This white paper is on innovation in managing third party risk, specifically around helping companies manage their third-party supply chains through assessing financial health. For this white paper I interviewed James H. Gellert, the Chairman and Chief Executive Officer (CEO) of Rapid Ratings International Inc. (RapidRatings), the sponsor of a special five part podcast series which ran on the Innovation in Compliance podcast on the Compliance Podcast Network.
Part I - Introduction
Why is managing your supply chain risk so critical in today’s business environment? Supply chain risk management is a discipline that has been evolving significantly but still has a long way to go. Gellert began by noting that supply chain risk really means all third-party risk. These risks are getting more diverse from a geographic perspective as well as from a technology perspective. It can come from more aggressive mergers and acquisitions (M&A) activity, organic company expansion or an organization simply getting more creative with outsourcing and working with different kinds of companies for different solution sets. It also means that this group of third parties has the ability to impact businesses, both positively and negatively.
Too many suppliers can certainly be inefficient. This means that many companies are trying to trim down the numbers of third-parties with which they are working. This could be through adjusting time or implementing lean types of philosophies around supply chain. This makes each third-party partner more important and criticality is something that can be measured in lots of different ways. Gellert said it raised such questions as: “How much money you spend on a company? How much access will your third parties have to company information? How much access will they have to your IT systems? All of these things have led to the evolution of a much more complex supply chain that people have to manage and they contain more risks.”
I asked Gellert how managing risk in the supply chain is different from managing it on the sales side. He began by noting that there is “definitely overlap when looking at third parties.” Yet the more sophisticated method is a “360 degree” approach, which means looking at all aspects of the relationship. In the anti-corruption world, the focus has typically been on the sales side. But it can also “mean suppliers all the way through to customers and intercompany affiliates and so forth.” Another approach from the compliance perspective has focused on knowing your customer (KYC). Gellert stated, “Customer risk is inherently more transactional than supply chain risk, in part because of who’s buying and who’s selling. When you are selling to someone, you are evaluating their ability to pay you. In this situation an organization needs to make sure that the company is one you want to do business with, that’s going to be able to pay you on time and in the terms that determined are economical for you.”
However, “when you are looking at suppliers, you’re buying from them, whether it’s a supplier of a product or a vendor of a service. You may have a five-year product cycle, a 10-year product cycle. If the suppliers your company is embedding into that portion of your business are not strong for the long-term or are not resilient, then you have problems that you are baking into the ecosystem of companies with which you are working.” Gellert concluded, “I think probably the biggest difference in customer evaluation and supply chain evaluations, you need to be able to understand the risks of those companies over the long haul as well as the short-term risks. So, you can avoid the short-term problems that could arise from a weak supplier.” It also means that you are “baking in the most resilient and strong long-term partners to work with, as you possibly can, into your organization.”
One of the frustrations for compliance professionals is that they do not know how far down the third party or supply chain they should go to either evaluate or manage the risk. They may understand who to go to for a direct counter-party (their immediate counter-party, their first party supplier or their first party sales agent), and they may certainly understand managing that risk. I asked Gellert about how much farther down the chain a compliance practitioner should begin to look at that issue. He said it can be quite complicated but that is where a technological solution can help.
He began by stating, “it’s not just first tier, second tier, third tier supplier in your supply chain may affect you.” One of the reasons it is so difficult for the compliance professional is there are so many areas you must consider. Gellert said these can include, “fraud detection, anti-money laundering, anti-corruption considerations and making sure that that no one appears in a sanctions list. All of these things get more difficult exponentially as you go deeper into a supply chain and the people on supply chain risks sides who have been looking at delivery risk and logistics and other operational aspects including finance and newer elements like cybersecurity. It gets really hard when you’ve got to go to your supplier’s supplier.”
The bottom line is that there is not a really good answer for this except that collaboration between a company and its first-tier supplier is really essential to understand what the second and third tier supplier risks will be. Unfortunately, “many times organizations do not even know who their second tier supplier is for particular good or product or service because the tier one supplier has been delivering fine and there has been no need to find out how or where that tier one is getting the parts that they are bringing in.” Gellert concluded by noting, this “is changing but needs to change more. It really does start with collaboration and an understanding between the company and its tier one suppliers that understanding the risk deeper than that is going to be important and beneficial to everybody involved in that chain.”
