to minimize the need for supplemental applications, preparing for additional questions from underwriters, and highlighting significant cybersecurity updates and improvements over the past year.

In particular, companies should focus on what Stansky called the top 12 cybersecurity controls for risk mitigation, resilience and insurability:

  1. Multifactor authentication (MFA)
  2. Endpoint detection and response
  3. Secured, encrypted and tested backups
  4. Privileged access management
  5. Email filtering and web security
  6. Patch and vulnerability management
  7. Cyber incident response planning and testing
  8. Cybersecurity awareness training
  9. Hardening techniques, including remote desktop protocol mitigation
  10. Logging and monitoring/network protection
  11. End-of-life system replacement
  12. Vendor/digital supply chain risk management

For those that missed RIMS TechRisk/RiskTech, you can register and access the virtual event here. Sessions will be available on-demand for the next 60 days.

Detecting and Confronting Procurement Fraud

Accountancy firm Crowe and credit rating company Experian have said that large enterprises and governments experienced 59% of procurement fraud in the United Kingdom, costing them $120 billion (£89 billion) collectively. It is estimated that over $2 trillion (£1.6 trillion) total is lost each year due to procurement fraud, or 4-8% percent of an organization’s procurement spending. This figure dwarfs other areas such as corporate tax avoidance, where HMRC estimates that $94 billion (£70 billion) was avoided between 2011 and 2015.

The main difference is that procurement fraud is so varied that it makes it virtually impossible to detect. More importantly, procurement fraud is difficult to detect because it is often embedded in a genuine expense. For example, when a construction contractor submits an invoice for 100 hours of work in a week, eight of those hours may be fraudulent. This may seem negligible, but when you consider that every purchase in an organization can include an element of fraud, the scale of the problem becomes clear. It is not just about the financial loss; there are many reputational issues too.

Why Procurement Fraud? 

There are two main reasons: greed and opportunity. In terms of motive, we see both individuals and groups committing acts of fraud because they want something for themselves. They might be looking for personal gain, or trying to get away from someone else, or simply seeking revenge on a competitor.

Several studies have shown that around 50% of fraudsters are motivated by either monetary reward or benefits gained by committing a crime. For example, in 2018, a Massachusetts Bay Transportation Authority (MBTA) procurement official was indicted for receiving over $300,000 in illegal bribes and gratuities from a construction company that performed work for MBTA.

Individuals may also notice a weakness in a business process, as trivial as a broken approval process, that allows for invoices to be paid to existing suppliers without checking the outstanding purchase order amount. The problem is that weaknesses can surface at virtually every step of the procurement lifecycle, across the entire supply chain. Additionally, fraud often occurs when suppliers become close with an individual with authority inside an organization that can provide undetected access. Fraudsters see an opportunity to profit from weaknesses and begin exploiting them.

What Can Be Done?

Here are three ways to help your business become less vulnerable to fraudulent activity:

1. Use data analytics tools: Data analytics tools give you access to information about how well suppliers perform against agreed standards. You can use this information to identify potential risks early on, which could save your company millions in wasted spending.

2. Choose suppliers carefully: The larger and more complex your supply chain, the greater the risk for procurement fraud. If you buy goods and services from many suppliers, you should try to choose suppliers based on quality rather than price. Quality is not always reflected in the cost, but this means you need to be wary of the cheapest option. Using data to draw definitive conclusions about a supplier’s performance is a good way to remain objective when selecting.

3. Create a robust process: It is important that have a robust supply chain management process in place. You should be able to trace back how a supplier was added to your supply chain, the selection criteria for any awarded contracts, their ongoing financial standing, and the people involved in managing the relationship.