Category Archives: Risk Management

Supply Chain Disaster Lessons

Share This on Linked In

Over on Supply Chain Digest, who recently updated their list of the “top supply chain disasters of all time”, you can find a short article chronicling some of their “lessons from supply chain disasters”. Simply put, the key lessons were as follows:

  • “Big Bang” Go-Lives are Risky Business
    Despite the fact that the risks of this approach are well documented, this approach is still taken all too often.
  • Pioneers Get Arrows in the Back
    Being the first increases your odds of failure dramatically … whether it’s a new technology, new methodology, or new market.
  • Do Not Ignore Early Warning Signs
    Just about every disaster post mortem uncovers dozens of indications of emerging problems that were ignored. These warnings are usually ignored or minimized because someone doesn’t want to fess up that things are not going as promised.
  • Avoid hard cut-offs/transitions
    Many project disasters are caused by hard deadlines. Hard deadlines, especially if the project schedule is too tight, are often the largest contributor to project failure.
  • Beware the ROI trap
    Many projects go south because they whittle away key elements for success just to make an (unrealistic) ROI expectation.

And they must be taken to heart. I’ve seen many projects, and companies, fail because they didn’t heed these lessons.

Organizational Versus Occupational Fraud

Share This on Linked In

Editor’s Note: This post is from regular contributor Norman Katz, Sourcing Innovation’s resident expert on supply chain fraud and supply chain risk. Catch up on his new column in the archives.

When do you draw the line between a person (or persons) being guilty of fraud versus the entire organization? The latter seems pretty sweeping, implying that every employee was guilty of perpetrating fraud; this is not the case, however.

Operational fraud — such as frauds that happen in the internal/external supply chain operations — can be divided into two basic classifications of fraud: organizational versus occupational.

When a person or persons commit occupational fraud, they have used their positions or roles to facilitate the perpetration of the fraud. A cashier who takes money from the till, an accounting person who falsifies deposits and pockets some cash, a buyer who accepts gifts, brides, or kickbacks for steering business to one supplier versus another, etc., are all examples of occupational fraud. Contractors and service providers can be guilty of occupational fraud, such as the attorney or technology consultant who submits bills for hours not worked. There is an implied trusted relationship that the person breaches in their less-than-trustworthy conduct.

When, at the highest levels of an organization, senior management (typically officers, but sometimes members of the board of directors) are guilty of perpetrating fraud via the use of the enterprise itself, in whole or in part, this is organizational fraud. What’s so unfortunate about organizational fraud is that many times honest employees in specific occupations are often left to suffer, such as when the organization folds. (Examples include Arthur Andersen, WorldCom, and Enron.)

Senior management and directors bear the burden of responsibility in their positions to set the right examples for the organization’s code of conduct. This is part of good governance for public companies as outlined in the COSO Sarbanes-Oxley compliance framework, but it is certainly applicable to private companies and government agencies alike.

The Sentencing Reform Act of 1984 provides guidelines for the penalties assigned to both individuals and organizations guilty of crimes. In brief, the penalties are assessed as follows:

(1) The greatest of the following:
(a) A base fine from an offense level table;
(b) The monetary gain to the organization;
(c) The loss suffered due to the intentional, knowingly reckless, behavior by the organization. (2) Application of a fine multiplier based on such factors as cooperation versus obstruction of justice, history of bad behavior, and whether the organization self-reported and accepted blame and responsibility.

In the tainted pet food scandal that hit the United States, melamine was added in China to the base ingredients to boost the tested protein levels and cover-up quality problems. A public official (an inspector) and an employee of the manufacturing company (a buyer, I believe) were both involved in the fraud: they used their occupations to perpetrate the fraud, which involved payoffs.

The pet food was then shipped from China to Canada where it was canned for distribution into the United States under various brand names. If, in the US or Canada, the corporate philosophy was to either not bother with quality assurance testing or not adequately fund quality assurance testingn (thus rendering it ineffective), in order to reduce cost-of-goods-sold and boost profits, this is, in my opinion, organizational fraud as perpetrated by the canning company in Canada and the US distributors.

