Immediate Vault Immediate Access

How to Manage Supplier Risk and Performance in an Uncertain Global Economy

Essentially every company that manufactures goods today depends on other companies to supply the raw or value-added materials that go into their finished products. Most companies recognize that good supplier relationships are more than simply arm’s length transactions between opposing parties. A better way of looking at those relationships is as partnerships—albeit ones that require management and alignment of objectives first and foremost, but ultimately mutually beneficial relationships. The job of procurement is to ensure performance is as promised, risk is low and business objectives are being met through collaboration. When suppliers are treated as partners, they can be a huge asset in times of trouble. Especially today, with some industries moving from a buyer’s market to a seller’s market, many suppliers can have their pick of customers, especially if some are easier to do business with, foster collaboration, listen to new innovative ideas and, most importantly, pay on time.

Well before the pandemic, leading organizations in every industry have that strong supplier relationships and a reliable supply chain are paramount. It is critical to have full visibility across all your suppliers and knowing everything about them matters, because this may be the difference between meeting customer demand and falling short of it. Suppliers are a source of growth, innovation and efficiency, but if they are not managed holistically, they can be a source of risk, poor performance and noncompliance.

Enterprise technologies are available to holistically manage your suppliers throughout their lifecycle and incorporate all the necessary elements around supplier information-gathering, collaboration, and risk and performance management. Platforms with these capabilities can help risk professionals to: improve visibility across the supply chain (including sub-tiers of suppliers); ensure compliance with regulatory requirements (particularly new ESG regulations around carbon emissions, cybersecurity or diversity reporting); assess supplier viability and risk profiles; and evaluate performance and target improvement areas. Implementing such a system requires considerable advance planning and strategic thought. But following a deliberate series of steps can help you structure a solid program:

  1. Figure out what you want to accomplish with your supplier management program. 
  2. Secure executive buy-in from procurement, supply chain and IT leadership.
  3. Structure a plan to gather complete information about all your suppliers.
  4. Segment your suppliers into relevant groups, identifying the standards and processes each group is required to meet, and potentially establishing processes for each segment.
  5. Communicate goals, objectives and policies to your suppliers, whether it is around a code of ethics or more specific goals per segment.
  6. Create a process to continuously gather information about suppliers using surveys or a supplier portal, including topics like information security practices, certificates, financial updates and generic information updates.
  7. Establish an onboarding process for new suppliers and use third-party data sources to assess them against requirements and goals.
  8. Implement a monitoring program to regularly track key aspects of the supplier’s risk and performance profile. 

Your criteria can evolve over time, so regular reassessments of those criteria and related mitigation measures are always appropriate, but having them well-defined at the start will be a tremendous help in establishing clear expectations. As in any relationship, clarity is key to reducing the friction that can result from misunderstandings.

At the same time, however, issues directly affecting the supplier are only part of a larger risk profile. As we have seen during the pandemic, the transportation of supplies from a vendor’s overseas site to your own facility is also fraught with risks. For example, there are shortages of active piers, forcing ships to anchor for days or weeks before they can unload. Additionally, higher levels of theft and shortages of truck drivers, shipping containers, warehouse space, cargo pallets and inspection officials can all compound delivery delays. Being aware of issues within the supply chain, having visibility of your suppliers’ suppliers, and understanding relationships and dependencies are all key to be able to respond adequately.

Spending Risks Shift as the Pandemic Continues

When Twitter offered permanent work-from-home status to all of its 4,600 employees in response to the COVID-19 pandemic, it did so with a $1,000 stipend per employee to furnish and set up functional home office spaces.

For many organizations, such a sweeping move would carry higher risk as more employees, especially those not trained in company spending policy, would be expensing items. During COVID-19, enterprises of all sizes contend with the changing financial implications of adjusting business practices.

Data scientists at Oversight—a global leader in spending management technology—saw out-of-pocket spending increase 17% from April to May and expected this number to rise further in June as more employees without a corporate card make COVID-related expenses. These findings are published in the company’s Spend Insights Report, which analyzed information derived from customer interviews, market observations and Oversight data.  

Several Oversight clients reported finding big-screen TVs and soundbars on expense reports for work-from-home setups. Any of these could ultimately be for personal use or resold for personal gain. One client found that one of its employees spent $7,000 in corporate funds to set up a new home office space.