Part II - Criticality
What is ‘criticality’ in the supply chain and third-party risk management? Gellert began by relating that the word “criticality” is used quite a bit in supply chain and broadly on third-party risk. He defined it, “as a means of defining for a company which suppliers are most important.” Yet he also noted it can be defined in different ways at different times. Historically, criticality was more about how much money was spent with suppliers. In practice, this meant the top spend suppliers would be the ones that were most critical. Conversely, suppliers where you were spending a small amount of money were seen as less important. However, Gellert cautioned that while such an approach is still an important part of defining risk management programs “it’s not the end of the story.”
He explained, “Criticality now really stretches out into a whole bunch of other topics, such as which third-parties, irrespective of how much money you spend with them, have the ability to disrupt your business if they are not performing for one reason or another.” Put another way, “Do they have the ability to sidetrack your business? Does it cause you a disruption that not only has a revenue impact on your organization, but may have a reputational impact on you? What about companies that may have access to your internal IT infrastructure and therefore pose security risks? They may not be a big spend, but they may have the ability to cause a cyber problem for you.” This means that cyber risk is one of the newest and most important risks that companies are focused on. Obviously, this means if a company uses, tracks and maintains private information of its customers or others, any supplier that has access to that information has another set of critical elements to it.
Subsequently, when organizations are trying to evaluate criticality of suppliers, they may segment them in different ways and create different cohorts of suppliers. For instance, you may want to start with those who can create the most business interruption, those that can create the most reputational risk and impact and those that can disrupt revenue and cost the most amount of money. Gellert related, “all of those are elements of credit, quality, and innovation are really just about the movement of product services. Data analytics and business process that allows companies to manage all of those suppliers and all of those risks in a more cohesive way.”
All of this means that supply chain risk is really an enterprise-wide risk. It includes, “the sourcing, identifying what companies to work with, perhaps many possible ones and then narrowing it down to the one you want to work with and move forward with the due diligence. The next step is ongoing, continuous monitoring to ascertain that the suppliers that can grow with the business. It is important that with the ups and downs of business cycles it can withstand the shock, coupled with the flexibility an organization needs to make the investments; that the supply chain partner continues to be a good business partner. All of those are really important as companies align with the best possible partners.” It is valuable for the compliance professional to know that risk management is part of a long, continuous process over the lifecycle of working with a company. Gellert stated, “It’s not just about doing something that’s a part of an onboarding process for really, there’s a lot more longevity and value that can be created when looking at suppliers and applying supply chain risk management best practices.”
One of the innovations which RapidRatings has brought is through its Financial Health Rating (FHR). The FHR allows an organization “to look deeply inside a company and compare it against years of public and private company data. And in order to generate an FHR, RapidRatings obtains the financial statements from private companies and we use the filing data from public companies.” It is more than a review of a company’s financial statement; it is a more comprehensive look at overall financial health, correlated to lots of other risks that are valuable for people to understand.
One of the key reasons for the innovation of this approach is that, in the past, companies have tended to use payment scores and payment data from companies to understand whether they are good risks or bad. However, this is a “pretty antiquated way now of understanding the health of a company. It is the first opportunity to be able to give people comprehensive coverage of really all of the suppliers that they work with or customers that they work with in a very quick, fast and very precise way.” The FHR helps to make the risk management process more efficient in a workflow process. It does so at scale for companies around the world, in a very analytical way. This adds tremendous value to the entire process.
Part III - Third-Party Expansion
What is the definition of third-party? Gellert explained, “Historically, people talked about simply an entity outside of your organization as a third party. However, that definition is broadening, to mean really that entity with which your company works.” Obviously, this can be a supplier or vendor, it can be a service provider, a customer, a joint-venture (JV) partner and/or an intercompany affiliate. A broader view could include intercompany affiliates as third parties, even though many people would see them as just being another entity inside of a business. Gellert said, “the definition of third parties is expanding, which only makes life more complicated for anyone trying to do third party risk assessments and then the tiering just creates an exponential change.”
