Category Archives: Compliance

Source-to-Pay+ Part 9: Cyber

In Part 1 we noted that Risk Management went much beyond Supplier Risk, and the primitive Supplier “Risk” Management application that is bundled in many S2P suites. Then, in Part 2, we noted that there are risks in every supply chain entity; with the people and materials used; and with the locales they operate in. In Part 3 we moved onto an overview of Corporate Risk, in Part 4 we took on Third Party Risk (in Part 4A and Part 4B), in Part 5 we laid the foundation for Supply Chain Risk (Generic), in Part 6 we addressed the first major supply chain risk: in-transport, followed by the second major supply chain risk: lack of multi-tier visibility in Part 7. In our last article, Part 8, we discussed the baseline Analytics that should be part of all of the different risk systems we covered in Parts 3 through 7, as well as a control centre.

Today, in Part 9, we move onto Cyber Risks. In today’s hyperconnected SaaS world, nearly half of an organization’s data breaches originate in the cloud (see this recent article by Illumio on Cyber Magazine, for example). So cyber security is important, but not just for your organization — for your entire supply chain.

Note that we are not going to dive deep; there are plenty of security firms that will do that for you. We’re just going to highlight the key points of risk that must be covered in your cyber security plan.

Internal Cyber Risk Monitoring and Prevention System
Risks that must be addressed.

E-mail
Plenty of risks come in through e-mail. The one you are most likely aware of is the fraudulent request for payment: fraudsters posing as fake suppliers, service providers, consultants, or a new employee in a remote office ask you to approve an emergency payment. However, since fraudsters blast these far and wide (it takes less work to create them), the most common fraudulent e-mails are phishing/ransom attempts, where you have to click a link in the e-mail and enter your system login information to “retain access” to your e-mail account (or another system you use). The fraudsters then use the credentials you freely gave them to log in to your systems, lock you out of them, and demand payment to unlock your account.

Your e-mail system needs to do more than identify an external sender. It, or the security plug-in, needs

  1. to verify the originating domain of the e-mail (since most fraudsters can’t mask the domain they send from),
  2. to identify the domain and location of the first intermediate server the message hits (since that can’t be masked unless they’ve hacked that server), and whether it matches the locale of the domain the e-mail purports to come from, and
  3. to identify the domain of each embedded link and the company it belongs to. Fraudsters are great at registering domains that differ by just ONE letter from an actual domain and cloning the contents of the faked site; e.g. chaEse.com vs chase.com. One is your bank; the other will soon be scooped up by a fraudster who will skim account logins for a day during a “maintenance window”, drain the accounts (or at least up to the transfer limits) the next day and wire the money to a foreign account in a jurisdiction with no extradition or banking treaties with the US, empty that account the day after, and then disappear, never to be seen again.
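The three checks above, worked through on a sample message as an added example (this is not code from the original article or from any product it mentions). The message, the relay hostnames and the allow-list of known domains are constructed for the example; geolocation of the first-hop IP needs an external lookup service and is left out, so the example only checks that the first hop sits under the sender’s domain and that link domains are not one-letter lookalikes of a known domain.

```python
"""Triage an inbound e-mail for spoofed sender, suspicious first hop and lookalike links."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list: domains the organization actually deals with.
KNOWN_DOMAINS = {"chase.com", "example-supplier.com"}

# Constructed sample: From: claims chase.com, but the envelope sender, the
# first relay and the login link all sit on the lookalike domain chaese.com.
SAMPLE_EMAIL = """\
Return-Path: <billing@chaese.com>
Received: from mx2.example.org (mx2.example.org [192.0.2.10])
    by mail.example.org with ESMTP; Mon, 01 Jan 2024 10:00:02 +0000
Received: from smtp.chaese.com (unknown [203.0.113.7])
    by mx2.example.org with ESMTP; Mon, 01 Jan 2024 10:00:01 +0000
From: "Chase Billing" <billing@chase.com>
To: ap@example.org
Subject: Urgent: confirm your login before the maintenance window
Content-Type: text/html

<html><body>Please <a href="https://login.chaese.com/verify">confirm</a>
or visit https://chase.com/help for details.</body></html>
"""


def edit_distance(a, b):
    """Levenshtein distance; 1 means a single inserted, deleted or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Domain part of an address header value such as '"Name" <user@host>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def registrable(host):
    """Naive registrable domain (last two labels); fine for the sample, no public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def first_hop(msg):
    """Host and IP of the earliest relay. Relays prepend Received:, so the last one is the first hop."""
    received = msg.get_all("Received") or []
    if not received:
        return (None, None)
    m = re.search(r"from\s+(\S+)\s*(?:\(([^)]*)\))?", received[-1])
    if not m:
        return (None, None)
    ip = re.search(r"\[([\d.]+)\]", m.group(2) or "")
    return (m.group(1), ip.group(1) if ip else None)


def link_domains(msg):
    """Every host name referenced by a URL in the body."""
    body = msg.get_payload(decode=True).decode(errors="replace")
    return sorted({urlparse(u).hostname for u in re.findall(r"https?://[^\s\"'<>]+", body)})


def lookalike(domain):
    """Known domain that this one imitates by one letter, or None if it is known or unrelated."""
    if domain in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        if edit_distance(domain, known) == 1:
            return known
    return None


def triage(raw):
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    rp_domain = domain_of(msg.get("Return-Path", ""))
    host, ip = first_hop(msg)
    links = link_domains(msg)
    findings = []
    if rp_domain and rp_domain != from_domain:          # check 1: envelope vs. header sender
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")
    if host and registrable(host) != from_domain:       # check 2: first relay not under sender's domain
        findings.append(f"first hop {host} ({ip}) is not under {from_domain}")
    for d in links:                                     # check 3: lookalike link domains
        target = lookalike(registrable(d))
        if target:
            findings.append(f"link host {d} imitates {target}")
    return {"from_domain": from_domain, "return_path_domain": rp_domain,
            "first_hop": (host, ip), "link_domains": links, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL)["findings"]:
        print("FLAG:", line)
```

Each finding is a reason to route the message for manual review rather than to deliver it with only an “external sender” banner; in production the allow-list would come from the vendor master and SPF/DKIM/DMARC results would back up the Return-Path comparison.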
Hacking
Hackers will constantly be trying to penetrate your firewalls, the web servers and underlying operating systems of machines in the DMZ, the applications you are running, and the underlying security systems you use for monitoring and detection (these are likely the most secure, especially if you have them maintained and monitored by a professional, big-name IT security firm). You need to be monitoring for unusual activity, (D)DoS attacks, repeated login failures or access abandonments at particular ports or in particular application logs, and so on. You also need a few attractive honeypots that emulate the systems the hackers would most want to access; if you don’t understand this, or why, talk to your security guru.
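The “repeated login failures in a particular application log” detection from the paragraph above, as an added example (not from the original article): a small parser over sshd-style lines, a sliding-window count of failures per source address, and a second signal for a successful login from a source that just produced a burst of failures. The log lines and thresholds are constructed for the example.

```python
"""Flag sources with a burst of failed logins, and successes that follow such a burst."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>\S+): (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)$"
)

# Constructed sample log: a six-attempt burst followed by a success from
# 198.51.100.5, one ordinary typo from 192.0.2.44, and two failures half an
# hour apart from 203.0.113.9 (below any sensible threshold).
SAMPLE_LOG = """\
2024-01-01T10:00:01Z sshd[812]: Failed password for admin from 198.51.100.5 port 22
2024-01-01T10:00:04Z sshd[812]: Failed password for root from 198.51.100.5 port 22
2024-01-01T10:00:09Z sshd[812]: Failed password for admin from 198.51.100.5 port 22
2024-01-01T10:00:15Z sshd[812]: Failed password for test from 198.51.100.5 port 22
2024-01-01T10:00:22Z sshd[812]: Failed password for admin from 198.51.100.5 port 22
2024-01-01T10:00:30Z sshd[812]: Failed password for admin from 198.51.100.5 port 22
2024-01-01T10:01:02Z sshd[812]: Accepted password for admin from 198.51.100.5 port 22
2024-01-01T10:05:00Z sshd[813]: Failed password for bob from 192.0.2.44 port 22
2024-01-01T10:05:07Z sshd[813]: Accepted password for bob from 192.0.2.44 port 22
2024-01-01T10:10:00Z sshd[814]: Failed password for alice from 203.0.113.9 port 22
2024-01-01T10:40:00Z sshd[814]: Failed password for alice from 203.0.113.9 port 22
2024-01-01T10:41:00Z sshd[814]: Invalid user guest from 203.0.113.9 port 22
"""


def parse(lines):
    """Yield one event dict per line that matches LOG_RE; other lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def failure_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Map source address -> largest number of failures seen inside any `window`,
    for sources where that number reaches `threshold`."""
    by_src = defaultdict(list)
    for ev in parse(lines):
        if ev["result"] == "Failed":
            by_src[ev["src"]].append(ev["ts"])
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[src] = best
    return bursts


def success_after_burst(lines, **kw):
    """Sources that logged in successfully after starting a burst of failures:
    the pattern of a guessed or stolen credential being used."""
    bursts = failure_bursts(lines, **kw)
    first_fail, hits = {}, set()
    for ev in parse(lines):
        if ev["src"] not in bursts:
            continue
        if ev["result"] == "Failed":
            first_fail.setdefault(ev["src"], ev["ts"])
        elif ev["src"] in first_fail and ev["ts"] > first_fail[ev["src"]]:
            hits.add(ev["src"])
    return sorted(hits)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("bursts:", failure_bursts(lines))
    print("success after burst:", success_after_burst(lines))
```

The window and threshold are the tunables: too tight and a distributed attacker stays under them, too loose and ordinary typos page the on-call engineer. The second function is the higher-value alert, because a success right after a burst is rarely benign and is where account lockout and a forced password reset should kick in.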
Ransomware
Hackers want to access your systems for two reasons: to steal money and IP, or (if they can’t find any IP worth stealing and you don’t use any finance systems capable of authorizing payments) to lock you out of them so you will pay to get back in. You need to be very careful to detect not only hacking attempts but also the installation of new software that is unrecognized or not authorized by security. Otherwise you could be totally stuck with no choice but to pay the ransom, even if you do complete, incremental, daily backups across all systems, because smart hackers will install the ransomware, let it sit for a few weeks or so, and then activate it when you can’t roll back to a backup without losing weeks or months of data. You would have to roll back to just before the ransomware was installed, since the majority of backup systems cannot identify the actual file changes, and there is no way to do a restore without also restoring the ransomware once it was discreetly installed.
Infected Websites
Your users love to surf, surf, surf the web and go where the hidden links take them. You can’t expect that they will all keep their browsers and the underlying OS up to date and, simply put, not be careless. You need to enforce security software on their machines, and check that it is present and up to date, before a machine accesses your network, because if a user visits the right infected website (from a fraudster’s point of view), it can be an instant hack and/or a backdoor for the automatic installation of ransomware on their machine and/or your network.

External Cyber Risk Monitoring and Prevention System
Risks that must be addressed.

Compromised Supplier Site
If a supplier site or system is compromised, and you engage with that system in any way, then your system could be compromised. You need a system that monitors for supplier system/site/cloud risks as well as (known) supplier breaches.
Compromised Data
All of your systems run off of data, and compromised data is the easiest way to compromise a system. If an e-mail gets intercepted and altered in transit by a man-in-the-middle attack and the hacker changes the bank account information, you’re paying a fraudster and not the supplier. If the third-party risk metrics are adjusted, your system can be tricked into diverting all business to a single new supplier which, while a legal entity, was set up by its founder to take your money and run. And so on.
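A control for the altered-bank-details case in the Compromised Data item above, as an added example (not from the original article): every remittance request is compared to the vendor master, the sender’s domain is compared to the vendor’s registered domain, and the IBAN is checked with the ISO 13616 mod-97 checksum so that a mistyped or made-up account is caught as well. Any issue puts the request on HOLD for out-of-band verification with a contact already on file. The vendor master, the requests and the domains are constructed; the IBANs are the published example values.

```python
"""Hold payment requests whose bank details, sender or IBAN do not check out."""
import re

# Constructed vendor master: what accounts payable already knows about the supplier.
VENDOR_MASTER = {
    "V-1001": {"name": "Acme Components", "iban": "DE89370400440532013000",
               "domain": "acme-components.example"},
}

# Constructed requests: 1) unchanged; 2) new account from a lookalike sender domain;
# 3) new account whose IBAN fails its checksum; 4) vendor id not in the master.
REQUESTS = [
    {"vendor_id": "V-1001", "iban": "DE89 3704 0044 0532 0130 00",
     "from_email": "ap@acme-components.example"},
    {"vendor_id": "V-1001", "iban": "GB82WEST12345698765432",
     "from_email": "billing@acme-cornponents.example"},
    {"vendor_id": "V-1001", "iban": "DE00370400440532013000",
     "from_email": "ap@acme-components.example"},
    {"vendor_id": "V-9999", "iban": "DE89370400440532013000",
     "from_email": "ap@newco.example"},
]


def normalize_iban(iban):
    return iban.replace(" ", "").upper()


def iban_valid(iban):
    """ISO 13616 check: move the first four characters to the end, map letters to
    10..35, and the resulting integer must leave remainder 1 modulo 97."""
    s = normalize_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def verify_remittance(req, master):
    """Return the issues found for one request and an OK/HOLD decision."""
    issues = []
    vendor = master.get(req["vendor_id"])
    if vendor is None:
        issues.append("unknown vendor id")
    else:
        if normalize_iban(req["iban"]) != normalize_iban(vendor["iban"]):
            issues.append("bank details differ from vendor master")
        sender_domain = req["from_email"].rpartition("@")[2].lower()
        if sender_domain != vendor["domain"]:
            issues.append(f"sender domain {sender_domain} is not the vendor's registered domain")
    if not iban_valid(req["iban"]):
        issues.append("IBAN fails checksum")
    return {"vendor_id": req["vendor_id"], "issues": issues,
            "decision": "HOLD" if issues else "OK"}


if __name__ == "__main__":
    for req in REQUESTS:
        r = verify_remittance(req, VENDOR_MASTER)
        print(r["vendor_id"], r["decision"], "; ".join(r["issues"]))
```

The point of the HOLD is not to reject the request but to force the verification step the article calls for: a phone call to the number already in the vendor master, never to a number in the e-mail that asked for the change.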
Compromised Identities
Identity theft is on the rise, and it’s often the easiest way for a fraudster to get funds from a business. You need to track all known cases of identity theft associated with all individuals associated with all businesses associated with your business, as you will need to do extra verification on requests from those individuals.
Web-Based Vulnerabilities
You need to be aware of where the biggest web-based vulnerabilities are in your suppliers and partners, make sure your suppliers and partners monitor and address them, and make sure you lock down your security to the max when you have to interact with their systems that are classified as high risk for vulnerability.

And more. There’s a lot of risk in cyberspace thanks to the fact that the information and financial worlds have merged, and your organization needs to be on top of it. Identify appropriate providers, or you will need very good luck to not fall victim to a significant cyber-based threat.

Visibility into Vizibl, The Collaboration Platform for True Supplier Innovation

It’s been a decade in the making, especially since it took years for Vizibl (founded in 2013) to find its focus, but what was once yet another SRM (Supplier Relationship Management) platform is now a truly leading Supplier Collaboration, Innovation, and Transformation platform.

Starting out with the vision of a better SRM, it took a while for Vizibl to find its niche and double down on it. In fact, it took years of working with clients with highly specific (customization/process) needs for them to realize that they were good at developing for and supporting specific, sometimes, complex processes and years more for them to sit back and identify the commonality, design standard project and service layers, and bring them to market. But they did, and they have, and we will discuss the first major project/service layer they are bringing to market later in this article.

The Vizibl platform has seven main components:

  • Supplier Information Management Foundation
  • Supplier Collaboration Workspace
  • Supplier Innovation Hub
  • Supplier Relationship Management Module
  • Dashboards, Analytics, and Reporting
  • Program Layer: (Foundation for) Specific Development/Improvement Programs that Cross-Cut the Entire Platform
    (built on a virtual platform integration layer)
  • Supplier Sustainability Management

1. The Supplier Information Management Foundation is what you would expect from a leading SRM platform — it can track all of the core data and meta data you would expect on a supplier and can be extended as needed to track all of the data you require across all areas of supplier information, products, risks, compliance requirements, performance requirements, contracts, projects, initiatives, and activities you wish to manage.

Supplier Onboarding is straightforward, as it’s quick and simple to create a new company record to begin the process, with only minimal data needed. New suppliers can be onboarded as standalone companies, children of an existing company, or related entities. The platform can maintain complex supplier tree relationships, and the tree can be visualized along with a roll-up of relevant metrics, project counts, and appropriate relationship data.

2. The Supplier Collaboration workspace is where the buyer can communicate with the supplier, spin off action plans and initiatives, store ideas and plans, pull in and push out data as needed, and put thought into action.

3. The Supplier Innovation Hub is where the core of the magic happens. This is where challenges can be issued, goals set, and projects planned. It’s where projects are defined to increase supplier performance, improve product designs or manufacturing, increase sustainability, or decrease CO2/GHG emissions.

Projects have activities (or tasks), roadmaps that link them together, objectives (outcomes), value tracking metrics, integrated communications, and teams.

4. The Supplier Relationship Management Module is the glue that holds it all together. In addition to integrating all of the pieces, it also supports the creation of basic supplier action/account plans, the definition of strategic objectives, and integrated overview dashboards. It also allows for the definition of supplier teams (that it calls circles) that represent the different teams the organization will be working with, the management teams, and boards of relevance.

5. The Dashboards, Analytics, and Reporting capability is used to summarize and display the various types of data, metrics, and indicators tracked by the platform. These dashboards can not only roll up metrics across the platform, but can also roll up metrics in, and across, projects by stage, as well as break them down by region or supplier tree.

6. The Supplier Sustainability Management module is one of their latest modules focussed on tracking and managing an organization’s sustainability initiatives. It can track all of the emissions for each supplier, those that are reporting, the associated spend, and any other GHG data of relevance to the organization. It can also track all of the data associated with ESG surveys requested by the organization, which can be custom created and as broad or deep as required.

7A. The Program Layer is the toolkit that they use to build custom cross-platform program management capability that allows an organization to tackle new, and possibly exciting, initiatives that can transform their operations, product, and / or supply chains. Programs consist of suppliers, goals and targets, indicator metrics, associated data and reporting, summary dashboards, and scores.

7B. Decarbonization as a Service is the first offering from Vizibl built on the program layer. It integrates all of the platform capabilities to track scope 3 carbon across the supply chain by extending the sustainability management module to focus on the import and calculation of carbon emissions by supplier over time, as well as best practices and learnings that can be shared with a supplier to help it reduce its emissions through leaner production, cleaner energy sources, new production processes, etc.

When it comes to the administration of the Vizibl platform, an administrator can configure more or less everything. First of all, they can configure the organizational tree as needed to match their organizational structure, include subsidiaries, and use a variable number of levels for each organizational branch. So, the organization can have the global holding company; American, European and Asian holding company subsidiaries; individual (holding) companies for each country it operates in; and, if necessary, a breakdown into individual locations or divisions for management purposes. You can have five levels in Asia, four levels in Europe, and three levels in the Americas if that’s what’s necessary to exactly match the organizational structure. And of course, each company node in the organizational tree can have its own unique settings, inheriting from the node above anything that does not need to be changed.

Similarly, because a company is a company in the system, full supplier organizational structures can also be modelled according to their company structure and modelled down to the individual (factory) location. This is particularly important since a diversity initiative may be global but improvement efforts might be restricted to one factory producing one particularly unique component for one product line.

Then, the organization can configure, for that company:

Account Plans
for each supplier, the company can define the strategic objectives, guiding principles, and target behaviours; these can be defined from scratch or added from a common library
Data Imports
to define regular / repeating file-based imports
Initiatives & Opportunities
the overarching initiatives and/or opportunities being sought, the plans and project stages, questionnaires, suppliers, etc.; the form builder is section based, supports all standard HTML objects, and all of the (numeric) data collected can be subjected to metrics and rules (to map to binary/integer) which can be defined on multiple choices
Performance
allows a user to define the performance metrics / KPIs, organized into categories, that are to be tracked, define what levels they are tracked at / rolled up to, and even customize the metric calculation in individual nodes
Permissions
define the user permissions (by role)
Projects
centralizes the organizational projects
Relationships
define the supplier relationships by mapping the supplier to the specific nodes in the organizational structure where the relationship exists as well as the segment (division/category) they are servicing
Reports
define and customize the reports
Statuses
define the project states for initiatives and opportunities, rejections, suppliers, etc. as needed to match the organizational process; can start with defaults
Surveys
encapsulates all of the surveys that can be reused across initiatives and opportunities
Tags
custom tags for tagging initiatives, opportunities, suppliers, etc. for quick search & filter
User Management
define the organizational users
Value Trackers
defines, and centralizes, the metrics that will be used in the innovations, opportunities, and performance tracking

In summary, the administration is very powerful … in fact, it’s one of the few solutions where the organizational structure for all companies (buying and supplying organizations) is extensively customizable, where initiatives can be tailored to the subset of relevant relationships and locations, where the inheritance for an initiative can be customized, and where you fully customize and localize all supplier interactions to just the organizations and teams that you need.

This is the first aspect of Vizibl that truly makes it stand out. The degree of customization of initiatives only to the relationships of relevance, teams of relevance, with metrics of relevance is far beyond what most of the traditional “Relationship” solutions actually offer.

The second aspect of Vizibl that makes it stand out is the new program layer they’ve built to support the creation of programs that tie together all of the relevant SXM capabilities needed to completely manage an organizational initiative across the supply base. In many platforms, the organization needs to manage the surveys, performance metrics, reports, projects, collaborations separately across the different modules of the platform that were built up over time.

The third aspect of Vizibl that makes it stand out is the new Decarbonization-as-a-Service offering built on this program layer that integrates all of the platform capabilities to track carbon down to scope 3 across the supply chain, provide insight into best practices and learnings to reduce emissions, allow for the creation of projects and initiatives to tackle the opportunities, track improvement over time, and essentially turn measurement into action into improvement. Carbon calculators are a dime a dozen from everyone and their dog, and can be built in 15 minutes in any good modern (spend) analytics platform, but few platforms do real monitoring, few platforms allow for the creation of supplier development projects, and fewer still provide real insight into what can be done to get results.

In other words, if you really care about the “R” in Supplier Relationship Management, and truly want to manage that relationship for true supplier development and improvement, you should definitely make sure Vizibl is on your short-list.

It’s Not Just Beds Burning Anymore, it’s the Planet. What Impact Are Your Efforts To Stop it Having?

Four decades ago, sustainability was only a concern for the environmental extremists because, thanks to industrialization and burgeoning globalization, we had other disasters to deal with (hunger in Africa, aboriginals being forced from their land [sometimes with fire], the global AIDS epidemic, etc. — see Billy Joel’s We Didn’t Start the Fire, which took us through 1989 [the year, not the 2014 Taylor Swift release], and the doctor chronicled the next 20 years here in an unofficial Part II). And even though we still have all these disasters, and many more, the planet is in upheaval with every type of natural disaster occurring everywhere all the time. In fact, climate-related disasters have tripled in a mere 7 years. 7 years! We’ve gone from disasters increasing over the span of thousands of years during natural planetary cycles to disasters increasing in the span of mere years due to global warming, thanks to the rapid increase in carbon and GHG emissions as a result of 150+ years of industrialization and rapid deforestation and wetland destruction. (Forests and wetlands have historically acted as carbon sinks for all of the carbon released by life, its historically primitive actions, and traditional disasters that resulted in the destruction of forests [and when trees die or get burned, all the carbon they captured is released].)

Now it’s true that, on average, even the largest of corporations on its own could only make a small dent when the depth of the problem is considered, but if even ten of the largest corporations in an industry teamed up, they could make quite an impact. (And if the largest retailers teamed up, think Amazon and Walmart and Target, and insisted on a maximum carbon footprint per product — think of the impact that would make.)

For details on the impact that can be made today, you should download the new Ecovadis Network Impact Report, 3rd Ed. which points out that Industry-level collaboration is one of the best levers available to companies looking to build more sustainable value chains and scale their positive impact. EcoVadis Sector Initiatives (SIs) are a highly effective vehicle for this. Six initiatives spanning a diverse range of sectors — from chemical manufacturing to health — are using the EcoVadis solution to share best practices and collectively address sector-specific challenges across their often highly interconnected supply chains. Our data shows that participation in an SI helps buyers improve their supplier engagement and enables rated companies to improve faster than their network peers.

More specifically, companies engaged in a Sector Initiative outperform the [Ecovadis] network average by 5.3 points — not only do companies that try do better than those that don’t, but companies that work with peers on the right objectives do better still.

But this is only one reason you should read the latest Ecovadis Network Impact Report, 3rd Ed. Another reason is that, if you don’t, you won’t see how Ecovadis, which in 2022 officially became a “purpose-driven” company under French law, has continued to grow at a rapid rate and how it is starting to make a global impact. When your customers represent 4.8 Trillion in global spend, you are starting to get somewhere. That’s 4.5% of GDP, and if Ecovadis could grow 30% year-over-year for nine years, that 4.5% could become 49%, close to the tipping point where we’d finally start making significant progress. (Which means if we can survive until 2032, we could start making real progress on sustainability and environmental stabilization. Not as fast as we need to, as parts of the planet will literally start burning by then, but Ecovadis and its peers may still save some of us.)

And, even if you don’t think Ecovadis is the answer for you (even though 945 organizations do and the number increases every year), the report will still educate you on the five key pillars of a sustainable procurement platform. And once you understand those pillars, you can assess, monitor, improve, report, and continue the wheel.

CSR, Procurement and North America: Creating a Market

In our previous article, we asked if you could solve the modern compliance challenge, and, more specifically, if you could do it with Ecovadis. This is because compliance has morphed over the past few years from ensuring you weren’t doing any illegal trading and simply satisfying the tax man (and import/export compliance is essentially just respecting the legality of the country you are trading with and satisfying its tax man), to having to comply with a lot of regulations around financial reporting and global trade, to having to respect the environment (pretty much everywhere but the US, with the exception of California), to having to take corporate social responsibility for the organization’s entire supply chain and ensure there is no violation of workers’ rights, child labour, or human trafficking — or face the consequences, which can include not only bad press (at internet speed) and large fines but, in some countries, criminal charges against the officers of the corporation.

We also noted that solving the compliance challenge was tough because you needed environmental data, sustainability data, social compliance data, and even third party audits on your suppliers, and sources of this data (outside of internal surveys that were unverifiable without site audits) were few and far between. The few players with even remotely recognizable names that exist are in Europe, and Ecovadis is the largest. As a result, it likely has the best shot at championing a market in North America, especially with its increasing partner footprint, supplier database (with over 55K assessed companies), and global reach (as they cover suppliers across 155 countries).

But Ecovadis is not a household brand in North America. To become one, it really must drive material commercial traction outside of the EU and, most important, prove that the market for CSR ratings and compliance in North America is as central to supplier management as other supplier management initiatives (e.g., risk, EHS, etc.) to truly “go global”.

The case for an Ecovadis model is sound. Most major procurement departments at US F500s and larger mid-size companies are still focussed on cost-cutting. And using Ecovadis to get the sustainability data the organization needs is roughly 20% of the cost of trying to do it in house.

Further:

  • Organizations that are embarking upon more strategic category management want deep supplier information before selecting potential strategic suppliers and the response rate to Ecovadis-initiated assessments is 90%
  • The average organization will struggle with a 70% response rate in such initiatives, especially when you consider the average supplier turn-over (as identified in a recent QIMA survey) is 27%
  • Once a supplier is in the Ecovadis network, the chances that their overall CSR rating will improve on their next (annual) assessment is 64%
  • For an average company, unless they initiate a supplier development program and work with the supplier, the chances the supplier will otherwise improve on their own is, as we all know, closer to 6.4% than 64%

Less money. Better results. You’d think it would be an instant buy, but it’s not. So why? Is it because it’s European?

Not necessarily — Jaggaer One+ and Jaggaer One Direct from Jaggaer, which is one of the S2P juggernauts, have good NA penetration, and those solutions (formerly BravoSolution and Pool4Tool) are European.

So that’s not it.

Is it because the space is new or unproven? Can’t be. Ecovadis has been around for 12 years and Sedex Global for 18. Plus, there are a number of other players in the space. Is it because the solution is not user friendly? No — it’s delivered via a simple SaaS platform and they even have public quotes from F500s to that effect. So what’s the problem?

North American companies.

First of all, with apologies to Spike Lee, many will “only do the right thing” when they are forced, and then only to the extent necessary (although this may be changing).

Second, they’d rather profit today than save tomorrow (even if the long term savings would be multiples of the short term profit gains). This means that for them to invest in a solution, they want to see a large, immediate, sometimes unreasonable ROI.

Third, they tend to only act when they’re scared (e.g., losing budget if they have extra).

This means that, unless something changes, for Ecovadis to create a true market in North America with a similar reasonable TAM for say, the compliance management side of supplier / contractor management, it will need to lead with evangelism and, perhaps, more.

All things are possible. But as Vincent Ngo speculated decades ago, it takes a superhero to change the mind of the corporate culture. Can Ecovadis be that superhero?

For the sake of procurement and a better world, we hope that they’ll do it — or someone else.

For more information on Ecovadis, check out Spend Matters’ recent post on Catching Up on a Provider to Know (which also includes links to a deep 3-Part Vendor snap-shot co-written by the doctor and the maverick).

Can You Solve the Modern Compliance Challenge? Can Ecovadis?

Compliance used to be easy. Collect the tax information. Make sure the other party is not on a denied party list. Don’t buy or sell a restricted material without the right permits and don’t buy or sell a banned substance. Done.

But then came globalization. Now you had to collect information for import / export requirements. Satisfy a new slew of tax regulations. Comply with additional inspection and security requirements. Track all of the restricted substances, denied materials, and denied parties of another country. And then as supply chains lengthened and ships made multiple port stops, multiply these requirements.

And that was manageable, but then came a new round of financial regulations, like SOX, in the wake of corporate meltdowns (like Enron), which made compliance more cumbersome. And that was somewhat doable. But with the global penetration of the internet, news spread faster and faster, and the unsafe and sometimes inhumane working conditions that outsourced providers were comfortable with made the news regularly, as did the dangers of poor “recycling” efforts which saw almost toxic waste dumped en masse on ill-equipped “recycling” centers, and the use of slave/child labour where it was not known before.

As a result, ethical countries started implementing laws on environmental protection, dangerous substances, especially around recycling and disposal, ethical and safe working conditions in the supply chain, and even anti-trafficking and anti-slavery laws — all of which the last link in the chain, the end buying organization, was responsible for.
This makes compliance a bit trickier. There’s lots of data on financial performance and financial risk, certifications, import/export, and even public sector performance data, but when it comes to corporate social responsibility — environmental compliance, workers’ rights, anti-trafficking, and so on – where do you get that data? Not D&B. Not BvD.

This is where a new generation CSR player comes into play – one that tracks environmental data, sustainability data, social compliance data, and third party audits. But there aren’t many players here yet, and Ecovadis is the largest. But will they be able to take their European success and globalize? While there are a few other players in Europe (Sedex Global, FLO-CERT, e-Atestations, etc.), there are few, if any in North America.

Ecovadis likely has the best shot, especially with their ever-increasing partner footprint, but they need to be the first to scale and win over the hearts (and wallets) of global procurement organizations, especially those in North America, which generally are not as advanced around CSR tracking compared with their European counterparts. The road ahead will be interesting to watch.