Category Archives: Risk Management

The Supply Chain is Full of Hidden Risks

A recent article in the Supply Chain Management Review by Avetta provided Insights for Procurement Leaders on tackling hidden risks in the supply chain. As per the article, supply chains are full of:

  • Geographic Vulnerabilities
  • Cybersecurity Threats
  • Ethical and Compliance Issues
  • Financial Instability
  • Environmental Recklessness

… and all of this poses a major risk to your supply chain. Avetta’s baker’s dozen of recommendations are to:

  • conduct due diligence on all levels of suppliers
  • identify alternate sources
  • monitor geographical developments
  • prioritize cybersecurity measures
  • conduct regular risk assessments
  • foster a culture of cyber awareness
  • establish clear codes of conduct
  • regularly audit supply chain partners
  • prioritize transparency and accountability
  • conduct rigorous financial due diligence
  • monitor key financial indicators
  • prioritize sustainability initiatives
  • establish robust contingency plans

And these are all good, but most of the risk results from one thing:

  • lack of timely, accurate data on
    • the physical supply chain (people, plants, product, vehicles, etc.)
    • the financial supply chain (the financial state of suppliers, contractors, employees, etc.)
    • the information supply chain (completeness, accuracy, security, etc.)

This means that if you really want to tackle the hidden risks, you need to start with the following, as you can’t tackle anything you can’t identify:

  • supply chain visibility — map every entity in your supply chain
  • external risk monitoring — whenever a geographical, political, environmental, or cyber disruption happens anywhere, and is reported, you need to detect that, identify all entities that may be affected, confirm which entities in your supply chain are affected, and take an appropriate mitigating action
  • cyber network monitoring — you need to monitor your entire network: every server, every client (desktop, laptop, tablet, AND cell phone), every router, every API endpoint, and every wire … your effective security is the security of your weakest link
  • cross-system and account financial monitoring — money disappears when there are holes for it to fall into; holes exist when you have disconnected P-Card, e-Procurement, and AP systems, especially across divisions, and you aren’t correlating balances between transfers, bank accounts, and investments on at least a daily basis
  • activity monitoring — all waste, loss, and fraud are the result of a bad actor, whether or not the bad acting was intentional (hint: if the loss is significant, it usually is intentional; incompetence usually results in only minor loss); you can’t monitor every person, even if you operate wholly in a jurisdiction where doing so is legal, but when everything is digitized you can monitor every action, check whether or not it is in accordance with policy, flag everything that isn’t, and escalate for investigation any actions that are against policy
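To make the last two bullets concrete, here is an added example (not code from Sourcing Innovation, Avetta, or any vendor on this site) of policy-based activity monitoring over a digitized action feed. It assumes a constructed, simplified event stream in which the P-Card, e-Procurement, and AP systems each emit one record per action; the field names, the vendor master, the card limit, and the sample events are all invented for illustration. Three checks are shown: the same user creating and approving a PO, an AP payment with no PO behind it or to a supplier missing from the vendor master (the “hole” between disconnected systems), and a pattern of card purchases split to stay under the single-transaction limit. Findings are tiered so that only the serious ones land in the investigation queue.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (not real data). Each record carries the system
# of origin, the actor, the action, and the business object it touched.
EVENTS = [
    {"system": "eproc", "user": "alice", "action": "create_po", "po": "PO-1", "supplier": "S-100", "amount": 4800},
    {"system": "eproc", "user": "bob", "action": "approve_po", "po": "PO-1", "supplier": "S-100", "amount": 4800},
    {"system": "ap", "user": "carol", "action": "pay_invoice", "po": "PO-1", "supplier": "S-100", "amount": 4800},
    # same person creates and approves -> segregation-of-duties breach
    {"system": "eproc", "user": "dave", "action": "create_po", "po": "PO-2", "supplier": "S-200", "amount": 9500},
    {"system": "eproc", "user": "dave", "action": "approve_po", "po": "PO-2", "supplier": "S-200", "amount": 9500},
    # payment with no PO anywhere in e-Procurement, to an unknown supplier -> hole between systems
    {"system": "ap", "user": "carol", "action": "pay_invoice", "po": "PO-9", "supplier": "S-999", "amount": 12000},
    # two card purchases just under the single-transaction limit -> split-purchase pattern
    {"system": "pcard", "user": "erin", "action": "card_purchase", "po": None, "supplier": "S-300", "amount": 2490},
    {"system": "pcard", "user": "erin", "action": "card_purchase", "po": None, "supplier": "S-300", "amount": 2480},
]

APPROVED_SUPPLIERS = {"S-100", "S-200", "S-300"}  # constructed vendor master
PCARD_SINGLE_LIMIT = 2500                           # assumed card policy limit


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" is escalated for investigation, "medium" is reviewed
    rule: str
    subject: str
    detail: str


def check_segregation_of_duties(events):
    """Flag any PO that the same user both created and approved."""
    actors = defaultdict(dict)  # po -> {action: user}
    for e in events:
        if e["system"] == "eproc" and e["action"] in ("create_po", "approve_po"):
            actors[e["po"]][e["action"]] = e["user"]
    return [
        Finding("high", "sod_create_approve", po, f"{a['create_po']} created and approved the same PO")
        for po, a in actors.items()
        if "create_po" in a and "approve_po" in a and a["create_po"] == a["approve_po"]
    ]


def check_cross_system_payments(events, approved_suppliers):
    """Flag AP payments that no e-Procurement PO backs, or that go to a
    supplier missing from the vendor master: the holes between systems."""
    known_pos = {e["po"] for e in events if e["system"] == "eproc" and e["action"] == "create_po"}
    findings = []
    for e in events:
        if e["system"] != "ap" or e["action"] != "pay_invoice":
            continue
        if e["po"] not in known_pos:
            findings.append(Finding("high", "payment_without_po", e["po"], f"{e['amount']} paid with no matching PO"))
        if e["supplier"] not in approved_suppliers:
            findings.append(Finding("high", "unapproved_supplier", e["supplier"], "payment to supplier not in vendor master"))
    return findings


def check_pcard_splitting(events, single_limit, band=0.10):
    """Flag repeated card purchases by one user at one supplier that each sit
    within `band` of the single-transaction limit and together exceed it."""
    groups = defaultdict(list)
    for e in events:
        if e["system"] == "pcard" and e["action"] == "card_purchase":
            groups[(e["user"], e["supplier"])].append(e["amount"])
    findings = []
    for (user, supplier), amounts in groups.items():
        near_limit = [a for a in amounts if single_limit * (1 - band) <= a < single_limit]
        if len(near_limit) >= 2 and sum(near_limit) > single_limit:
            findings.append(Finding("medium", "pcard_split", f"{user}/{supplier}",
                                    f"{len(near_limit)} purchases just under {single_limit}"))
    return findings


def evaluate(events, approved_suppliers=APPROVED_SUPPLIERS, single_limit=PCARD_SINGLE_LIMIT):
    """Run every policy check over the digitized action feed."""
    return (check_segregation_of_duties(events)
            + check_cross_system_payments(events, approved_suppliers)
            + check_pcard_splitting(events, single_limit))


def escalation_queue(findings):
    """Only breaches serious enough to investigate go to the queue."""
    return [f for f in findings if f.severity == "high"]


if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print(f.severity.upper(), f.rule, f.subject, "-", f.detail)
```

On the sample feed the clean PO-1 chain produces nothing, while PO-2, PO-9, and the split card purchases each produce a finding; three of the four are high severity and reach the investigation queue. The checks only work because every system’s actions land in one correlated feed, which is the visibility point the bullets above make.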

As you detect issues and disruptions, you can start with standard mitigation actions, and as you identify patterns of commonality, you can identify additional contingency plans, which you should already have for every product or service that is critical to your operation.

Note that Sourcing Innovation has published a list of 55+ Supply Chain Risk Vendors that already have solutions that do a lot of this monitoring. There’s no excuse for your organization not to have at least an 80% solution in place today.

Source-to-Pay+ Part 10: Over 55 Supply Chain Risk Vendors to Check Out

Last quarter, we ran a 9-part series that served as An Introduction to Supply Chain Risk where we introduced you to the risk elements not covered by traditional supplier management platforms (which we covered in our 39 Steps … err … 30 Clues … err … 39 Part Series on Source to Pay where we listed over 90 supply management companies of which over 1/3 claimed to have some degree of “risk”, which we dub supplier “Uncertainty”, management).

In our series, we focussed heavily on corporate risk, third party risk (which included ESG, Human Rights, Regulatory Compliance), supply chain risk (including transparency, traceability, and multi-tier tracking), transport risk, cyber risk, and analytics. We also noted that our next instalment would provide a starting list of vendors that you could check out to meet (some of) your supply chain risk needs.

This is that instalment. Hopefully this starting list will be useful to you. In the months that come, the hope is that some of these will be covered.

Finally, a second reminder that inclusion on this list DOES NOT imply Sourcing Innovation is recommending the vendor.

Legend

  • 3P: 3rd Party / TPRM
  • S/V: supplier risk / verification
  • SCT: supply chain transparency
  • T/L: transport / logistics
  • MT: multi-tier
  • C: cyber
  • ESG: Environmental, Social, Governance
  • HR: Human Rights
  • RC: Regulatory Compliance
  • BoM: Bill of Materials (Direct)
  • DX: Discovery
  • TX: Traceability
Vendor LI/#Emps  3P S/V SCT T/L  MT   C ESG  HR  RC BoM  DX  TX
&wider 20 Y Y
Agora Sourcing 2 Y Y
AMLRight Source 2795 Y Y
Apex Analytix 411 Y Y Y Y
Aravo 117 Y Y Y Y
Archer 681 Y Y Y
Altana Atlas 166 Y Y Y Y Y Y
Brooklyn Solutions 24 Y Y Y
Certa 200 Y Y Y Y
Circulor 63 Y Y Y Y Y
Contingent 28 Y Y Y Y
Darkbeam (Apex Analytix) 8 Y
Diligent 2245 Y Y Y
Exiger 765 Y Y Y Y Y
Everstream Analytics 165 Y Y Y Y
Fact 360 12 Y
FairSupply 40 Y Y
FRDM 28 Y Y Y
FusionRM 275 Y
GoSupply 33 Y Y
IntegrityNext 96 Y Y Y
Interos 254 Y Y Y Y
Kharon 102 Y Y Y Y
MetricStream 1373 Y Y Y Y Y
Navex 1343 Y
NQC 104 Y Y Y Y Y
Overhaul 312 Y Y
Prevalent 161 Y Y
Prewave 150 Y Y
ProcessUnity (w/CyberGRX) 143 Y Y Y
Raad360 3 Y Y
RapidRatings 166 Y
Resilinc 299 Y Y Y Y
Resolver (Kroll) 371 Y Y
Responsibly 17 Y Y
RiskLedger 34 Y Y
Riskonnect 801 Y Y
RiskRecon 116 Y
RoboAI 57 Y Y Y
SAI360 435 Y Y Y
Sayari 180 Y Y
Sedex 442 Y Y Y
Seerist 127 Y
SourceMap 91 Y Y
Sphera 125 Y Y
Supply Risk Solutions 10 Y
SupplyShift 59 Y Y
SupplyWisdom 116 Y
Sustainabill 15 Y Y
The Smart Cube 1033 Y
ThirdPartyTrust (Bitsight) 16 Y
TraceLink 947 Y Y Y Y Y
Trademo 97 Y Y Y Y
Transparency One 23 Y
Trust Your Supplier 15 Y Y
Versed.AI 17 Y Y
VisoTrust 47 Y
Whistic 81 Y
WholeChain 10 Y

An Introduction to TPCM: Third Party Compliance Management

TPRM: Third Party Risk Management is Big. Really Big. In fact, as evidenced by recent investments over the past year (Spectrum’s 200M investment in RapidRatings in 2022, Vista Partners acquisition of Resilinc, and now the 1.2B acquisition of Exiger by Carlyle and Insight), it’s HUGE. Actually HUGE! (Not Trump huge. In fact, the exact opposite. 😉 )

Why? The pandemic finally caused the space to wake up and realize not only how significant long-term disruptions are, but how much risk has been embedded in over-extended global supply chains over the last thirty-plus years (thanks to the global sourcing craze started by the Big X and Mid-Sized Consultancies that chimed in during the 90s as a method of “cost savings”, which really just resulted in “spend transference” to big consultancy pockets and the buildup of risk, and risk related debts, in the supply chain that, just like technical debt, always comes due someday). Big corporations have finally realized they need to manage that risk, or at least maintain constant visibility into it, if they want to get the supply they need to just stay in business. (At the end of the day, “cost savings” don’t matter if you don’t actually stay in business, which is what happens when you don’t receive any products to sell. So you need to assure supply first, and then avoid unnecessary cost second — especially since there is no real “savings”, just cost avoidance with improved processes, designs, networks, management, etc.)

As a result, these companies, who were mostly clueless about the risks (sometimes by choice), needed solutions now to at least get insight into the risks so they could plan mitigations, or at least take action when something happened. Since their traditional enterprise / manufacturing resource management, supply chain, source-to-pay, or back-office systems didn’t give them the insight they needed, they finally started to turn to TPRM (and in some cases, broader SCRM – Supply Chain Risk Management) systems in a big way.

And that’s great. Until it isn’t. As a result of all of the supply chain failures and the impending disasters they created across supply chains, not just health and defense, governments have started taking action and introducing a lot more regulatory compliance into the mix. This is at the same time they are waking up to the wild west of technology and introducing a lot more regulation into the mix around personal data and use of AI. And with fraud and money laundering seemingly increasing without end, there’s a lot more regulation around partner due diligence. And then there is the reality that the world is heating up (whether you believe in climate change or not), that this heating up is contributing to an extremely substantial increase in natural disasters, that temperature is correlated with carbon and greenhouse gases (GHG) in the atmosphere, that we are currently producing a lot of carbon and GHG as a species, and while we may not have been entirely responsible for getting here (as there are other factors that cause temperature to naturally rise and fall on a planetary scale — although the changes we’ve seen in the last few decades have historically taken centuries or millennia looking at the geological record), we need to do everything we can to not make it worse (or risk natural disasters on a scale that has not been seen for millennia, and that has sometimes even led to extinction level events in the past). In response to this, countries are making commitments to the Conference of the Parties of the UNFCCC and instituting legislation limiting the carbon you can create (without fines or fees to offset that, presumably fines or fees that will be invested in greener energy options, but we have to admit many governments haven’t thought that far ahead) and the amount of other pollutants you can pump out.

In other words, not only do companies have to worry about more risks than they are aware of, they also have to deal with more regulations than they can easily keep track of (and, when they’re not on the ball, they don’t find out about them until they get a fine) — as well as dedicate way more time than they should gathering the required information for, and filling out, the appropriate reports and filings.

Moreover, and this shouldn’t surprise you, the vast majority of TPRM (and even SCRM-TPRM) systems don’t help with this at all. While they can be configured to detect issues that may represent potential violations, they generally don’t collect the reporting data that is required and typically don’t provide the detailed trickle-down visibility that is needed to verify that key requirements — such as personal data protection, no forced labour, etc. — are truly adhered to throughout the chain.

That’s why many big multi-national organizations, especially those that collect and process personal data, do a lot of global importing or exporting, or deal with extended supply chains and have to comply with extensive privacy regulations AND data protection laws in the finance sector, have to comply with hundreds of sanctions and denied party lists globally (as well as ensure there are no connected beneficial entities on those lists), and/or need visibility down to the source on human rights, need a solution that understands the regulations they are subject to, encodes the data they need to collect and the violations (special types of risk) they need to monitor for, and helps them produce the reports and regulatory filings they need to make.

And the only system that can do this is a Third Party Compliance Management solution, which has some commonality with a Third Party Risk Management solution, but also a lot of differentiation. Most organizations won’t know they need such a solution, as they won’t even know that such a solution exists (as there aren’t many solutions and not much buzz about them … yet). Hopefully this post will change all that. Even though the solutions are two sides of the same coin, the sides haven’t met yet, and until they do, which could be years (and years and years) away (because no one has really thought about the hard center yet), for many companies, what they really need is a TPCM solution.

What Impact Will Power Politics Have on the Sustainable Acquisition of Raw Materials?

the doctor doesn’t know, but it’s a question we need to ask, and answer, before politicians run away with an agenda that maximizes their bank account while simultaneously maximizing economic and environmental damage.

In September, JPMorgan Chase CEO Jamie Dimon stated that geopolitics is the world’s biggest risk and, more specifically, that we have dealt with inflation before, we dealt with deficits before, we have dealt with recessions before, and we haven’t really seen something like this pretty much since World War II. And while he didn’t mention power politics in particular, we’ve seen a lot of first world countries elect leaders with protectionist/centrist viewpoints, a directorial demeanor, and anti-free-trade stances.

Due to a loss of jobs, a loss of manufacturing, and a lack of reliability of supply, we’ve seen a lot of pushback on China (which is a major global source of many raw materials, and rare-earths in particular) while India is gaining ground in the BRICS (thanks to the anti-Russian sentiment among those who are pro-Ukraine and the instability of the Brazilian economy along with the China pushback), the United States implementing Buy American policies, the EU taxing anything they are sanctioning or trying to enforce “Buy EU” policies on, and the UK making decisions since (and including) Brexit that no one understands.

Now, while we should all be buying local to the extent possible (which might be the local farm, the state farm, or the farm one country south if ours is too cold to grow the produce we need; and, similarly, a factory in the country or a neighbouring one), when it comes to certain raw materials, especially rare earths and metals for which we do not have (more sustainable) alternatives, one doesn’t always have a choice. And the reality is that, for a given country, only one country will have the most sustainable source of rare earth and/or metal supply when you take into account the mining operation, the processing operation, and global shipping. And if protectionist/centrist/trade policies prevent purchasing from that country, and from the next two or three most sustainable (and/or most economical if your company is in/selling primarily to a developing country and you can only afford so many sources), the alternatives are not good.

So while it’s hard to quantify what effect the current era of power politics will have on the sustainable acquisition of raw materials and (precious) metals, it’s a question your organization needs to answer if you rely on such, and take steps to inform your local lobbying organizations to make sure that critical, sustainable, sources of supply are not blocked until alternatives are developed (especially if your organization needs to hit carbon [reduction] targets).

And if you don’t think this is an important topic, then why did Dr. Naoise McDonagh, a Lecturer at Edith Cowan University and a former Board Member of the Australian Institute of International Affairs, recently publish an article in The Interpreter (published by the Lowy Institute) on why Australia must play the geoeconomics game, or risk being side-lined?

Dr. McDonagh believes that acts such as the US’ IRA (Inflation Reduction Act) or the EU’s Critical Raw Materials Regulation, designed to drive growth in a particular industry (and, in particular, North American or EU-based EV supply chains) will act as a vast black hole sucking global capital from other destinations operating on purely comparative advantage terms which includes Australia.

Dr. McDonagh argues that these acts, and similar measures being implemented globally, are part of a geopolitical transition that is creating a two-level world economy: a standard economy with normal market access and a de-risked economy with restricted access for actors of concern. And since the types of restricted access we are seeing typically revolve around rare earths and metals, this means that we need to ask the question we asked in the title: What Impact Will Power Politics Have on the Sustainable Acquisition of Raw Materials?

the doctor doesn’t think the answer is obvious, and definitely doesn’t agree with Dr. McDonagh’s insistence that the answer for Australia is the 10-year Australian Renewable Industry Package, because the doctor believes the question is more nuanced than anyone currently understands. However, the doctor does agree with Dr. McDonagh’s reading of the situation and that power politics is quickly becoming one of the most significant risks to your supply chain, one that is even more unpredictable than strikes and natural disasters.

If you have a partial answer, comment on LinkedIn. We need them before bad decisions are made for us.

Source-to-Pay+: An Introduction to Supply Chain Risk

If you missed the risk series, you might want to catch up. Risk doesn’t just stem from your immediate inbound tier 1 suppliers, it stems from your entire inbound supply chain. Your Supplier “Risk” Management solution only gives you a partial picture at best. Find out what you need to get the rest!

1: The Beginning
2: End-to-End
3: Corporate Risk
4a: Third Party Risk, Part 1
4b: Third Party Risk, Part 2
5: Supply Chain Risk, Generic
6: In-Transport Risk
7: Multi-Tier Supply Chain Risk
8: Analytics / Control Center
9: Cyber Risk