Hundreds, thousands, or even tens of thousands of third parties power your company every minute of every day, in all your markets and geographies, for every product and service. Third parties are everywhere, in virtually every part of your business. You have less control over third parties than over your internal operations, so getting this right is essential for your company’s success.
Third-party relationships are complicated. But the “right” third parties, if thoughtfully evaluated, managed and controlled, deliver what you contracted for and serve up many opportunities to be better. Better means new products, services and markets. Better means access to specialized top talent, processes and technology. Better means less risk.
Unfortunately, risk is everywhere and even though technology is advancing in leaps and bounds, operational ecosystems are growing more complex every day. Consequently, risk events, cyber attacks, fraud, data corruption and privacy breaches are becoming commonplace, and are too often the fault of a careless third party. The proliferation of third-party relationships and new technologies means that it’s hard for companies to stay on top of third-party risks, and even harder to implement effective controls, monitoring and oversight.
Management of third-party risk is a relatively new discipline – involving a new set of skills, rigorous methodologies, well-crafted tools and advanced technologies. But proactive professionals need to learn the language of risk and learn it quickly because everyone is now a risk manager and everyone is responsible for effective and efficient risk management, particularly for critical third parties.
Linda Tuck Chapman, Third Party Management advisor, author, popular speaker & President, Ontala
Keynote speakers, thought leaders and industry publications show no signs of slowing when it comes to evangelizing the benefits of the supply chain’s digital transformation. With its promises to save you time and money, the market has exploded with offerings of cloud-based solutions, IoT devices and a legion of outsourced practitioners who can make all of your spend visibility and risk management dreams come true. But for all the benefits touted, what is often left out of the conversation is the topic of security, especially as it relates to third-party vendors.
The Path of Least Resistance
As hackers become cleverer in their approaches, they’ve moved from directly attacking large organizations to exploiting vulnerabilities and penetrating third-party cloud software, apps and IoT devices to implant malware directly into the software or steal login credentials. “The challenge with supply chains is that they are multifaceted and there are many places where a hacker can enter,” says Brandon Curry, Senior Vice President with NTT Communications. Curry, who is also a Certified Ethical Hacker, frequently reports on trends in cloud and supply chain software security. He notes that the top cost of a supply chain breach is legal and reputational costs, with software supply chain attacks costing an average $1.1 million per attack globally.
Compromised software is one of the primary causes of supply chain software breaches, and the damage isn’t limited to grabbing customer credit card numbers or personally identifiable information (PII). Hackers are also looking to steal intellectual property, mine your customer base, counterfeit your product and take over your market share.
Think environmental, social and governance (ESG) factors only matter to specialist investors? While ESG standards may have been the exclusive purview of sustainability investors a few decades ago, that is no longer the case. “Only two decades ago, concerns about climate change, water scarcity, exposure to corruption, working conditions in the supply chain and gender equality were barely on the agenda of company executives. They were considered externalities or were dealt with through philanthropic approaches with little or no impact on the bottom line,” noted Harvard Professor of Management Practices Dr. Robert Eccles, and former United Nations Global Compact Executive Director Georg Kell. But times have changed.
Just two years ago, the Organization for Economic Co-operation and Development (OECD) began promoting “responsible business conduct for institutional investors” in its Policy Framework for Investment. In it, the OECD encourages investors to engage with corporate leadership on ESG risk and contends that ESG issues represent part of a company’s fiduciary duty when evaluating long-term value. It’s an approach that more institutional investors are taking to heart. In an article on EthicalBoardroom.com, Michelle Edkins, a Managing Director and Global Head of Investment Stewardship at BlackRock writes, “An emphasis on investing for the long-term, changing client and societal expectations, and better data, reporting and research have all influenced a steady mainstreaming of ESG considerations by investors.”
There’s a lot of talk regarding all the ways technology is going to revolutionize procurement. Blockchain can increase supply chain visibility, the Internet of Things (IoT) can change the way our business devices communicate with each other, etc…But what type of innovations are available at the sourcing level?
From paper RFPs to conferences, it seems the way we source business has largely remained the same. Procurement teams are limited to siloed, outdated supplier databases and incomplete business information when attempting to make business decisions. It’s expensive and time-consuming to get a holistic picture of a supplier’s business health and mitigate third-party risk. How can we adapt today’s technology for tomorrow’s sourcing needs? Here are a few innovative ways that your organization can source business:
Daryl Hammett, CSMP, CSP, General Manager/Chief Operating Officer, ConnXus
With the rapid acceleration of cloud software, Internet of Things (IoT) and advancements in FinTech, the financial and technology industries saw significant increases in cyberattacks over the past year. Attackers find vulnerabilities in supply chains and software, capitalize on lax security updates and use social engineering to manipulate end-users.
As hackers become more creative in their subversive techniques, businesses need to become more proactive in educating their workforce and stepping up their cyber incident response plans. Businesses should consult with their vendors, third-party suppliers and stakeholders in every business unit to ensure continuity, mitigate risk and verify that security measures are being employed and regularly updated.
Below are summarized findings from the recent NTT Security Global Threat Intelligence Report that focus specifically on the finance and technology sectors in the Americas, which account for the most highly targeted attack sectors in this region. Recommendations from the National Institute of Standards and Technology Framework are included here as well. Organizations can also look to the Department of Homeland Security’s National Cyber Incident Response Plan for guidance on dealing with and addressing cyber incidents.
Finance and Technology Top the List of Targets
Attacks to the finance sector nearly tripled, accounting for 43 percent of attacks compared with 15 percent the previous year. Attacks targeted at the technology industry sector increased to 27 percent of attacks, up from 11 percent in the previous year. For comparison, manufacturing was the most attacked sector in 2016, with 23 percent of attacks, but has since fallen to five percent of attacks in 2017.
