Category Archives: Risk Management

Risk – The More Things Change, The More They Stay the Same II – Environment

In our last post, we discussed the top societal risks facing your Supply Management organization that were chronicled in the World Economic Forum’s 7th annual Global Risks report. Chronicling dozens of risks divided into five categories, this report did a tremendous job of covering the types of risk that an average Supply Management organization needs to prepare for. Today, SI is going to continue its coverage of the report by discussing the top three risks from an environmental perspective.

According to the report, the two top risks, which are essentially the same as last year, are:

Rising Greenhouse Gas Emissions and the Climate Change that will Result

Climate change may not seem like a big risk, but it can have drastic consequences on your operations. Not only can it increase the likelihood of (tropical) storms, floods, blizzards, and ice storms, which can destroy your factories, wash away your delivery trucks, trap your workers in the factory for a week, and take down entire power grids, but it can wreak havoc on your operations. For example, if you want to drill for oil in the oil sands, you need the ground partially frozen. If six months are required to extract a year’s worth of oil but by the time the ground freezes there will be less than four months of drilling time, you have a problem. And if the risk of flooding is significantly increased, so are the chances of your supply chain being brought to a grinding halt.

Unprecedented Geophysical Destruction

This is likely to take the form of:

Earthquakes & Volcanic Eruptions

The 9.0 magnitude earthquake in Japan in March of 2011 demonstrated the devastation that earthquakes could have on global supply chains. The earthquake and resulting tsunamis not only damaged or destroyed thousands of homes and hundreds of factories, which resulted in almost 20,000 deaths, but also resulted in the immediate declaration of a state of emergency at a nuclear power plant when dangerous levels of radiation escaped the Fukushima No. 1 (Daiichi) plant. In addition, it triggered the immediate shutdown of 15 of Japan’s nuclear power stations, and a crisis at the Tokai No. 2 Power station was narrowly averted.

However, this earthquake is nothing compared to what a well-placed major volcanic eruption can accomplish. Not only can a major eruption near the edge of a tectonic plate trigger an earthquake, but it could launch enough ash into the air to make air travel through a region impossible for months. The recent volcanic explosions in Iceland in 2011 are nothing compared to some of the eruptions that have happened in the last few thousand years. Not even the eruption of Mount St Helens in 1980 was very big. It only erupted 1 cubic km of lava. The largest eruption, in terms of lava discharged, in the last 99 years was Pinatubo in the Philippines in 1991. A whole 10 cubic kms of lava was released. The 1912 eruption of Katmai in Alaska released 12 cubic kms. And this is nothing compared to the 1815 eruption of Tambora in Indonesia that released 100 cubic kms of lava. And students of history are aware of how Mount Vesuvius buried Pompeii under 4 to 6 m of ash and pumice. The eruption of Krakatoa in 1883, which was heard across the world, released so much ash into the air that it caused a volcanic winter. Temperatures worldwide dropped an average of 1.2° C for the next 5 years as a result of ash that was ejected 20,000 ft high. If this happened today, air travel would be interrupted for at least six months in the region. The interruptions in air travel as a result of the Icelandic explosions would be minor in comparison.

Flooding

The floods in Thailand last year and the floods in Bangladesh and the Philippines this year are perfect examples of the significant impact that floods can have on global supply chains. Economic losses in 2011 due to the Thailand floods reached 46 Billion by the end of 2011 (Aon Benfield), more than doubling the insurance losses that were expected to reach 20 Billion (Insurance Insight). The reality is that a single flood can cause so much damage that it could literally bankrupt an operation. The automotive and electronics sectors were impacted the hardest by the Thailand floods: more than 400 Japanese companies in these sectors suspended operations or lowered output as a result of the floods.

And with global warming, which is causing many of the ice floes in the Arctic to break up, the risk of flooding is greatly increasing. Many of the worst floods in history were ice-jam floods resulting from “breakup jams” which force ponding upstream and a rapid release of water when the ice dams breach. This is what happened in (April) 1952 on the Missouri River in (Bismarck) North Dakota where an eroding ice dam resulted in flow increasing from about 2,100 m³/s to more than 14,000 m³/s in less than 24 hours. The river rose 5 feet in less than 2 hours and submerged nearly everything south of US Highway 10. Fortunately, this was not a densely populated area; otherwise, instead of 200 houses being destroyed, there would have been 20,000 houses destroyed and likely thousands of deaths. If this happened near your factory, it would be wiped out almost instantaneously.

Risk – The More Things Change, The More They Stay the Same I – Society

The World Economic Forum’s 7th annual Global Risks report was recently released. Again chronicling dozens of risks divided into five categories, this report did a tremendous job of covering the types of risk that an average Supply Management organization needs to prepare for. What’s interesting about this report is how the biggest risks in many of the categories haven’t changed at all since last year. Take Society for instance. While it chronicled seven major risks in this category, the top two dwarf the other five and they are the exact same as last year.

