TRANSCRIPT
…it’s EVERYONE’S Business
Dawn Tiura, President and CEO, SIG
Coupa Inspire, 11 May 2016
A sourcing professional’s job today has changed dramatically
• New processes have emerged that did not exist 15-20 years ago
• New tools and technologies are being used
• The markets have changed and are becoming increasingly globalized
• There are higher expectations on Supply Chain organizations to contribute to operating results
Risk is everywhere… and is everyone’s job
• Cyber security risk
• Vendor risk
• Geopolitical risk
• Natural disasters
• Human trafficking
Nothing is constant but change…
• Regulatory landscape is changing rapidly
• Certain issues are growing in importance
• Mergers and acquisitions increase potential supplier risk conflict
Source: EY, SIG Summit, March 2015
This is a wake up call!
Do you know…
• Who all your third parties are?
• Why you are in business with those particular third parties?
• Who in your company interacts with those third parties?
• What risks those third parties expose you to?
“Currently 80% of companies conduct background checks on their full time employees, but less than 20% do any type of due diligence on their vendors.”
Source: Hiperos, SIG Summit, March 2015; True Champion Consulting
“…and over the past several years, ‘Bob’ received excellent performance reviews of his ‘clean, well written’ coding. He had even been noted as ‘the best developer in the building.’”
Target was hacked when network credentials were stolen from a third party vendor…an HVAC company
40 million…the number of credit and debit cards exposed to fraud in the 2013 data breach
$67 million…the amount of money Target set aside to reimburse financial institutions for costs incurred in the breach
$350 million…the amount trade groups representing community banks and unions spent to reissue credit and debit cards
Build a program that allows insight into all your third parties
• Automate where it makes sense
• Be aware that the only constant is change
• Create an integrated risk scoring and monitoring model
• Develop a governance framework to facilitate decision-making
• Implement a process that aligns technology, governance and organization design
• Optimize cost of risk profile
Source: Hiperos, SIG Summit, March 2015; EY, SIG Summit, March 2015
• Involve cybersecurity experts early
• Determine what data will be accessed or stored by supplier
• Categorize that data by risk level (sensitivity, volume, legal/contractual obligations)
• Review relevant parts of your information security plan
• Conduct questionnaires regarding security
• Perform security reviews and audits
• Estimate cost of ongoing security review
Source: The 5 Steps of a Cybersecurity Risk Assessment, by Peyton Engel, October 2010; http://www.rmmagazine.com/2010/10/01/the-5-steps-of-a-cybersecurity-risk-assessment/
Because information has a monetary value in the black market
• 1,000 stolen email addresses are worth up to $10
• A valid credit card number is worth up to $60
• Scans of real passports are worth up to $2 each
• 1,000 followers on social media are worth up to $12
• Custom malware that diverts payments is worth $12 - $3,500
• Sending spam to 1,000,000 verified email addresses is worth up to $150
• Websites can range from $1 to $1,000
• A full healthcare profile is worth up to $50 each
22%: chance that your organization will experience a breach of at least 10,000 records within the next 24 months
Source: https://www.proofpoint.com/sites/default/files/pp-databreach-infographic.pdf
When a third party is involved in a data breach, the average cost is increased by 10%
40: the number of people required to manage the response in a 10,000 employee organization
Source: https://www.proofpoint.com/sites/default/files/pp-databreach-infographic.pdf
$3.2 million: the total salaries for those 40 people, assuming an average IT salary of $80,000 per year
$3.3 million: average lost business costs from a data breach
Source: Mayer Brown and Unum Group, Contracting for Data Security: Protecting Against Emerging Threats, SIG Global Summit, March 2015
• Expense to respond
• Damage to brand/reputation and resulting loss of sales
• Disruption to management, public relations, marketing and operations
• Regulatory sanctions or mandates
• Shareholder derivative suits against directors and officers
• Consumer class actions against the company
• Collateral damage to other companies, who then sue
Source: Mayer Brown and Unum Group, Contracting for Data Security: Protecting Against Emerging Threats, SIG Global Summit, March 2015
• Designate dedicated data security personnel
• Identify material internal and external risks
• Implement reasonable safeguards to control risks
• Develop reasonable steps to select secure vendors and limit their access to your systems
• Restrict secondary uses of your data
• Maintain a data map showing which vendors have access to which data
• Evaluate, monitor and adjust regularly over a 20-year period
Your security is only as good as your weakest vendor’s security
Can you afford NOT to do anything?
72% of attacks are from malicious or criminal activity or human error…
Time matters!
