Supplier risk mitigation has become very important, especially in these times. The two key themes to come out of 2020 from a procurement and supply chain standpoint have been supplier risk mitigation and cyber threat. As the pandemic’s effects started to grow, organizations found their business continuity plans (BCPs) being thrown out of the window.
Over dependency on one supplier or a small group of suppliers from one region dealt with organizations a heavy blow. They also saw their supply chains crumbling under the pandemic’s weight.
With time, organizations did find ways to get their supply chains back up and running. However, with more digital technologies being used than ever before, a new and enhanced cyber-threat problem emerged. Suddenly organizations found themselves fighting off phishing attacks, fraud, duplicate invoices, and guarding themselves against data leaks to ensure that their businesses don’t suffer anymore.
Given that the pandemic has disrupted our ways of working not just for 2020 but for the near future, these two challenges will be a constant for procurement and supply chain professionals.
This is why we thought of putting together a few key points that you can incorporate into your strategy to conquer supplier risk and cyber threats in 2021 & beyond.
Challenges with pre-COVID-19 supplier risk mitigation practices
A majority of organizations across the globe were caught in a fix as soon as the pandemic hit as they had little to no visibility beyond their Tier-1 supplier. As the pandemic wore on, Tier-2 and Tier-3 suppliers were unable to feed the supply line either due to lockdowns or due to longer payment terms, which resulted in a cash flow crunch for them, eventually force them to halt production.
As Bruce Everett, CEO APAC, IACCM suggested in one of Zycus’ webinar earlier this year, organizations and nations expected the pandemic to impact them or maybe a couple of their neighbors, but no one expected the whole world to come to a standstill.
This sums up what most organizations were thinking when the pandemic hit. For them, the immediate reaction was to assess if their key suppliers were under threat. Most organizations missed looking beyond their primary suppliers and evaluating the extent of the damage across the whole of the supply chain.
For organizations whose primary suppliers got impacted, a subsequent challenge was looking for a new supplier or a pool of suppliers who could fill in the gap. Unfortunately, most years of dependence on a select few suppliers and an impaired supplier performance system made this search a tedious process.
Even though a majority of organizations found a make-shift way out of this fix, the question is, how do they find a long-term solution and account for any significant disruptions in the future? Here’s a quick look at a 3-step approach to better managing supplier risks.
A 3-step approach to better supplier risk mitigation:
1. Assess: According to a Gartner survey, 89% of companies experienced a supplier risk event in the last 5 years, yet their awareness and plans to mitigate it lacked maturity. 1
What organizations need is a holistic 360° view of supplier risks, which factors in various types of risks viz. operational risks, Geo-political risks, financial risks, legal and compliance risks, reputational and information security risks, etc., and isn’t only limited to the primary supplier but takes into account the supplier’s supply chain as well.
In addition to external risk coverage, organizations also need to monitor supplier performance through risk assessment scores continuously. Supplier risk and performance management KPI benchmarks and scorecards can come in handy in ensuring the right parameters are being set and monitored.
2. Manage: Once the correct KPIs are set, organizations can periodically review their suppliers’ performance scores and segment them based on their risk scores. This way, they have a clear view of who’s the most impacted due to any of the possible risk factors stated above and who has a healthy supply chain.
Suppliers whose risk and performance scores go below the minimum threshold can be asked to undertake SCAR (Supplier Corrective Action Request) programs.
3. Monitor: The final piece of the puzzle is continuously keeping an eye for events and news across various parameters on a real-time basis. Automated alerts, risk trends, surveys, etc., can help organizations stay ahead of the curve. They can also be prepared for a black swan event like the pandemic.
While the above steps seem logical and easy in theory, organizations have struggled to put these into place due to a lack of technology improvisations over the past couple of years. Manually keeping a check on supplier performance, looking for news and events across the globe, and deriving insights into possible impact on the supply chain on a real-time basis is not possible.
This is why organizations need to adopt modern-day technologies such as Artificial Intelligence (A.I.), which can help. Gartner’s survey says that companies that use risk mitigation technologies are almost twice as effective as those that don’t. 2
The information security conundrum:
According to INTERPOL’s assessment of the impact of COVID-19 on cybercrime, there’s been a stark increase in the number of cyberattacks on major corporations, governments, and critical infrastructure ever since people started working from home. 3
Source: INTERPOL REPORT SHOWS ALARMING RATE OF CYBER ATTACKS DURING COVID-19
This is a cause of worry and caution for procurement teams, which may be looking to rapidly onboard new suppliers to fill in the gap created by their primary suppliers going bust. This may lead them to do a sub-par risk assessment of new suppliers. Also, this leaves the door open for fraudulent suppliers to enter their systems.
There’s also been an exponential increase in the number of fake or duplicate invoices sent to the A.P. teams across commercial and Government organizations. Given the number of queries and emails that A.P. teams get during a day, manual oversight may result in fraudulent invoices getting passed as valid invoices and payments being made.
With manual processes and systems in place, organizations will find it challenging to counter any such attacks, resulting in large-scale financial losses. Therefore, they need an automated tool such as the Zycus Merlin Invoice Reader BOT, which can go through invoices, extract line-level information, and highlight any fraud or duplicate data while ensuring no financial losses are incurred by the organization.
An A.I. system also helps raise a red flag in case any of an organization’s supplier is impacted by a cyber attack or data theft. Organizations can immediately act upon such instances. Also, they can reach out to their suppliers to check if their data was stolen or compromised. Hence, they can then take corrective actions if required.
COVID-19 was an eye-opener for organizations who believed that their supplier risk and business continuity plans were fool-proof. Having limited or no visibility beyond the primary supplier and relying on manual systems to identify and iron out any potential risks proved detrimental. What made matters worse was the barrage of cyberattacks aimed at maximizing the fragile systems in place, especially with people working from home.
The need of the hour calls for organizations to have a holistic approach to supplier risk mitigation. This can be done by using advanced A.I. engines. Also, having a healthy and diverse pool of suppliers, which can be segmented according to their risk scores on a real-time basis, helps organizations make the right moves to circumvent any adverse situation and gain a competitive advantage over their peers. Governments can use such systems to ensure enhanced security and that none of their tax payer’s money goes to waste.
Learn More: Vendor Management Guide