Another good example is children’s toys in regards to the use of lead paint and design flaws which, even when manufactured to the specifications, represented a hazard.

The lesson here is very simple: You can outsource manufacturing, but you can’t outsource responsibility.

Norman Katz, Katzscan

Roll Out to Your Community with RollStream

Share This on Linked In

RollStream (acquired by GXS) is a new entrant to the emerging SIM-centric (Supplier Information Management – centric) subspace of Supply Chain Management that has taken a Web 2.0 inspired approach to its solution. At the core of its “Enterprise Community Management” solution is the belief that collaboration is the missing critical component in many of today’s supplier management solutions.

As a result, when it comes to ease of use and supplier on-boarding, it has developed one of the best, as well as one of the easiest to use, solutions for Supplier Information Management as many people today are familiar and comfortable with the Web 2.0 and social network like interfaces it has developed for supplier, partner, and contact profile management as well as for survey creation and information gathering. It’s scalability and ease of use has allowed one of its largest customers to on-board their roughly 13,000 suppliers and manage roughly 150,000 points of contact. The solution has assisted this customer in credentials capture, compliance, training and enablement, and new technology rollout.

But, as you know, SIM is only the first component of Enterprise Management, whether you call it Supplier Central (CVM Solutions), Extended Enterprise Management (Hiperos), or Enterprise Community Management. There’s also, depending upon your outlook, risk, performance, compliance, sustainability, diversity, dispute resolution, initiative management, and collaboration for innovation.

The RollStream solution addresses, in its own words, basic Supplier Information Management in the form of on-boarding and profile management, Dispute Resolution by way of on-line collaboration, Compliance and Risk Management by way of task-managed projects and web surveys, and Performance and Feedback Management by way of a workflow-based community dashboard and collaborative scorecarding process.

The Supplier Information Management component, which is what they started with, is mature, and as I said above, one of the best and easiest to use solutions that you’re going to find for SIM on the market today, used by a number of global Fortune 3000’s to manage supplier bases of over 10,000 suppliers and 100,000 contacts in a number of verticals. The collaboration components, with complete conversation and audit trails, simplify the online dispute resolution process and make it much friendlier than the alternatives.

The Performance and Feedback Management is good for simple surveys and on-line discussions, but don’t expect to be able to build any complex scorecards within the system at this point in time. If you have a solution that generates your scorecards as spreadsheets or PDFs, you can automate the retrieval and attachment of the scorecards within the platform and then create tasks around the discussion of the scorecards with the relevant individuals at each of your suppliers, which could be quite helpful, but you can’t yet build complex scorecards within the system or attach comments to individual sections. This should not be an issue for most companies in most verticals, but if you are very metric-focussed or use collaborative scorecarding and need to retrieve inputs as well as send them and integrate all of the scorecards into a common collaboration tool, you’ll need to evaluate the solution carefully.

This brings us to the last component — Compliance, Risk, and Sustainability Initiative Management. Their solution, which allows you to build as many virtual sub-communities as you want within the application, and then create as many task-managed projects around those communities as you want, is quite powerful in its simplicity when it comes to the management of these projects, but most projects will require data collection and the degree of data collection will determine its fit within your organization. If you primarily do indirect sourcing or simple commodity sourcing, the solution should be more than enough for your needs as most of the regulatory requirements can be captured in simple yes-no questions. But if you do direct manufacturing, where you have to deal with RoHS, REACH, and or WEEE, the simple survey-monkey style web-form survey capability isn’t going to cut it when you have to capture not only whether or not thousands of chemicals are present in your products, but to what extent they are present. Similarly, if you have adopted, or foresee the need to adopt, complex carbon measurement calculations which depend not only on if-then logic (which the forms support) but also complex built-in calculations, then you’ll find their solution is not ready for prime time.