The months since COVID-19 forced employers everywhere to pivot their office strategies and open expensing capabilities to a broader subset of the employee base. As a result, the fundamental assumptions about spending and risk management in finance operations no longer apply.

New patterns of risk are emerging from these new transactions. However, finance operations teams that take the time to analyze these patterns can develop best practices.

Five key lessons enterprises should understand about spending risk in the 2020 business environment are:

1. Good and Bad Spending Have Reversed Roles

When the rapid shutdown of normal business operations forced the global workforce to shelter in place, travel discontinued abruptly. Airline and transportation activity plummeted in both March and April, as did hotel spending. But purchasing activity was higher than expected in the high-risk categories of mail/phone orders and miscellaneous stores (including merchants such as Amazon, Best Buy and Apple), while out-of-pocket expenditures in the name of business continuity increased dramatically. The result was a business scenario in which much of the historically “good” spending, like travel expenses, was suddenly deemed wasteful to the organization. In contrast, much of the traditionally categorized “bad spending” was now necessary.

2. The Pattern of Risk is Shifting, As is Mitigation Collaboration

Because the risk looks significantly different than it did before the pandemic, finance operations teams are applying more scrutiny to employee spending, and collaborating more. Operations teams are engaging more than ever with counterparts in forecasting, tax and audit to navigate the nuances of risk during the crisis, creating a new best practice that makes identifying and mitigating spending risk easier.

3. Rising Miscellaneous and Out-of-Pocket Costs Cause Payment Platform Risk

Third-party payments increased 40% year-over-year in April according to the Spend Insights Report, as the pandemic drove a significant increase in online shopping activity. That shift to online—as reflected in rising miscellaneous and out-of-pocket spending—was often processed using third-party payment platforms like PayPal and Stripe. When employees spend using these platforms, organizations are exposed to greater risk due to limited visibility into transaction and vendor data.

4. New People Spending is New Risk

Regardless of COVID-19’s impact on an organization, one good rule is that risk is a function of people. According to Oversight data, 70% of employees are good stewards of corporate funds. An additional 25% may make errors or act out-of-policy in certain circumstances, but these individuals are not intentionally involved in waste or fraud. The remaining 5% of employees could use opportunities like COVID-19 to spend maliciously or otherwise act outside of corporate compliance guidelines. Every organization’s goal should be to engender visibility into the 5% of bad actors, while simultaneously seeking to better inform the remaining 25% about the steps they can take to adhere to policy. 

5. Align your Teams and Tools to Ensure Visibility into Spending

By quickly understanding as an organization what employees are spending on today, and at what frequency, leaders will be better suited to manage and mitigate risk. While the profile may be different than before the pandemic, the same tools that guided visibility into spending and risk are available to help organizations understand and analyze spend in the new business climate.

The situation at most organizations is fluid. The essential take-away is to develop a framework and process for near-real-time awareness of employee spending and the associated risks. By recalibrating your sense of the necessary expenditures now, organizations can ultimately ensure continuous control over risks as they emerge.

Closing the Vendor Security Gap

What do organizations really know about their relationships with their vendors?

It’s a question that most companies can’t answer, and for many, that lack of knowledge could represent increased risk of a security breach. This year, Bomgar conducted research into vendor security on a global scale, and the findings underscore that much work remains to be done to shore up third-party security.

The 2016 Vendor Vulnerability Index report produced eye-opening results that should be a wake-up call for business leaders, CIOs and senior IT managers. The survey of more than 600 IT and security professionals explores the visibility, control, and management that organizations in the U.S. and Europe have over external parties accessing their IT networks. Some of the most surprising statistics are summarized below:

  • An average of 89 vendors are accessing a company’s network every week.
  • 92% of respondents reported they trusted their vendors completely or most of the time.
  • 69% said they definitely or possibly suffered a security breach resulting from vendor access in the past year.
  • In the U.S., just 46% of companies said they know the number of log-ins that could be attributed to vendors.
  • Only 51% enforce policies around third-party access.

It’s evident from these findings that third-party access is pervasive throughout most organizations. What’s more, this practice is likely to grow—75% of the respondents stated that more vendors access their systems today than did two years ago. An additional 71% believe this number will continue to increase for another two years.

Two-thirds of those polled admit they have a tendency to trust vendors too much—confidence that should be questioned based on the results of this report. The data revealed that, while most organizations place a high level of trust in their vendors, they still have a low level of visibility into how vendors are accessing their systems.

