Source: ACL Blog. Author: John Verver
In some industries, such as manufacturing, the complex web of third-party entities involved in providing components, sub-components and services can seem overwhelming. Then, add in the ever-growing list of regulatory compliance requirements that impact the entire supply chain, and things rapidly turn into a huge challenge for even the most experienced managers responsible for addressing corporate risks. Failure in even a seemingly non-critical part of the supply chain can have huge ramifications, not only in terms of immediate financial performance, but also in corporate image and reputation. Just consider the impact that quality issues with defective airbags, or ignition keys, have had on many auto manufacturers.
The combination of supply chain risks such as supply continuity, component quality, use of child labor, conflict minerals legislation, bribery and corruption, environmental damage and product toxicity, when spread across thousands of suppliers and sub-suppliers and other third parties, is daunting for any risk manager to consider—and that’s just in manufacturing.
There are also many other types of risks within the supplier chain that impact virtually all organizations in every business and government sector. Fraud, error and abuse occur in multiple aspects of vendor relationships and the procure-to-pay processes. Some instances are caused by suppliers and some by your own employees. Either accidentally or deliberately, vendors over-charge, fail to bill in accordance with contracts and submit duplicate invoices. Employees work around controls and enter incorrect information, resulting in unnecessary payments. Some employees create phantom vendor schemes in order to fraudulently funnel funds to their own accounts. Others collude with vendors to over-pay for goods and services. Some senior managers are going to be tempted to disguise payments to secure a contract that is in contravention of the Foreign Corrupt Practices Act (FCPA).
Technology has already been used in many organizations to transform business models and processes. For many this results in brand new markets, new customers, new levels of productivity, as well as new products and services. So it is surprising to see how technology currently supports Supply Chain Risk Management (SCRM) in many organizations today.
In most organizations, SCRM processes have evolved over time to reflect new business lines and products, as well as new regulatory requirements. Typically, software is used to manage certain aspects of SCRM and related risks. But in many cases, the processes are supported by systems that have grown in a haphazard way, using a combination of manual procedures, spreadsheets and certification processes, often spread across various corporate silos and regions. Producing one overall corporate view of the status of supply chain risks and the means by which they are being managed may just not be feasible using homegrown tools and techniques. The entire process of maintaining up-to-date and reliable information is typically cumbersome, resource-intensive and prone to error.
The opportunity for many organizations that find themselves in this situation is to re-think processes, making them more consistent, dependable and efficient. These processes should be driven by technology that is not only designed for this purpose, but can do things, such as continuously monitor activities and risk indicators, which are not practical with older tools and techniques. This enables a degree of transformation that is not otherwise possible.
Given the importance of the supply chain to the achievement of strategic corporate objectives, it is really surprising that so many organizations have so far failed to invest sufficiently in replacing old processes and to better use technology to enable a far more effective approach.
The following are some examples of the ways that the technology can be used to organize and connect the entire SCRM process:
The challenge is to comprehensively identify risks throughout the supply chain, categorize them in a consistent way, and show the inter-relationships and dependencies among risks. These risks include risks relating to regulatory compliance failures. SCRM should normally be one major part of an overall risk management process within an organization. So, risks should also be capable of being categorized and included among a broader set of enterprise and functional risks. Trying to manage all of this through systems of spreadsheets is almost inevitably a hugely inefficient, unreliable and frustrating process.
Supply chain risks are not static and an additional component of creating a complete risk universe is identifying new risks. Data analysis technologies can play a key role in identifying new risk trends and indicators. For example, supplier shipments can be tracked against P.O.’s to detect increasing delays in meeting delivery dates for critical product components, as well as increasing instances of sub-standard quality.
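The shipment-versus-purchase-order check described above, as an added example that is not part of the original article: it computes each delivery's delay against the promised date, fits a least-squares trend per supplier, and flags suppliers whose delays are growing. The record layout, supplier names, dates and the threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records: (supplier, PO number, promised date, received date).
RECORDS = [
    ("SUPPLIER-A", "PO-1001", date(2024, 1, 10), date(2024, 1, 10)),
    ("SUPPLIER-A", "PO-1002", date(2024, 2, 10), date(2024, 2, 11)),
    ("SUPPLIER-A", "PO-1003", date(2024, 3, 10), date(2024, 3, 13)),
    ("SUPPLIER-A", "PO-1004", date(2024, 4, 10), date(2024, 4, 16)),
    ("SUPPLIER-B", "PO-2001", date(2024, 1, 5), date(2024, 1, 7)),
    ("SUPPLIER-B", "PO-2002", date(2024, 2, 5), date(2024, 2, 5)),
    ("SUPPLIER-B", "PO-2003", date(2024, 3, 5), date(2024, 3, 6)),
    ("SUPPLIER-B", "PO-2004", date(2024, 4, 5), date(2024, 4, 5)),
    ("SUPPLIER-C", "PO-3001", date(2024, 1, 20), date(2024, 1, 25)),
    ("SUPPLIER-C", "PO-3002", date(2024, 2, 20), date(2024, 3, 1)),
]


def delay_trends(records, min_orders=3):
    """Return {supplier: (slope in days per successive PO, latest delay in days)}.

    Suppliers with fewer than min_orders deliveries are skipped because a
    trend fitted to one or two points is not meaningful.
    """
    by_supplier = defaultdict(list)
    for supplier, _po, promised, received in records:
        by_supplier[supplier].append((promised, (received - promised).days))

    trends = {}
    for supplier, rows in by_supplier.items():
        rows.sort()  # chronological order by promised date
        delays = [delay for _, delay in rows]
        n = len(delays)
        if n < min_orders:
            continue
        mean_x = (n - 1) / 2
        mean_y = sum(delays) / n
        sxx = sum((i - mean_x) ** 2 for i in range(n))
        sxy = sum((i - mean_x) * (d - mean_y) for i, d in enumerate(delays))
        trends[supplier] = (sxy / sxx, delays[-1])
    return trends


def flag_suppliers(records, min_slope=1.0):
    """Suppliers whose delay grows by at least min_slope days per PO and is currently late."""
    return sorted(s for s, (slope, latest) in delay_trends(records).items()
                  if slope >= min_slope and latest > 0)
```

The same per-supplier trend can be run over counts of rejected or sub-standard items instead of delay days.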
As a consistent risk universe is established and maintained by risk owners throughout the supply chain process, an assessment process takes place. This is usually based on determining probability and extent of impact and takes into account aspects of corporate risk tolerance. The assessment also takes into account the nature of controls in place to mitigate risks, together with ongoing assessments of control effectiveness.
The practical challenges of using traditional techniques in this process are great. For example, consider trying not only to keep on top of what controls are in place to address compliance risks for regulations such as conflict minerals, employee health and safety, environmental protection and FCPA, but also to track how the extent of risk is affected when weaknesses are detected in the effectiveness of controls.
SCRM technology simplifies the process by specifically supporting the linking of risks to related and overlapping controls, including instances where multiple controls and risks are inter-linked. The results of automated monitoring of activities to assess control effectiveness can also be tied directly back to risks to provide updated assessments.
The design and description of control processes are critical to determining whether they are effective and can be understood by control owners and those involved in audit and compliance reviews. Control systems can include automated routines that prevent or flag transactions and activities that are likely to be damaging.
As with many other aspects of risk management and compliance, there are increasing numbers of external control and compliance frameworks that can be used to support the design and implementation of controls. Using software to manage and connect items identified as applicable within a framework to the specific controls, it is easy to get a comprehensive view of how external requirements are being addressed.
Obtaining and collating responses from control owners based on questionnaires and certification sign-off is typically a very resource-intensive process and full of delays. Automation of this process through technology can dramatically reduce the effort involved, not only in timely collection of responses but also in the analysis of the types of responses. Common use cases for this could include, for example, individual employees confirming their understanding of sanction lists and that relevant controls have been tested to determine that no business takes place with vendors on a list.
Ongoing monitoring of supply chain control effectiveness is usually very difficult to achieve when wholly dependent on manual testing and review activities. Big data analysis technologies increasingly play a key role in SCRM monitoring, using a combination of tests designed to provide indicators of control breakdowns, together with predictive and statistical analytics that identify potential risks for which no controls currently exist.
A lack of effective monitoring is often where SCRM processes break down in practice, since even the best designed controls are often ignored or circumvented, for a variety of reasons.
A common area of breakdown in SCRM processes is the response to problems and control exceptions that are revealed through monitoring processes. The questions are often around who is responsible for addressing an issue, the status of follow up and how much risk exposure exists from delays in response.
Current technologies provide workflow capabilities so that, for example, individuals receive emails informing them of issues that need to be addressed. A failure to respond appropriately within a given time period results in an escalation of an issue, so that a more senior manager is automatically notified.
One of the biggest challenges of using traditional spreadsheets or other homegrown SCRM systems is getting an insightful overview of the state of supply chain risks and the ways they are being managed.
This is where a well-integrated, technology-driven approach produces large benefits. Visual and quantified dashboards provide senior management with reliable, consistent assurance and understanding whenever needed.
While it is important to be able to look at the entire SCRM process holistically, it is also important to be able to put it into the context of enterprise-wide risk management. Achieving a truly enterprise-wide approach to risk management can itself be an overwhelming undertaking. While the process challenges can be great, they are surmountable when driven by technology.
For many organizations it makes sense to be able to manage supply chain risk management and compliance using the same basic processes and technology that drive risk and compliance in other areas of the organization. This, of course, allows senior management and the executive suite to gain a broad view of corporate and organizational risk management—and to see where SCRM fits into the overall picture.
As with any aspect of risk management, the basic steps themselves of an SCRM process are not particularly complicated. What makes things complicated is the volume and detail of issues to address, and all their inter-connections, as well as managing the process and people’s roles in an efficient way. As with any critical business process area that is being transformed and now driven by the right technology, it’s hard to imagine how SCRM can become a really manageable process without taking a technology-driven approach.