So what’s the verdict? I think many companies will find that the solution meets their SIM-Centric Enterprise Community Management needs, especially when you consider that even the best solution will take at least a year to roll-out to thousands of suppliers and get them proficient on the solution. In that timeframe, you’ll see more capability added to the Performance Management and Compliance, Risk, and Sustainability Management components as RollStream continues to implement their solution roadmap.

Panjiva Was Right — It is Doom and Gloom!

Share This on Linked In

If you’re been following Panjiva, namely their blog, their press releases (sign up at your own risk), or their twitter feed, you know that they’ve been preaching doom and gloom for months where global trade and supplier viability is concerned. Well, this has been backed up by a recent CPO Agenda survey, summarized in their recent article on “balancing the cost-risk equation”, that found that nearly half of the respondents have already experienced the bankruptcy of at least one key supplier since the year started and that over three quarters are (very) concerned about the prospect of other key suppliers going out of business before the year is over.

In plain English, if you haven’t lost a key supplier yet, it’s just a matter of time before you do. The only question is, will you know which one before the shipment fails to arrive and the line goes dead?

Beyond the Hack (Some Tips on Protecting Yourself from Inside Fraud)

Share This on Linked In

Editor’s Note: This is Norman Katz’s second post as a regular contributor on Sourcing Innovation. Norman, who has published dozens of articles on the subject, is a supply chain fraud and supply chain risk expert and will be covering these topics in his new column, which is indexed and archived.

Let’s start by taking a look at a real-life fraud story:

An accounting clerk who worked for Broward County (FL) workforce development agency perpetrated fraud that enabled her to walk away with $2.4M. Let’s learn a little bit about our fraudster:

  • She had worked at this government agency for over 10 years
  • She was hired with a criminal background (multiple convictions) but lied on her application
  • She did not have more than a high school education
  • She did not make more than $32,000 per year
  • She was living, with her property-manager husband, in an $840,000 house, and owned another house plus several apartments

I want to be very clear that this fraud was not perpetrated by hacking the agency’s network infrastructure; these breaches get lots of airplay in the media typically because they are associated with stolen credit card information. This fraud did not require the use of viruses or other network penetration hacking techniques. This fraud did not require extensive technical knowledge or programming skills of any kind. This fraud was perpetrated from inside and within: inside the organization (by an employee) and within the protected network infrastructure.

How was this fraud perpetrated? The fraudster wrote checks to herself. Yes, that’s it. The accounting clerk simply wrote herself checks. The check amounts varied from $12,000 to $20,000 during the course of approximately 6 years.

(The fraud was discovered by a bank teller; fortunately for the agency, the fraudster banked at the same financial institution as the agency did. The agency’s management admitted that a failure — or rather, lack — of internal controls and monitoring enabled this employee to perpetrate the fraud.)

In fairness, this fraud likely found its way into the news because it was done at a government agency; there are plenty of serious frauds that occur at private and public companies that never see the light of day due to the reputation damage they could cause. As such, too many fraudsters are not prosecuted to keep the organization’s name out of the news spotlight; these perpetrators are simply let go and can move on to other organizations to exploit their gaps.

While it’s very important to protect your network infrastructure, too many companies fail to address risks from the inside. Reasons given for top management’s unwillingness to take a serious look at internal risks range from an assumed trust in their employees to a lack of belief that it could happen at “my company”.

When users have extended or unrestricted rights within a business software application, especially when such broad authority permits bypassing or exceeding controls, there is a (greater) chance of fraud perpetration. Typically, such employees are performing multiple tasks that would better be separated across multiple employees.

A good starting point would be to review your employee handbook. Does the employee handbook contain sections that educate the employee as to what is and is not acceptable behavior? Are the penalties for breaches of conduct clearly stated? (And is the organization willing to back up words with action?) I’m pretty certain that even if the employee handbook had included such information, this agency employee would still have perpetrated the fraud. But this is just a starting point on what needs to be a continuous journey to bring integrity into the workplace for people, operations, and software applications.

Norman Katz, Katzscan