This contradiction is not something organizations should take lightly. As noted above, 69% of respondents admitted they had either definitely or possibly suffered a security breach resulting from vendor access. An additional 77% believe their company will experience a security issue within the next two years as a result of vendor activity on their networks.

As an organization’s network of vendors grows, so too does the risk of a potential breach. For most companies, it is essential that third-parties have access to sensitive systems as a course of doing business—the question centers on how to grant this access securely.

Historically, companies have used VPNs to provide network access to third-parties. While appropriate for the intended end-user—remote and/or traveling employees—issues arise when the scope of VPN is trusted to manage connections from external groups. If a system connected via VPN is exploited and used as a point of persistence for leap-frogging into the broader network, hackers can persist for days or months and move stealthily about the network. Companies have also seen malicious (or well-intentioned) insiders choosing to abuse their access to steal or leak sensitive information, as this is all made fairly trivial when leveraging open-ended VPN connectivity.

To balance the dual demands of access and security, companies need a solution that allows them to control, monitor and manage how external parties are accessing their systems. Rather than providing “the keys to the kingdom,” a modern secure access solution enables organizations to grant vendors and other third-parties access only to the specific systems and applications needed to do their jobs.

To ensure security, organizations should also select a secure access solution that provides video and text logs of all session activity. This allows companies to monitor how remote access is being used and, perhaps more importantly, by whom. With this technology, any suspicious activity can be immediately flagged for further investigation. In addition, these session forensics can help companies meet internal and external compliance requirements.

Another secure access best practice is to employ a password/credential vaulting solution. This enables organizations to mitigate the risk of credentials shared between privileged users, which are often the target of a threat actor. It also reduces the risk of what system administrators often think of as “the stickynote nightmare,” where a sensitive credential is written on a stickynote and stuck on someone’s monitor for all who walk by to see. Password vaulting technologies also help with the dangers posed by embedded system service accounts that have administrative privileges and are rarely rotated for fear of bringing critical business services down. A small, yet strong initiative to protect network security would include requiring every privileged user to access credentials required for elevated work via checking out of a password vault. This removes most of the challenges associated with sharing credentials as, once they are checked back in, those credentials can be immediately rotated and thus become unknown to the employee or the bad actor who may have stolen them. Incorporating multi-factor technology in order to access the password vault and other sensitive systems takes it a step further.

In today’s heightened environment, following these steps should be essential security best practices for any company allowing vendors or other third-parties to access their network.

The Vendor Vulnerability Index report suggests that companies are aware of the threats posed by ineffective management and poor visibility into vendor access. Yet, as the data shows, just slightly over half of the respondents are enforcing any policies around third-party access. In light of these findings, companies should also ensure that they are properly screening any third-parties with whom they share network access. For example, does the vendor provide security awareness training as part of their employee on-boarding process? Asking this and similar questions will give companies a clearer picture of the vendor’s security ethos, and help them to determine if the partnership is a good fit to begin with.

In order to combat this growing vulnerability, organizations need granular control over external access. Only with such a solution in place can companies feel confident that their vendors won’t unintentionally become their weakest security link.

Vendor Risks: Preventing Recalls with ERM

Recall
In 2016 alone, there have been dozens of recalls, by food companies, car manufacturers, and vitamin producers, among others. Not only do these recalls greatly impact a company’s bottom line, they can also affect the health and safety of consumers. With this in mind, what can organizations—both within the food industry and otherwise—do to improve their chances of uncovering suppliers operating in subpar conditions? How can they mitigate the risk of recalls?

Customers of CRF Frozen Foods, for example, a full-line, individually quick frozen processing plant that packages fruits and vegetables for a variety of customers, recently had big problems when it was linked to a widespread listeria outbreak. Contaminated foods affected big-name distributors like Trader Joe’s, Costco and Safeway, and some customers fell ill as a result.
buy tadalafil online https://royalcitydrugs.com/tadalafil.html no prescription

Even though a series of sanitation concerns and other facility issues at CRF had been exposed by regulators as early as 2014, the factory was allowed to continue operating and its customers weren’t notified.

Red flags raised by regulators aren’t always seen by the companies they’re most relevant to, however. The fact that these outbreaks occurred seems to demonstrate that customers’ vendor management practices either failed or simply weren’t robust enough to detect issues. It all comes down to effective enterprise risk management (ERM). ERM provides the tools and framework that allow any organization to standardize processes and effectively mitigate vendor risk.