02: Food Security

People need to eat. As a result, they need access to safe, secure sources of staple foods at an affordable price point. If they don’t have access to safe, secure sources of staple foods at an affordable price point, they riot — as we have seen in Tunisia, Algeria, Bangladesh, Mogadishu, India, China, and even the UK and Canada this year. When people riot, property gets destroyed — property that could include your delivery trucks, your goods in your warehouses, and even your production plants. Try ensuring supply with no distribution mechanisms for raw materials, no working production lines, and no warehouses to store anything.

01: Water Security

Not only do people need water, but supply chains need water. First of all, supply chains need energy. Energy production requires water (as per the Water Energy Nexus). For example, in the USA, about 2 US gallons of water evaporates to create one kilowatt hour of energy. Steel, which is a component of many goods, requires 62,000 gallons of water for the production of a single ton. Semi-conductor fabrication plants often require up to 2,000 gallons of water per minute. No water, no goods, no components, and no energy. And if water gets too scarce, so does food. And a vicious downward societal cycle will begin.

It should be obvious by now that while the risks of pandemic, chronic disease, religious fanaticism, migration, and age aren’t going away, they aren’t going to matter much if we don’t have the food and water to sustain ourselves.

It’s About Time You Get a Grip on Risk!

Risk management is about more than just the disclosures the auditors make your accountants put in the fine print when you release your financial statements and annual reports. And it’s more than the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. For example, from a supply management point of view, risk management is the modus operandi for supply assurance when there is an average of 250 supply chain disruptions for public companies every month. (Source) And from a profit point of view, it’s value. Less money dealing with the financial and brand fallout from a disruption is more money spent on innovation to meet customer demand.

And, as per this recent Ernst & Young post over on the Harvard Business Review blogs, it’s money in the bank. Their recent research found that companies in the top 20% of risk (management) maturity generated three times the level of EBITDA as those in the bottom 20%. Wow!

So why is this? I think it’s due to the fact that less than 40% of companies are actively managing (supply) risk to the level they should be. In 2008, a Marsh survey found that only 35% of organizations self-reported that supply chain risk management was moderately effective at their companies. In other words, 65% of companies did not have a risk management program that was at least moderately effective. In 2011, researchers at Vlerick Leuven Gent Management School and Ghent University did a supply chain risk management study and found that 64% of the companies have no one responsible for managing supply chain risks! That’s essentially 0 improvement in the last three years! And while the initial introduction of a risk management program will require a significant investment of talent, it’s not that difficult, relatively speaking. As the post says, the critical factors are communication, openness, leadership, framework identification, formal methods, coordinated planning, standardized monitoring, and occasional (stress) testing of the different facets. With the right leadership and training, everyone will be able to do their part. And in the end, just like the Global 50 consumer products company highlighted in the post, the organization will have

developed a governance structure that allows it to think about risk proactively, and has aligned its risk profile and exposures more closely with its strategy. Its governance leadership group and supporting management clarified the company’s risk appetite, defined its risk universe, determined how to measure risk, and identified which technologies could best help the company manage its risks. Aligning risk to strategy, by identifying strategic risks and embedding risk management principles into business unit planning cycles, enabled the company to identify and document 80% of the risks that have an impact on performance. This alignment of risk awareness and management practices, from strategy to business operations, enabled the company to monitor risk developments more effectively. Managers could keep the organization within acceptable tolerance ranges, driving performance to plan.

So just do it. You’ll double your EBITDA in the process!

Hiperos – It’s So Hip To Be Square with 3rd Party Management! Part II

Hiperos provides a SaaS platform that allows an organization to manage the entire 3rd party lifecycle, which consists of registration, data collection, segmentation, control automation, assessment, management, and collaborative issue resolution.

Hiperos includes your standard SIM (Supplier Information Management) functionality that allows for supplier self-service registration and profile maintenance and data integration from third party sources. On top of that, it implements a user-configurable rules-based workflow that allows third parties to be segmented into different buckets that represent the different programs that they need to be subjected to, be it FCPA, REACH, WEEE, HIPAA, or some other type of compliance or monitoring program. Each bucket has its associated monitoring rules that notify the third party when more information is needed and that automatically alert the user when a violation is detected or when information is not provided by the third party in a timely fashion. Assessments are automatically run every time new data becomes available and can be run by a user at any time. The fact that all relevant third party information is available at all times allows users to proactively manage third parties, and associated risks, and then either work with third parties to mitigate risks, if the potential infraction can be corrected, or cut them loose if the risk of association is too great (because they showed up on a denied party list or use child labour in their supply chain).

The application, which loads the default user-defined dashboard, allows a user to manage third parties, engagements, relationships, products, and programs and to define programs, vendor communities, reports, and analytics.

