Category Archives: Supply Chain

Source-to-Pay+ Part 7: Multi-Tier Risk

In Part 1 we noted that Risk Management went much beyond Supplier Risk, and the primitive Supplier “Risk” Management application that is bundled in many S2P suites. Then, in Part 2, we noted that there are risks in every supply chain entity; with the people and materials used; and with the locales they operate in. In Part 3 we moved onto an overview of Corporate Risk, in Part 4 we took on Third Party Risk (in Part 4A and Part 4B), in Part 5 we laid the foundation for Supply Chain Risk (Generic), and then in Part 6 we addressed a major supply chain risk: in-transport.

As part of (generic) supply chain risk, we highlighted multi-tier risks that arise when multiple suppliers need to process materials, make sub-components, build components from those sub-components, and then assemble those components to make your product. When it takes 10,000 suppliers to make your product (which is the case with some complex electronics products), the risks are beyond what most minds can comprehend. Multi-tier risk management systems for direct supply chains must address a number of specific requirements outlined in Part 5.

Capability: Description
Connections & Relationships: It is incredibly important to keep track of all of the connections in the supply chain, not just the links that represent the paths of raw materials from the source into the products that your tier 1 suppliers supply you. You need to know who else your suppliers supply, and any risks that poses to you (if your competitors have more influence and can steer the direction, process, and quality of the supplier); who supplies your suppliers, any risk that poses to them, and thus to you; who owns your suppliers, and any risk that creates for your organization in different countries of operation due to sanction lists; and who your suppliers contract out to, and any risks that may pose.

It is thus critical that a multi-tier supply chain risk management solution support connection graphs that can be re-oriented around any entity at any time for a quick inspection of risks posed by that entity and all entities it may in turn affect. It is also critical that the solution support drill-in at each entity for deep insights and analysis.
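A minimal sketch of a connection graph that can be re-centred on any entity, added here as an illustration and not taken from any product the article describes. The entity names and the relation types (supplies, owns, subcontracts_for) are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample relationships; every name is hypothetical.
# Each tuple reads "source --relation--> target": the target depends on the source.
RELATIONSHIPS = [
    ("MineCo", "supplies", "SmelterCo"),
    ("SmelterCo", "supplies", "ChipFab"),
    ("ChipFab", "supplies", "BoardAssembler"),
    ("BoardAssembler", "supplies", "Us"),
    ("ChipFab", "supplies", "CompetitorX"),
    ("HoldingCo", "owns", "ChipFab"),
    ("HoldingCo", "owns", "SmelterCo"),
    ("LabourAgency", "subcontracts_for", "BoardAssembler"),
]


class ConnectionGraph:
    """Typed, directed relationship graph that can be centred on any entity."""

    def __init__(self, relationships):
        self.downstream = defaultdict(list)  # entity -> [(relation, dependent)]
        self.upstream = defaultdict(list)    # entity -> [(relation, provider)]
        for source, relation, target in relationships:
            self.downstream[source].append((relation, target))
            self.upstream[target].append((relation, source))

    def _walk(self, index, centre):
        """Breadth-first walk; returns {entity: (distance, path)}."""
        seen = {centre: (0, [])}
        queue = deque([centre])
        while queue:
            node = queue.popleft()
            dist, path = seen[node]
            for relation, neighbour in index[node]:
                if neighbour not in seen:  # shortest path wins; cycles are skipped
                    seen[neighbour] = (dist + 1, path + [f"{relation}:{neighbour}"])
                    queue.append(neighbour)
        del seen[centre]
        return seen

    def orient(self, centre):
        """Re-orient the graph around `centre`: who it affects, what it relies on."""
        return {
            "affects": self._walk(self.downstream, centre),
            "depends_on": self._walk(self.upstream, centre),
        }

    def shared_with(self, centre, us="Us"):
        """Other direct customers of `centre` (who else your supplier supplies)."""
        return sorted(t for r, t in self.downstream[centre]
                      if r == "supplies" and t != us)


if __name__ == "__main__":
    graph = ConnectionGraph(RELATIONSHIPS)
    for centre in ("ChipFab", "HoldingCo"):
        view = graph.orient(centre)
        print(centre, "affects:", {e: d for e, (d, _) in view["affects"].items()})
        print(centre, "depends on:", {e: d for e, (d, _) in view["depends_on"].items()})
    print("ChipFab also supplies:", graph.shared_with("ChipFab"))
```

Centring on HoldingCo shows that an ownership problem three hops away still reaches the buying organization, which a view limited to material flows from tier 1 would miss.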

Bill-of-Materials: The platform must provide multi-level bill of materials (BoM) support. You can’t track the full supply chain if you can’t track the full product inputs all the way down to the raw material inputs for each component, sub-component, and primary part. You also need to be able to trace any product with an issue down to the supplier who made the part/sub-component/component with the issue.

The platform must make it easy to define, maintain, alter, and otherwise work with the bill of materials. It shall be easy to instantiate an instance for each supplier of a product and trace all the way down to the mine or fields the raw materials come from, or the recovery/recycling plants if the materials are being re-used in a sustainable fashion.

Manufacturing Visibility: The visibility doesn’t stop at the BoM. It begins at the BoM. For each product you buy from each supplier, you need to track the supplier’s production capacity at the plant, as well as how that capacity is influenced by other products, and switchover time. (If you buy multiple products that use the same production line, then you can’t get full capacity of both.) It must be easy to see all manufacturing information related to a plant of a supplier, how many products it is associated with, and what tradeoffs are in effect when you order a specific product from a supplier.

The platform must be capable of calculating the units per hour/day/week, the switchover time, and how many units of each could be produced given a requirement for one product. (And the same must hold true for three or more different products/configurations.)

It’s critical that the platform allow for easy definition and manipulation of BoM instantiations, supplier plant nodes, manufacturing details, production line capability, and associated timings.

Public vs. Private Differentiation: The platform must be able to maintain the distinction between public and private entities, specific to the countries the entities are located/headquartered in, as well as the different types of information the organization needs to keep on both from a risk perspective. In some countries, public entities are more rigorously regulated and in other countries, private entities could be more heavily regulated. The platform needs to allow a buying organization to ensure that the entities are acting appropriately for their type. Also, investments and sanctions can sometimes work differently depending on entity type.

The platform must be capable of tracking entity type, associating the entity with the relevant regulations and requirements based on the type, and alerting the organization if anything changes with respect to the type or if any change occurs that could impact the type classification.

Predictive Sub-Tier Mapping: A supplier may not always disclose its sub-tiers. In such a situation, the platform must predict which sub-tier suppliers are being used based on product type, raw material, raw material availability, available transport networks, and so on.

The platform must contain an adaptive algorithm that learns as new information becomes available, continuously updates its knowledge from market data feeds (import/export logs are often public information), and integrates with third party (commodity) markets that can predict changes over time.

Source-to-Pay+ Part 6: (In) Transport Risk

In Part 1 we noted that Risk Management went much beyond Supplier Risk, and the primitive Supplier “Risk” Management application that is bundled in many S2P suites. Then, in Part 2, we noted that there are risks in every supply chain entity; with the people and materials used; and with the locales they operate in. In Part 3 we moved onto an overview of Corporate Risk, in Part 4 we took on Third Party Risk (in Part 4A and Part 4B), and then in Part 5 we laid the foundation for Supply Chain Risk (Generic).

As part of supply chain risk, we highlighted transport mapping and tracking as a key risk that the system should track, but noted that a generic supply chain risk management system would generally not be a full featured transport risk management system because such a system would also monitor and mitigate risks of goods in-transport. (Not just risks at nodes.) Such a system has a number of specific requirements beyond the basics outlined in our last article. In this article, we are going to discuss a number of those specific requirements.

Capability: Description
Modal-Specific Support: Cargo can travel by land, rail, sea, or air. As a result, an in-transport platform has to recognize each of these modes, the differences between them, the data that needs to be tracked, and the data that can be obtained from carriers providing each mode.

Such a platform should integrate with industry standard data feeds from TMS (Transport Management Systems), data feeds from major carriers, GPS systems, and other systems that provide data on your shipments, where they are, and when they are expected to get to the next location if the current leg of transport does not have a real-time GPS feed.

Cold Chain/Hazardous: Not all cargo can travel dry at room temperature. Some has to travel wet, some has to travel refrigerated or frozen, and some has to travel with special precautions for hazardous materials. It’s critical that such a platform be able to tag items with these transport requirements and assess the risks associated with the transport based on carrier, route, geolocation, etc.

Such a platform must be able to detect when a risk materializes or escalates, such as the delivery time estimate being pushed forward by a week when the cargo was only expected to have a shelf-life of six (6) days when delivered, extreme weather phenomena suddenly materializing in the region of the transport vehicle, or dangerous (man-made) accidents occurring as a result of a leak, accident, or failure in transport.

Manifests/Bills of Lading: The system should be capable of accepting bills of lading and cargo / shipping manifests and ensuring that the bill of lading exactly matches the shipment that is expected from the supplier, the cargo/shipping manifest exactly matches the bill of lading, and the inventory at the dock/yard matches the cargo manifest. This is the only way to minimize the chance of theft and fraud during transport. And by fraud, we don’t just mean your goods disappearing, we mean your containers and your company being used to smuggle goods into one or more countries where those goods are prohibited.

The system should also be capable of identifying carriers who have had incidents in the past, the carriers who are most at risk due to the regions they operate in, and the carriers who are most at risk due to the products they are carrying, both for you and for others (based on public manifests).
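The three-way document match described in this row, as an added example that is not part of the original article. The item codes, quantities, and the hold policy in `needs_hold` are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample documents: {item code: quantity}. All values are hypothetical.
EXPECTED_SHIPMENT = {"PCB-100": 500, "CASE-20": 500}
BILL_OF_LADING = {"PCB-100": 500, "CASE-20": 500}
CARGO_MANIFEST = {"PCB-100": 500, "CASE-20": 500, "UNLISTED-CRATE": 3}
YARD_INVENTORY = {"PCB-100": 480, "CASE-20": 500, "UNLISTED-CRATE": 3}


@dataclass(frozen=True)
class Discrepancy:
    stage: str     # which pair of documents disagrees
    item: str
    expected: int  # quantity on the earlier document (0 = not listed)
    found: int     # quantity on the later document (0 = not listed)
    kind: str      # "missing", "short", "over" or "undeclared"


def compare(stage, reference, observed):
    """Compare two {item: quantity} documents and list every difference."""
    issues = []
    for item in sorted(set(reference) | set(observed)):
        want, got = reference.get(item, 0), observed.get(item, 0)
        if want == got:
            continue
        if want == 0:
            kind = "undeclared"  # appears downstream but was never declared upstream
        elif got == 0:
            kind = "missing"     # declared upstream, absent downstream
        else:
            kind = "short" if got < want else "over"
        issues.append(Discrepancy(stage, item, want, got, kind))
    return issues


def reconcile(expected_shipment, bill_of_lading, cargo_manifest, yard_inventory):
    """Run the three checks in chain order so each mismatch is tied to a hand-off."""
    return (
        compare("shipment->bill_of_lading", expected_shipment, bill_of_lading)
        + compare("bill_of_lading->manifest", bill_of_lading, cargo_manifest)
        + compare("manifest->yard", cargo_manifest, yard_inventory)
    )


def needs_hold(issues):
    """Assumed policy: extra or undeclared cargo triggers a hold (possible smuggling)."""
    return any(i.kind in {"undeclared", "over"} for i in issues)


if __name__ == "__main__":
    found = reconcile(EXPECTED_SHIPMENT, BILL_OF_LADING, CARGO_MANIFEST, YARD_INVENTORY)
    for issue in found:
        print(issue)
    print("hold container:", needs_hold(found))
```

Comparing adjacent documents, rather than only the first and the last, shows at which hand-off goods were lost or added.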

Ports: The system will track detailed information on the ports that are used in the supply network. It will maintain information on port capacities / throughput, the carriers that go in and out, the equipment, the security at the dockyards, and so on. It will maintain information on the labour situation (last strike, the date the contract ends, likelihood of a strike/slowdown, etc.) as well as the available workforce.

The system should be capable of tying in weather information, local geopolitical information, economic information, and other disruptions that could affect the port, as well as any other risk-based factors that are relevant.

Canals/Straits: A lot of the world’s goods flow through canals (primarily the Panama and Suez) and straits to ports that are off of lakes and seas and not on the Atlantic or Pacific Ocean. While there are the risks of natural disasters just as there are on the high seas, there are also the geopolitical risks associated with all of the countries that border the canal or strait. (Especially if they are unfriendly to the country of origin, destination, or registration of the ship.)

The system must track all of the risks specific to the canals and ports that the organization, and its carriers, use in the ocean-based transport of goods.

Warehouses/Cross-Docks: Most goods procured by an organization will live in multiple warehouses in their journey through the supply chain: the supplier’s, the shipper’s local cross-dock, the port warehouse, the railroad cross-dock, your primary warehouse, and the regional warehouses that supply your local retail centers or manufacturing plants, as appropriate. These docks all pose a security risk.

The system should support all of the third party risk capabilities that are relevant for the owner/operator of the warehouse, the locale the work force is in, the third parties that provide the workers, and any other risks that can be identified and monitored for.

In-Yard (Rail/Dock): Sometimes the goods are in a warehouse, and sometimes they are just in a yard at the dock or the (rail)yard waiting to be loaded on a truck or a train to be taken to a cross-dock or warehouse. The risk will be a blend of warehouse/cross-dock and port/rail risks, tailored to the relevant locale.

The system should support all of the associated third party risk capabilities that are relevant, and, as with the warehouse/cross-dock, support risks that can be identified and monitored for.

Airports/ Some goods will go by sea, some by rail, some by land, and some by air. Airports have their own class of risks — which can include hijackings, crashes, and way too many carriers and personnel in and out of shared warehouses.

Similar monitoring to in-yard, but expanded to meet the specific need of airports servicing your cargo.

Driver/Conductor/Captain: The biggest risks in transport are often not the third party carriers you deal with, but the people — are they appropriately vetted, trained, certified, and monitored? Who are they associated with? Can those associates pose risks? Do they need to be monitored? If so, when and how?

This system should integrate with an employee/contractor certification and monitoring system to at least make sure all employees/contractors assigned to the organization’s cargo have appropriate licenses, certifications, training, and insurance.

And, of course, an In-Transport Risk Management system will also need a host of generic analytics/planning/monitoring capabilities, but since many of these are common, and since stand alone risk-focussed analytics applications are also part of the plethora of offerings out there, instead of discussing these generic features in this and every other article, as we noted in our coverage of Corporate Risk, we will instead discuss these capabilities in an article dedicated to Risk Analytics and Monitoring.

Source-to-Pay+ Part 5: Supply Chain Risk (Generic)

In Part 1 we noted that Risk Management went much beyond Supplier Risk, and the primitive Supplier “Risk” (or should we say “Uncertainty”) Management application that is bundled in many S2P suites. Then, in Part 2, we noted that there are risks in every supply chain entity; with the people and materials used; and with the locales they operate in. In Part 3 we moved onto an overview of Corporate Risk and then in Part 4 we took on Third Party Risk (in Part 4A and 4B).

But there’s much more to risk than just the (internally focused) corporate risks and the third party (supplier) risks. There are also supply chain risks. Today we are going to discuss the basic supply chain risks that an organization can expect to keep track of with a generic supply chain risk management application.

Capability: Description
Multi-tier Mapping: A good supply chain risk management system will map the organization’s known supply chain and allow them to track what facilities are located where, at least to the extent that they supply a higher tier that eventually leads to a good or service being delivered to a company location. This will include the tier 1 suppliers, the tier 2 suppliers they use, the known locations of the suppliers they use, all the way down to the raw materials. It will include intermediate warehouses, ports, (cross)-docks, rail yards, and FTZs used by the organization.

The organization will be able to search by product, and see the known supply chain. Search by location, see the suppliers who are there, and then see all the products that flow through those suppliers at that location.

Geo-Political Tracking: For every region the organization does business in, the platform tracks news and events related to the geo-political climate. Government decisions, labour unrest, increases in crime, terrorist activity, man-made disasters and other, related, events will be tracked. Government stances on issues, local business preferences, likely election outcomes, and anything that could cause a change in the political climate will also be tracked.

For each government decision, labour unrest, terrorist activity, man-made disaster, closure, etc., the platform will associate it with all affected suppliers and supply chain network nodes (warehouses, ports, etc.) in the network. In addition, any news or events that may turn into an event of interest will also be referenced.

Economic Tracking: For every region the organization does business in, the platform will track the local economics. How is the currency trading against the primary currencies used by the organization, and is it increasing or decreasing in value? How is the local job market; is unemployment decreasing or increasing? How is local consumer spending?

All of the above are indicators of the local economy. The organization is interested in not only how much it will cost for the goods now and tomorrow, but, if they are selling in the local economy, how likely it is the local market will (continue to) be able to afford the products, and how likely the supplier will be able to attract and retain the workforce it needs to serve the organization.

Natural Disasters: For every region, and every region between every region the company sources from and every region they sell in, the organization tracks natural disasters, their impacts, and, if recovery is necessary, the state of recovery. It also tracks natural disaster risk, and any nearby (weather) events that could turn into a disaster (hurricanes forming over the ocean, tremors that could signal an earthquake, lava flows that could signal a volcanic eruption, etc.).

In addition to tracking the disasters that have happened, might happen, and will happen again, it also tracks the impact a disaster will have for every day a supplier’s operation is disrupted. The platform will contain the ability to model the cost of a disruption at every tier 1 node and propagate that down the chain.

Disruption Tracking: The platform will also contain the ability to track arbitrary disruptions, track the recovery status, model the potential impact, and track the actual impact.

This will normally form the foundation of a control centre, which will be integrated with the analytics and monitoring capability (which, as we noted in our last three parts, will be covered in a separate article), and allow the organization to centrally track, manage, and mitigate organizational risks.

Transport Mapping & Tracking: As noted above, the platform will track every region, and every region between every region, that the company operates in and use this information to map and track the organization’s transport networks. Every node used by every carrier will be tracked, every lane will be mapped, and every route monitored to the extent possible by the application.

This normally won’t be a full-fledged transport risk management platform, which will be something we cover in another article, but will provide enough foundations that a third party application can be linked in or data feeds imported.

Moreover, a Generic Supply Chain Risk Management Application will also contain a host of generic analytics/planning/monitoring capabilities, but since many of these are common, and since stand alone risk-focussed analytics applications are also part of the plethora of offerings out there, instead of discussing these generic features in this and every other article, as we noted in our coverage of Corporate Risk, we will instead discuss these capabilities in an article dedicated to Risk Analytics and Monitoring.

Source-to-Pay+ Part 4B: Third Party Risk, Part 2

In Part 1 of this series we noted that Risk Management went much beyond Supplier Risk, and the primitive Supplier “Risk” Management application that is bundled in many S2P suites (which is really more of a Supplier “Uncertainty” Management module). Then, in Part 2 of this series, we noted that there are risks in every supply chain entity; with the people and materials used; and with the locales they operate in. Then in Part 3 of this series we discussed inwardly focussed Corporate Risk Management, which some companies offer partial solutions to in the form of GRC (Governance, Risk, and Compliance) solutions.

Then, yesterday in Part 4A, we began our discussion of third party risks and outlined some of the specific baseline capabilities that such a solution should possess. Today we complete our discussion of third party risk and outline the remainder of baseline capabilities that we believe such a solution should possess.

Sustainability: An organization needs to be sustainable, which it can only be if the suppliers it uses are sustainable as well. As such, a TPRM solution needs to monitor the sustainability of its suppliers. Their carbon footprint, or at least the footprint of the products/services they provide, associated GHG emissions, and (fresh)water utilization, especially if significant or beyond the norm (and reducible).

This part of the application should integrate with third party data feeds and assessments on sustainability as well as the integrated assessment module.

Commodity Markets: Sudden, unexpected, price increases represent a great risk to the organization, no matter where they occur in the chain. Since it’s usually the supplier (or the supplier’s supplier) who buys the raw materials from the commodity markets, the organization often doesn’t know about the price increase until it’s too late. Thus, it’s critical that an organization monitor the commodity markets for any raw materials it needs in considerable quantity that can have a significant impact on its financials.

Thus, a good TPRM system will integrate with commodity market feeds and track the raw materials used in the relevant Bill of Materials of the organization. As such, the system should also integrate with the ERP and be able to pull in the raw materials the organization’s suppliers need to acquire in large quantities on a regular basis.

Location Considerations: There’s a lot of risk associated with a location. Geopolitical, economic, natural disaster, and so on. The system should track all of the locations associated with each third party, the risks associated with the location, the likelihood, and, if possible, the potential impact.

This part of the solution should tie into the event monitoring, sentiment monitoring, third party feeds, and any other indicators that could indicate a location-based risk. When one is detected, all of the (potentially) impacted suppliers should be identified, and the potential severity of the event also identified.

Certificates: The solution must track all appropriate certificates / certifications for third parties that the organization needs to verify that the organizations are compliant with regulations, have the appropriate insurance, and so on.

A good solution will also integrate with third parties that can verify the existence/issuance of the certificate, the dates of validity, and other key meta-data.

Industrial Accidents: It’s important to keep track of any industrial accidents in the third parties you do business with, whether they have been cleaned up, what the impacts were, and whether or not the third parties have taken steps to prevent similar accidents from happening again. A supplier that could be shut down at any time due to an accident which has more than a negligible chance of occurring is not a reliable supplier. Plus, this can also impact reputation / brand.

Thus, the application needs to tap into organizational filings and disclosures to identify past accidents, event monitoring to identify accidents as they happen, assessments to get updates from suppliers as they clean up / recover, action plans that capture what the supplier/third party plans to do, and monitoring.

Recalls: Just like it’s important to keep track of industrial accidents, it’s also important to keep track of recalls. For what, how often, and how severe. A supplier that has to regularly do recalls has quality (management) issues and is not a supplier you want to be relying on.

It’s important that the application track recalls, track any updates on those recalls, and track any news stories that led to those recalls. You also want to know how often a supplier has had to do a recall in the past.

Related Parties: We’ve more-or-less stated this in many of the sections above, but it’s critical that you track the parties related to a supplier/third-party of interest. Those that supply, service, or invest in the third parties you rely on should also be tracked. In addition to tracking these, it’s critical to maintain the relevant relationships between the parties and keep this up to date.

The system should integrate with third party corporate registries that track ownership and relationship information and update the relationships in the TPRM as necessary.

Action Plans / Development Goals: As we hinted at in our discussion of Industrial Accidents, it’s not enough to just track the risks, the likelihood, and indicators they are materializing / have materialized; an organization has to work with suppliers to minimize the likelihood and, should they materialize, minimize the recovery time and the impact on the organization.

The application must support the definition of a multi-stage plan, with multiple tasks per stage, collaborative development of the plan, approval workflows, and when the plan is instantiated, execution and tracking of the progress made by the third party. Basically, it’s customizable development program management for a third party.

Maturity Model: The platform should support the definition of maturity models by third party (supplier) organization type, the mapping of third parties to these models, default action plans that can be instantiated to help a third party progress up the maturity model, and associated metrics to measure the aptitude of a third party at each level.

In other words, it’s not just point-based program management for the development of select capabilities in a third party, it’s integrated multi-faceted organizational management of a third party with monitoring, management, and reporting over time.

Moreover, a Third Party Risk Management (TPRM) application will also contain a host of generic analytics/planning/monitoring capabilities, but since many of these are common, and since stand alone risk-focussed analytics applications are also part of the plethora of offerings out there, instead of discussing these generic features in this and every other article, as we noted in our coverage of Corporate Risk, we will instead discuss these capabilities in an article dedicated to Risk Analytics and Monitoring.

Source-to-Pay+ Part 4A: Third Party Risk, Part 1

In Part 1 we noted that Risk Management went much beyond Supplier Risk, and the primitive Supplier “Risk” Management application (that we prefer to call Supplier “Uncertainty” Management) that is bundled in many S2P suites. Then, in Part 2, we noted that there are risks in every supply chain entity; with the people and materials used; and with the locales they operate in. Then, in Part 3, we discussed inwardly focussed Corporate Risk Management, which some companies offer partial solutions to in the form of GRC (Governance, Risk, and Compliance) solutions.

Today we are going to talk about some of the third party risks and outline the function-specific baseline capabilities that such a solution should possess. Before we get started on the risks, we should note that a third party risk management (TPRM) solution can also be used for Supplier Management. A supplier, in addition to being a second party, could also be one of the many “third parties” an organization has to worry about if it is a sub-tier provider contracted by another primary, first-tier, supplier of the organization. A good TPRM solution will contain all of the functionality in an average Supplier Risk/Uncertainty Management module in a Source-to-Pay solution and much, much more.

We’ll continue in yesterday’s format, outlining some of the key capabilities and what that may mean solution-wise. There are quite a few key capabilities. So many, in fact, that we’re actually breaking this article up into 2 parts.

Capability: Description
Customizable Assessments: No matter how many capabilities come out of the box, every organization is going to need to do a customized assessment of a third party at some point. Thus, any TPRM system must support the creation of customized assessments with arbitrary questions, multiple forms of answers (multi-select, numeric, free-form, etc.), customizable weighting systems (that also support group-based weightings using averages, medians, or weightings based on role) and customizable reporting on the results.

In addition, the system should come with a slew of starting, customizable assessments out-of-the-box on every area covered in the application, whether or not there are third party data feeds and assessments that can be sucked into the application for use by the client. (This is because most third party feeds and assessments come with a cost, which may not be worth it to the organization if that aspect is only relevant to a few suppliers or doesn’t cover all of the aspects an organization needs.)

Reputation/Brand: As we noted in our last article, a significant risk to the company is its reputation/brand, and that includes reputation/brand risks that come from being associated with third parties with reputation/brand risks. As a result, an organization needs to keep on top of the reputation/brand of its suppliers and partners.

Thus, it needs a platform that can monitor news sources and social media and look for stories about all of its suppliers and partners that could blow up, sentiment that could propagate, and events that could cause repercussions through the supply chain.

Regulatory Compliance: Organizations need to be compliant with regulations in every geography in which the organization does business, which means that it needs its core suppliers and key partners to also be compliant with those regulations. As a result, it needs to monitor all of its suppliers and their suppliers/partners for compliance with the regulations that are relevant to those suppliers/partners.

This may mean tracking certifications, tracking raw material inputs, tracking human resources assigned to projects, tracking carbon/GHG reports from the third party, and other key pieces of information. It may mean asking suppliers for additional (self) assessments, getting (temporary) access to third party data feeds, and having third parties do compliance audits for you.

Ownership/Financials: Just like your company cannot be associated with sanctioned entities, you need to be careful not to do business with suppliers who are (partially) owned or controlled by sanctioned entities as well or who are doing business with sanctioned entities to support your organization. In addition, you don’t want to be doing business with suppliers or third parties who are financially unstable, as their bankruptcy could negatively impact your business.

Thus, this system must tie into all sanctioned and denied party lists of every country it operates in, cross-reference the ownership and partners of all suppliers/third parties the company does business with against the sanction list, and monitor ownership changes as they occur. In addition, it should tie into systems that monitor financials of public companies as well as systems that judge the financial stability of private companies.
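One way to cross-reference ownership against a sanction list through several layers of holding companies, as an added example that is not from the article or any TPRM product. All entities and percentages are constructed, and the 0.5 control threshold is an assumption to be set per the regimes that apply.

```python
from collections import defaultdict

# Constructed data; every name and percentage here is hypothetical.
OWNERSHIP = [  # (owner, owned, fraction of shares held)
    ("ShellCo A", "Supplier 1", 0.40),
    ("ShellCo B", "Supplier 1", 0.30),
    ("Sanctioned Person", "ShellCo A", 1.00),
    ("Sanctioned Person", "ShellCo B", 0.50),
    ("Pension Fund", "Supplier 2", 0.80),
    ("Supplier 2", "Pension Fund", 0.05),  # cross-holding (a cycle)
    ("Sanctioned Bank", "Supplier 3", 0.10),
]
SANCTIONED = {"Sanctioned Person", "Sanctioned Bank"}


def effective_stakes(ownership, entity):
    """Return {direct or indirect owner: effective fraction of `entity` held}.

    Stakes are multiplied along each ownership path and summed across paths.
    A path never revisits an entity, so cross-holdings cannot loop forever.
    """
    owners_of = defaultdict(list)
    for owner, owned, fraction in ownership:
        owners_of[owned].append((owner, fraction))

    totals = defaultdict(float)

    def climb(node, stake, on_path):
        for owner, fraction in owners_of[node]:
            if owner in on_path:
                continue  # skip circular ownership
            held = stake * fraction
            totals[owner] += held
            climb(owner, held, on_path | {owner})

    climb(entity, 1.0, {entity})
    return dict(totals)


def screen(ownership, sanctioned, suppliers, threshold=0.5):
    """Flag suppliers with any sanctioned owner; mark those at or over `threshold`."""
    findings = {}
    for supplier in suppliers:
        stakes = effective_stakes(ownership, supplier)
        hits = {o: round(s, 4) for o, s in stakes.items() if o in sanctioned}
        if hits:
            total = round(sum(hits.values()), 4)
            findings[supplier] = {
                "owners": hits,
                "total": total,
                "controlled": total >= threshold,  # assumed threshold, see lead-in
            }
    return findings


if __name__ == "__main__":
    result = screen(OWNERSHIP, SANCTIONED, ["Supplier 1", "Supplier 2", "Supplier 3"])
    for supplier, finding in result.items():
        print(supplier, finding)
```

Supplier 1 has no sanctioned direct shareholder, yet the two shell companies together give the sanctioned person a majority; re-running the screen whenever an ownership record changes covers the monitoring requirement.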

Human/Labour Rights: Legislation has been introduced and/or is being considered in many jurisdictions around the world that makes your organization responsible for any abuses of human or labour rights in the supply chain. It’s important to have systems that can monitor for human/labour rights in the supply chain, even if this is only through integrations with third parties that do (independent) on-site assessments.

This should also make use of the brand/reputation monitoring module that monitors news sources, events, and related data feeds to scan for anything that could indicate a human/labour rights violation.

Come back tomorrow for Part 4B as we continue our discussion of Third Party Risk.