Category Archives: Risk Management

Hiperos – It’s So Hip To Be Square with 3rd Party Management! Part II

Hiperos provides a SaaS platform that allows an organization to manage the entire 3rd party lifecycle, which consists of registration, data collection, segmentation, control automation, assessment, management, and collaborative issue resolution.

Hiperos includes your standard SIM (Supplier Information Management) functionality that allows for supplier self-service registration and profile maintenance and data integration from third party sources. On top of that it implements a user-configurable rules-based workflow that allows third-parties to be segmented into different buckets that represent the different programs that they need to be subjected too – be it FCPA, REACH, WEE, HIPPA, or some other type of compliance or monitoring program. Each bucket has its associated monitoring rules that notify the third party when more information is needed and that automatically alerts the user when a violation is detected or when information is not provided by the third party in a timely fashion. Assessments are automatically run every time new data becomes available and can be run by a user at any time. The fact that all relevant third party information is available at all times allows users to pro-actively manage third parties, and associated risks, and then either work with third parties to mitigate risks, if the potential infraction can be corrected, or cut them loose if the risk of association is too great (because they showed up on a denied party list or use child labour in their supply chain).

The application, which loads the default user-defined dashboard, allows a user to manage third parties, engagements, relationships, products, and programs and to define programs, vendor communities, reports, and analytics.

The dashboard is multi-tabbed and allows a user to define relevant views on each of the application areas defined above, as well as a default dashboard that allows the user to see the information most relevant to him or her. At the top of the dashboard is a link to current action items that allows a user to quickly see what needs to be done in third party management, engagements, programs, etc. The dashboards can be configured using hundreds of pre-defined (reporting) widgets or the user can define their own widgets by defining appropriate reports in the reporting module. And the user can bring in real-time news and data feeds from sites of interest.

The application can track any compliance, performance, sustainability, or risk data elements of interest and, like any good SIM platform, is preconfigured to track hundreds of relevant data items, depending upon the programs you define as relevant for a given compliance, performance, or risk program (which minimizes the amount of configuration required to track custom fields). And not only is all relevant data available from any view that is program or user defined, but it’s all interlinked so a user can click on a third party included in a program, see the relevant report(s), and then dive into the third party data management screen to examine the raw data elements, and then run a report on just a data subset.

Program definition is flexible and allows for any type of compliance, risk, sustainability, or performance program you can think of. In addition, the fact that Hiperos also supports contract meta-data and third-party data feeds allows financial impact reports to be generated. That way, a user always knows what the impact of a third-party falling out of compliance is to the organization. Knowing that a tier-one supplier might be buying from a tier-two supplier that might be using child labour is one thing, but knowing that the organization is spending 20 Million across 5 categories on that tier-one supplier is something else. In the first case, the supplier is put on the “investigate” list and someone gets around to it when they get around to it. In the second case, the user knows that it is a high priority and an investigation has to be started immediately as the public backlash will be extremely damaging to the organization if it gets out that 20 Million is being spent on products and/or services that were partially produced by child labour.

Hiperos has also included extensive color-coded geo-mapping capabilities so that you can quickly see, for any program, where the highest risk areas are globally and dive in. While Hiperos is not the first company to do this, they have latched on to the fact that the visual representation of risk or non-compliance by region allows one to quickly see what regions have to be monitored. This allows resources to be properly applied, especially since proper monitoring will typically require subscriptions to appropriate data feeds for those regions.

The Market Intelligence capabilites are quite extensive too, and they have pre-configured watch-lists, diversity monitoring, parent-subsidiary monitoring, subcontractor monitoring, REACH/WEE monitoring, and dozens of other feeds of interest which can be enabled as required by the client.

And the analytics piece supports the full suite of slice-and-dice capabilities found in most sourcing products today, so that you can dive into the data and find out which suppliers, categories, or programs represent the highest risk to your organization.

There’s quite a bit of data, and the application can be quite busy at times, but Hiperos has one thing right, where compliance is concerned, it’s Hip to be Square.