It's been a busy news cycle and a busy summer at SIG. We are implementing a lot of changes to bring delegates the latest news, thought leadership and professional development opportunities to help you and your team stay sharp and informed.
Here's a look at the latest news and opportunities for SIG delegates in August.
Future of Sourcing
Originally launched in 2005, Outsource Magazine has built a strong reputation of quality thought leadership among the sourcing, outsourcing and procurement community. The digital content has continued to grow through its vast collection of contributors and with it, our audience. For this reason, it was decided that Outsource Magazine needed a transformation to better represent the thought leaders in the global sourcing community.
Today we present to you Future of Sourcing, a digital publication that will continue to provide you with unparalleled insight into the trends, best practices, challenges and opportunities facing the industry.
If you're already an Outsource Magazine subscriber, your subscription will be carried over to Future of Sourcing and you will continue to receive our bi-weekly email newsletters. If you're not a subscriber, we encourage you to sign up to receive the latest articles directly to your inbox. And don't worry, we won't spam you with unnecessary emails and never share your information.
We hope you like the new look! Check out some of our latest articles in the Future of Sourcing:
Investors. Consumers. Employees. Suppliers. They all want—even expect—the companies they associate with to operate with transparency and trust. But lately, trust has been in short supply. In the U.S., for example, trust in institutions—government, business, media and NGOs—declined a record 23 points in the annual Edelman Trust Barometer survey, which covers 28 markets around the globe. Business alone saw a 10-point, year-over-year decline. Clearly, companies in America need to focus on rebuilding trust, but how?
Embrace Corporate Social Responsibility
Corporate Social Responsibility (CSR) and Environmental, Social and Governance (ESG) criteria can play a significant role in establishing or regaining trust. What do CSR and ESG entail? CSR involves implementing a business model that includes accountability—to stakeholders and consumers—on a range of societal and environmental issues. Similarly, ESG focuses on how companies tackle key issues such as climate change and human rights, which financiers increasingly consider alongside traditional financial factors when evaluating investment portfolios.
Procurement has evolved to become more strategic and collaborative and has moved from an isolated, back-office function to a boardroom partner. While the procurement function must continue to drive hard savings, manage suppliers and mitigate risk, it must also pivot to look for opportunities to deliver future savings and innovation.
“Procurement is at an inflection point,” said Dr. Marcell Vollmer in a recent interview with SIG CEO Dawn Tiura. “Procurement needs to transform into a value-added function focusing on strategic tasks.” How can procurement teams do this?
Based on interviews with today’s leading procurement executives, innovative suppliers and academic research on the procurement function, five notable areas stand out in which procurement can drive innovation in areas critical to the sourcing industry.
INVEST IN THE RIGHT TALENT
For all the great advancements that technology brings, it requires people to manage the technology. Oxford Economics’ survey among procurement executives and practitioners found that the top three investment priorities include new talent recruitment, training/upskilling programs and procurement/supply-chain technology.
The relationship between buyers and providers can be a tricky one, especially when operating across multiple continents. Speaking during a podcast interview with Dawn Tiura, Sean Delaney, Vice President of Sales for cloud platform Determine, draws on his experience as both a buyer and provider to share best practices for relationships that are sustainable and strategic.
WORK ON YOUR SOFT SKILLS
Technical expertise is valuable, but your ability to establish a rapport with customers is important for sustainable relationships. “Candor is important because there's a large degree of personal credibility that buyers are putting on the line when selecting a vendor," says Delaney. "That needs to be understood as a seller and we need to make sure that we don't break that trust. That's our role.”
Nearly five years ago I wrote a blog about Big Data and how it could be relevant for sourcing and supply chain professionals. Needless to say, a LOT has happened since then. In a Gartner survey performed in October 2016, 48% of companies indicated that they have a Big Data initiative currently underway, with another 25% who stated they had plans on the horizon. So it is no longer a question of whether or not companies are using Big Data…that is a given. Now the question is how companies are using it and how they are incorporating Robotic Process Automation (RPA) and Artificial Intelligence (AI) into the equation.
The information being collected from Big Data initiatives is powerful and can provide predictive analytics and insightful information. For example, a shipping company being able to change delivery routes based on current traffic patterns increases productivity (not to mention customer frustration). A large company using it to detect anomalies in behavior by third party vendors and mitigate the risk associated with that information could protect them from millions in cyber security damages.
.png "Strategic and Sustainable Business Relationships between Buyers and Providers")
Third-Party Risk Management: An Opportunity for Procurement
Hundreds, thousands, or even tens of thousands of third parties power your company every minute of every day, in all your markets and geographies, for every product and service. Third parties are everywhere, in virtually every part of your business. You have less control over third parties than over your internal operations, so getting this right is essential for your company’s success.
Third-party relationships are complicated. But the “right” third parties, if thoughtfully evaluated, managed and controlled, deliver what you contracted for and serve up many opportunities to be better. Better means new products, services and markets. Better means access to specialized top talent, processes and technology. Better means less risk.
Unfortunately, risk is everywhere and even though technology is advancing in leaps and bounds, operational ecosystems are growing more complex every day. Consequently, risk events, cyber attacks, fraud, data corruption and privacy breaches are becoming commonplace, and are too often the fault of a careless third party. The proliferation of third-party relationships and new technologies means that it’s hard for companies to stay on top of third-party risks, and even harder to implement effective controls, monitoring and oversight.
Management of third-party risk is a relatively new discipline – involving a new set of skills, rigorous methodologies, well-crafted tools and advanced technologies. But proactive professionals need to learn the language of risk and learn it quickly because everyone is now a risk manager and everyone is responsible for effective and efficient risk management, particularly for critical third parties.