Supply Chain risks are on the rise, as are disruptive events, and an event anywhere in your supply chain, even four levels down, can bring your operations to a halt if you can’t detect it, respond quickly, and take active mitigations. To this end, as chronicled in Part X of our Source-to-Pay+ Series that discussed Supply Chain Risk, a number of vendors have cropped up in the last few years around Supply Chain risks, but not all players are equal.
One of the first of the new breed of integrated supplier and supply chain risk players, and one of the most differentiated, is Interos. Interos was founded in 2005 by Jennifer Bisceglie as a consultancy focussed on helping organizations map out, understand, and get a handle on supply chain risk. Jennifer realized near the end of last decade that, with supply chains becoming so long, so complex, and so interconnected across the digital, financial, and physical realms, that technology would be needed to support organizations in this effort.
The core team knew that in order to do this, they’d need a completely new type of technology, so they sought out a new team to build one of the first outside-in business relationship graphs using trade data, third-party data sources and artifacts (such as ownership data, executive data, etc.), and even press releases. Then, on top of this relationship data, they’d need to layer risk data to help an organization identify risks in the supply chain. This would involve capturing risk events as well in order to help them understand which clients may need to be notified and/or use the Interos platform to gauge the extent that a risk event may impact them. So that’s what they built — at a global scale.
Interos has built a business relationship (knowledge) graph that connects 11 Billion relationships across 410 Million companies. These companies are then risk scored against 230+ attributes across six (6) different categories of risk: Finance, Geo-political, Restrictions/Sanctions, ESG, Cyber, and Catastrophic, depending on the extent of information available. At a minimum, they track country/industry level risks and will use that when there is insufficient data to assess the specific company risk against a specific attribute. Based on the assessment of each risk, Interos will compute an overall i-ScoreTM from 1 to 999, with lower scores being higher risk. It will then scan your entire network, from sink to source, and identify all high risk suppliers for you.
The Interos Resilience platform, which processes tens of thousands of sources and over 3 Terrabytes of raw data daily, constantly monitors for new relationships, information, and (related) events that could pose a change in an entity’s risk status, as well as indicate the presence of a (potentially) catastrophic event, including a natural disaster or a cyber-attack. For each of the six risk domains, the platform scans for a number of factors, sub-factors, and individual attributes. We’ll cover the primary factors in this post, and if you have a particular area of interest, you can always drill in during a demo or discussion with Interos.
With respect to Finance, the platform looks for the following:
- Liquidity: Cash, Working Capital
- Solvency: Assets, Capital Efficiency, Credit Rating, Debt Coverage, & Leverage
- Profitability, Debt Coverage, & Valuation
With respect to Geo-Politcal risk, the platform looks at the following:
- Political Instability
- State Capacity
- Political Process
- Economic Rights
- Socio-Economic Development
With respect to Restrictions/Sanctions, the platform looks at the following:
- Sanctions (USA, UK, EU, etc.)
- Associated Sanctioned Individuals
- Import/Export Embargos
- Associated Regulations
With respect to ESG, the platform looks at the following:
- Environmental Performance
- Social Commitment
- Governance Strategy
With respect to Cyber, the platform looks at the following:
- System Attacks (compromised accounts, cyber-attacks, data spills, etc.)
- System Vulnerabilities
- Supply Chain Cyber Events
- Cyber Compliance
- Cyber Threat Activity
With respect to Catastrophic risk, the platform looks at the following:
- Localized Natural Hazard and Disaster Risk
- Communication Capacity
- Healthcare Capacity
- Infrastructure Capacity
- Burden of Disease Risk
Based on all of this, the platform is very useful for companies that need to perform
- Supplier due diligence
- Continuous related party monitoring
- Real-time catastrophic event detection
Interos is one of the most complete supply chain risk intelligence platforms for supplier due diligence. The ability to quickly screen a supplier on six highly relevant domains can give an organization confidence that the organization understands the risk profile of a supplier before onboarding it, which is not something you can get from a traditional credit score or an empty search on sanction lists.
Interos is one of the few platforms that can be counted on for continuous related party monitoring as it processes over 3 TB (Terrabytes) of data a day, constantly updates risk scores and related events for affected entities in the system, and can propagate updates through the business relationship graph in real time.
Interos is also one of the few platforms that can be used to do real-time catastrophic event detection where the event is not limited to a single event type, as the platform monitors for natural disasters, man-made disasters, bankruptcies, and cyber incidents — some of which Interos can detect before anything is reported due to a change in organizational behaviour — and it can immediately propagate news of events or risks to one of the 410M+ business entities it tracks to all impacted clients who can use their relationship explorer to identify all the links it has to the company.
For example, if there’s a fire in a raw material or component factory (which seems to happen in one of the few major RAM suppliers every decade — just do a few historical Google Searches if you don’t believe me) two (or three) tiers down the chain under your tier 1 supplier, you can immediately map out all of your tier 1 suppliers that trace down to that factory and make sure they have enough stock on hand to continue producing your products until you expect that factory to come back online (by either instructing them to immediately secure additional stock on your behalf or doing so for them) well before your competition realizes there’s going to be a disruption a week down the road when the plant is announced shut down and it finally trickles down to local news half a world away.
