SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Shani Richards shares how this course has opened her eyes to the inherent risks associated with not having a solidified third-party risk management system in place.
SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Jamie Huntington shares her thoughts on why Due Diligence is so essential in the third-party risk management process.
Jamie Huntington, Supplier Diversity & Development Manager, Black Hills Energy
America’s love affair with e-cigarettes evaporated quickly as millions of users were recently confronted with unnerving news—their vapes could actually contain toxic chemicals powerful enough to be deadly.
The CDC issued words of caution on September 27, “Anyone who uses an e-cigarette or vaping product should not buy these products off the street.” The sentiment is clear—consumers need to avoid e-cigs from potentially shadowy manufacturers and distributors fed by an unregulated supply chain.
Duty to the Consumer
E-cig manufacturers have a responsibility to pinpoint precisely what in their products is harmful, just as distributers must be confident they are only carrying reputable items that are sourced through a responsible supply chain. Many vaping products have been found to contain illegal synthetic marijuana, even when consumers believed they were buying THC-free products such as CBD pods.
In an industry as young and unregulated as e-cigs, it’s not surprising an unknown health consequence was lurking on the horizon. Consumers had no idea what ingredients or manufacturers to be wary of because no one yet knew there was a concrete hazard.
Liz Mantovani, CSP, CSMP, C3PRMP, Director of Operations, SIG
Keynote speakers, thought leaders and industry publications show no signs of slowing when it comes to evangelizing the benefits of the supply chain’s digital transformation. With its promises to save you time and money, the market has exploded with offerings of cloud-based solutions, IoT devices and a legion of outsourced practitioners who can make all of your spend visibility and risk management dreams come true. But for all the benefits touted, what is often left out of the conversation is the topic of security, especially as it relates to third-party vendors.
The Path of Least Resistance
As hackers become cleverer in their approaches, they’ve moved from directly attacking large organizations to exploiting vulnerabilities and penetrating third-party cloud software, apps and IoT devices to implant malware directly into the software or steal login credentials. “The challenge with supply chains is that they are multifaceted and there are many places where a hacker can enter,” says Brandon Curry, Senior Vice President with NTT Communications. Curry, who is also a Certified Ethical Hacker, frequently reports on trends in cloud and supply chain software security. He notes that the top cost of a supply chain breach is legal and reputational costs, with software supply chain attacks costing an average $1.1 million per attack globally.
Compromised software is one of the primary causes of supply chain software breaches, and the damage isn’t limited to grabbing customer credit card numbers or personally identifiable information (PII). Hackers are also looking to steal intellectual property, mine your customer base, counterfeit your product and take over your market share.
Contracting is one of the most important parts of the sourcing process – this is one of the final steps in the process before (or in parallel with) implementation and it documents all terms and conditions agreed to by both parties throughout the sourcing engagement. While it is one of the most important steps in a sourcing engagement, it can also be one of the most painful with numerous rounds of revisions and reviewing legalese that can extend out a project timeline substantially at times. As a Sourcing professional, I’ve reviewed my share of contracts ranging from one page agreements to lengthy contracts with multiple attachments and exhibits. Each contracting experience is different, some have gone smoothly and are wrapped up in a few days’ time, while others took months to come to agreement on the final language. I will highlight a few recent experiences with contracting and some of the lessons learned that can be applied to others in similar situations.
Don’t skip the contract just because of a low spend figure.
On a recent project, my team was brought in to negotiate with a local hardware store that was used regularly for as needed supplies at a local manufacturing plant. Upon further investigation, we learned that the client had already negotiated a discount structure with this supplier earlier in the year, but there was no formal documentation because the annual spend with the supplier was below the threshold when contracts are required.
With the rapid acceleration of cloud software, Internet of Things (IoT) and advancements in FinTech, the financial and technology industries saw significant increases in cyberattacks over the past year. Attackers find vulnerabilities in supply chains and software, capitalize on lax security updates and use social engineering to manipulate end-users.
As hackers become more creative in their subversive techniques, businesses need to become more proactive in educating their workforce and stepping up their cyber incident response plans. Businesses should consult with their vendors, third-party suppliers and stakeholders in every business unit to ensure continuity, mitigate risk and verify that security measures are being employed and regularly updated.
