Category Archives: Compliance

Source-to-Pay+ Part 9: Cyber

In Part 1 we noted that Risk Management went much beyond Supplier Risk, and the primitive Supplier “Risk” Management application that is bundled in many S2P suites. Then, in Part 2, we noted that there are risks in every supply chain entity; with the people and materials used; and with the locales they operate in. In Part 3 we moved onto an overview of Corporate Risk, in Part 4 we took on Third Party Risk (in Part 4A and Part 4B), in Part 5 we laid the foundation for Supply Chain Risk (Generic), in Part 6 we addressed the first major supply chain risk: in-transport, followed by the second major supply chain risk: lack of multi-tier visibility in Part 7. In our last article, Part 8, we discussed the baseline Analytics that should be part of all of the different risk systems we covered in Parts 3 through 7, as well as a control centre.

Today, in Part 9, we move onto Cyber Risks. In today’s hyperconnected SaaS world, nearly half of an organization’s data breaches originate in the cloud (see this recent article by Illumio on Cyber Magazine, for example). So cyber security is important, but not just for your organization — for your entire supply chain.

Note that we are not going to dive deep; there are plenty of security firms that will do that for you. We’re just going to highlight key points of risk that must be covered in your cyber security plan.

Internal Cyber Risk Monitoring and Prevention System
Risks that must be addressed.

E-mail: Plenty of risks come in through e-mail. The biggest one you are likely aware of is fraudulent requests for payment from fraudsters posing as fake suppliers, service providers, consultants, or new employees in a remote office asking you to approve an emergency payment. However, since fraudsters blast these far and wide (as it takes less work to create them), the most common fraudulent emails are usually phishing/ransom attempts where you have to click a link in an email and enter your system login information to retain access to your email account (or another system you use). (Then they use the credentials you freely gave them to log in to your systems, lock you out of them, and demand payment to unlock your account.)

Your email system needs to do more than identify an external sender. It, or the security plug-in, needs

  1. to verify the originating domain of the email (most fraudsters can’t mask the domain they actually send from; note that the displayed From address is easy to forge, so this check should rely on domain authentication such as SPF, DKIM and DMARC rather than on the visible sender),
  2. to identify the domain and location of the first intermediate server the message hits (since that can’t be masked unless they’ve hacked that server) and whether it matches the locale of the domain the email purports to come from, and
  3. to identify the domain of each embedded link and the company it belongs to. Fraudsters are great at registering domains just ONE letter off from an actual domain and cloning the contents of the real site; e.g. chaEse.com vs chase.com … one is your bank, the other will soon be scooped up by a fraudster who will skim account logins for a day during a “maintenance window”, drain all the accounts dry (or at least to the transfer limits) the next day and wire the money to a foreign account in a jurisdiction with no extradition or banking treaties with the US, empty that account the day after, and then disappear, never to be seen again …
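To make the three checks concrete, here is an added Python example (not from the original post, and not any vendor’s plug-in) that applies them to a constructed message: it reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header, pulls the earliest Received hop, and flags href targets that are one edit away from a trusted domain, using the chaEse.com / chase.com pair above. The trusted-domain list, hosts, addresses and IPs are all invented for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

KNOWN_DOMAINS = {"chase.com", "example-corp.test"}  # domains we trust (constructed list)

# Constructed sample message: every header, host and address is invented;
# chaese.com is the one-letter-off look-alike domain used in the text above.
SAMPLE_EMAIL = """\
Received: from mx.example-corp.test (mx.example-corp.test [192.0.2.10])
 by mail.example-corp.test; Mon, 1 Jan 2024 09:00:00 +0000
Received: from relay.chaese.com (relay.chaese.com [198.51.100.7])
 by mx.example-corp.test; Mon, 1 Jan 2024 08:59:58 +0000
Authentication-Results: mx.example-corp.test; spf=fail smtp.mailfrom=chase.com;
 dkim=none; dmarc=fail header.from=chase.com
From: "Chase Alerts" <alerts@chase.com>
Subject: Scheduled maintenance window - confirm your login
Content-Type: text/html

<p>Please confirm your credentials at
<a href="https://www.chaese.com/login">https://www.chase.com/login</a></p>
"""

def edit_distance(a, b):
    """Plain Levenshtein distance (a transposition counts as 2 here)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):  # crude registrable-domain cut: keep the last two labels
    return ".".join(host.lower().split(".")[-2:])

def lookalike(domain, known):
    """Return the trusted domain that `domain` imitates (one edit away), or None."""
    label = domain.split(".")[0]
    for k in sorted(known):
        if 0 < edit_distance(label, k.split(".")[0]) <= 1:
            return k
    return None

def auth_results(msg):
    """Map spf/dkim/dmarc to their verdicts from the Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg["Authentication-Results"] or "")))

def first_hop(msg):
    """The earliest Received header is the last one; pull the host and IP it came from."""
    m = re.search(r"from\s+(\S+)\s+\([^\s\[]+\s+\[([^\]]+)\]\)", str((msg.get_all("Received") or [""])[-1]))
    return {"host": m.group(1).lower(), "ip": m.group(2)} if m else None

def link_domains(msg):
    """Registrable domains of every href target in the body (not the visible link text)."""
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    return {registrable(urlparse(u).hostname or "") for u in re.findall(r'href=["\']([^"\']+)["\']', body)}

def triage(raw):
    """Return a list of findings; an empty list means none of the three checks fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0].domain.lower()
    findings, auth = [], auth_results(msg)
    failed = [f"{k}={auth.get(k, 'missing')}" for k in ("spf", "dkim", "dmarc") if auth.get(k) != "pass"]
    if failed:
        findings.append(f"sender domain {sender} not authenticated: " + ", ".join(failed))
    hop = first_hop(msg)
    if hop and registrable(hop["host"]) != sender:
        findings.append(f"first hop {hop['host']} [{hop['ip']}] does not belong to {sender}")
    for dom in sorted(link_domains(msg)):
        target = lookalike(dom, KNOWN_DOMAINS)
        if target:
            findings.append(f"link domain {dom} looks like {target}")
    return findings
```

A production filter would use a real public-suffix list instead of the two-label cut, and would also compare each href target against the link text shown to the user.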
Hacking: Hackers will constantly be trying to penetrate your firewalls, the web servers and underlying operating systems of machines in the DMZ, the applications you are running, and the underlying security systems you use for monitoring and detection (although these are likely the most secure, especially if you are having them maintained and monitored by a professional, big-name IT security firm). You need to be monitoring for unusual activity, (D)DoS attacks, repeated login failures or access abandonments at particular ports or in particular application logs, and so on. You also need a few attractive honeypots that emulate the systems the hackers would want to access most; if you don’t understand this, or why, talk to your security guru.

Ransomware: Hackers want to access your systems for two reasons: to steal money and IP, or to lock you out of them (if they can’t access any IP worth stealing or you don’t use any finance systems capable of [authorizing] payments) so you will pay them to get back in. You need to be very careful to detect not only hacking attempts but also the installation of new software that is unrecognized / not authorized by security. This is because you could be totally screwed and have no choice but to pay the ransom even if you do complete, incremental, daily backups across all systems: smart hackers will install the ransomware, let it sit for a few weeks or so, and then activate it when you can’t roll back to a backup because you’d lose weeks or months of data (you’d have to roll back to just before the ransomware was installed, because the majority of backup systems would not be able to identify the actual file changes, and there’s no way you could do a restore and not restore the ransomware along with it once it had been discreetly installed).

Infected Websites: Your users love to surf, surf, surf the web and go where the hidden links take them. You can’t expect they will all keep their browsers up to date, keep the underlying OS up to date, and, simply put, not be careless. You need to enforce security software on their machines, and check that it is installed and up to date before a machine accesses your network, because if they visit the right infected website (from a fraudster’s point of view), it can be an instant hack and/or backdoor for the automatic installation of ransomware on their machine and/or your network.

External Cyber Risk Monitoring and Prevention System
Risks that must be addressed.

Compromised Supplier Site: If a supplier site or system is compromised, and you engage with that system in any way, then your system could be compromised. You need a system that monitors for supplier system/site/cloud risks as well as (known) supplier breaches.

Compromised Data: All of your systems run off of data. Compromised data is the easiest way to compromise a system. If an email gets intercepted and altered in transit by a man-in-the-middle attack and the hacker changes the bank account information, you’re paying a fraudster and not the supplier. If the third party risk metrics are adjusted, your system can be tricked into diverting all business to a single, new supplier which, while a legal entity, was set up by the founder to take your money and run. And so on.

Compromised Identities: Identity theft is on the rise, and it’s often the easiest way for a fraudster to get funds from a business. You need to track all known cases of identity theft associated with all individuals associated with all businesses associated with your business, as you will need to do extra verifications on requests from those individuals.

Web-Based Vulnerabilities: You need to be aware of where the biggest web-based vulnerabilities are in your suppliers and partners, make sure your suppliers and partners monitor and address those, and make sure you lock down your security to the max when you have to interact with their systems that are classified as high risk for vulnerability.

And more. There’s a lot of risk in cyberspace thanks to the fact that the information and financial worlds have merged, and your organization needs to be on top of it. Identify appropriate providers, or you will need very good luck to not fall victim to a significant cyber-based threat.

It’s Not Just Beds Burning Anymore, it’s the Planet. What Impact Are Your Efforts To Stop it Having?

Four decades ago, sustainability was only a concern for the environmental extremists because, thanks to industrialization and burgeoning globalization, we had other disasters to deal with (hunger in Africa, aboriginals being forced from their land [sometimes with fire], the global AIDS epidemic, etc. — see Billy Joel’s We Didn’t Start the Fire, which took us through 1989 [the year, not the 2014 Taylor Swift release], and the doctor chronicled the next 20 years here in an unofficial Part II). And even though we still have all these disasters, and many more, the planet is in upheaval with every type of natural disaster occurring everywhere all the time. In fact, climate-related disasters have tripled in a mere 7 years. 7 years! We’ve gone from disasters increasing over the span of thousands of years during natural planetary cycles to disasters increasing in the span of mere years due to global warming, thanks to the rapid increase in carbon and GHG emissions as a result of 150+ years of industrialization and rapid deforestation and wetland destruction. (Forests and wetlands have historically acted as carbon sinks for all of the carbon released by life, its historically primitive actions, and traditional disasters that resulted in the destruction of forests [and when trees die or get burned, all the carbon they captured is released].)

Now it’s true that, on average, even the largest of corporations on its own could only make a small dent when the depth of the problem is considered, but if even ten of the largest corporations in an industry teamed up, they could make quite an impact. (And if the largest retailers teamed up, think Amazon and Walmart and Target, and insisted on a maximum carbon footprint per product — think of the impact that would make.)

For details on the impact that can be made today, you should download the new Ecovadis Network Impact Report, 3rd Ed. which points out that Industry-level collaboration is one of the best levers available to companies looking to build more sustainable value chains and scale their positive impact. EcoVadis Sector Initiatives (SIs) are a highly effective vehicle for this. Six initiatives spanning a diverse range of sectors — from chemical manufacturing to health — are using the EcoVadis solution to share best practices and collectively address sector-specific challenges across their often highly interconnected supply chains. Our data shows that participation in an SI helps buyers improve their supplier engagement and enables rated companies to improve faster than their network peers.

More specifically, companies engaged in a Sector Initiative outperform the [Ecovadis] network average by 5.3 points — not only do companies that try do better than those that don’t, but companies that work with peers on the right objectives do better still.

But this is only one reason you should read the latest Ecovadis Network Impact Report, 3rd Ed. Another reason is that, if you don’t, you won’t see how Ecovadis, which in 2022 officially became a “purpose-driven” company under French Law, has continued to grow at a rapid rate and how it is starting to make a global impact. When your customers represent 4.8 Trillion in global spend, you are starting to get somewhere. That’s 4.5% of GDP, and if Ecovadis could grow 30% year-over-year for nine years, that 4.5% could become 49%, close to the tipping point where we’d finally start making significant progress. (Which means that if we can survive until 2032, we could start making real progress on sustainability and environmental stabilization. Not as fast as we need to, as parts of the planet will literally start burning by then, but Ecovadis and its peers may still save some of us.)

And, even if you don’t think Ecovadis is the answer for you (even though 945 organizations do and the number increases every year), the report will still educate you on the five key pillars of a sustainable procurement platform. And once you understand those pillars, you can assess, monitor, improve, report, and continue the wheel.

CSR, Procurement and North America: Creating a Market

In our previous article, we asked if you could solve the modern compliance challenge and, more specifically, if you could do it with Ecovadis. This is because compliance has morphed over the past few years. It used to mean ensuring you weren’t doing any illegal trading and simply satisfying the tax man (and import/export compliance is essentially just respecting the legality of the country you are trading with and satisfying its tax man). Then it meant having to comply with and deal with a lot of regulations around financial reporting and global trade, then having to respect the environment (pretty much everywhere but the US, with the exception of California), and now having to take corporate social responsibility for the organization’s entire supply chain and ensure there is no violation of workers’ rights, child labour, or human trafficking — or face the consequences, which can include not only bad press (at internet speed) and large fines but, in some countries, criminal charges against the officers of the corporation.

We also noted that solving the compliance challenge was tough because you needed environmental data, sustainability data, social compliance data, and even third party audits on your suppliers, and sources of this data (outside of internal surveys that were unverifiable without site audits) were few and far between. The few players with even remotely recognizable names that exist are in Europe, and Ecovadis is the largest. As a result, it likely has the best shot at championing a market in North America, especially with its increasing partner footprint, supplier database (with over 55K assessed companies), and global reach (as they cover suppliers across 155 countries).

But Ecovadis is not a household brand in North America. To become one, it really must drive material commercial traction outside of the EU and, most important, prove that the market for CSR ratings and compliance in North America is as central to supplier management as other supplier management initiatives (e.g., risk, EHS, etc.) to truly “go global”.

The case for an Ecovadis model is sound. Most major procurement departments at US F500s and larger mid-size companies are still focussed on cost-cutting. And using Ecovadis to get the sustainability data the organization needs is roughly 20% of the cost of trying to do it in house.

Further:

  • Organizations that are embarking upon more strategic category management want deep supplier information before selecting potential strategic suppliers and the response rate to Ecovadis-initiated assessments is 90%
  • The average organization will struggle with a 70% response rate in such initiatives, especially when you consider the average supplier turn-over (as identified in a recent QIMA survey) is 27%
  • Once a supplier is in the Ecovadis network, the chances that their overall CSR rating will improve on their next (annual) assessment is 64%
  • For an average company, unless they initiate a supplier development program and work with the supplier, the chances the supplier will otherwise improve on their own is, as we all know, closer to 6.4% than 64%

Less money. Better results. You’d think it would be an instant buy, but it’s not. So why? Is it because it’s European?

Not necessarily — Jaggaer One+ and Jaggaer One Direct from Jaggaer, which is one of the S2P juggernauts, have good NA penetration, and those solutions (formerly BravoSolution and Pool4Tool) are European.

So that’s not it.

Is it because the space is new or unproven? Can’t be. Ecovadis has been around for 12 years and Sedex Global for 18. Plus, there are a number of other players in the space. Is it because the solution is not user friendly? No — it’s delivered via a simple SaaS platform and they even have public quotes from F500s to that effect. So what’s the problem?

North American companies.

First of all, with apologies to Spike Lee, many will “only do the right thing” when they are forced, and then only to the extent necessary (although this may be changing).

Second, they’d rather profit today than save tomorrow (even if the long term savings would be multiples of the short term profit gains). This means that for them to invest in a solution, they want to see a large, immediate, sometimes unreasonable ROI.

Third, they tend to only act when they’re scared (e.g., losing budget if they have extra).

This means that, unless something changes, for Ecovadis to create a true market in North America with a similar reasonable TAM for say, the compliance management side of supplier / contractor management, it will need to lead with evangelism and, perhaps, more.

All things are possible. But as Vincent Ngo speculated decades ago, it takes a superhero to change the mind of the corporate culture. Can Ecovadis be that superhero?

For the sake of procurement and a better world, we hope that they’ll do it — or someone else.

For more information on Ecovadis, check out Spend Matters’ recent post on Catching Up on a Provider to Know (which also includes links to a deep 3-Part Vendor snap-shot co-written by the doctor and the maverick).

Can You Solve the Modern Compliance Challenge? Can Ecovadis?

Compliance used to be easy. Collect the tax information. Make sure the other party is not on a denied party list. Don’t buy or sell a restricted material without the right permits and don’t buy or sell a banned substance. Done.

But then came globalization. Now you had to collect information for import / export requirements. Satisfy a new slew of tax regulations. Comply with additional inspection and security requirements. Track all of the restricted substances, denied materials, and denied parties of another country. And then as supply chains lengthened and ships made multiple port stops, multiply these requirements.

And that was manageable, but then came a new round of financial regulations, like SOX, in the wake of corporate meltdowns (like Enron), which made compliance more cumbersome. And that was somewhat doable. But with the global penetration of the internet, news spread faster and faster, and the unsafe and sometimes inhumane working conditions that outsourced providers were comfortable with made the news regularly, as did the dangers of poor “recycling” efforts which just saw almost-toxic waste dumped en masse on ill-equipped “recycling” centers, and the use of slave/child labour where it was not known before.

As a result, ethical countries started implementing laws on environmental protection, dangerous substances, especially around recycling and disposal, ethical and safe working conditions in the supply chain, and even anti-trafficking and anti-slavery laws — all of which the last link in the chain, the end buying organization, was responsible for.

This makes compliance a bit more tricky. There’s lots of data on financial performance and financial risk, certifications, import/export, and even public sector performance data, but when it comes to corporate social responsibility — environmental compliance, workers’ rights, anti-trafficking, and so on — where do you get that data? Not D&B. Not BvD.

This is where a new-generation CSR player comes into play – one that tracks environmental data, sustainability data, social compliance data, and third party audits. But there aren’t many players here yet, and Ecovadis is the largest. But will they be able to take their European success and globalize? While there are a few other players in Europe (Sedex Global, FLO-CERT, e-Atestations, etc.), there are few, if any, in North America.

Ecovadis likely has the best shot, especially with their ever-increasing partner footprint, but they need to be the first to scale and win over the hearts (and wallets) of global procurement organizations, especially those in North America, which generally are not as advanced around CSR tracking compared with their European counterparts. The road ahead will be interesting to watch.

Contract Compliance Trust But Verify: Part III Monitoring Demand

Today’s post is from Eric Strovink, the spend slayer of spendata. real savings. real simple. Eric was previously CEO of BIQ; before that, he led the implementation of Zeborg’s ExpenseMap, which was acquired by Emptoris and became its spend analysis solution.

When you join transaction data to contract data in order to validate contract price compliance, it is possible to discover lots of interesting information. Some of it can be quite surprising.

For example, you might notice that off-contract items make up a surprisingly large proportion of the spending. This may be trending up with time, so it is worth doing a time-series analysis. You might also notice a pattern of overcharges on particular items, which could be an easily-corrected disconnect at the vendor side on contract terms.

In Excel, these analyses require new pivot tables and, concomitantly, more maintenance effort on refresh. But in a spend analysis system, the model can be augmented with additional pivot-table-equivalents in seconds, with just a few mouse clicks. And, refresh is not an issue, because the spend analysis system updates everything automatically upon loading new transactions. So, much more interesting analyses become real possibilities — including monitoring demand.

The Who

Suppose that we have from the vendor not only the item pricing, but also an idea of who within the organization is doing the purchasing. This then enables us not only to identify off-contract spending, but also to find the source of the leakage within the organization, so that corrective action can be taken internally.

There are a number of ways that “Who bought the items” can find its way into PxQ data. Sometimes it is present as a matter of course; sometimes it requires effort.

  • If the item is a catalog buy or punch-out, invoice items likely already contain the cost center.
  • If a PO number was provided to the vendor, invoice items should contain the PO. The PO can be easily translated to cost center (well, “easily” if the PO data can be linked in, as it can be with a spend analysis system).
  • If there’s a useful delivery address on the invoice, that can be mapped to a cost center using the spend analysis system’s mapping tools (of course, you need access to the mapping tools, and they need to be simple to use).
  • Your contract with the vendor could require a cost center to be provided on the invoice as a prerequisite for payment. No cost center, no payment.
  • Corporate purchasing cards are by definition associated with a cost center, so these can be mapped to cost center using the spend analysis system’s mapping tools.
  • Consultants put project codes on invoices; lawyers put matter numbers. These can be mapped to cost centers as well. Any invoice without a project code or matter number shouldn’t be paid.
  • Some spend already has a fixed cost center, for example with copiers. Each copier is assigned a cost center, which shows up on the invoice.

In a nutshell, if you want to have a cost center attached to each row of an invoice, it is very doable, and very worthwhile.

Let’s revisit the dashboard from Part II.

  • We can see a breakdown of overcharge buys by cost center (blue). A similar breakdown of off-contract items helps identify who is buying off-contract. There may be very good reasons for this, of course; and those reasons need to be understood, so that we can either get those items onto the contract, or channel the buying to similar items that are on contract.
  • We can see a time-series analysis of item buys by class, with an associated chart (red). Over time, fewer items are being bought with the contract price, which is not a good trend.
  • We can see all the buys, showing both contract and overcharged prices (green). This is all we need to show to the vendor — just dump it to Excel, email the spreadsheet, done.


The basic pattern of this type of analysis doesn’t change with the commodity. Providing that the goods or services can be standardized with a fixed price, and that a contract price is available, the technique is always the same — and the analysis always worthwhile, if only to prove that the contract is in place and actually working.
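As an added illustration (not part of Eric’s post and not Spendata code), here is a small Python sketch of the join and the three dashboard views described above: each invoice line is classified against a contract price list, overcharges are rolled up by cost center, class shares are tracked per period to show drift off contract, and the overcharged rows are collected for the vendor. Item codes, prices, cost centers and periods are constructed sample data.

```python
from collections import defaultdict

# Constructed contract price list: item code -> agreed unit price.
CONTRACT = {"TONER-A": 45.00, "PAPER-CS": 32.50, "STAPLER": 8.00}

# Constructed invoice lines: (item, qty, invoiced unit price, cost center, period).
INVOICE = [
    ("TONER-A", 4, 45.00, "CC-100", "2024-01"),
    ("PAPER-CS", 10, 32.50, "CC-100", "2024-01"),
    ("TONER-A", 2, 49.00, "CC-200", "2024-02"),
    ("DESK-LAMP", 3, 60.00, "CC-200", "2024-02"),
    ("PAPER-CS", 5, 35.00, "CC-300", "2024-03"),
    ("CHAIR", 1, 250.00, "CC-300", "2024-03"),
    ("STAPLER", 10, 8.00, "CC-100", "2024-03"),
]

def classify(line, contract, tolerance=0.005):
    """Join one invoice line to the contract: returns (class, overcharge amount).
    A price within `tolerance` of the contract price (rounding noise) still counts as on-contract."""
    item, qty, price, _cc, _period = line
    if item not in contract:
        return "off-contract", 0.0
    diff = price - contract[item]
    if diff > tolerance * contract[item]:
        return "overcharge", round(diff * qty, 2)
    return "on-contract", 0.0

def overcharge_by_cost_center(invoice, contract):
    """Dashboard view 1: which cost centers are paying more than the contract price."""
    totals = defaultdict(float)
    for line in invoice:
        cls, amount = classify(line, contract)
        if cls == "overcharge":
            totals[line[3]] += amount
    return dict(totals)

def class_share_by_period(invoice, contract):
    """Dashboard view 2: share of each period's spend by class, to spot drift off contract."""
    spend = defaultdict(lambda: defaultdict(float))
    for line in invoice:
        cls, _ = classify(line, contract)
        spend[line[4]][cls] += line[1] * line[2]
    return {p: {c: round(v / sum(d.values()), 3) for c, v in d.items()} for p, d in spend.items()}

def vendor_report(invoice, contract):
    """Dashboard view 3: overcharged rows with contract and invoiced price, ready to send to the vendor."""
    rows = []
    for line in invoice:
        cls, amount = classify(line, contract)
        if cls == "overcharge":
            item, qty, price, _cc, period = line
            rows.append((period, item, qty, contract[item], price, amount))
    return rows
```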

Thanks, Eric!