Hiperos – It’s So Hip To Be Square with 3rd Party Management! Part I

When we last checked in with Hiperos, they had evolved from a Risk Management platform to an “Extended Enterprise Management” platform that integrated Contract Management, Compliance Management, Performance Management, and Sustainability Management into a 360° solution platform for an organization that wanted to get these various facets of risk under control.

However, as they have continued to roll-out their platform and work with clients in different verticals (beyond finance, which was their initial core strength and where they appear to be dominating the market), they have found that as enterprises get their internal(ly controlled) risks under control, their clients realize that typically the biggest risks they face are from their suppliers and vendors who provide then with all sorts of direct and indirect product and services. As a result, 3rd Party Management (3PM) has become critical to their operational success. How critical?

Consider these statistics. Forty-four percent of data breaches involve third parties, and the most expensive data breach has cost 35.3 Million dollars to resolve. And while this is atypically high, a data breach will cost an organization millions to resolve (as even the cheapest data breach cost $780,000). And if there turn out to be traces of blood money or drug money in your supply chain, it could cost you as much as $160 Million to settle the resulting probe. In short, 3rd Party Risk, if not properly managed, is likely to end up costing your organization millions. The only question is when.

And if you believe that preventative spending to manage risks that might not happen is unwise in this economy, consider this. Organizations that implemented Hiperos 3rd Party Management saw a 75% reduction in customer impact incidents due to sole sourcing. One organization was able to eliminate a seven-figure spend of 4 Million in annual subscription fees that it was paying just to insure that it wasn’t using blacklisted or banned suppliers (and that it wasn’t working with suppliers who were known to bribe and/or be involved in anti-corruption investigations) as the Hiperos 3rd Party Management solution contained all the functionality they needed. And, overall, Hiperos’ clients saw a 300% increase in the assessment of 3rd parties with a high-breach potential — allowing them to be vetted or eliminated before a costly incident occurred.

And this is jus a short-list of costly compliance and reputational risk facing an average organization that operates globally and has to deal with ISO, SAS 70, Anti-Bribery, Anti-Money Laundering, FCPA, SOX, OCC, CFPB, REACH, WEEE, OSHA, HIPPA, and W9 security and reporting obligations, just to name a few. A third party management solution tracks all of this, and more.

So what does Hiperos do to help you with your 3rd Party Management? Stay Tuned for Part II.

Technology Trials 2012 – Part VI

In Part V we outlined the most critical question that needed to be addressed after you decided that you needed a BoB or FuSS solution and what the critical features of that solution was, namely, what was required for globalization.

Now that we have outlined the high-level functional requirements from a multi-faceted view, we’re ready to go to market with a supplier RFI, and, in particular, an RFI that answers the following (set of) question(s):

(06) How will you support my solution requirements as a vendor?

And, more specifically:

  (06.1)Who are your references who are comparable in size, scope, and needs to us?
  (06.2)Does your solution support the functionality we absolutely require? Explain.
  (06.3)Do you currently have customers in the (majority of) countries we need to deploy in and do you support the (majority of) languages that we require? (If you don’t currently support all the languages we need, how long does it take to add another language into your solution?)
  (06.4)What is your organizational culture?
  (06.5)How many non-critical functions on our wish-list can you address?
  (06.6)How financially stable are you? Will you open your books to us or let us speak to a reputable third party that has seen your books?
  (06.7)What is the total end-to-end cost of your solution up-front and on an annual basis? Will you guarantee this in writing?
  (06.8)What third parties can we talk to who will verify your claims

  (06.1)Who are your references who are comparable in size, scope, and needs to us? And can we speak to them?
As they say, the best proof is in the pudding, and the best pudding that a vendor can give you is references who are comparable in size, scope, and needs that they are currently serving successfully. They don’t necessarily have to be in your industry, but the industry should be similar enough that you can feel confident that the vendor could handle you. For example, electronics and component manufacturing are similar, but finance and pharmaceuticals aren’t that close.