The platform monitors and tracks natural disasters globally down to a gird of 10 km squares, as well as potential paths of storms, waves, and fires, and can thus immediately identify each business entity that is likely to have been impacted as well as each business entity that is likely to be impacted if a natural disaster (such as a storm) continues its course. Thus, if a tsunami hits the coast of Japan, it can allow an organization’s incident response teams to immediately identify just those organizations in Japan in the area the wave hit and allow it to focus its efforts on just those suppliers, vs. having to reach out to and assess every supplier in Japan, of which it may have hundreds if it is in electronics when only ten were in the immediate area. The time savings alone is incalculable. (And, of course, if an earthquake hit a province in China, it would take an army of consultants months to figure out precisely what suppliers were close enough to the fault line to likely have suffered [significant] damage vs those far enough away to only feel minor shaking whereas the Interos platform will calculate all of this in just a few minutes.)
However, one of the most unique risk monitoring capabilities lies in its proprietary digital behavioural modelling that can often detect when an organization has experienced a potential cyber-attack, breach, or data theft and alert customers to that potential cyber-incursion days, or weeks, before the organization announces a breach and/or it makes the news. Using the business relationship graph, this immediately allows an organization to determine every first-tier supplier that relies on that organization. The organization then has to determine if any of those suppliers has access to the organization’s financial account information, personnel data, or confidential intellectual property. Those tier 1 suppliers that do need to be immediately approached and asked if any of that data was shared with, or accessible by, the sub-tier supplier that was breached, or affected by. If so, the organization can immediately start taking mitigation actions before they themselves are the target of a cyber attack.
The platform is very easy to use. When a user logs in, they see a summary of their full supply base and multiple sub-tier relationships (which for a multi-national with tens of thousands [10k+] of tier 1 suppliers can be hundreds of thousands of tier-3 suppliers). The user can see the number of suppliers by tier who are high risk, medium risk, low risk, and, possibly, unknown (as it’s a brand new supplier where there is little to no information on that supplier). Note that the number of “unknown” suppliers will typically be really small, and for most truly global companies with 500K global suppliers in their extended supply chain, the unknown will be significantly less than 5K (usually 0.5% or less).
(Note: If more than 1% of your extended supply chain falls into high risk, you have some serious problems. In a good supply chain, the vast majority of suppliers should be low risk (> 95%) with a small percentage medium risk, preferably no high risk, and preferably no unknown.)
You also see a breakdown of risk by
- each of the six (6) risk domains, which lets you see if there is a particular risk concentration,
- average risk by groups of interest (which could be country, product line based, strategic suppliers, etc.),
- a summary of natural hazards and disasters currently being tracked, both visually and textually (which shows the number of potential tier 1, 2, 3+ suppliers that are potentially impacted)
- a visual summary of the most relevant current events being reported on (with links to full articles in third party sources), and
- a quick link to the relationship explorer tool that will let you find all of your connections to an entity of interest
When you select a category of high-risk suppliers (overall or by category), it will bring up a list of companies with their individual i-Scores that you can select to to bring up their complete risk scorecard (if you have unlocked their scorecard; depending on your subscription level, you have so many credits that allows you to unlock that many scorecards; you can buy more if you need, but most since most companies don’t need to evaluate more than a small percentage of tier 2+ suppliers, their packages are usually sufficient). The scorecard summary will summarize the score in each of the six areas, and will allow you to drill down into the factors, sub-factors, and individual attributes that are known and scored (and contribute to the overall score), which include those discussed above.
The scorecard will also summarize company corporate data (industry registrations and codes, locations, etc.), its tier 2 and tier 3 relationships and risks, which can be filtered to all known relationships (in your extended supply chain), as well as all events (and related sources) that have been detected that are relevant to that supplier entity. If a risk score is low (or suddenly drops), you will have access to all of the data that contributed to that score to make your own judgement (and jump-start your investigation).
The platform also has a geographic view of natural disasters that is interactive and allows a user to drill into a region, filter on natural disaster type (earthquake, tropical storm, volcanic eruption, etc.), and even project a few days in the future (if the disaster is a tropical storm, cyclone, tsunami, etc. and there is forecast data available from Interos‘ 3rd party, or public, sources). In addition, it can be used to look at historical natural disaster and weather event data, which goes back between 50 and 200 years, depending on how much historical data is available for the region, as well as the risk of each natural disaster type (wildfire, drought, earthquake, flood, etc.) in the region base on all of this historical data.
And the relationship explorer is likely the most useful part of the platform because, if a risk event is detected, such as a natural disaster or a cyber breach, you can instantly trace all of your active relationships to that company, and immediately start the process to determine if these tier 1 (and tier 2) suppliers will be impacted, and, if so, the degree to which you’ll be impacted. Not only will you know about an event days, or weeks, sooner than you would know without this platform (and by then it may have been too late to find an alternate source of supply or protect your data), but you can limit your discovery and mitigation efforts only to suppliers that might be affected, versus doing massive surveys and reach-outs (that can take days or weeks) to find out who might be impacted in the first place.
Interos is a one of the most powerful, and complete, risk intelligence platforms out there and one that should definitely be on your shortlist if you’re looking to get 360-degree visibility into your supplier, and supply chain, risk.