An ERM approach is characterized by standard criteria, interdepartmental communication, and automatic alerts and notifications. It keeps everyone in the organization on the same page and ensures assessment results are always understandable and accessible. This eliminates redundancy in the risk management process. As a result, you can quickly and easily determine the last time your organization evaluated a supplier. Something as simple as a notification that regulators have published new requirements might save your organization from acquiring infected or defective products.

There are three general stages that apply to any successful risk management effort:

  1. Identify specific risks, followed by assessment and evaluation
  2. Implement tailored mitigation activities to address those risks
  3. Monitor those mitigations to ensure long-term effectiveness

The first step serves as the foundation for steps two and three. Without a proper understanding of what risks your organization faces, it is impossible to prioritize and mitigate them. Especially across multiple business departments or within supply chains—it is quite difficult to identify and account for every variable.

To keep up with vendors’ fluctuating conditions, teams need to systematically identify and assess risks, catching them as they crop up. Preventing assessments from becoming obsolete is the key to keeping a pulse on everything that may affect the business, therefore avoiding unwanted surprises.

Risk assessments also help determine the best way to allocate limited resources. Minimizing vendor-related risks needn’t be burdensome, however. It should be a streamlined process that, by enabling you to avoid harmful incidents, improves operational efficiency. Once your risk assessments reveal the areas of highest priority, you can determine exactly how to mitigate those concerns.

The Freedom of Information Act can be extremely helpful when it comes to your third-party risk management efforts. It grants all companies the right to ask vendors for specific information about plant processes, worker training, sanitation practices, and maintenance. Suppliers are required to be forthcoming with all information (when asked), and teams need to take advantage of this opportunity. It is an important part of the risk management equation and will help you understand your risks before disruptions occur.

Performing vendor risk assessments—in the form of inspections, questionnaires, and service level agreements—generates an enormous amount of data and information. This information is useful for mitigating risk, but only if it is up to date, consistent and distributed to the appropriate individuals. The Freedom of Information Act provides an opportunity to evaluate suppliers with robust risk assessments, and ERM provides the means to capitalize on that opportunity. Ad-hoc assessments of current and prospective vendors, without standardized processes, will only get your team so far.

Steps to Effective ERM

Capitalizing on your vendor assessment rights is only part of the equation. Without an appropriate means of processing, distributing, and making data actionable, you’re back at square one. To make sense of important data, follow these steps:

  1. Create a taxonomy: define relationships between risks, requirements, goals, resources and processes. If each area of the business uses its own system for identifying and classifying risk, the resulting information is subjective and unusable by other departments. There is also significant information overlap—and therefore waste. Use your existing information to create a standard for data collection with minimal work.
  1. Streamline with the standardized risk assessments identified in step one. Risk assessments can be conducted in many different formats and qualities. Use resources already in place and streamline the results using the standard from step one. The most effective way to collect risk data is by identifying the root cause, or why an incident occurred. Honing in on the root cause provides useful information about what triggers loss and your organization’s vulnerabilities. When you link a specific root cause to a specific business process, designing and implementing mitigations is simpler and more effective.
  1. Connect mitigation activities to each of the key risks in these processes. A risk taxonomy gives you a more holistic understanding of all the moving parts in your organization. This makes it easier to design mitigation activities.
  1. Connect incidents, complaints and metrics (for each business process) to mitigation activities. Typically, companies already dedicate many resources to monitoring business performance, collecting information about incidents, complaints and metrics. These processes are often inefficient and ineffective. Simply connecting them to mitigation activities, however, identifies the reason such incidents happen. You can then take straightforward corrective actions, meeting top priorities and allocating resources with forward-looking measures. Risk management, after all, is not about minimizing fallout after an incident, but preventing such an incident from happening in the first place.

To make this entire process effective, management must work to develop an enterprise-wide risk culture. ERM is not just an executive-level process, but should be pushed all the way to frontline managers, where everyday decisions are made and the risks are known—but resources are often absent.

Approach your vendor risk assessments as you would any other risk assessment—they should be reoccurring and standardized. Perform them regularly and evaluate the results with the same scale and criteria with which you evaluate all other risks. Finally, automate information collection and review so that reporting reveals cross-silo dependencies before these risks turn into scandals. The result will be increased vendor security and the prevention of surprises, at a fraction of the cost.