2019 was a tough year when it came to risks in the supply chain. Several big-name companies fell victim to cyber attacks, leaving others to wonder if they were truly protected. As the new year quickly approaches, there’s no better time to assess current risk management plans and identify where there’s room for improvement.
Supply & Demand Chain Executive sat down with Danny Thompson, SVP of market and product strategy at APEX Analytix, to discuss how companies can protect themselves from risks as we enter a new decade.
SDCE: What are common risks that the supply chain faces?
There are five common risk categories that can disrupt the supply chain: reputation (negative news about the company or suppliers), geographic (country instability, environmental events), financial (fraud, credit risk), operational (employee or supplier errors) and regulatory (conflict minerals, child labor laws).
A couple specific risks that our clients are dealing with on a daily basis are:
Hong Kong very quickly changed from an extremely stable country to receiving a downgrade in its credit rating. Delayed shipments are today’s problem, but supply chain executives need to plan for how this may either devolve into a larger problem, or if it will just be a blip in Hong Kong’s history. We anticipate Hong Kong’s instability will be listed in multiple companies’ annual reports on what impacted their current and projected financials.
Certification Validations & Sanctioned Entities
Many times, value-adds in products start with the raw material. Certifications (e.g., USDA Organic) have become the protocol to keep everyone following a certain standard while avoiding an on-site visit from the buyer. Validations when sourcing new partners ensure suppliers that could tarnish a brand are not onboarded.
The inverse of value-add certifications are companies being added to sanctioned entity lists like OFAC, FBI or Interpol. These lists are maintained by government agencies that will restrict trade with people or companies of national security concern, and failing to comply will result in fines. In fact, 22% of fines levied by OFAC are over $1 million.
In a recent business email compromise scheme, one of Toyota’s suppliers paid approximately $37 million to a fraudulent bank account and they will most likely recover $0. This impacted their bottom line and most likely had great ramifications to the internal teams, supplier relationships, communication with suppliers, and the ongoing prevention of the next attack.
With our clients having an average of 40,000 global suppliers, there are many factors that could affect the creditworthiness of the overall supply chain — and many are outside of a supplier’s control. Country instability or an environmental event associated with a downstream supplier will impact whether a supplier has the necessary components to manufacture a product. It isn’t just the buying company’s revenue that could be lost, but every company in the supply chain.
SDCE: In what ways can companies address these risks?
Removing manual processes from risk management is key. Manual controls create inefficiencies and will eventually fail.
Here’s what we recommend for addressing each risk category:
Credit rating downgrades indicate a region is becoming unstable, but this downgrade may happen after the region has become unstable. News articles of day-to-day events are better predictors that a region may become unstable. AI technology to analyze, score and alert on high-risk countries or specific regions can provide guidance for a supply chain manager to further investigate and decide how to minimize exposure.
Supply chain managers need automatic alerts if a shipping company has been flagged by the US government as illegal to do business with. The US recently sanctioned several Taiwanese and Hong Kong shipping companies for helping North Korea evade international restrictions on its petroleum trade. Doing business with these companies will result in fines, bad press and disruptions to the supply chain.
Automated supplier identity validation against sanctioned entities lists during onboarding, and every time a payment is about to be issued, will help avoid hefty fines that result from paying prohibitive organizations. Pairing automated validation with human investigation further aids in confirming any matches.
Fraudulent invoices disrupt the supply chain because suppliers will eventually see that an invoice is overdue and possibly stop shipments. The best control to prevent paying a bad actor is real-time automated bank account ownership validation, which goes beyond the traditional “call back” validation and confirms that the company name, legal entity type, tax ID and other identifiers are the same as the legitimate supplier. If a fraudulent change request is made, the bank account ownership test will provide a fail-safe control confirming the bank account is owned by the legitimate supplier and not a bad actor.
Similar to monitoring sanctioned entity lists, a supply chain manager needs to be alerted when a supplier’s credit rating has significantly changed — positively or negatively. If a supplier’s credit rating increased, then shifting production to that supplier from higher risk suppliers will benefit the supply chain. Alternatively, a decrease in credit rating would mean the opposite.
SDCE: Why is it important to have a plan in place in case something goes wrong in the supply chain?
Fraud, environmental events and bad supplier news will happen in every global supply chain every year. When these occur, you shouldn’t be making any important decisions in real time. This ensures when you are operating under pressure, you won’t make mistakes that will disrupt your supply chain and bottom line, or decisions that will disrupt your customers’ supply chain and bottom line.
SDCE: What are some ways to improve current risk management plans? Does technology play a role?
Yes. Technology can help you identify suppliers, evaluate the risk and prioritize contingency plans.
SDCE: Why do you think collaboration is important when it comes to risk management?
Collaboration creates a true partnership with your suppliers to ensure transparency around critical components of the supply chain and risks to it. It will encourage suppliers to alert you when conditions approach critical thresholds. With secondary providers, collaboration creates dependable contingency plans to mitigate supply chain disruption.
Internal collaboration is also key to ensuring the critical components of risk management are truly defined and contingency priorities are planned for.
SDCE: How do you get others involved in the supply chain to get on board with changes made in risk management plans? What errors can occur if not everyone is on the same page?
Senior leadership needs to endorse the risk management plans and create a risk committee to actively participate in guiding the risk management program. Without senior leadership’s endorsement, these types of programs get deprioritized for revenue-generating or cost-cutting programs until there is an event that forces senior leadership to get involved.
When communicating the contingency plans, each stakeholder must know how it impacts their objectives. If everyone is not on the same page, you will be communicating what the mitigation plan is rather than executing it.
SDCE: What risks do you expect to occur going into the next decade?
In August 2019, a cyberattack used AI-based software to mimic the voice of a CEO on the phone, resulting in a transfer of $243,000 to a fraudster. This was for a wire transfer, but what about a transfer of cars, petroleum or pharmaceuticals with the voice and visual of a trusted person via video? This technology will become more prevalent and these types of attacks will be a new tactic of supply chain pirates.
Global climate change will undoubtedly have an impact across the supply chain, logistics and financial markets over the next decade, but to what degree is still undetermined and needs to be monitored. Climate change will reshape the risk profile of regions and thus shift a company’s supplier base.