Specifically, “in supply chain, a tier one supplier is one of the suppliers your organization is directly purchasing from. Next a tier two is one that your company’s tier one is buying directly from. This means for risk managers assessing the various risks of their supply chain have to go deeper and deeper. One way to do so is through trying to understand the connection between tiers one, two, three, four and so on. The problem is there are many risks that companies do not manage because they cannot identify which companies are taking risks.” Gellert further noted, “one of the hottest topics in 2019 for a supply chain and risk managers is trying to get their arms around how to handle this particular question.”
How should a supply chain professional begin to think through some of these issues in the context of a global supply chain? Gellert began by stating, “anyone who is involved in third party or supply chain risk management needs to try to map out and understand the suppliers whose exposure they need to assess for their organization. Obviously, this includes both direct and indirect suppliers but in terms of the tiering, the best way for anyone to understand the supply chain risk is to have really good communication with their tier one suppliers to be able to discuss the risks to both businesses.”
Moreover, “this means communicating with a tier one supplier about who their tier ones are that are providing product or service that are coming to that client. Only with that type of transparency and communication can businesses look through the tier one into the sub tiers to understand the risk your organization has and where there may be a risk concentration. Without effective communication and dialogue, created and fostered as part of the relationship, people are going to fly blind.” Finally, in this global economy with such internationalization and diversification of supply chains, organizations “really do need to pull out all the stops to try to manage risk. Communication is one of the first places to start.”
Gellert concluded with some thoughts on transparency, which he believes is not only important but “should be applied everywhere.” He said you should begin with your tier ones but the ability “to look deeper into the supply chain is also really important.” Further, Gellert said, “a lot of supply chain risk professionals can go wrong if they use transparency as a bludgeon as opposed to as an opportunity. Then the company they are asking for information from only sees risks in disclosing information as opposed to seeing commercial value and we promote transparency as a means to commercial value.” But it is more about fostering the relationship so that you can adequately assess and then manage the risk. Gellert noted, “that’s the key part, that people have to embrace if they’re going to be able to look deeper into their supply chains.”
Part IV - Challenges in 2019 and Going Forward
Gellert observed that organizations are aligning their suppliers and supply chain to be more resilient to market volatility. With this increased volatility, suppliers need to be able to go through such periods and come out on the other side still in good business and financial health. This certainly contributes to the longer-term core health of a company. Another area critical to understanding your business risk is “what the two to three-year perspective is on a company as well as the one-year perspective. Companies tend to try to align themselves with suppliers that have strong core health so they will be around, be trusted, be nimble and agile over the next handful of years.” However, even if you wanted to avoid all risks, your organization cannot do so. This means you must work to manage risk. But with greater risk this usually means greater business opportunity.
It really turns on getting “full risk visibility”. As Gellert noted, “one cannot manage the unknown risks that can occur in unknown.” This goes to the big risks such as is now going on in the UK with the Brexit imbroglio that Parliament has put not only itself but the British nation into. Gellert said, “Everyone knows that Brexit is extremely important for the companies that are affected in the UK and in Europe, but without a resolution on what the Brexit plans going to be, no one really knows how much. This uncertainty is affecting companies and the management of their supply chains in all sorts of ways.” But even turning away from such massive unknowns as Brexit, down to a much more macro environment, Gellert believes “it is important for people to recognize that over the last 10 years this country has been in an incredible credit market, with artificially low interest rates and investors scrambling down the credit curve to find yield wherever they can.” It will end; are you ready from a supply chain risk management perspective?
The easy credit market has bolstered the low end of the credit markets so that weak or inefficient companies have had access to capital and been able to raise money at inexpensive rates. As the market begins to change, you will see more volatility in the market, higher interest rates and therefore higher costs of capital. This means that over the next couple of years, companies will be unable to refinance the debt that they have so easily financed over the last few years. Gellert believes this is “going to cause a lot of problems because private companies and smaller businesses will have a harder time raising money and that will affect their ability to expand and just deliver on goods that have obligations to deliver on.” This translates to supply chains as a convergence of factors wreaking havoc over the next few years on supply chain risk management.
