Category Archives: Risk Management

MeRLIN Sourcing, A Platform With a Twist …

INTRODUCTION

When their founders were young men
they paced the fact’ry floors
from Vellore down to Chennai
they must have walked ’em all
cause they learned all of the problems
that plagued the Procurement side.
Those listen, look, and learn guys
sure made a lean platform.

The founders of MeRLIN, who started Rheinbrucke Consulting in 2013, started developing a stand-alone application for direct source-to-contract (and, for those who need it, source-to-pay) in 2018 using their decades of experience supporting direct manufacturing clients. MeRLIN was then first released to the market in 2022, after ensuring it actually solved the problems they were seeing and met the needs of the companies they were working with.

(While some companies might take it as a badge of honour to get a “minimally viable product” to market in a year, the reality is that when it comes to manufacturing enterprises, nothing you can develop in a year will actually solve more than a fraction of their problems, and unless what you deliver can integrate tightly into their existing enterprise software landscape, it won’t be adopted, or even bought. That’s why there are so many offerings in indirect [many of whom will succumb to the marketplace madness] and so few that offer true direct sourcing solutions, and fewer still that offer fully integrated source-to-contract / source-to-pay suites.)

PLATFORM SUMMARY

MeRLIN, which bills itself as a Source-to-Contract platform for Direct Material (primarily Discrete Manufacturing) Sourcing, is actually a Source-to-Pay platform where the Procure-to-Pay platform capabilities are baseline (and wouldn’t go head-to-head with best-in-class) and designed for the mid-market (and large enterprise) clients that don’t have a Procurement solution in place already (either through the ERP, AP, or a third party system). Since most larger enterprises have some form of decent P2P, MeRLIN decided to focus primarily on the critically underserved strategic sourcing marketplace in discrete manufacturing and direct sourcing and the capabilities all of the companies the founders worked with in manufacturing were universally missing.

MeRLIN was designed as a modular solution where

  • a client could license just the modules they wanted/needed,
  • common modules, and capabilities, were broken out into their own modules so there was no duplication of functionality, and
  • key modules could be augmented with additional value-added functionality not typically found in average products.

MeRLIN has all the standard modules you’d expect in a Source-to-Contract:

  • (Program &) BoM Management (Requirement for any Direct Solution)
  • Requisition Management (Intake)
  • Sourcing (Event) Management (Sourcing)
  • Supplier Management (SXM)
  • Contract Management & Contract Authoring (CLM)
  • Reports & Dashboard (Reporting & Analytics)

As well as basics for Procure-to-Pay:

  • Purchase Order Management
  • Invoice & Payment Management

But also has modules for:

  • Demand Management (Consolidation of Requirements from Requisitions, Manufacturing Programs, and MRPs)
  • Category Management (Part/BoM grouping & management)
  • Supply Chain Compliance (GSCA / LkSG)
  • Supply Management (Document & Shipment Management)

and the standard suite foundational modules of:

  • Master Data Management
  • Business Administration
  • Security Management
  • System Management

And even modules for:

  • Strategic Project Management (Project Management/Orchestration)
  • Finance Management (Budgets, Prices)

We’re not going to discuss all the modules and instead focus in on just the core Source-to-Contract modules, as they are the modules that are critical to direct sourcing and the modules that will allow you to understand the value, and potential, MeRLIN has for you.

Supplier Management

Supplier Management is designed to onboard, evaluate, approve, and manage suppliers, including their contacts, surveys, ratings, and documents. Qualification starts with a simple request based on supplier name, country, email, and unique (DUNS) identifier. Based on the supplier category, the next step will be to send the suppliers the qualification surveys and pull in the external risk information, send it to technical and risk reviewers, and if that passes, it will go off to compliance to ensure the supplier can comply with all necessary regulations the company is subject to and then, if that passes, the supplier will get a registration invite to provide all of the additional information necessary to do business with the company as well as details on additional products and services.

Supplier Management captures all of the core company information, locations, accounts, questionnaires, risk information and scores, compliance reviews, scorecards, and approvals. For each of these there are standard fields, and as many additional fields can be added by the customer organization as needed.

Compliance Management

Collects and manages the organizational policies, supplier policy statements, compliance surveys, audits, risks, scorecards, and complaints. It can accept all documents, support custom surveys, import third party data from financial and environmental (and other) risk providers, provide you with compliance scorecards, and automatically extract and centralize all “risks” from the surveys based on scores and/or responses in a risk management view.

Moreover, in full compliance with the German Supply Chain Act (GSCA, known as the LkSG within Germany), MeRLIN provides the buying organization, each of their suppliers, and their entire employee base, a unique portal where they can register complaints. They have upgraded their platform to fully support the GSCA and can also support other supply chain acts (and future releases will encode more out-of-the-box support, even though it can already be custom configured on a client-by-client basis to support the majority of acts out there).

Requisition

Requisitions can be used as traditional requisitions for purchase orders against existing contracts for goods and services normally used by the company or as intake requests for sourcing. When they are used as intake requests, they go to a central management screen where the buyer can group them by material, bill of material, and/or category to identify sourcing event requirements and then create a sourcing event off of a bundle of them.

Sourcing

Sourcing is primarily RFX based, but auctions are supported as well off of base RFQs. A sourcing event can be kicked off from one or more requisitions, a category, a BoM, or an event template, which can consist of one or more RFIs, questionnaires, and line-items with custom price breakdowns in the RFQ. Associated with the RFQ can be the suppliers, addendums, budgets, stakeholders, terms and conditions, contract template, event schedule, and ongoing Q&A.

In addition to being able to review bids by total cost per unit and evaluation score (by the relevant stakeholders), the application also supports automatic award recommendation by criteria which can include target award by supplier, range of suppliers to split the award between, minimum and maximum shares, and preferred supplier status.

Contract “Authoring” & Management

The platform is primarily “signature” and “execution” management, as authoring is simply the packing up of contract templates, terms and conditions, specifications, and associated addendums for agreement by electronic signature. The electronic signature capability is compliant with USA regulations and most European regulations for private enterprise contracts. Once the contract is signed, the platform can manage the project timeline, stakeholders, documents, events, milestones, and obligations. In addition, the user can define alerts against any event, milestone, document, obligation or other entity on status change or due date.

Reporting & Dashboards

Reporting and Analysis in MeRLIN is through widget-based dashboards that summarize any data of interest in the system. Right now there are hundreds to select from in the reporting library, with more being added as needed. For each of the built in reports and dashboards (on suppliers, spend, process, etc.), the user can apply multiple filter options and save the configuration to their liking. There is no Do-It-Yourself (DiY) widget report builder yet, but more DiY analytics enhancement is on the roadmap.

Strategic Project Management

This is MeRLIN‘s built in project management capability where a user can define and instantiate RFX templates, supplier onboarding workflows, contracting processes from award specifications, procurement processes, and even entire Source-to-Procure projects which collect all of the necessary templates and workflows together. In addition, leadership is provided with a high level overview of sourcing projects.

Master Data Management

All of the system master data templates can be altered by the user including, but not limited to, currencies and conversions, items, locations, plants, prices, suppliers, contract metadata and milestones, and other key items. The customer can control its master data and master data identifiers.

Business Administration

All of the templates in the system can be managed and customized in the business administration section including, but not limited to supplier onboarding, qualification, evaluation, and audit questionnaires, product and item templates, requisitions, RFQs, purchase orders, contract terms, contracts, statements of work, email, and workflow templates.

Bill of Materials Manager

A key aspect of Direct Sourcing is managing the Bill of Materials. In the Merlin platform, that can be done through the BOM Manager, which unlike basic direct sourcing platforms, can maintain as many versions of a Bill Of Materials as the organization wants to maintain (for correlation with historical sourcing and procurement and cost estimates during new product design and/or product modification).

These versions can be uploaded from the ERP (or your PLM of choice with custom integration) or created in the BOM Manager, and this creation can be from scratch or from a previous BoM version which can be copied and modified as needed.

The best part of MeRLIN‘s BOM manager is its built-in ability to allow for easy should-cost analysis during NPD and BOM (re)design. Once a BOM has been uploaded or created, the user can click a button to “cost” and it will automatically find prices for every component in the BOM for which it has a price from a contract (first), catalog/commitment (second), or quote (third). Then, the user can push the remaining items to the Demand Management module for quick quote (or import into the internal catalog from a connected source) or simply create a place holder item (with an estimated cost). They can then return to the BOM Manager and re”cost” the BOM to get a complete cost estimate, which can be compared against the cost of all prior BoM versions (that were costed). This allows the organization to understand the costs associated with BOM changes over time (independent of supplier or distributor pricing changes). Gone are the days where you have to use a completely separate application to do BOM cost estimation.

Finally, the next update to the BOM Manager will allow for the user to enter a cost estimate directly in the BOM manager for materials/parts not yet quoted for even quicker price estimates, and those estimates will be clearly marked as internal estimates only.

Other Capabilities

We’re not going to discuss the procurement modules as they are not MeRLIN‘s focus (but we will assure you that they cover the foundations if you don’t have P2P and need it), demand management as you know what forecasting should do, category management (and category strategy management) as that is rather self explanatory, or finance management, as budget and price management is also straight forward.

The Full Picture

The platform is quite deep in all core areas and one could write pages about each module and its deep capabilities, but hopefully this is enough to convey the facts that

  • the MeRLIN platform was designed from the ground up to support direct and discrete sourcing,
  • has the capability to support these projects from inception to contract signing through the very last order against the award, and
  • goes beyond just raw sourcing capability to related capabilities of supplier risk, compliance, and execution (tracking the order to the delivery and qualification)

CONCLUSION

Given the relative lack of true direct and discrete sourcing platforms in the mid-market, MeRLIN is a platform you should definitely be aware of. If you’re in direct manufacturing, automotive, aerospace, and related industries, you might want to check them out today.


It’s for discrete wizards,
it’s a platform with a twist.
A discrete wizard
needs a tech assist …

The Sourcing Innovation Source-to-Pay+ Mega Map!

Now slightly less useless than every other logo map that clogs your feeds!

1. Every vendor verified to still be operating as of 4 days ago!
Compare that to the maps that often have vendors / solutions that haven’t been in business / operating as a standalone entity in months on the day of release! (Or “best-of” lists that sometimes have vendors that haven’t existed in 4 years! the doctor has seen both — this year!)

2. Every vendor logo is clickable!
the doctor doesn’t know about you, but he finds it incredibly useless when all you get is a strange symbol with no explanation or a font so small that you would need an electron microscope to read it. So, to fix that, every logo is clickable so you can go to the site and at least figure out who the vendor is.

3. Every vendor is mapped to the closest standard category/categories!
Furthermore, every category has the standard definitions used by Sourcing Innovation and Spend Matters!
the doctor can’t make sense of random categories like “specialists” or “collaborative” or “innovative“, despises when maps follow this new age analyst/consultancy award trend and give you labels you just can’t use, and gets red in the face when two very distinct categories (like e-Sourcing and Marketplaces or Expenses and AP) are merged into one. Now, the doctor will also readily admit that this means that not all vendors in a category are necessarily comparable on an apples-to-apples basis, but that was never the case anyway as most solutions in a category break down into subcategories and, for example, in Supplier Management (SXM) alone, you have a CORNED QUIP mash of solutions that could be focused on just a small subset of the (at least) ten different (primary) capabilities. (See the link on the sidebar that takes you to a post that indexes 90+ Supplier Management vendors across 10 key capabilities.)

Secure Download the PDF!  (or, use HTTP) [HTML]
(5.3M; Note that the Free Adobe Reader might choke on it; Preview on Mac or a Pro PDF application on Windows will work just fine)

You Need a Plan to Mitigate Supply Chain Risks. But You Also Need a Platform.

A recent article over on Supply & Demand Chain Executive on Navigating a Supply Chain Management Toolkit noted that with a plan in place, organizations can quickly respond to any changes and help mitigate any supply chain risks.

Which is true, but how much of the risk they can mitigate is the question.

The article, which is very good and definitely worth reading (so check out the link), noted that problems arose as a result of COVID and disruptions since because many organizations use just-in-time inventory management (which we’ve already noted should have ended by now along with seasonality). The article also noted that the problems were often exacerbated by the fact that order processes were often not documented effectively and, in general, most organizations don’t spend the time and resources to really manage their supply chain. All of this is correct, as is the observation that these challenges can be alleviated with wholly embracing the tried-and-true methods for effective supply chain management because effective processes, measurements and accountability are … key to a supply chain that works for an organization.

But, on their own, not the key. Today, you also need a platform that enables the organization to:

  • quickly detect a risk event has occurred
  • quickly analyze the impact
  • quickly initiate any pre-defined mitigation plan
  • quickly implement new decisions and processes where the mitigation plan isn’t sufficient or doesn’t exist
  • monitor the impact of the risk event and the response in near real time

Otherwise, your process could be too slow, your measurements inaccessible and/or unrecorded, and your accountability (under audit) non existent.

For example, the article indicates you should start by getting a better grip on inventory management (which is correct, no product, no business for most companies), and that involves a self-assessment, forecast accuracy review, and inventory segmentation. All correct. But that doesn’t help you when all of a sudden there’s a fire in the factory, a strike at the port, or a strait/border closing. What do you do then?

It also tells you that you should focus on better supplier relations, which is also extremely important, and focus on vetting suppliers before you onboard them and then measuring them and computing the total cost of ownership of keeping them, which is also very important as suppliers should improve over time and costs should not inch up faster than inflation. It also mentions the importance of proper strategic sourcing (matrices) to get the right products from the right suppliers. Another definite. But fails to tell you what you do when all of a sudden a key supplier can’t deliver or becomes unavailable.

The answer here is you use all of your good relationships and data to immediately identify the next best supplier. If you were splitting award, you try to shift to the other supplier (if they can handle the volume — if you were doing an 80/20 split and the 80% supplier suddenly became unavailable indefinitely, the 20% might not be able to support you, or at least not for very long, and you will have to add a new supplier to the mix). If you were doing proper sourcing, and proper supplier vetting before including them in an event, then you already have potential suppliers — the runners up from your last event. A good platform will let you immediately identify them and immediately start another sourcing event to onboard a new supplier as fast as possible.

If you have a good logistics (sourcing) platform, and your primary carrier / route becomes unavailable, you may be able to identify another carrier / route that will get you the products on time, or at least be able to accelerate an order from a secondary source of supply while you wait for the first source through a lengthier route.

The point is, while you need great processes, measurements (to indicate if something is taking too long, such as an order acknowledgement or a delivery, which can be a sign of a potential risk event materializing), and accountability (to show you made efforts to detect and mitigate risks in a reasonable time frame), you can’t measure, execute processes, or provide unquestionable audit trails of accountability without a proper platform. Never forget that. (And for help, you can see our Source-to-Pay series which helps you to identify where to start with your acquisitions and what vendors you might need to look at.)

And again, remember to read the article on Navigating a Supply Chain Management Toolkit as it will help you understand the basic processes you need to put in place.

Interrupt that Risk Event with Interos and Sustain Stable Supply Chains

Supply Chain risks are on the rise, as are disruptive events, and an event anywhere in your supply chain, even four levels down, can bring your operations to a halt if you can’t detect it, respond quickly, and take active mitigations. To this end, as chronicled in Part X of our Source-to-Pay+ Series that discussed Supply Chain Risk, a number of vendors have cropped up in the last few years around Supply Chain risks, but not all players are equal.

One of the first of the new breed of integrated supplier and supply chain risk players, and one of the most differentiated, is Interos. Interos was founded in 2005 by Jennifer Bisceglie as a consultancy focussed on helping organizations map out, understand, and get a handle on supply chain risk. Jennifer realized near the end of last decade that, with supply chains becoming so long, so complex, and so interconnected across the digital, financial, and physical realms, that technology would be needed to support organizations in this effort.

The core team knew that in order to do this, they’d need a completely new type of technology, so they sought out a new team to build one of the first outside-in business relationship graphs using trade data, third-party data sources and artifacts (such as ownership data, executive data, etc.), and even press releases. Then, on top of this relationship data, they’d need to layer risk data to help an organization identify risks in the supply chain. This would involve capturing risk events as well in order to help them understand which clients may need to be notified and/or use the Interos platform to gauge the extent that a risk event may impact them. So that’s what they built — at a global scale.

Interos has built a business relationship (knowledge) graph that connects 11 Billion relationships across 410 Million companies. These companies are then risk scored against 230+ attributes across six (6) different categories of risk: Finance, Geo-political, Restrictions/Sanctions, ESG, Cyber, and Catastrophic, depending on the extent of information available. At a minimum, they track country/industry level risks and will use that when there is insufficient data to assess the specific company risk against a specific attribute. Based on the assessment of each risk, Interos will compute an overall i-Score™ from 1 to 999, with lower scores being higher risk. It will then scan your entire network, from sink to source, and identify all high risk suppliers for you.

The Interos Resilience platform, which processes tens of thousands of sources and over 3 Terabytes of raw data daily, constantly monitors for new relationships, information, and (related) events that could pose a change in an entity’s risk status, as well as indicate the presence of a (potentially) catastrophic event, including a natural disaster or a cyber-attack. For each of the six risk domains, the platform scans for a number of factors, sub-factors, and individual attributes. We’ll cover the primary factors in this post, and if you have a particular area of interest, you can always drill in during a demo or discussion with Interos.

With respect to Finance, the platform looks for the following:

  • Liquidity: Cash, Working Capital
  • Solvency: Assets, Capital Efficiency, Credit Rating, Debt Coverage, & Leverage
  • Profitability, Debt Coverage, & Valuation

With respect to Geo-Political risk, the platform looks at the following:

  • Political Instability
  • State Capacity
  • Political Process
  • Economic Rights
  • Socio-Economic Development

With respect to Restrictions/Sanctions, the platform looks at the following:

  • Sanctions (USA, UK, EU, etc.)
  • Associated Sanctioned Individuals
  • Import/Export Embargos
  • Associated Regulations

With respect to ESG, the platform looks at the following:

  • Environmental Performance
  • Social Commitment
  • Governance Strategy

With respect to Cyber, the platform looks at the following:

  • System Attacks (compromised accounts, cyber-attacks, data spills, etc.)
  • System Vulnerabilities
  • Supply Chain Cyber Events
  • Cyber Compliance
  • Cyber Threat Activity

With respect to Catastrophic risk, the platform looks at the following:

  • Localized Natural Hazard and Disaster Risk
  • Communication Capacity
  • Healthcare Capacity
  • Infrastructure Capacity
  • Burden of Disease Risk

Based on all of this, the platform is very useful for companies that need to perform

  1. Supplier due diligence
  2. Continuous related party monitoring
  3. Real-time catastrophic event detection

Interos is one of the most complete supply chain risk intelligence platforms for supplier due diligence. The ability to quickly screen a supplier on six highly relevant domains can give an organization confidence that the organization understands the risk profile of a supplier before onboarding it, which is not something you can get from a traditional credit score or an empty search on sanction lists.

Interos is one of the few platforms that can be counted on for continuous related party monitoring as it processes over 3 TB (Terabytes) of data a day, constantly updates risk scores and related events for affected entities in the system, and can propagate updates through the business relationship graph in real time.

Interos is also one of the few platforms that can be used to do real-time catastrophic event detection where the event is not limited to a single event type, as the platform monitors for natural disasters, man-made disasters, bankruptcies, and cyber incidents — some of which Interos can detect before anything is reported due to a change in organizational behaviour — and it can immediately propagate news of events or risks to one of the 410M+ business entities it tracks to all impacted clients who can use their relationship explorer to identify all the links it has to the company.

For example, if there’s a fire in a raw material or component factory (which seems to happen in one of the few major RAM suppliers every decade — just do a few historical Google Searches if you don’t believe me) two (or three) tiers down the chain under your tier 1 supplier, you can immediately map out all of your tier 1 suppliers that trace down to that factory and make sure they have enough stock on hand to continue producing your products until you expect that factory to come back online (by either instructing them to immediately secure additional stock on your behalf or doing so for them) well before your competition realizes there’s going to be a disruption a week down the road when the plant is announced shut down and it finally trickles down to local news half a world away.

The platform monitors and tracks natural disasters globally down to a grid of 10 km squares, as well as potential paths of storms, waves, and fires, and can thus immediately identify each business entity that is likely to have been impacted as well as each business entity that is likely to be impacted if a natural disaster (such as a storm) continues its course. Thus, if a tsunami hits the coast of Japan, it can allow an organization’s incident response teams to immediately identify just those organizations in Japan in the area the wave hit and allow it to focus its efforts on just those suppliers, vs. having to reach out to and assess every supplier in Japan, of which it may have hundreds if it is in electronics when only ten were in the immediate area. The time savings alone is incalculable. (And, of course, if an earthquake hit a province in China, it would take an army of consultants months to figure out precisely what suppliers were close enough to the fault line to likely have suffered [significant] damage vs those far enough away to only feel minor shaking whereas the Interos platform will calculate all of this in just a few minutes.)

However, one of the most unique risk monitoring capabilities lies in its proprietary digital behavioural modelling that can often detect when an organization has experienced a potential cyber-attack, breach, or data theft and alert customers to that potential cyber-incursion days, or weeks, before the organization announces a breach and/or it makes the news. Using the business relationship graph, this immediately allows an organization to determine every first-tier supplier that relies on that organization. The organization then has to determine if any of those suppliers has access to the organization’s financial account information, personnel data, or confidential intellectual property. Those tier 1 suppliers that do need to be immediately approached and asked if any of that data was shared with, or accessible by, the sub-tier supplier that was breached or affected by the breach. If so, the organization can immediately start taking mitigation actions before they themselves are the target of a cyber attack.

The platform is very easy to use. When a user logs in, they see a summary of their full supply base and multiple sub-tier relationships (which for a multi-national with tens of thousands [10k+] of tier 1 suppliers can be hundreds of thousands of tier-3 suppliers). The user can see the number of suppliers by tier who are high risk, medium risk, low risk, and, possibly, unknown (as it’s a brand new supplier where there is little to no information on that supplier). Note that the number of “unknown” suppliers will typically be really small, and for most truly global companies with 500K global suppliers in their extended supply chain, the unknown will be significantly less than 5K (usually 0.5% or less).

(Note: If more than 1% of your extended supply chain falls into high risk, you have some serious problems. In a good supply chain, the vast majority of suppliers should be low risk (> 95%) with a small percentage medium risk, preferably no high risk, and preferably no unknown.)

You also see a breakdown of risk by

  • each of the six (6) risk domains, which lets you see if there is a particular risk concentration,
  • average risk by groups of interest (which could be country, product line based, strategic suppliers, etc.),
  • a summary of natural hazards and disasters currently being tracked, both visually and textually (which shows the number of potential tier 1, 2, 3+ suppliers that are potentially impacted)
  • a visual summary of the most relevant current events being reported on (with links to full articles in third party sources), and
  • a quick link to the relationship explorer tool that will let you find all of your connections to an entity of interest

When you select a category of high-risk suppliers (overall or by category), it will bring up a list of companies with their individual i-Scores that you can select to bring up their complete risk scorecard (if you have unlocked their scorecard; depending on your subscription level, you have a number of credits that allows you to unlock that many scorecards; you can buy more if you need, but since most companies don’t need to evaluate more than a small percentage of tier 2+ suppliers, their packages are usually sufficient). The scorecard summary will summarize the score in each of the six areas, and will allow you to drill down into the factors, sub-factors, and individual attributes that are known and scored (and contribute to the overall score), which include those discussed above.

The scorecard will also summarize company corporate data (industry registrations and codes, locations, etc.), its tier 2 and tier 3 relationships and risks, which can be filtered to all known relationships (in your extended supply chain), as well as all events (and related sources) that have been detected that are relevant to that supplier entity. If a risk score is low (or suddenly drops), you will have access to all of the data that contributed to that score to make your own judgement (and jump-start your investigation).

The platform also has a geographic view of natural disasters that is interactive and allows a user to drill into a region, filter on natural disaster type (earthquake, tropical storm, volcanic eruption, etc.), and even project a few days in the future (if the disaster is a tropical storm, cyclone, tsunami, etc. and there is forecast data available from Interos‘ 3rd party, or public, sources). In addition, it can be used to look at historical natural disaster and weather event data, which goes back between 50 and 200 years, depending on how much historical data is available for the region, as well as the risk of each natural disaster type (wildfire, drought, earthquake, flood, etc.) in the region based on all of this historical data.

And the relationship explorer is likely the most useful part of the platform because, if a risk event is detected, such as a natural disaster or a cyber breach, you can instantly trace all of your active relationships to that company, and immediately start the process to determine if these tier 1 (and tier 2) suppliers will be impacted, and, if so, the degree to which you’ll be impacted. Not only will you know about an event days, or weeks, sooner than you would know without this platform (and by then it may have been too late to find an alternate source of supply or protect your data), but you can limit your discovery and mitigation efforts only to suppliers that might be affected, versus doing massive surveys and reach-outs (that can take days or weeks) to find out who might be impacted in the first place.

Interos is one of the most powerful, and complete, risk intelligence platforms out there and one that should definitely be on your shortlist if you’re looking to get 360-degree visibility into your supplier, and supply chain, risk.

The Supply Chain is Full of Hidden Risks

A recent article in the Supply Chain Management Review by Avetta provided Insights for Procurement Leaders on tackling hidden risks in the supply chain. As per the article, supply chains are full of:

  • Geographic Vulnerabilities
  • Cybersecurity Threats
  • Ethical and Compliance Issues
  • Financial Instability
  • Environmental Recklessness

… and all of this poses a major risk to your supply chain. Avetta’s baker’s dozen of recommendations are to:

  • conduct due diligence on all levels of suppliers
  • identify alternate sources
  • monitor geographical developments
  • prioritize cybersecurity measures
  • conduct regular risk assessments
  • foster a culture of cyber awareness
  • establish clear codes of conduct
  • regularly audit supply chain partners
  • prioritize transparency and accountability
  • rigorous financial due diligence
  • monitor key financial indicators
  • prioritize sustainability initiatives
  • establish robust contingency plans

And these are all good, but most of the risk results from one thing:

  • lack of timely, accurate data on
    • the physical supply chain (people, plants, product, vehicles, etc.)
    • the financial supply chain (the financial state of suppliers, contractors, employees, etc.)
    • the information supply chain (completeness, accuracy, security, etc.)

This says that if you really want to tackle the hidden risks, you need to start with the following as you can’t tackle anything you can’t identify:

  • supply chain visibility — map every entity in your supply chain
  • external risk monitoring — whenever a geographical, political, environmental, or cyber disruption happens anywhere, and is reported, you need to detect that, identify all entities that may be affected, confirm which entities in your supply chain are affected, and take an appropriate mitigating action
  • cyber network monitoring — you need to monitor your entire network, every server, every client (desktop, laptop, tablet, AND cell phone), every router, every API end point, and every wire … your weakest link is your effective security
  • cross-system and account financial monitoring — money disappears when there are holes for it to fall into; holes exist when you have disconnected P-Card, e-Procurement, and AP systems, especially across divisions and you aren’t correlating balances between transfers, bank accounts, and investments on at least a daily basis
  • activity monitoring — all waste, loss, and fraud is the result of a bad actor, whether or not the bad acting was intentional (hint: if the loss is significant, it usually is intentional; incompetence often only results in minor loss); but you can’t monitor everyone, even if you wholly operate in a jurisdiction where doing so is legal; but, when everything is digitized, you can monitor every action, whether or not it is in accordance with policy, flag everything that isn’t, and escalate any actions that are against policy that should be investigated
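
A small sketch of the first two items working together, added here as an illustration (it is not code from Avetta, Interos, or any vendor mentioned): given a supply chain map and a reported event, it finds which of your tier 1 suppliers are exposed and at what tier. The map, the company names, and the event record are all constructed for the example.

```python
from collections import deque

# Constructed supply chain map (buyer -> direct suppliers); all names are hypothetical.
SUPPLY_MAP = {
    "us": ["AcmeCastings", "BoltWorks", "CircuitCo"],
    "AcmeCastings": ["DeltaAlloys"],
    "BoltWorks": ["DeltaAlloys", "EchoSteel"],
    "CircuitCo": ["FoxtrotChips"],
    "DeltaAlloys": ["GulfOre"],
    "EchoSteel": ["BoltWorks"],  # circular relationship: traversal must not loop
}

def reachable(start, supply_map):
    """Every entity at or below `start`, with its hop distance (cycle-safe BFS)."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for supplier in supply_map.get(node, ()):
            if supplier not in dist:
                dist[supplier] = dist[node] + 1
                queue.append(supplier)
    return dist

def triage(event, supply_map, root="us"):
    """Map each exposed tier 1 supplier to the nearest tier at which the event hits it."""
    exposed = {}
    for tier1 in supply_map.get(root, ()):
        dist = reachable(tier1, supply_map)
        for entity in event["entities"]:
            if entity in dist:  # entities outside the map are ignored
                tier = dist[entity] + 1  # the tier 1 supplier itself is tier 1
                exposed[tier1] = min(tier, exposed.get(tier1, tier))
    return exposed

# Constructed event record, as an external risk feed might report it.
EVENT = {"type": "cyber breach", "entities": ["GulfOre", "UnmappedCorp"]}

if __name__ == "__main__":
    for supplier, tier in triage(EVENT, SUPPLY_MAP).items():
        print(f"{supplier}: exposed via a tier {tier} entity ({EVENT['type']})")
```

Only the suppliers returned need a follow-up to confirm impact; CircuitCo, which has no path to the affected entity, drops out of the investigation.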

As you detect issues and disruptions, you can start with standard mitigation actions, and as you identify patterns of commonality, you can identify additional contingency plans, which you should already have for every product or service that is critical to your operation.

Note that Sourcing Innovation has published a list of 55+ Supply Chain Risk Vendors that already have solutions that do a lot of this monitoring. There’s no excuse for your organization not to have at least an 80% solution in place today.