  (06.2)Does your solution support the functionality we absolutely require? Explain.
After you’ve divided your requirements into must-haves, should-haves, and nice-to-haves, ask the vendor to describe in detail how all of your must-have requirements will be met and briefly how they will meet each should-have that is on your list.

  (06.3)Do you currently have customers in the (majority of) countries we need to deploy in and do you support the (majority of) languages that we require? (If you don’t currently support all the languages we need, how long does it take to add another language into your solution?)
If you need to deploy your solution across 20 countries and the vendor has only deployed across two countries and both were English speaking, how likely is it that the vendor will be able to meet your needs? On the other hand, if you only need to deploy across 6 countries and the vendor has deployed across 30 countries in twice as many languages, you know that you’re covered now and likely will be covered for years to come.

  (06.4)What is your organizational culture?
When all is said and done, if you have three vendors who appear equal from every other perspective, the tie breaker will be the vendor’s organizational culture and how cleanly it meshes with yours. Even if you are IT and services savvy, you’re always going to need some help from the vendor. Maybe not that much compared to its other customers, but the vendor is typically the only expert in tweaking every last bit of value out of its solution.

  (06.5)How many non-critical functions on our wish-list can you address?
Even though the functions are non-critical and wish-list, they’re on the list because someone wants them, and every wish-list item put there by a stakeholder that can be met is one less reason for resistance that you won’t have to overcome.

  (06.6)How financially stable are you? Will you open your books to us or let us speak to a reputable third party that has seen your books?
Considering the effort that goes into solution selection, the last thing you want is to select a solution from a vendor that goes bankrupt in a year. Even if the code is under escrow, and you get complete rights to it, the value of the solution will decrease rapidly once the vendor stops improving it. That’s not a situation you want to find yourself in.

  (06.7)What is the total end-to-end cost of your solution up-front and on an annual basis? Will you guarantee this in writing?
Considering that there will likely be implementation costs, integration costs, and training costs in addition to up-front license costs and annual maintenance costs, and may be costs for third-party middleware, data feeds, and other solution components, it’s important that you know all of these costs up-front and account for them accordingly. Otherwise, that 500K solution with an expected ROI of 9X return might actually be a 1.5M solution with an expected ROI of 3X – which won’t impress the CFO at all come performance evaluation time.

  (06.8)What third parties can we talk to who will verify your claims
The vendor should be willing to give you names of investors, analysts, and bloggers who can verify their claims. If these do not exist, be wary. A good vendor is open about it’s capabilities and claims. It doesn’t hide behind NDAs and embargoes.

True Cost Reduction Doesn’t Increase Risk

While reading a recent article over on the Inbound Logistics site on Serving up the Perfect Meal, I came across the following quote from a general manager for C.H. Robinson that worried me:

One thing all restaurants are doing is managing labor farther up the supply chain, and pushing inventory levels back to suppliers to manage, thereby controlling costs, keeping inventory fresh, and allowing menu planning variability.

Can you see why? While managing labour considerations further up the supply chain is a great idea, as it forces you to have good supply chain visibility, and keeping inventory fresh will give you an edge in the food service industry, pushing inventory levels back to suppliers to manage is a disaster waiting to happen unless:

  • they are at least as competent as you in inventory management,
  • they have deep insight into your expected demand requirements over time (at least six months into the future), and
  • they have a basic understanding of the market volatility and the ability to handle unplanned demand surges.

If any one of these assumptions are false, at some point in time, your supplier is going to be out of inventory when you need it most, and you’re either going to have to spot-buy elsewhere, at considerably higher prices, or, even worse, go out of stock and have to slash profitable menu items for the duration of the shortage.

You should only let your supplier manage your inventory if you have deep visibility into the supply chain and collaborate with them to make sure they have all of the data they need to predict your needs as well as you can. And you need this visibility, given that quality, safety, and traceability are critical to a food service provider’s supply chain, especially given the recent introduction of the Food Safety Modernization Act.