Daily Archives: November 16, 2023

Source-to-Pay+ part 3: Corporate Risk

In Part 1 we noted that Risk Management went much beyond Supplier Risk, and the primitive Supplier “Risk” Management application that is bundled in many S2P suites. Then, in Part 2, we noted that there are risks in every supply chain entity; with the people and materials use; and with the locales they operate in. These risks come in all shapes and sizes. And any single risk can sink the company.

Today we are going to talk about some of the internal corporate risks and outline the function specific baseline capabilities that such a solution will normally possess.

Capability Description
Reputation/Brand A significant risk to a company is its reputation/brand, especially if it’s primarily selling to consumers. And the problem with reputation/brand damage is that it can come from anywhere. Quality issue that leads to a defect that causes consumers harm. Raw materials that are harmful to human health and might cause cancer, or worse, if consumed, inhaled, or even touched. An offensive statement (to a group of people) by an executive. A targeted online misinformation campaign by a disgruntled customer. Environmentalists who claim the organization is doing unnecessary environmental damage. Forced and Slave Labour. The repercussions of continuing to buy cobalt and copper from the congo while turning a blind eye to rampant sexual violence and rape. (An average of 48 victims are treated per day by Medicins Sans Frontieres, that’s 17,520 per year. And this has been going on for over a decade.)

And in these difficult times, you also have to deal with

  • Sourcing from countries engaged in “special military exercises” that have effectively started wars with other countries and
  • Sourcing from countries whose response to terrorist attacks have resulted in 10X the number of casualties caused by the terrorists.

In these two situations, it might be the case that most of your consumer base doesn’t care, but some will praise you while staying the course and helping the side they think is right (or good) while others will go out of their way to aggressively attack your brand for helping the side they think is wrong (or evil). And so on.

As such, the platform needs to be able to monitor news sources and social media. It must look for stories that could blow up, sentiment that could propagate, and events associated with related entities that could propagate. It must tie into multi-tier manufacturing systems and monitor raw materials, quality control systems to monitor production quality, It must tie into CSR/EHG systems to make sure the company is being environmentally conscious. And so on.

Sanctioned Entities An organization that does business with organizations on sanctioned or denied lists can get in serious trouble. It can be prohibited from doing business with government entities, fined, and the executives (criminally) charged. But it’s not just entities, it’s individuals as well. And it’s not just potential employees or contractors, but (potential) investors as well.

Its critical that the system tie into all sanction and denied party lists of every country it does business in, all lists of organizations that have had lawsuits brought against them (and the results if the lawsuits have been concluded), and lists of individuals who have investments in related corporations.

Fraud Every organization that makes money is at risk of being defrauded. That fraud can come from employees, including top executives, suppliers, third parties, and cyber criminals.

Such a system should integrate into the Supplier/Vendor Master and ensure that all invoices are coming from valid entities, the purchase order system to ensure the invoices match purchase orders and the payment amounts are valid, the payment system to make sure the payments go to accounts known to be associated with the vendor who sent the invoice, and no payments made without an invoice or appropriate counter-signed / doubly approved payment approval.

Such a system should also look at connections. Connections between the individuals in the organization who cut the PO, claim the services were delivered, make the payment, and the individuals who sent the invoice, verified the delivery, and accepted the payment.

Such a system should also integrate with the cyber monitoring and internet security systems and look for unusual activity that could indicate potential fraud.

Employees Employees are the biggest internal risks. And not just those who are looking to commit fraud, which will, hopefully, be a very small percentage of employees. There are also those who (might) have a conflict of interest, which could sway them in their decision making. And then there are the rest of the employees, who are human and make mistakes. Small mistakes like accidentally approving an invoice for 5K from a vendor who didn’t actually deliver the services, and might never deliver the services, because there are no processes in place to verify the delivery from approved vendors who have delivered in the past. Big mistakes like not locking down a port that allows a hacker to get into the local payment systems and alter the bank account for the 500K payment going out tomorrow. And everything in between.

This system should not only integrate with background check systems for employees who have access to the payment systems, but those who have access to restricted/classified IP, sensitive systems that need specialized training, and so on.

It should also integrate with certification and training systems to track an employee’s certifications and training.

GHG/Carbon In today’s climate, it’s important for a large company to track it’s internal carbon usage, not just the supply chain.

It’s likely that the organization will have it’s own system for carbon tracking. Such an organization will need to make sure the system is configured to track internal emissions and chain emissions separately, assign internal emissions to the company and the outbound chain as appropriate, and export the summaries to the corporate risk tracking system.

GDPR/Privacy GDPR is here, it must be respected, and failure to do so can be costly. But it’s not just GDPR an organization needs to be concerned with as privacy regulations are cropping up all over the world, and many countries in which the organization does business as a buyer, a seller, or both.

An organization must identify the private data it maintains on its employees, contractors, representatives of third parties, and the public. It must ensure such data is secured, encrypted, accessible only by those with explicit authority, and tagged as data the organization is legally allowed, or required, to keep and data that does not fall under that category. The location of such data must be indexed and the data, as well as all backups thereof, must be easily erased if someone asks to be forgotten (with the exception of any data the organization is legally required to maintain), and that must include all backups.

Contract The organization has contractual risk, both in the contracts with its suppliers as well as the contracts with its customers, and with respects to the contracts it never signed, but implied when it made the first order or purchase from a supplier. These risks include the losses from failure to complete its obligations as well as risks from suppliers and customers failing to complete theirs as well as force majeure risks and lack of of assignment to third parties and/or lack of adequate insurance coverage.

It’s critical that the Corporate Risk System integrate with all of the contract systems used by the organization, track contracts by risk type, identify lack of key clauses, and identify areas where lack of contracts or insurance put the organization at significant risk.

Epidemics/Pandemics The pandemic was not the last epidemic/pandemic the organization is going to face. More are coming. The organization needs to identify which parts of the operation are most at risk, what can be done to prepare for it, and what is in place when the worst happens.

As to how the system should support the planning, monitoring for, detection, and response to an emerging epidemic/pandemic, that’s probably organization dependent. But any Corporate Risk system that doesn’t at least recognize the need is not meeting the full problem.

A corporate risk system will also contain a host of generic analytics/planning/monitoring capabilities, but since many of these are, or at least should be, common among multiple types of risk systems, and since stand alone risk-focussed analytics applications are also part of the plethora of offerings out there, instead of discussing these generic features in this and every other article describing a particular focus/type of risk application, we will instead discuss these capabilities in an article dedicated to Risk Analytics and Monitoring near the end of this series.