Category Archives: Supplier Management

Is Your Supplier Management Built On Bedrock?


Sometimes I feel
Like I need a new platform
Sometimes I feel
Like I’ve been banished
To the city of cavemen
The city of Bedrock
Where I’m a Flintstone
Now I’ll tell you why

Well, I’ve got I’ve got a fax for invoices
Well, I’ve got I’ve got an AP clerk writing cheques
Well, I’ve got I’ve got a green screen ERP
We push a little paper and we drink our cares away

… sound familiar? Then this article is for you!

Bedrock was founded by people who knew what it was like to live in the stone age of Purchasing and Supplier Management and decided to do something about it. More specifically, they built a supplier management platform designed to support both Accounts Payable AND Procurement, one that is as easy to use and as streamlined for suppliers as it is for the buyers it was built for.

In addition, it’s the first platform we’ve seen since Lavante (acquired by PRGX in late 2016, where the auditors feared it and the tech team never truly comprehended it [or they would have done with it what Opera, now ElectrifAI, did with BIQ: rebuild their entire platform on it]) that is built not only to support recovery audit but also to detect potentially duplicate payments before they are made (with more functionality on the horizon for 2024).

Bedrock was designed to be the supplier onboarding, information management, and accounts payable support platform that the majority of organizations, especially in the mid-market, don’t have. We’ll address each of these core capabilities separately.

But first, when you log in you are taken to the dashboard, which Bedrock, or your power user, can customize to display widgets that summarize the information in the system: number of suppliers, suppliers in onboarding or vetting, cleansing success, total associated spend, total recovered, total prevented, projects in progress, and so on. The widgets themselves are completely customizable and can display visual reports summarizing any piece of data in the system. Bedrock’s new UX, releasing in December, was designed not only to simplify and enhance the user experience, but to allow any data element, including data elements added for specific installations, to be processed and reported on.

Before we get to onboarding, we’ll start with Cornerstone Cleanse and Cornerstone Verify, the two modules you will want to employ when Bedrock first implements the platform.

Cornerstone Cleanse is designed to help you create your supplier golden record. Bedrock runs your organizational supplier data from your AP, ERP, or last-generation e-Sourcing / e-Procurement solution through its solution, identifies duplicate / missing / (obviously) erroneous data, adds data from its own global supplier database where it already has the supplier, automates the supplier requests for any remaining data, and then, once the profiles are updated, pushes them to your ERP/AP or source systems where you need up-to-date data and/or want to store your golden record. (Note that they are pros at API management, so if you were to augment your Bedrock platform with a Tealbook data feed, they would be able to automatically fill in all the missing data, do deeper validations on data elements than they could without a third-party data feed [since, where the supplier isn’t in their database, they are limited to data-type validations, i.e. is that a valid ISBN/address/etc.], and simplify the onboarding of a new supplier.)

On top of that, and this is something you don’t see much outside of the suite/enterprise-focussed solutions (with the enterprise price tag to match), is their Cornerstone Verify solution, which can automatically validate banking details, registrations (TIN, IEO, etc.), government sanctions (OFAC, HHS, PEP, DPL, etc.), and other key identifiers using the 60+ out-of-the-box integrations they have with the appropriate third parties (with new ones added every month). More importantly, they do more than return a match/no-match: they also return and cache all of the information associated with the check, so if something matches (that you didn’t expect to) or doesn’t match, you can see the entire record from the TIN, OFAC, HHS, or PEP registry. This allows you to determine whether a (non-)match was the result of a data input error, since you don’t want a mis-key denying a perfectly good supplier or allowing a questionable supplier to be verified. While there are a few last-generation providers that have more verifications, the new platform allows Bedrock to add a new API / lookup in two weeks or less, so if they’re missing something you actually need, they can have it integrated before your implementation is complete. Note that banking verifications are currently limited (and US-based at the moment); they are working on integrating global banking verification capability, which is coming in 2024.
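
To make the point about returning the whole record concrete, here is an added example written for this review (it is not Bedrock’s code, and the registry, list name, TINs and company names are all constructed and fictional). The TIN check looks the supplier up by identifier, compares the registered name to the submitted one, and, when the TIN is not found at all, looks for a registry record for the same name whose TIN is a single keystroke away, so a reviewer can tell a mis-key from a genuine non-match. The sanctions screen returns every fuzzy name hit together with its full entry and similarity score rather than a yes/no. The 0.85 name threshold is an assumption you would tune against real data.

```python
"""Added example: supplier verification that returns the whole registry record.

Constructed, fictional registry data; no real sanctions list or TIN registry
is consulted. Names, identifiers and the threshold are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from difflib import SequenceMatcher

LEGAL_SUFFIXES = {"inc", "incorporated", "ltd", "limited", "llc", "corp",
                  "corporation", "co", "company", "gmbh", "plc", "sa"}
NAME_THRESHOLD = 0.85   # assumed similarity cut-off for a name match


def normalize_name(name: str) -> str:
    """Casefold, drop punctuation and legal suffixes: 'ACME Widgets, Inc.' -> 'acme widgets'."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.casefold()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def normalize_id(identifier: str) -> str:
    """Keep only alphanumerics so '12-3456789' and '123456789' are the same TIN."""
    return re.sub(r"[^0-9a-z]", "", identifier.casefold())


def one_keystroke_apart(a: str, b: str) -> bool:
    """True if a and b differ by one substituted or one adjacently transposed character."""
    if len(a) != len(b) or a == b:
        return False
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(diffs) == 1:
        return True
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])


@dataclass
class CheckResult:
    status: str          # "match", "name_mismatch", "possible_miskey" or "no_match"
    score: float         # name similarity in [0, 1]
    record: dict | None  # the full registry record, cached for the reviewer


def verify_tin(supplier: dict, tin_registry: list[dict]) -> CheckResult:
    """Check the supplier's TIN against a registry and hand back the whole record, not a flag."""
    s_tin = normalize_id(supplier["tin"])
    s_name = normalize_name(supplier["name"])
    by_tin = {normalize_id(r["tin"]): r for r in tin_registry}
    if s_tin in by_tin:
        rec = by_tin[s_tin]
        score = SequenceMatcher(None, s_name, normalize_name(rec["name"])).ratio()
        return CheckResult("match" if score >= NAME_THRESHOLD else "name_mismatch", score, rec)
    # TIN unknown: is there a record for the same name with a TIN one keystroke away?
    for r_tin, rec in by_tin.items():
        score = SequenceMatcher(None, s_name, normalize_name(rec["name"])).ratio()
        if score >= NAME_THRESHOLD and one_keystroke_apart(s_tin, r_tin):
            return CheckResult("possible_miskey", score, rec)
    return CheckResult("no_match", 0.0, None)


def screen_sanctions(supplier: dict, sanctions: list[dict]) -> list[CheckResult]:
    """Fuzzy-match the supplier name against a list; return every hit with its record and score."""
    s_name = normalize_name(supplier["name"])
    hits = []
    for rec in sanctions:
        score = SequenceMatcher(None, s_name, normalize_name(rec["name"])).ratio()
        if score >= NAME_THRESHOLD:
            hits.append(CheckResult("match", score, rec))
    return sorted(hits, key=lambda h: h.score, reverse=True)


# Constructed sample data (fictional companies and identifiers).
TIN_REGISTRY = [
    {"tin": "12-3456789", "name": "Acme Widgets, Inc.", "status": "active"},
    {"tin": "98-7654321", "name": "Globex Trading Corporation", "status": "active"},
]
SANCTIONS_LIST = [
    {"list": "DEMO-LIST", "name": "Globex Trading Corp", "program": "demo", "entry_id": "D-0001"},
]

if __name__ == "__main__":
    good = {"name": "ACME Widgets Inc", "tin": "123456789"}
    miskeyed = {"name": "ACME Widgets Inc", "tin": "123456798"}   # last two digits transposed
    print(verify_tin(good, TIN_REGISTRY).status)       # match
    print(verify_tin(miskeyed, TIN_REGISTRY).status)   # possible_miskey
    for hit in screen_sanctions({"name": "Globex Trading", "tin": ""}, SANCTIONS_LIST):
        print(hit.score, hit.record)
```

The value for the reviewer is in the `record` field: a `possible_miskey` result shows the registry entry the supplier almost certainly meant, and a sanctions hit shows the program and entry so a false positive on a common name can be dismissed with evidence rather than a guess.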

And, of course, Cornerstone Cleanse and Cornerstone Verify can be continuously applied to all new suppliers as they are being onboarded with Cornerstone Onboard.

Cornerstone Onboard is designed to be an easy-peasy, one-screen, 20-minute basic onboarding process for the supplier. (Exceptions would be if you need them to upload/define a lot of product/category information.) A basic onboarding can literally be done in 10 minutes if you only need a few pieces of information and a few documents, and only minimal metadata and contact information needs to be defined for a supplier to be invited. Standard onboarding asks the supplier for information in the following 9 categories, each of which can be marked as mandatory or optional.

  1. Company Information – standard metadata tracked by all SXM solutions
  2. Additional Vendor Contacts – one must be defined to invite the vendor
  3. Financial Documents – with easy drag-and-drop upload
  4. Tax Document Information – for verification against US/EU registries
  5. Bank Details – for e-payments
  6. Product & Category Information – can be as minimal or extensive as the buyer and/or supplier likes
  7. Trade References – again, as minimal or extensive as the buyer and/or supplier likes
  8. Insurance Information – with metadata for auto-reminders to the supplier upon forthcoming expiry
  9. Minority/Diversity Certification – with document upload

The supplier can easily expand each section as needed, fill in the information, collapse the section, and continue (making a one-page registration process truly manageable). It saves partial progress (in case the supplier rep needs to go and track down a document), verifies that all mandatory information is completed before the supplier submits, and runs basic data (type) validations as well. Once the supplier submits the profile, all of the Cornerstone Verify validations are run, the profile goes into a queue for approval, and the buyer is notified. When the buyer opens the profile, any validations that failed (or were inconclusive due to missing data) are clearly visible: if the failure is due to missing/incomplete data, one click flips the profile back to the supplier with a request for updated information / documentation; if it fails due to sanctions, one click denies the supplier; and if everything is okay, one click approves the supplier.

Once the supplier is onboarded, it’s easy to query for, and bring up, the complete supplier profile on one screen (with expanding/collapsing sections), edit information, drill into verifications or attached documents, see open projects (in recovery), and even add new fields to the profile. Bedrock will customize the (default) supplier profile for you on implementation, adding any fields that you need, and you can add fields later as needed.

Once you have Bedrock implemented, whether as a standalone solution or integrated with your AP or ERP, you can activate their Keystone Recover solution, which is their contingency-based Accounts Payable recovery solution. As a first step, they apply their (semi-)automated 3-step recovery process which recovers an average of 0.15% just based on the payment data and invoice meta-data in your system and the statements the suppliers upload — which is 50% more than an average audit recovery solution will find. Then, they will dive into exceptions or abnormalities with their AP experts, ask suppliers for clarifications or additional uploads, and may find even more. Their solution can find duplicate payments and overpayments.

Once you have loaded supplier payments and invoices into their system, you can activate Keystone Prevent, which prevents duplicate / obvious overpayments before they are made. You drag and drop an ok-to-pay file into the platform, it processes all of the payments against the invoices and historical payments, and it immediately identifies any (likely) overpayments or duplicate payments. With a single click you can un-approve the identified over/duplicate payments and then export a revised payment file with just the payments that are obviously okay. It doesn’t matter what AP / payment system you use: Bedrock already supports a number of file formats and can easily add yours during implementation if you are using a payment-system file format they haven’t seen yet.
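
To show what such a pre-payment check actually has to do, here is an added example written for this review (not Bedrock’s code; the CSV layout, vendor IDs, invoice numbers, amounts and the seven-day window are constructed assumptions). It normalises invoice numbers so that “INV-0042” and “inv 42” collide, compares each line of the ok-to-pay file against the invoice register, the payment history and the other lines in the same file, flags overpayments, already-paid invoices, in-file duplicates and same-amount re-keyed invoices, and exports only the clean lines.

```python
"""Added example: screening an ok-to-pay file for duplicate and over-payments.

Constructed sample data; the CSV layout, vendor IDs and invoice numbers are
assumptions for illustration, not Bedrock's own formats.
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal


def norm_invoice(no: str) -> str:
    """'INV-0042', 'inv 42' and 'inv0042' all normalise to 'inv42'."""
    s = re.sub(r"[^a-z0-9]", "", no.casefold())
    m = re.fullmatch(r"([a-z]*)0*(\d+)", s)
    return m.group(1) + m.group(2) if m else s


@dataclass
class Payment:
    payment_id: str
    vendor_id: str
    invoice_no: str
    amount: Decimal
    pay_date: date
    flags: list[str] = field(default_factory=list)   # reasons this line was held

    def key(self) -> tuple[str, str]:
        return (self.vendor_id, norm_invoice(self.invoice_no))


def parse_pay_file(text: str) -> list[Payment]:
    """Read a CSV ok-to-pay file into Payment objects."""
    return [Payment(r["payment_id"], r["vendor_id"], r["invoice_no"],
                    Decimal(r["amount"]), date.fromisoformat(r["pay_date"]))
            for r in csv.DictReader(io.StringIO(text))]


def screen_payments(proposed: list[Payment], invoices: dict[tuple[str, str], Decimal],
                    history: list[Payment], window_days: int = 7) -> tuple[list[Payment], list[Payment]]:
    """Flag duplicates and overpayments in place; return (flagged, clean)."""
    invoice_amount = {(v, norm_invoice(i)): amt for (v, i), amt in invoices.items()}
    already_paid = {h.key() for h in history}
    seen_in_file: dict[tuple[str, str], str] = {}
    for p in proposed:
        key = p.key()
        if key not in invoice_amount:
            p.flags.append("no_matching_invoice")
        elif p.amount > invoice_amount[key]:
            p.flags.append(f"overpayment:{p.amount - invoice_amount[key]}")
        if key in already_paid:
            p.flags.append("already_paid")
        if key in seen_in_file:
            p.flags.append(f"duplicate_in_file:{seen_in_file[key]}")
        else:
            seen_in_file[key] = p.payment_id
        # Same vendor, same amount, different invoice number, close in time:
        # the classic re-keyed invoice. Flag the first historical hit.
        for h in history:
            if (h.vendor_id == p.vendor_id and h.amount == p.amount and h.key() != key
                    and abs((p.pay_date - h.pay_date).days) <= window_days):
                p.flags.append(f"possible_duplicate_of:{h.payment_id}")
                break
    flagged = [p for p in proposed if p.flags]
    clean = [p for p in proposed if not p.flags]
    return flagged, clean


def export_clean(clean: list[Payment]) -> str:
    """Write the revised ok-to-pay file containing only unflagged lines."""
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=["payment_id", "vendor_id", "invoice_no", "amount", "pay_date"])
    w.writeheader()
    for p in clean:
        w.writerow({"payment_id": p.payment_id, "vendor_id": p.vendor_id, "invoice_no": p.invoice_no,
                    "amount": str(p.amount), "pay_date": p.pay_date.isoformat()})
    return out.getvalue()


# Constructed sample data.
INVOICES = {("V100", "INV-0042"): Decimal("1250.00"), ("V100", "INV-0043"): Decimal("800.00"),
            ("V100", "INV-0044"): Decimal("500.00"), ("V200", "A-7"): Decimal("300.00")}
HISTORY = [Payment("P-1", "V100", "INV-0042", Decimal("1250.00"), date(2024, 1, 10)),
           Payment("P-2", "V100", "INV-0039", Decimal("500.00"), date(2024, 1, 12))]
SAMPLE_PAY_FILE = """payment_id,vendor_id,invoice_no,amount,pay_date
P-10,V100,inv 42,1250.00,2024-01-15
P-11,V100,INV-0043,850.00,2024-01-15
P-12,V200,A-7,300.00,2024-01-15
P-13,V200,A7,300.00,2024-01-15
P-14,V300,X-1,100.00,2024-01-15
P-15,V100,INV-0044,500.00,2024-01-15
"""

if __name__ == "__main__":
    flagged, clean = screen_payments(parse_pay_file(SAMPLE_PAY_FILE), INVOICES, HISTORY)
    for p in flagged:
        print(p.payment_id, p.flags)
    print(export_clean(clean))
```

The “un-approve” step in the text corresponds to dropping the flagged lines from `export_clean`; the per-line flags are what a reviewer needs to decide whether a hold is a real duplicate or, say, a legitimate second shipment billed under a re-used invoice number. A production check would add amount tolerances and a fuzzy vendor match, since the same supplier often exists under several vendor IDs.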

Moreover, when they identify a duplicate/overpayment, they ask the supplier for an explanation of why it happened so they can identify a root cause and either make a recommendation to the supplier to prevent it from happening again, create a new rule / algorithm to more easily identify similar situations with that, and other, suppliers in the future, or both. (This allows the company to understand why errors are happening and proactively work with suppliers to fix their system or process to prevent them from happening again.) Also, once an overpayment is detected, Bedrock follows up to get a credit memo or refund, depending on the buyer’s preferences.

And the buyer has complete visibility into the process at any time. Payments/invoices processed, supplier statements requested, supplier statements uploaded, supplier statements processed, claims opened, claims closed, credit memos received, refunds coming, refunds received, and associated root causes for each claim. A buyer can also click into any claim and see the complete communication history.

Finally, you can even use the solution to do Payments with Keystone Pay. Bedrock takes over your payment operations and accomplishes payments using their partnership with Finexio.

And the new UX allows the solution to be completely configured by a Power User. A Power User can add new users, and, section by section, grant different levels of permissions to the user. So only people with payment authority will see banking details, only people with purchasing authority might have complete access to the product and category information, only account owners can edit, and so on.

A Power User can also define the currencies, the e-mail templates used to invite suppliers, GDPR rules, roles, claim preferences (for Audit Recovery), verification rules (including mandatory verifications a supplier has to pass in order for a buyer to be given an approval option), and basic platform configuration settings. These settings can include localizations, cron jobs, authorization workflows, reminder intervals (for document refresh), and PDF support (among other things).

So, if you’re looking for a modern Supplier Information/Onboarding Management solution with great support for Procurement and Accounts Payable, and you’re looking to minimize your AP losses from over and duplicate payments (as well as reducing your risk of fraud as you can verify supplier entities and bank accounts), and even simplify payments as a whole, we highly suggest you take a look at Bedrock — especially if you are a mid-market operation that can’t afford the few enterprise solutions that are out there (or are tired of paying thousands of dollars and waiting 6 to 12 months for them to add a single field to your supplier profile).

Bedrock is a great foundation for your supplier management activities, and will help get you out of the stone age. In fact, we predict that if you need a SXM solution that supports Procurement and AP, and implement Bedrock, like Weird Al, it won’t be long before you’re singing:


Yabba dabba, yabba dabba dabba doo now
Yabba dabba, yabba dabba dabba doo now
Yabba dabba, yabba dabba dabba doo now
Don’t know what it means but I say it anyhow!

Bedrock Anthem

Source-to-Pay+ Part 5: Supply Chain Risk (Generic)

In Part 1 we noted that Risk Management went much beyond Supplier Risk, and the primitive Supplier “Risk” (or should we say “Uncertainty”) Management application that is bundled in many S2P suites. Then, in Part 2, we noted that there are risks in every supply chain entity; with the people and materials used; and with the locales they operate in. In Part 3 we moved onto an overview of Corporate Risk and then in Part 4 we took on Third Party Risk (in Part 4A and 4B).

But there’s much more to risk than just the (internally focused) corporate risks and the third party (supplier) risks. There are also supply chain risks. Today we are going to discuss the basic supply chain risks that an organization can expect to keep track of with a generic supply chain risk management application.

Multi-tier Mapping: A good supply chain risk management system will map the organization’s known supply chain and allow it to track what facilities are located where, at least to the extent that they supply a higher tier that eventually leads to a good or service being delivered to a company location. This will include the tier 1 suppliers, the tier 2 suppliers they use, the known locations of the suppliers they use, all the way down to the raw materials. It will include intermediate warehouses, ports, (cross-)docks, rail yards, and FTZs used by the organization.

The organization will be able to search by product and see the known supply chain, or search by location, see the suppliers who are there, and then see all the products that flow through those suppliers at that location.

Geo-Political Tracking: For every region the organization does business in, the platform tracks news and events related to the geo-political climate. Government decisions, labour unrest, increases in crime, terrorist activity, man-made disasters and other, related, events will be tracked. Government stances on issues, local business preferences, likely election outcomes, and anything that could cause a change in the political climate will also be tracked.

For each government decision, labour unrest, terrorist activity, man-made disaster, closure, etc, the platform will associate it with all affected suppliers and supply chain network nodes (warehouses, ports, etc.) in the network. In addition, any news or events that may turn into an event of interest will also be referenced.

Economic Tracking: For every region the organization does business in, the platform will track the local economy. How is the currency trading against the primary currencies used by the organization, and is it increasing or decreasing in value? How is the local job market; is unemployment decreasing or increasing? How is local consumer spending?

All of the above are indicators of the local economy. The organization is interested in not only how much it will cost for the goods now and tomorrow, but, if they are selling in the local economy, how likely it is the local market will (continue to) be able to afford the products, and how likely the supplier will be able to attract and retain the workforce it needs to serve the organization.

Natural Disasters: For every region, and every region between every region the company sources from and every region they sell in, the organization tracks natural disasters, their impacts, and, if recovery is necessary, the state of recovery. It also tracks natural disaster risk, and any nearby (weather) events that could turn into a disaster (hurricanes forming over the ocean, tremors that could signal an earthquake, lava flows that could signal a volcanic eruption, etc.).

In addition to tracking the disasters that have happened, might happen, and will happen again, it also tracks the impact a disaster will have for every day a supplier’s operation is disrupted. The platform will contain the ability to model the cost of a disruption at every tier 1 node and propagate that down the chain.

Disruption Tracking: The platform will also contain the ability to track arbitrary disruptions, track the recovery status, model the potential impact, and track the actual impact.

This will normally form the foundation of a control centre, which will be integrated with the analytics and monitoring capability (which, as we noted in our last three parts, will be covered in a separate article), and allow the organization to centrally track, manage, and mitigate organizational risks.

Transport Mapping & Tracking: As noted above, the platform will track every region, and every region between every region, that the company operates in and use this information to map and track the organization’s transport networks. Every node used by every carrier will be tracked, every lane will be mapped, and every route monitored to the extent possible by the application.

This normally won’t be a full-fledged transport risk management platform, which is something we will cover in another article, but it will provide enough of a foundation that a third-party application can be linked in or data feeds imported.

Moreover, a Generic Supply Chain Risk Management Application will also contain a host of generic analytics/planning/monitoring capabilities, but since many of these are common, and since stand alone risk-focussed analytics applications are also part of the plethora of offerings out there, instead of discussing these generic features in this and every other article, as we noted in our coverage of Corporate Risk, we will instead discuss these capabilities in an article dedicated to Risk Analytics and Monitoring.

Source-to-Pay+ Part 4B: Third Party Risk, Part 2

In Part 1 of this series we noted that Risk Management went much beyond Supplier Risk, and the primitive Supplier “Risk” Management application that is bundled in many S2P suites (which is really more of a Supplier “Uncertainty” Management module). Then, in Part 2 of this series, we noted that there are risks in every supply chain entity; with the people and materials used; and with the locales they operate in. Then in Part 3 of this series we discussed inwardly focussed Corporate Risk Management, which some companies offer partial solutions to in the form of GRC (Governance, Risk, and Compliance) solutions.

Then, yesterday in Part 4A, we began our discussion of third party risks and outlined some of the specific baseline capabilities that such a solution should possess. Today we complete our discussion of third party risk and outline the remainder of baseline capabilities that we believe such a solution should possess.

Sustainability: An organization needs to be sustainable, which it can only be if the suppliers it uses are sustainable as well. As such, a TPRM solution needs to monitor the sustainability of its suppliers: their carbon footprint, or at least the footprint of the products/services they provide, associated GHG emissions, and (fresh)water utilization, especially where these are significant or beyond the norm (and reducible).

This part of the application should integrate with third party data feeds and assessments on sustainability as well as the integrated assessment module.

Commodity Markets: Sudden, unexpected price increases represent a great risk to the organization, no matter where they occur in the chain. Since it’s usually the supplier (or the supplier’s supplier) who buys the raw materials from the commodity markets, the organization often doesn’t know about the price increase until it’s too late. Thus, it’s critical that an organization monitor the commodity markets for any raw materials it needs in considerable quantity that can have a significant impact on its financials.

Thus, a good TPRM system will integrate with commodity market feeds and track the raw materials used in the relevant Bill of Materials of the organization. As such, the system should also integrate with the ERP and be able to pull in the raw materials the organization’s suppliers need to acquire in large quantities on a regular basis.

Location Considerations: There’s a lot of risk associated with a location. Geopolitical, economic, natural disaster, and so on. The system should track all of the locations associated with each third party, the risks associated with the location, the likelihood, and, if possible, the potential impact.

This part of the solution should tie into the event monitoring, sentiment monitoring, third party feeds, and any other indicators that could indicate a location-based risk. When one is detected, all of the (potentially) impacted suppliers should be identified, and the potential severity of the event also identified.

Certificates: The solution must track all appropriate certificates / certifications for third parties that the organization needs to verify that the organizations are compliant with regulations, have the appropriate insurance, and so on.

A good solution will also integrate with third parties that can verify the existence/issuance of the certificate, the dates of validity, and other key meta-data.

Industrial Accidents: It’s important to keep track of any industrial accidents in the third parties you do business with, whether they have been cleaned up, what the impacts were, and whether or not the third parties have taken steps to prevent similar accidents from happening again. A supplier that could be shut down at any time due to an accident which has more than a negligible chance of occurring is not a reliable supplier. Plus, this can also impact reputation / brand.

Thus, the application needs to tap into organizational filings and disclosures to identify past accidents, event monitoring to identify accidents as they happen, assessments to get updates from suppliers as they clean up / recover, action plans that capture what the supplier/third party plans to do, and monitoring.

Recalls: Just like it’s important to keep track of industrial accidents, it’s also important to keep track of recalls. For what, how often, and how severe. A supplier that has to regularly do recalls has quality (management) issues and is not a supplier you want to be relying on.

It’s important that the application track recalls, track any updates on those recalls, and track any news stories that led to those recalls. You also want to know how often a supplier has had to do a recall in the past.

Related Parties: We’ve more-or-less stated this in many of the sections above, but it’s critical that you track the parties related to a supplier/third party of interest. Those that supply, service, or invest in the third parties you rely on should also be tracked. In addition to tracking these, it’s critical to maintain the relevant relationships between the parties and keep this up to date.

The system should integrate with third party corporate registries that track ownership and relationship information and update the relationships in the TPRM as necessary.

Action Plans / Development Goals: As we hinted at in our discussion of Industrial Accidents, it’s not enough to just track the risks, the likelihood, and indicators they are materializing / have materialized; an organization has to work with suppliers to minimize the likelihood and, should they materialize, minimize the recovery time and the impact on the organization.

The application must support the definition of a multi-stage plan, with multiple tasks per stage, collaborative development of the plan, approval workflows, and when the plan is instantiated, execution and tracking of the progress made by the third party. Basically, it’s customizable development program management for a third party.

Maturity Model: The platform should support the definition of maturity models by third party (supplier) organization type, the mapping of third parties to these models, default action plans that can be instantiated to help a third party progress up the maturity model, and associated metrics to measure the aptitude of a third party at each level.

In other words, it’s not just point-based program management for the development of select capabilities in a third party, it’s integrated multi-faceted organizational management of a third party with monitoring, management, and reporting over time.

Moreover, a Third Party Risk Management (TPRM) solution will also contain a host of generic analytics/planning/monitoring capabilities, but since many of these are common, and since stand-alone risk-focussed analytics applications are also part of the plethora of offerings out there, instead of discussing these generic features in this and every other article, as we noted in our coverage of Corporate Risk, we will discuss these capabilities in an article dedicated to Risk Analytics and Monitoring.

Source-to-Pay+ Part 4A: Third Party Risk, Part 1

In Part 1 we noted that Risk Management went much beyond Supplier Risk, and the primitive Supplier “Risk” Management application (that we prefer to call Supplier “Uncertainty” Management) that is bundled in many S2P suites. Then, in Part 2, we noted that there are risks in every supply chain entity; with the people and materials used; and with the locales they operate in. Then, in Part 3, we discussed inwardly focussed Corporate Risk Management, which some companies offer partial solutions to in the form of GRC (Governance, Risk, and Compliance) solutions.

Today we are going to talk about some of the third party risks and outline the function-specific baseline capabilities that such a solution should possess. Before we get started on the risks, we should note that a third party risk management (TPRM) solution can also be used for Supplier Management: a supplier, in addition to being a second party, could also be one of the many “third parties” an organization has to worry about if it is a sub-tier provider contracted by another primary, first-tier supplier of the organization, and a good TPRM solution will contain all of the functionality of an average Supplier Risk/Uncertainty Management module in a Source-to-Pay solution and much, much more.

We’ll continue in yesterday’s format, outlining some of the key capabilities and what that may mean solution-wise. There are quite a few key capabilities. So many, in fact, that, as you may have noticed, we’re breaking this article up into two parts.

Customizable Assessments: No matter how many capabilities come out of the box, every organization is going to need to do a customized assessment of a third party at some point. Thus, any TPRM system must support the creation of customized assessments with arbitrary questions, multiple forms of answers (multi-select, numeric, free-form, etc.), customizable weighting systems (that also support group-based weightings using averages, medians, or weightings based on role), and customizable reporting on the results.

In addition, the system should come with a slew of starting, customizable assessments out of the box for every area covered in the application, whether or not there are third-party data feeds and assessments that can be pulled into the application for use by the client. (This is because most third-party feeds and assessments come with a cost, which may not be worth it to the organization if that aspect is only relevant to a few suppliers or doesn’t cover all of the aspects an organization needs.)

Reputation/Brand: As we noted in our last article, a significant risk to the company is its reputation/brand, and that includes reputation/brand risks that come from being associated with third parties with reputation/brand risks. As a result, an organization needs to keep on top of the reputation/brand of its suppliers and partners.

Thus, it needs a platform that can monitor news sources and social media and look for stories about all of its suppliers and partners that could blow up, sentiment that could propagate, and events that could cause repercussions through the supply chain.

Regulatory Compliance: Organizations need to be compliant with regulations in every geography in which the organization does business, which means that it needs its core suppliers and key partners to also be compliant with those regulations. As a result, it needs to monitor all of its suppliers and their suppliers/partners for compliance with the regulations that are relevant to those suppliers/partners.

This may mean tracking certifications, tracking raw material inputs, tracking human resources assigned to projects, tracking carbon/GHG reports from the third party, and other key pieces of information. It may mean asking suppliers for additional (self-)assessments, getting (temporary) access to third-party data feeds, and having third parties do compliance audits for you.

Ownership/Financials: Just like your company cannot be associated with sanctioned entities, you need to be careful not to do business with suppliers who are (partially) owned or controlled by sanctioned entities as well, or who are doing business with sanctioned entities to support your organization. In addition, you don’t want to be doing business with suppliers or third parties who are financially unstable, as their bankruptcy could negatively impact your business.

Thus, this system must tie into all sanctioned and denied party lists of every country it operates in, cross-reference the ownership and partners of all suppliers/third parties the company does business with against the sanction list, and monitor ownership changes as they occur. In addition, it should tie into systems that monitor financials of public companies as well as systems that judge the financial stability of private companies.

Human/Labour Rights: Legislation has been introduced and/or is being considered in many jurisdictions around the world that makes your organization responsible for any abuses of human or labour rights in the supply chain. It’s important to have systems that can monitor for human/labour rights in the supply chain, even if this is only through integrations with third parties that do (independent) on-site assessments.

This should also make use of the brand/reputation monitoring module that monitors news sources, events, and related data feeds to scan for anything that could indicate a human/labour rights violation.

Come back tomorrow for Part 4B as we continue our discussion of Third Party Risk.

Source-to-Pay+ Part 3: Corporate Risk

In Part 1 we noted that Risk Management went much beyond Supplier Risk, and the primitive Supplier “Risk” Management application that is bundled in many S2P suites. Then, in Part 2, we noted that there are risks in every supply chain entity; with the people and materials used; and with the locales they operate in. These risks come in all shapes and sizes. And any single risk can sink the company.

Today we are going to talk about some of the internal corporate risks and outline the function specific baseline capabilities that such a solution will normally possess.

Reputation/Brand: A significant risk to a company is its reputation/brand, especially if it’s primarily selling to consumers. And the problem with reputation/brand damage is that it can come from anywhere. A quality issue that leads to a defect that causes consumers harm. Raw materials that are harmful to human health and might cause cancer, or worse, if consumed, inhaled, or even touched. An offensive statement (to a group of people) by an executive. A targeted online misinformation campaign by a disgruntled customer. Environmentalists who claim the organization is doing unnecessary environmental damage. Forced and slave labour. The repercussions of continuing to buy cobalt and copper from the Congo while turning a blind eye to rampant sexual violence and rape. (An average of 48 victims are treated per day by Médecins Sans Frontières; that’s 17,520 per year. And this has been going on for over a decade.)

And in these difficult times, you also have to deal with

  • Sourcing from countries engaged in “special military exercises” that have effectively started wars with other countries and
  • Sourcing from countries whose response to terrorist attacks has resulted in 10X the number of casualties caused by the terrorists.

In these two situations, it might be the case that most of your consumer base doesn’t care, but some will praise you for staying the course and helping the side they think is right (or good), while others will go out of their way to aggressively attack your brand for helping the side they think is wrong (or evil). And so on.

As such, the platform needs to be able to monitor news sources and social media. It must look for stories that could blow up, sentiment that could propagate, and events associated with related entities that could propagate. It must tie into multi-tier manufacturing systems to monitor raw materials, and into quality control systems to monitor production quality. It must tie into CSR/EHG systems to make sure the company is being environmentally conscious. And so on.
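The monitoring described here, and the brand/reputation monitoring module mentioned earlier in the human/labour rights discussion, boils down to one loop: take a feed item, check whether it mentions a watched entity (a supplier, a sub-tier supplier, an executive), check whether it carries risk language, and raise a scored alert when both are true. The following is an added example of that loop, not code from the original post or from any vendor's platform; the watchlist, aliases, risk taxonomy, severities and feed items are all constructed placeholders.

```python
"""Brand/reputation event monitor (added example, constructed data only).

Scans feed items for mentions of watched entities combined with risk
indicators and emits scored alerts, de-duplicating syndicated copies.
"""
import re
from dataclasses import dataclass

# Constructed watchlist: canonical entity name -> known aliases and supply tier.
WATCHLIST = {
    "Example Cobalt Mining Co": {"aliases": ["ExCo Mining", "Example Cobalt"], "tier": 2},
    "Acme Widgets Ltd": {"aliases": ["Acme Widgets", "ACME"], "tier": 1},
}

# Constructed risk taxonomy: category -> indicator phrases (lower-cased).
RISK_TAXONOMY = {
    "human_rights": ["forced labour", "forced labor", "child labour", "child labor", "sexual violence"],
    "environment": ["toxic spill", "deforestation", "illegal dumping"],
    "quality_safety": ["product recall", "injury", "contaminated"],
    "sanctions_legal": ["indicted", "sanctioned", "lawsuit"],
}

# Constructed severity per category; an alert takes the highest of its categories.
SEVERITY = {"human_rights": 5, "quality_safety": 4, "sanctions_legal": 4, "environment": 3}


@dataclass
class Alert:
    entity: str
    tier: int
    categories: list
    severity: int
    source: str


def _compile_entity_patterns():
    """One case-insensitive, word-bounded regex per entity; longest alias first."""
    patterns = {}
    for canonical, info in WATCHLIST.items():
        names = sorted([canonical] + info["aliases"], key=len, reverse=True)
        alt = "|".join(re.escape(n) for n in names)
        patterns[canonical] = re.compile(rf"\b(?:{alt})\b", re.IGNORECASE)
    return patterns


ENTITY_PATTERNS = _compile_entity_patterns()


def classify(text):
    """Risk categories whose indicator phrases occur in the text."""
    lowered = text.lower()
    return [cat for cat, phrases in RISK_TAXONOMY.items() if any(p in lowered for p in phrases)]


def scan_items(items):
    """items: dicts with 'id', 'source', 'text'. Returns one Alert per (entity, item).
    Items sharing an id (syndicated copies) are processed once."""
    seen, alerts = set(), []
    for item in items:
        if item["id"] in seen:
            continue
        seen.add(item["id"])
        cats = classify(item["text"])
        if not cats:
            continue  # risk language about nobody we watch is noise for this module
        for canonical, pattern in ENTITY_PATTERNS.items():
            if pattern.search(item["text"]):
                severity = max(SEVERITY[c] for c in cats)
                alerts.append(Alert(canonical, WATCHLIST[canonical]["tier"], cats, severity, item["source"]))
    return alerts


# Constructed feed items standing in for news/social media pulls.
SAMPLE_FEED = [
    {"id": "n1", "source": "wire-A", "text": "Report alleges forced labour at ExCo Mining sites; activists call for boycott."},
    {"id": "n1", "source": "wire-B", "text": "Report alleges forced labour at ExCo Mining sites; activists call for boycott."},
    {"id": "n2", "source": "wire-A", "text": "Acme Widgets announces record quarterly earnings."},
    {"id": "n3", "source": "social", "text": "ACME issues product recall after reports of injury from faulty heaters."},
]

if __name__ == "__main__":
    for alert in scan_items(SAMPLE_FEED):
        print(alert)
```

The tier on each alert is what lets the module distinguish a story about a tier-1 supplier from one about a tier-2 mine the organization never contracted with directly but still sources from, which is exactly the multi-tier exposure the paragraph is concerned with.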

Sanctioned Entities: An organization that does business with organizations on sanctioned or denied lists can get in serious trouble. It can be prohibited from doing business with government entities, fined, and the executives (criminally) charged. But it’s not just entities, it’s individuals as well. And it’s not just potential employees or contractors, but (potential) investors as well.

It’s critical that the system tie into all sanction and denied party lists of every country it does business in, all lists of organizations that have had lawsuits brought against them (and the results if the lawsuits have been concluded), and lists of individuals who have investments in related corporations.
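Tying into the lists is only half the job; the other half is matching, because list entries and vendor master records rarely spell a name the same way (legal suffixes, accents, word order, transliteration). The following is an added example of the screening step, not code from the original post or any vendor's product: it normalizes names, then compares each vendor and each associated individual against a consolidated list using exact, token-set and character-level similarity. The list entries, vendors, persons and the 0.85 threshold are all constructed.

```python
"""Denied-party screening of a vendor master (added example, constructed data).

Each vendor, and each person associated with it (owners, directors, investors),
is compared against consolidated list entries of the matching kind.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Legal-form tokens that carry no identity and are dropped before matching.
LEGAL_SUFFIXES = {"ltd", "limited", "llc", "inc", "corp", "corporation", "gmbh", "sa", "plc", "co", "company"}


def normalize(name):
    """Fold accents, drop periods, lower-case, tokenize, strip legal suffixes."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", folded.replace(".", "").lower())
    return tuple(t for t in tokens if t not in LEGAL_SUFFIXES)


# Constructed consolidated list: (list name, listed name, entry type).
DENIED_LIST = [
    ("LIST-A", "Globex Trading Corporation", "entity"),
    ("LIST-A", "Ivan Example", "individual"),
    ("LIST-B", "Société Fictive S.A.", "entity"),
]

# Constructed vendor master with associated persons that must be screened too.
VENDOR_MASTER = [
    {"vendor_id": "V100", "name": "Globex Trading Corp.", "persons": ["Jane Doe"]},
    {"vendor_id": "V101", "name": "Harmless Widgets Ltd", "persons": ["Ivan Example", "Ann Other"]},
    {"vendor_id": "V102", "name": "Societe Fictive SA", "persons": []},
    {"vendor_id": "V103", "name": "Clean Supplier Inc", "persons": ["Bob Nobody"]},
]


def match_score(candidate, listed):
    """Similarity in [0, 1] between two names after normalization."""
    a, b = normalize(candidate), normalize(listed)
    if not a or not b:
        return 0.0
    if a == b:
        return 1.0
    # Token-set overlap handles reordered words ("Example Ivan" vs "Ivan Example").
    overlap = len(set(a) & set(b)) / len(set(a) | set(b))
    # Character-level ratio catches spelling and transliteration variants.
    ratio = SequenceMatcher(None, " ".join(a), " ".join(b)).ratio()
    return max(overlap, ratio)


def screen_vendor(vendor, denied=DENIED_LIST, threshold=0.85):
    """Hits as (subject, list name, listed name, score) for the vendor and its persons."""
    hits = []
    subjects = [(vendor["name"], "entity")] + [(p, "individual") for p in vendor["persons"]]
    for subject, kind in subjects:
        for list_name, listed, listed_kind in denied:
            if kind != listed_kind:
                continue  # compare entities with entities, people with people
            score = match_score(subject, listed)
            if score >= threshold:
                hits.append((subject, list_name, listed, round(score, 2)))
    return hits


def screen_master(master=VENDOR_MASTER):
    """vendor_id -> hits, for vendors that must be blocked pending review."""
    result = {}
    for vendor in master:
        hits = screen_vendor(vendor)
        if hits:
            result[vendor["vendor_id"]] = hits
    return result


if __name__ == "__main__":
    for vendor_id, hits in screen_master().items():
        print(vendor_id, hits)
```

A hit is a hold, not a verdict: a fuzzy score is a signal for a compliance analyst to resolve against the list entry's other identifiers (addresses, dates of birth, registration numbers) before the vendor is cleared or rejected, and both the hit and the resolution should be retained as evidence.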

Fraud: Every organization that makes money is at risk of being defrauded. That fraud can come from employees, including top executives, suppliers, third parties, and cyber criminals.

Such a system should integrate with the Supplier/Vendor Master to ensure that all invoices are coming from valid entities; with the purchase order system to ensure the invoices match purchase orders and the payment amounts are valid; and with the payment system to make sure the payments go to accounts known to be associated with the vendor who sent the invoice. It should also ensure that no payment is made without an invoice or an appropriate counter-signed / doubly approved payment authorization.

Such a system should also look at connections: connections between the individuals in the organization who cut the PO, claim the services were delivered, and make the payment, and the individuals who sent the invoice, verified the delivery, and accepted the payment.

Such a system should also integrate with the cyber monitoring and internet security systems and look for unusual activity that could indicate potential fraud.
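The invoice controls and the connection checks described above are mechanical enough to run on every payment batch before release. The following is an added example of such a pre-payment control, not code from the original post or any vendor's product. It checks each invoice against the vendor master (active vendor, payee account already on file, known vendor contact), against its purchase order (amount, receipt confirmation), enforces two distinct approvers for non-PO invoices, enforces separation of duties between raising the PO, confirming receipt and approving payment, and flags anyone in that chain with a declared relationship to the vendor. All vendors, POs, people and relationships are constructed.

```python
"""Pre-payment invoice controls (added example, constructed data only)."""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional


@dataclass
class Invoice:
    invoice_id: str
    vendor_id: str
    amount: Decimal
    payee_account: str                 # account the invoice asks to be paid into
    po_number: Optional[str]           # None for a non-PO invoice
    submitted_by: str                  # vendor-side contact that sent it
    receipt_confirmed_by: Optional[str]
    approvers: list = field(default_factory=list)


# Constructed vendor master: accounts verified out-of-band and known contacts.
VENDOR_MASTER = {
    "V100": {"active": True, "accounts": {"GB00-0001"}, "contacts": {"sales@v100.example"}},
    "V101": {"active": False, "accounts": {"GB00-0002"}, "contacts": set()},
}
# Constructed purchase orders.
PURCHASE_ORDERS = {
    "PO-1": {"vendor_id": "V100", "amount": Decimal("5000.00"), "raised_by": "alice"},
    "PO-2": {"vendor_id": "V100", "amount": Decimal("900.00"), "raised_by": "bob"},
}
# Constructed register of declared employee/vendor relationships.
DECLARED_RELATIONSHIPS = {("bob", "V100")}
TOLERANCE = Decimal("0.01")


def check_invoice(inv, master=VENDOR_MASTER, pos=PURCHASE_ORDERS, relationships=DECLARED_RELATIONSHIPS):
    """Return control findings; an empty list means the invoice may be released."""
    findings = []
    vendor = master.get(inv.vendor_id)
    if vendor is None or not vendor["active"]:
        return ["unknown or inactive vendor"]
    if inv.payee_account not in vendor["accounts"]:
        findings.append("payee account not on vendor master (possible account-change fraud)")
    if inv.submitted_by not in vendor["contacts"]:
        findings.append("invoice submitted by unknown vendor contact")
    roles = [inv.receipt_confirmed_by, *inv.approvers]   # people who touched this payment
    if inv.po_number is None:
        if len(set(inv.approvers)) < 2:
            findings.append("non-PO invoice requires two distinct approvers")
    else:
        po = pos.get(inv.po_number)
        if po is None or po["vendor_id"] != inv.vendor_id:
            findings.append("PO missing or belongs to a different vendor")
        else:
            roles.append(po["raised_by"])
            if abs(po["amount"] - inv.amount) > TOLERANCE:
                findings.append(f"amount {inv.amount} does not match PO amount {po['amount']}")
            if inv.receipt_confirmed_by is None:
                findings.append("no goods/services receipt confirmation")
    roles = [r for r in roles if r]
    # Separation of duties: raising the PO, confirming receipt and approving must be different people.
    if len(set(roles)) < len(roles):
        findings.append("separation-of-duties violation: one person holds multiple roles")
    # Connection check: anyone in the chain with a declared relationship to this vendor.
    for person in set(roles):
        if (person, inv.vendor_id) in relationships:
            findings.append(f"{person} has a declared relationship with vendor {inv.vendor_id}")
    return findings


def run_batch(invoices):
    """Split a batch into (payable invoice ids, held invoice id -> findings)."""
    payable, held = [], {}
    for inv in invoices:
        findings = check_invoice(inv)
        if findings:
            held[inv.invoice_id] = findings
        else:
            payable.append(inv.invoice_id)
    return payable, held


# Constructed batch: one clean invoice and four that each trip a different control.
SAMPLE_BATCH = [
    Invoice("INV-1", "V100", Decimal("5000.00"), "GB00-0001", "PO-1", "sales@v100.example", "carol", ["dave"]),
    Invoice("INV-2", "V100", Decimal("5000.00"), "GB00-9999", "PO-1", "sales@v100.example", "carol", ["dave"]),
    Invoice("INV-3", "V100", Decimal("900.00"), "GB00-0001", "PO-2", "sales@v100.example", "bob", ["bob"]),
    Invoice("INV-4", "V100", Decimal("250.00"), "GB00-0001", None, "sales@v100.example", None, ["erin"]),
    Invoice("INV-5", "V101", Decimal("10.00"), "GB00-0002", None, "x@y.example", None, ["erin", "frank"]),
]

if __name__ == "__main__":
    print(run_batch(SAMPLE_BATCH))
```

The payee-account check is the one that stops the "change our bank details" scenario the Employees entry below describes: an account that is not already on the vendor master, verified out of band, is never paid regardless of how well the invoice matches its PO.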

Employees: Employees are the biggest internal risks. And not just those who are looking to commit fraud, which will, hopefully, be a very small percentage of employees. There are also those who (might) have a conflict of interest, which could sway them in their decision making. And then there are the rest of the employees, who are human and make mistakes. Small mistakes like accidentally approving an invoice for 5K from a vendor who didn’t actually deliver the services, and might never deliver the services, because there are no processes in place to verify the delivery from approved vendors who have delivered in the past. Big mistakes like not locking down a port that allows a hacker to get into the local payment systems and alter the bank account for the 500K payment going out tomorrow. And everything in between.

This system should integrate with background check systems not only for employees who have access to the payment systems, but also for those who have access to restricted/classified IP, sensitive systems that need specialized training, and so on.

It should also integrate with certification and training systems to track an employee’s certifications and training.

GHG/Carbon: In today’s climate, it’s important for a large company to track its internal carbon usage, not just the supply chain’s.

It’s likely that the organization will have its own system for carbon tracking. Such an organization will need to make sure the system is configured to track internal emissions and chain emissions separately, assign internal emissions to the company and the outbound chain as appropriate, and export the summaries to the corporate risk tracking system.

GDPR/Privacy: GDPR is here, it must be respected, and failure to do so can be costly. But it’s not just GDPR an organization needs to be concerned with, as privacy regulations are cropping up all over the world, in many of the countries in which the organization does business as a buyer, a seller, or both.

An organization must identify the private data it maintains on its employees, contractors, representatives of third parties, and the public. It must ensure such data is secured, encrypted, accessible only by those with explicit authority, and tagged as either data the organization is legally allowed, or required, to keep or data that does not fall under that category. The location of such data must be indexed, and the data, as well as all backups thereof, must be easily erased if someone asks to be forgotten (with the exception of any data the organization is legally required to maintain).
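The requirements in that paragraph map onto a small data structure: an index of every copy of personal data (primary and backup), each tagged with where it lives, whether it is encrypted, who is authorized to read it, and whether a legal retention obligation applies and until when. The following is an added example of such an index with right-to-erasure handling, not code from the original post or any vendor's product; subjects, systems and retention dates are constructed.

```python
"""Personal-data inventory with right-to-erasure handling (added example).

An erasure request removes every copy held for a subject, primary and
backup alike, except copies under a live legal retention obligation, and
reports what was erased and what was kept and why. Constructed data only.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class DataRecord:
    record_id: str
    subject_id: str                 # pseudonymous key for the person
    category: str                   # e.g. "contact", "bank", "tax"
    system: str                     # where this copy lives
    is_backup: bool
    retain_until: Optional[date]    # legal retention deadline, None if none applies
    encrypted: bool
    authorised_roles: frozenset     # roles with explicit authority to read it


class PersonalDataIndex:
    def __init__(self):
        self.records = {}

    def register(self, rec):
        self.records[rec.record_id] = rec

    def locate(self, subject_id):
        """Every copy, primary and backup, held for one subject."""
        return [r for r in self.records.values() if r.subject_id == subject_id]

    def compliance_gaps(self):
        """Copies stored unencrypted or with nobody explicitly authorised to read them."""
        return [r.record_id for r in self.records.values()
                if not r.encrypted or not r.authorised_roles]

    def erase_subject(self, subject_id, today):
        """Process a right-to-erasure request.
        Returns (erased_ids, kept) where kept maps record_id -> reason it remains."""
        erased, kept = [], {}
        for rec in self.locate(subject_id):
            if rec.retain_until is not None and rec.retain_until > today:
                kept[rec.record_id] = f"legal retention until {rec.retain_until.isoformat()}"
                continue
            del self.records[rec.record_id]
            erased.append(rec.record_id)
        return erased, kept


def build_sample_index():
    """Constructed inventory: two subjects, several systems, one live retention rule."""
    idx = PersonalDataIndex()
    hr, fin = frozenset({"hr"}), frozenset({"finance"})
    for rec in [
        DataRecord("r1", "subj-42", "contact", "crm", False, None, True, hr),
        DataRecord("r2", "subj-42", "contact", "crm-backup-2023", True, None, True, hr),
        DataRecord("r3", "subj-42", "tax", "erp", False, date(2030, 12, 31), True, fin),
        DataRecord("r4", "subj-42", "tax", "erp-backup", True, date(2030, 12, 31), True, fin),
        DataRecord("r5", "subj-42", "bank", "ap", False, date(2020, 1, 1), False, fin),
        DataRecord("r6", "subj-7", "contact", "crm", False, None, True, hr),
        DataRecord("r7", "subj-7", "contact", "legacy-share", False, None, False, frozenset()),
    ]:
        idx.register(rec)
    return idx


if __name__ == "__main__":
    idx = build_sample_index()
    print("gaps:", idx.compliance_gaps())
    print(idx.erase_subject("subj-42", date(2024, 6, 1)))
```

In practice a backup medium usually cannot be edited record by record; the common way to make the "including all backups" requirement achievable is to encrypt each subject's data under a per-subject key and treat destruction of that key as erasure of every copy, with the index above recording which backups hold data under which key.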

Contract: The organization has contractual risk, both in the contracts with its suppliers as well as the contracts with its customers, and with respect to the contracts it never signed, but implied when it made the first order or purchase from a supplier. These risks include the losses from failure to complete its obligations as well as risks from suppliers and customers failing to complete theirs, as well as force majeure risks and lack of assignment to third parties and/or lack of adequate insurance coverage.

It’s critical that the Corporate Risk System integrate with all of the contract systems used by the organization, track contracts by risk type, identify lack of key clauses, and identify areas where lack of contracts or insurance put the organization at significant risk.
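Once the contract register is integrated, the three checks named above (track by risk type, identify missing key clauses, identify uncontracted or under-insured exposure) can be expressed as a report over that register and the spend ledger. The following is an added example of that report, not code from the original post or any vendor's product; the clause names, risk types, required-clause sets, spend threshold, contracts and spend figures are all constructed.

```python
"""Contract risk register checks (added example, constructed data only).

Flags (a) contracts missing clauses required for their risk type,
(b) vendors with material spend but no signed contract, and
(c) contracts whose evidenced insurance cover is absent or below exposure.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Contract:
    contract_id: str
    counterparty_id: str
    risk_type: str                   # "supplier", "customer" or "services"
    clauses: set                     # clause names present in the signed text
    exposure: int                    # plausible maximum loss, currency units
    insurance_cover: Optional[int]   # counterparty cover evidenced, None if none


# Constructed: clauses that must be present per risk type.
REQUIRED_CLAUSES = {
    "supplier": {"force_majeure", "assignment", "limitation_of_liability", "insurance", "termination"},
    "customer": {"force_majeure", "limitation_of_liability", "payment_terms", "termination"},
    "services": {"force_majeure", "assignment", "insurance", "service_levels", "termination"},
}
SPEND_THRESHOLD = 50_000   # constructed: spend above this with no contract is a finding


def missing_clauses(contract):
    return sorted(REQUIRED_CLAUSES[contract.risk_type] - contract.clauses)


def insurance_gap(contract):
    """None when cover is adequate or not required, otherwise a description."""
    if "insurance" not in REQUIRED_CLAUSES[contract.risk_type]:
        return None
    if contract.insurance_cover is None:
        return "no insurance evidenced"
    if contract.insurance_cover < contract.exposure:
        return f"cover {contract.insurance_cover} below exposure {contract.exposure}"
    return None


def uncontracted_spend(contracts, spend_by_vendor):
    """Vendors over the spend threshold that have no signed contract at all."""
    covered = {c.counterparty_id for c in contracts}
    return sorted(v for v, s in spend_by_vendor.items() if s > SPEND_THRESHOLD and v not in covered)


def risk_report(contracts, spend_by_vendor):
    """contract_id or 'vendor:<id>' -> list of issues; empty dict means no findings."""
    report = {}
    for c in contracts:
        issues = []
        missing = missing_clauses(c)
        if missing:
            issues.append("missing clauses: " + ", ".join(missing))
        gap = insurance_gap(c)
        if gap:
            issues.append(gap)
        if issues:
            report[c.contract_id] = issues
    for vendor in uncontracted_spend(contracts, spend_by_vendor):
        report[f"vendor:{vendor}"] = [f"spend {spend_by_vendor[vendor]} with no signed contract"]
    return report


# Constructed register and spend ledger.
SAMPLE_CONTRACTS = [
    Contract("C-1", "V100", "supplier", {"force_majeure", "assignment", "limitation_of_liability", "insurance", "termination"}, 200_000, 500_000),
    Contract("C-2", "V200", "supplier", {"force_majeure", "limitation_of_liability", "termination"}, 150_000, None),
    Contract("C-3", "K300", "customer", {"force_majeure", "limitation_of_liability", "payment_terms", "termination"}, 80_000, None),
    Contract("C-4", "V400", "services", {"force_majeure", "assignment", "insurance", "service_levels", "termination"}, 300_000, 100_000),
]
SAMPLE_SPEND = {"V100": 900_000, "V200": 120_000, "V400": 250_000, "V500": 75_000, "V600": 10_000}

if __name__ == "__main__":
    for key, issues in risk_report(SAMPLE_CONTRACTS, SAMPLE_SPEND).items():
        print(key, issues)
```

The clause sets are deliberately a lookup rather than text analysis: the hard part in a real integration is getting the contract system to expose which clauses a signed document actually contains, and that metadata is what the corporate risk system should be consuming.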

Epidemics/Pandemics: The pandemic was not the last epidemic/pandemic the organization is going to face. More are coming. The organization needs to identify which parts of the operation are most at risk, what can be done to prepare for it, and what is in place when the worst happens.

As to how the system should support the planning, monitoring for, detection, and response to an emerging epidemic/pandemic, that’s probably organization dependent. But any Corporate Risk system that doesn’t at least recognize the need is not addressing the full problem.

A corporate risk system will also contain a host of generic analytics/planning/monitoring capabilities, but since many of these are, or at least should be, common among multiple types of risk systems, and since stand-alone risk-focussed analytics applications are also part of the plethora of offerings out there, instead of discussing these generic features in this and every other article describing a particular focus/type of risk application, we will discuss these capabilities in an article dedicated to Risk Analytics and Monitoring near the end of this series.