We then turned to cyber risk, which is one of the, if not the, hottest risk management issues for a variety of parties, sectors and relationships for 2019 being discussed at the Board level. While this topic gets a fair amount of attention when someone starts to work with a new supplier, it gets less attention in the continuous monitoring of those suppliers. Gellert says that you must “be able to look over time during the lifecycle of working with a company on whether they’re able to continue to invest in state-of-the-art information technology systems that will allow them to avoid those cyber risks or manage those cyber risks. And companies that are weakening in financial health have less flexibility to be able to invest in the other areas that are in areas that are going to protect or expose their customers and other counterparties to risk, cyber being one.”
RapidRatings has found more correlations between financial health ratings and the weak companies that carry high financial risk and their ability to deliver a quality product. The ability to deliver on time and the ability to invest in cybersecurity programs are all interconnected. Gellert sees that “They really need to be viewed as interconnected elements and not looked at as separate topics and separate risks. The more sophisticated risk management programs are evaluating them as connected risks and making sure that their suppliers have programs in place to try to be able to spot problems before they exist.” This is another facet of getting transparency and a collaborative relationship with suppliers to discuss these problems before they become crippling events so that you can review and remediate them as they are potentially emerging. It means, above all, being proactive and understanding the interconnected relationship involved.
Many compliance practitioners and supply chain professionals understand the need for due diligence but that is only the starting point. It is the starting point for an ongoing relationship, ongoing dialogue and ongoing monitoring; companies with more mature compliance programs certainly understand that in the supply chain realm. More and more companies are embracing this process. Gellert stated, “it is being able to action the analytics and action the data that emerges from the risk management itself to be able to build a more cohesive risk management process. It’s really about linking all of those through the business units of a company that may touch on the risk management of an individual supplier as well as the supply base as a whole.”
Part V - The Supply Chain Efficiency Premium
What is the ability of the compliance, procurement, credit professional and other cross functional areas to have seamless communication of their data analytics and findings? Obviously, this is vitally important, and siloed information across those different business units is a hindrance. Gellert stated, “what we are finding is the most evolved and sophisticated risk management programs are making sure that each one of those areas that may touch on risk is in some form or another connected with the others on findings, so there’s efficiency in that process”; from the Chief Information Officer (CIO) to the Chief Compliance Officer (CCO) to the Chief Financial Officer (CFO).
This means that data and analytics should be shared across business units to benefit from the supply chain. Continuous monitoring matters because a deterioration in a company’s financial health could be an indicator of problems. Further, fraud, and even corruption, is more likely to occur when the company is weak and under extreme financial duress and pressure. This is why having a leading indicator like the Financial Health Rating (FHR) is critical: it can communicate to a compliance professional when a company is weakening and enables risk management to be focused on those suppliers who require a more focused risk management solution.
Gellert related that another “big part of it is making sure that everyone in your organization is speaking from a common language and that the analysis and the findings are shared. This means developing workflow efficiency and also creating a return on the investment for an overall risk management program.” It also allows companies to help their suppliers. Finally, it allows your organization to have a dialogue with suppliers. “It comes from transparency around financials and other risk areas and being able to perform the appropriate risk analysis that can be fostered through a dialogue. The more a company understands the problems that its supplier may have, the more it can do things to help that supplier through those problems.”
The bottom line is that companies want to continue to work with their suppliers. It is not good or even efficient business to engage in looking for ways to stop working with them. Working with a supplier in a collaborative way to help them through times of difficulty benefits everyone, and it allows a company that is engaged in risk management and invested in a risk management process to demonstrate the return on investment to the finance side of an organization.
With this process in place, you can develop a well mapped out workflow for handling problems when they arise so that if one comes up, it allows your organization to repurpose and reuse the workflow. Gellert said it “allows for maximum leverage, maximum workflow efficiency.” Once the “tools necessary to put these systems and process are in place, they can be replicated.” Lastly, “When that occurs, the business efficiency and the gain that can come from this kind of an analysis on financial health and other risk areas really does pay dividends in the companies that do it, I think are benefiting significantly across all the different business units that it touches.”
Gellert concluded, “It’s about creating an ecosystem that can grow with your business. When your business is doing well, the last thing you want to do is have the opportunity to expand, but then all of a sudden there is a problem in your supply chain that you could have avoided, but you were not being proactive enough to do so. It is very much about creating the most resilient supply chain where you are reducing risks, but you’re also expanding the opportunities to grow over time.” This is the real supply chain efficiency premium.