Category Archives: Risk Management

Roll Out to Your Community with RollStream


RollStream (acquired by GXS) is a new entrant to the emerging SIM-centric (Supplier Information Management – centric) subspace of Supply Chain Management that has taken a Web 2.0 inspired approach to its solution. At the core of its “Enterprise Community Management” solution is the belief that collaboration is the missing critical component in many of today’s supplier management solutions.

As a result, when it comes to ease of use and supplier on-boarding, it has developed one of the best, as well as one of the easiest to use, solutions for Supplier Information Management, as many people today are familiar and comfortable with the Web 2.0 and social-network-like interfaces it has developed for supplier, partner, and contact profile management as well as for survey creation and information gathering. Its scalability and ease of use have allowed one of its largest customers to on-board their roughly 13,000 suppliers and manage roughly 150,000 points of contact. The solution has assisted this customer in credentials capture, compliance, training and enablement, and new technology rollout.

But, as you know, SIM is only the first component of Enterprise Management, whether you call it Supplier Central (CVM Solutions), Extended Enterprise Management (Hiperos), or Enterprise Community Management. There’s also, depending upon your outlook, risk, performance, compliance, sustainability, diversity, dispute resolution, initiative management, and collaboration for innovation.

The RollStream solution addresses, in its own words, basic Supplier Information Management in the form of on-boarding and profile management, Dispute Resolution by way of on-line collaboration, Compliance and Risk Management by way of task-managed projects and web surveys, and Performance and Feedback Management by way of a workflow-based community dashboard and collaborative scorecarding process.

The Supplier Information Management component, which is what they started with, is mature, and as I said above, one of the best and easiest to use solutions that you’re going to find for SIM on the market today, used by a number of global Fortune 3000’s to manage supplier bases of over 10,000 suppliers and 100,000 contacts in a number of verticals. The collaboration components, with complete conversation and audit trails, simplify the online dispute resolution process and make it much friendlier than the alternatives.

The Performance and Feedback Management is good for simple surveys and on-line discussions, but don’t expect to be able to build any complex scorecards within the system at this point in time. If you have a solution that generates your scorecards as spreadsheets or PDFs, you can automate the retrieval and attachment of the scorecards within the platform and then create tasks around the discussion of the scorecards with the relevant individuals at each of your suppliers, which could be quite helpful, but you can’t yet build complex scorecards within the system or attach comments to individual sections. This should not be an issue for most companies in most verticals, but if you are very metric-focussed or use collaborative scorecarding and need to retrieve inputs as well as send them and integrate all of the scorecards into a common collaboration tool, you’ll need to evaluate the solution carefully.

This brings us to the last component — Compliance, Risk, and Sustainability Initiative Management. Their solution, which allows you to build as many virtual sub-communities as you want within the application, and then create as many task-managed projects around those communities as you want, is quite powerful in its simplicity when it comes to the management of these projects, but most projects will require data collection and the degree of data collection will determine its fit within your organization. If you primarily do indirect sourcing or simple commodity sourcing, the solution should be more than enough for your needs as most of the regulatory requirements can be captured in simple yes-no questions. But if you do direct manufacturing, where you have to deal with RoHS, REACH, and/or WEEE, the simple survey-monkey style web-form survey capability isn’t going to cut it when you have to capture not only whether or not thousands of chemicals are present in your products, but to what extent they are present. Similarly, if you have adopted, or foresee the need to adopt, complex carbon measurement calculations which depend not only on if-then logic (which the forms support) but also complex built-in calculations, then you’ll find their solution is not ready for prime time.

So what’s the verdict? I think many companies will find that the solution meets their SIM-Centric Enterprise Community Management needs, especially when you consider that even the best solution will take at least a year to roll-out to thousands of suppliers and get them proficient on the solution. In that timeframe, you’ll see more capability added to the Performance Management and Compliance, Risk, and Sustainability Management components as RollStream continues to implement their solution roadmap.

Panjiva Was Right — It is Doom and Gloom!


If you’ve been following Panjiva, namely their blog, their press releases (sign up at your own risk), or their Twitter feed, you know that they’ve been preaching doom and gloom for months where global trade and supplier viability is concerned. Well, this has been backed up by a recent CPO Agenda survey, summarized in their recent article on “balancing the cost-risk equation”, that found that nearly half of the respondents have already experienced the bankruptcy of at least one key supplier since the year started and that over three quarters are (very) concerned about the prospect of other key suppliers going out of business before the year is over.

In plain English, if you haven’t lost a key supplier yet, it’s just a matter of time before you do. The only question is, will you know which one before the shipment fails to arrive and the line goes dead?

Beyond the Hack (Some Tips on Protecting Yourself from Inside Fraud)


Editor’s Note: This is Norman Katz’s second post as a regular contributor on Sourcing Innovation. Norman, who has published dozens of articles on the subject, is a supply chain fraud and supply chain risk expert and will be covering these topics in his new column, which is indexed and archived.

Let’s start by taking a look at a real-life fraud story:

An accounting clerk who worked for the Broward County (FL) workforce development agency perpetrated fraud that enabled her to walk away with $2.4M. Let’s learn a little bit about our fraudster:

  • She had worked at this government agency for over 10 years
  • She was hired with a criminal background (multiple convictions) but lied on her application
  • She did not have more than a high school education
  • She did not make more than $32,000 per year
  • She was living, with her property-manager husband, in an $840,000 house, and owned another house plus several apartments

I want to be very clear that this fraud was not perpetrated by hacking the agency’s network infrastructure; these breaches get lots of airplay in the media typically because they are associated with stolen credit card information. This fraud did not require the use of viruses or other network penetration hacking techniques. This fraud did not require extensive technical knowledge or programming skills of any kind. This fraud was perpetrated from inside and within: inside the organization (by an employee) and within the protected network infrastructure.

How was this fraud perpetrated? The fraudster wrote checks to herself. Yes, that’s it. The accounting clerk simply wrote herself checks. The check amounts varied from $12,000 to $20,000 during the course of approximately 6 years.

(The fraud was discovered by a bank teller; fortunately for the agency, the fraudster banked at the same financial institution as the agency did. The agency’s management admitted that a failure — or rather, lack — of internal controls and monitoring enabled this employee to perpetrate the fraud.)

In fairness, this fraud likely found its way into the news because it was done at a government agency; there are plenty of serious frauds that occur at private and public companies that never see the light of day due to the reputation damage they could cause. As such, too many fraudsters are not prosecuted, in order to keep the organization’s name out of the news spotlight; these perpetrators are simply let go and can move on to other organizations to exploit their gaps.

While it’s very important to protect your network infrastructure, too many companies fail to address risks from the inside. Reasons given for top management’s unwillingness to take a serious look at internal risks range from an assumed trust in their employees to a lack of belief that it could happen at “my company”.

When users have extended or unrestricted rights within a business software application, especially when such broad authority permits bypassing or exceeding controls, there is a (greater) chance of fraud perpetration. Typically, such employees are performing multiple tasks that would better be separated across multiple employees.

A good starting point would be to review your employee handbook. Does the employee handbook contain sections that educate the employee as to what is and is not acceptable behavior? Are the penalties for breaches of conduct clearly stated? (And is the organization willing to back up words with action?) I’m pretty certain that even if the employee handbook had included such information, this agency employee would still have perpetrated the fraud. But this is just a starting point on what needs to be a continuous journey to bring integrity into the workplace for people, operations, and software applications.

Norman Katz, Katzscan
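
The internal controls and monitoring discussed in the post above can be expressed as a simple review of a check register. The following is an added example, not part of the original post; the record layout, employee IDs, names, and finding labels are all assumptions made for illustration. It flags checks where one user both created and approved the payment (a segregation-of-duties gap) and checks whose payee matches an employee, especially the employee who issued them.

```python
from collections import defaultdict

# Constructed sample data (not from the original post).
EMPLOYEES = {"E100": "Dana Clerk", "E200": "Sam Manager"}

# Hypothetical register layout: (check_no, payee, amount, created_by, approved_by)
CHECKS = [
    (1001, "Acme Training LLC", 15000.00, "E100", "E200"),
    (1002, "Dana Clerk", 12000.00, "E100", "E100"),
    (1003, "DANA  CLERK", 20000.00, "E100", "E100"),
    (1004, "Office Supply Co", 800.00, "E100", "E100"),
]


def normalize(name):
    """Lower-case and collapse whitespace so trivial spelling variants still match."""
    return " ".join(name.lower().split())


def review_checks(checks, employees):
    """Return {check_no: [finding, ...]} for checks that break a basic control."""
    employee_by_name = {normalize(n): eid for eid, n in employees.items()}
    findings = defaultdict(list)
    for check_no, payee, _amount, created_by, approved_by in checks:
        # Segregation of duties: creator and approver must be different people.
        if created_by == approved_by:
            findings[check_no].append("SOD_SAME_CREATOR_AND_APPROVER")
        # Payments to staff outside payroll deserve a second look.
        payee_id = employee_by_name.get(normalize(payee))
        if payee_id is not None:
            findings[check_no].append("PAYEE_IS_EMPLOYEE")
            # Highest priority: the payee handled the check themselves.
            if payee_id in (created_by, approved_by):
                findings[check_no].append("SELF_PAYMENT")
    return dict(findings)


if __name__ == "__main__":
    for check_no, reasons in sorted(review_checks(CHECKS, EMPLOYEES).items()):
        print(check_no, ", ".join(reasons))
```

Exact name matching is the weakest part of this sketch; a production review would also compare payee bank account and address details against employee records.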

Jim Lawton on Avoiding Supply Chain Disruption


Jim Lawton, Sr. VP & General Manager of D&B Supply Management Solutions, who guest posted on winning the battle on risk: information and technology here on Sourcing Innovation, recently penned a great article for Industry Week on understanding risk and avoiding supply chain disruption. According to Jim, avoiding supply chain disruption basically boils down to three steps:

  • get the data,
  • go beyond the finances, and
  • proactively manage the supplier base.

The first challenge of supplier risk management is compiling all supplier information into one centralized location. Since supplier information in most companies exists across dozens — if not hundreds — of systems, this is never an easy task. However, once the data is centralized, it can be used to drive predictive indicators that give insight into supplier viability as far out as 12 months in the future. Furthermore, manufacturers can determine the criticality of each supplier (and determine which suppliers need to be monitored most closely) by asking the following questions:

  • What need does the supplier fill?
  • How essential is the supplier to overall supply chain operations?
  • How does the supplier fit into the corporate plan for supplier diversity and sustainability?
  • What would happen if we lost the supplier?

Then — because risks come in many shapes, including operational, managerial, and geographic — manufacturers can go beyond the financial assessment and look at other factors that could be a cause for concern, which might include:

  • changes in the supplier’s management team
  • quality issues
  • noticeable lags in inquiry response time
  • EPA violations
  • OSHA incidents
  • OFAC violations

Finally, they can actively manage the supplier base to minimize risk, starting with forward-looking supplier scorecards that are designed to detect risks before they materialize and help the manufacturer work with the supplier to improve their operations and prevent disruptions.

Good stuff.

A Supply Chain Risk Management Checklist from PricewaterhouseCoopers

The Global Supply Chain Council recently published an article on “managing supplier risks in a downturn” that had a good checklist for global companies looking to improve their supply chain risk management. It’s definitely worth an expanded review.

As the author clearly points out, focusing on the processes that drive risk rather than reacting to specific events will allow supply managers to be more proactive. Risk mitigation should be incorporated into the sourcing strategy and qualification along with the traditional Price, Quality, Delivery, and Design Selection Criteria. Regular monitoring, and frequently a second source strategy, is necessary — but this should take a more insightful form than traditional third-party plant audits and quality checks. While quality checks are important, they are not a means to manage risk — they occur too late (in the process).

Select the Right Suppliers

  • Do Your Due Diligence
    Be sure the supplier is financially sound and operationally equipped to meet your needs.
  • Validate The Data You’re Basing Your Decision On
    Don’t rely on third party data sources if the supplier is going to be providing a critical part or service — validate the data on your own.
  • Understand Their Customer Portfolio
    Who else do they serve? How likely are they to understand your needs? How important will you be? If you would compose a significant percentage of their business, that could signify financial trouble. If your business would be a rounding error, it would be unrealistic to expect great customer service and first fulfillment if supply is limited.
  • Understand Their Supplier Management Process
    It’s not enough that they comply with your supplier management processes … if they don’t have any of their own, you have no way of knowing whether or not their suppliers are cost efficient, reliable, and socially responsible.

Improve Supplier Monitoring and Measurements

  • Utilize a Robust Risk-Based Monitoring Framework
    Make sure the framework, or scorecard, addresses regular reporting, financial and operational data collection, relevant information, and on-site reviews.
  • Analyze Risk Data Regularly
    A well designed monitoring framework / scorecard is one of your best early warning systems for a potential problem.
  • Focus on Suppliers Near the Limits
    Don’t just focus on suppliers outside the bounds of your risk tolerances … focus on those near the limits as well. This could represent an emerging problem or a malicious attempt to manipulate the system (with slightly skewed false data) to hide a serious problem.

Develop Supplier Development and Contingency Plans

  • Identify Suppliers Who Need Development
    Your efforts should be focused on critical suppliers who most need it.
  • Perform On-Site Reviews
    Self reporting is not sufficient. Do your suppliers understand the framework and metrics? Are they being completely honest with themselves, and with you? Do they even understand how well they could, and should, be doing?
  • Develop Performance Initiatives
    Tailor them to the specific needs of the supplier, as determined by your on-site reviews.
  • Provide the Appropriate Support
    They will need to be helped and guided through the process.
  • Identify Alternative Supply Sources
    Just in case.

Develop a Supplier Exit Strategy

  • Assemble a Cross-Functional Team
    This team will help you identify what the requirements are for a successful supplier.
  • Analyze Supply Alternatives
    Do a market assessment and identify likely candidates.
  • Determine the Appropriate Course of Action
    Stick with the supplier? Or move on?
  • Execute!
    Move on? Use your intelligence to put together the right RFX and begin the supplier selection process anew.