Below are summarized findings from the recent NTT Security Global Threat Intelligence Report that focus specifically on the finance and technology sectors in the Americas, which account for the most highly targeted attack sectors in this region. Recommendations from the National Institute of Standards and Technology Framework are included here as well. Organizations can also look to the Department of Homeland Security’s National Cyber Incident Response Plan for guidance on dealing with and addressing cyber incidents.
Finance and Technology Top the List of Targets
Attacks to the finance sector nearly tripled, accounting for 43 percent of attacks compared with 15 percent the previous year. Attacks targeted at the technology industry sector increased to 27 percent of attacks, up from 11 percent in the previous year. For comparison, manufacturing was the most attacked sector in 2016, with 23 percent of attacks, but has since fallen to five percent of attacks in 2017.
In my last blog, I spoke about ethical sourcing and the many benefits it can have for your company. Seems like a no-brainer, right? When attempting to put in a plan to obliterate unethical practices in your supply chain, it starts to be risky business. The best way to mitigate risk is to set up a solid plan and be diligent about following through with it.
In my research to find a clear plan to mitigate unethical practices, I found a slew of proposed methods. Unfortunately, I felt that many of them seemed too simple—basically, too easy and too good to be true. I finally came across a solid and thorough plan proposed by Declan Kearney, the founder of 360° Supplier View, who shares tips with companies to ensure ethical sourcing practices in their supply chain.
Do Your Research
Make sure you do your research on your suppliers…and their suppliers. With myriad complex regulations now put in place, go out and learn from case studies and the resources that will act as a survival guide as you attempt to research your vendors and suppliers.
Stay Away from the Fat Cat
Assess whether the higher-ups in your supplier organization are well known or politically aligned. These individuals are more susceptible to bribery or corruption.
Hailey Corr, Junior Editor and Marketing Associate, Outsource and SIG
In my time working in the sourcing sphere I have become passionate about ethical sourcing. Mexico, where I have lived for nearly eight years, is where many companies source cheap, nearshore labor and is a resource for bilingual, cost-saving talent. I have witnessed unethical sourcing practices in my time here and I am always looking to educate myself and others on the benefits of ethical sourcing. As companies chase better costs to remain viable, the possibility of building a supply chain with poor ethical practices increases. Ensuring ethical sourcing practices in your supply chain can be labor intensive but the benefits are immense.
According to the Chartered Institute of Purchasing & Supply (CIPS), ethical sourcing is the process of ensuring the products being sourced are obtained in a responsible and sustainable way, that the workers involved in making them are safe and treated fairly and that environmental and social impacts are taken into consideration during the sourcing process. Ethical sourcing also means the procurement process respects international standards against criminal conduct and human rights abuses and responds to these issues immediately if identified.
With global sports industry revenues over $145Bn and growing at a rate of 3.7% over the past 4 years, it is evident now more than ever, that behind the tackles and buzzer beaters, sports remains a business. Negotiations in business are usually governed by several tangible measurable data points that are indicative of future performance. Given below are a few aspects that are unique to negotiations in the sports industry:
The global regulatory environment is heating up – and not just because it's summer. As government enforcement actions capture headlines, corporate leaders are rightfully concerned about whether their due-diligence strategy can hold up to the increased scrutiny. Richard Girgenti, KPMG LLP's National and Americas leader for Forensic Advisory Services, wrote in an article in Metropolitan Corporate Counsel recently, that the rapid and ongoing nature of regulatory changes, the array of agencies involved in bringing enforcement actions and the aggressiveness with which they are enforcing such actions are resulting in "record fines and penalties, class action lawsuits, lost earnings and reputation damage." Girgenti would know, having more than three decades of experience – not just in advising organizations but in conducting investigations and overseeing policies on the enforcement agency side of the coin. So, what does he see as some of the top of mind issues for corporate leaders who want to stay out of hot water with regulators?
Three Enforcement Areas that Demand Enhanced Due Diligence
Mark Dunn, Segment Leader, Entity Due Diligence and Monitoring, LexisNexis
 (1)_3.png?27JxhIX4gktVYsS9Rxx0YFPvAst32ns6= "Due Diligence is Due")
Opening The Curtain Of Third-Party Risk Management
SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Shani Richards shares how this course has opened her eyes to the inherent risks associated with not having a solidified third-party risk management system in place.