The dashboard is multi-tabbed and allows a user to define relevant views on each of the application areas defined above, as well as a default dashboard that allows the user to see the information most relevant to him or her. At the top of the dashboard is a link to current action items that allows a user to quickly see what needs to be done in third party management, engagements, programs, etc. The dashboards can be configured using hundreds of pre-defined (reporting) widgets or the user can define their own widgets by defining appropriate reports in the reporting module. And the user can bring in real-time news and data feeds from sites of interest.

The application can track any compliance, performance, sustainability, or risk data elements of interest and, like any good SIM platform, is preconfigured to track hundreds of relevant data items, depending upon the programs you define as relevant for a given compliance, performance, or risk program (which minimizes the amount of configuration required to track custom fields). And not only is all relevant data available from any view that is program or user defined, but it’s all interlinked so a user can click on a third party included in a program, see the relevant report(s), and then dive into the third party data management screen to examine the raw data elements, and then run a report on just a data subset.

Program definition is flexible and allows for any type of compliance, risk, sustainability, or performance program you can think of. In addition, the fact that Hiperos also supports contract meta-data and third-party data feeds allows financial impact reports to be generated. That way, a user always knows what the impact of a third-party falling out of compliance is to the organization. Knowing that a tier-one supplier might be buying from a tier-two supplier that might be using child labour is one thing, but knowing that the organization is spending 20 Million across 5 categories on that tier-one supplier is something else. In the first case, the supplier is put on the “investigate” list and someone gets around to it when they get around to it. In the second case, the user knows that it is a high priority and an investigation has to be started immediately as the public backlash will be extremely damaging to the organization if it gets out that 20 Million is being spent on products and/or services that were partially produced by child labour.

Hiperos has also included extensive color-coded geo-mapping capabilities so that you can quickly see, for any program, where the highest risk areas are globally and dive in. While Hiperos is not the first company to do this, they have latched on to the fact that the visual representation of risk or non-compliance by region allows one to quickly see what regions have to be monitored. This allows resources to be properly applied, especially since proper monitoring will typically require subscriptions to appropriate data feeds for those regions.

The Market Intelligence capabilities are quite extensive too, and they have pre-configured watch-lists, diversity monitoring, parent-subsidiary monitoring, subcontractor monitoring, REACH/WEEE monitoring, and dozens of other feeds of interest which can be enabled as required by the client.

And the analytics piece supports the full suite of slice-and-dice capabilities found in most sourcing products today, so that you can dive into the data and find out which suppliers, categories, or programs represent the highest risk to your organization.

There’s quite a bit of data, and the application can be quite busy at times, but Hiperos has one thing right: where compliance is concerned, it’s Hip to be Square.

Hiperos – It’s So Hip To Be Square with 3rd Party Management! Part I

When we last checked in with Hiperos, they had evolved from a Risk Management platform to an “Extended Enterprise Management” platform that integrated Contract Management, Compliance Management, Performance Management, and Sustainability Management into a 360° solution platform for an organization that wanted to get these various facets of risk under control.

However, as they have continued to roll out their platform and work with clients in different verticals (beyond finance, which was their initial core strength and where they appear to be dominating the market), they have found that as enterprises get their internal(ly controlled) risks under control, their clients realize that typically the biggest risks they face are from their suppliers and vendors who provide them with all sorts of direct and indirect products and services. As a result, 3rd Party Management (3PM) has become critical to their operational success. How critical?

Consider these statistics. Forty-four percent of data breaches involve third parties, and the most expensive data breach has cost 35.3 Million dollars to resolve. And while this is atypically high, a data breach will cost an organization millions to resolve (as even the cheapest data breach cost $780,000). And if there turn out to be traces of blood money or drug money in your supply chain, it could cost you as much as $160 Million to settle the resulting probe. In short, 3rd Party Risk, if not properly managed, is likely to end up costing your organization millions. The only question is when.

And if you believe that preventative spending to manage risks that might not happen is unwise in this economy, consider this. Organizations that implemented Hiperos 3rd Party Management saw a 75% reduction in customer impact incidents due to sole sourcing. One organization was able to eliminate a seven-figure spend of 4 Million in annual subscription fees that it was paying just to ensure that it wasn’t using blacklisted or banned suppliers (and that it wasn’t working with suppliers who were known to bribe and/or be involved in anti-corruption investigations) as the Hiperos 3rd Party Management solution contained all the functionality they needed. And, overall, Hiperos’ clients saw a 300% increase in the assessment of 3rd parties with a high-breach potential, allowing them to be vetted or eliminated before a costly incident occurred.

And this is just a short list of the costly compliance and reputational risks facing an average organization that operates globally and has to deal with ISO, SAS 70, Anti-Bribery, Anti-Money Laundering, FCPA, SOX, OCC, CFPB, REACH, WEEE, OSHA, HIPAA, and W9 security and reporting obligations, just to name a few. A third party management solution tracks all of this, and more.

So what does Hiperos do to help you with your 3rd Party Management? Stay Tuned for Part II.