Source: https://www.proofpoint.com/sites/default/files/pp-databreach-infographic.pdf
…but 33% of organizations are still relying on manual technologies to detect data breaches
75% of companies would take hours to respond to a breach, with more than 39% taking days or even WEEKS
Tax laws are changing
Borders are in flux
There is social unrest all over the world
There are NAFTA and regulation changes
Protectionism is always an issue
Source: Geopolitical Risk: Smart companies seek best practices to counter geopolitical risk, Catherine Bolgar, 11-12-12
• Geopolitical risk refers to any exterior risk that isn’t caused by nature or another company
• Although terrorism presents a high-impact, low frequency risk to supply chains, others are more likely to disrupt business
• Geopolitical risk often arises quickly
• Authorities prefer to be wrong than sorry
The extended nature of supply chains can obscure the risks
• Stay informed
  o Understand tax implications in other countries, as well as broader macroeconomic trends, shifts towards protectionism or moves toward free trade agreements
  o Understand whether a political disruption in that country will result in goods not being able to enter or leave a port
• Be prepared
  o Before entering a new country, arrange in advance to have arbitration in a neutral venue to settle disputes
• Know your vulnerabilities
  o Utilize R&D to consider alternatives, especially if you deal in precious metals, where redundancy in suppliers isn’t possible
• Communicate quickly
Source: Geopolitical Risk: Smart companies seek best practices to counter geopolitical risk, Catherine Bolgar, 11-12-12
In recent years, tsunamis have devastated Japan, Chile and the Solomon Islands
Hurricane Sandy and Hurricane Katrina wreaked havoc in the U.S.
Much of California is on a fault line… and, like other parts of the world, experiences frequent earthquakes
Tornadoes are the most powerful, unpredictable and destructive weather systems on Earth
Source: Supply Chain Vulnerability in Times of Disaster, Wipro
• In a globally competitive world, supply chain optimization is critical
• Outsourcing and offshoring are a given when margins are under pressure
• But global relationships also increase risk due to unforeseeable events such as natural disasters
The 8.9 magnitude earthquake and resulting tsunami in Japan in 2011 caused an estimated $235 billion in damage
Source: http://fortune.com/2015/04/17/how-much-do-natural-disasters-really-cost-corporate-america/
• Sales growth of any of your suppliers directly hit by natural disasters drops by about 5%
• Your company is also disrupted and is likely to see your sales growth drop by about 2%
• Companies with lower inventories are most exposed to disruption affecting their suppliers
• Supply disruptions translate into a 1% drop in company equity values, almost twice as large if the supplier is a specialty supplier
• Other suppliers are also negatively impacted, with a sales drop of about 3%
• Have you taken local laws into consideration and how they fit into your disaster plan?
• Are your primary logistics networks (air, land, sea, rail) readily available? What is their proximity to your supply chain?
• Do you have appropriate infrastructure in place (power grids, power backups, water supplies, etc.)?
Source: How to Prepare Your Supply Chain for Natural Disasters, http://www.usanfranonline.com/resources/supply-chain-management/how-to-prepare-your-supply-chain-for-natural-disasters/#.VWjAZVzBzGc
Anticipate short and long-term external disruptions such as power outages and other shortfalls in local infrastructure so you can plan around them
• Plan ahead with best, average and worst-case scenarios
• Establish a crisis team for making and communicating decisions and be prepared to disseminate information quickly
• Diversify suppliers and transportation to increase flexibility and abate risk
• Ask your suppliers for their own disaster plans and review them regularly
• Maintain detailed processes and procedures and keep them up-to-date
• Analyze the need for products. Think through how the demand for your products will be affected by an emergency
• Ensure flexibility by making sure your supply chain has the capacity to withstand increases or decreases in demand
• Hold data backups offsite so your trade records are safe and sound should a disaster occur
Source: How to Prepare Your Supply Chain for Natural Disasters, http://www.usanfranonline.com/resources/supply-chain-management/how-to-prepare-your-supply-chain-for-natural-disasters/#.VWjAZVzBzGc
Source: Geopolitical Risk: Smart companies seek best practices to counter geopolitical risk, Catherine Bolgar, 11-12-12; Lessening the Impacts of Natural Disasters on Supply Chains, 3-8-13; http://www.scdigest.com/ontarget/12-01-19-1_Supply_Chain_Risk.php?cid=5401
Many companies are aware of potential disruptions but take no action because of the costs involved… don’t be that company
Source: https://madeinafreeworld.com/slavery/; http://www.ilo.org/global/topics/forced-labour/lang--en/index.htm; http://www.ilo.org/global/about-the-ilo/newsroom/comment-analysis/WCMS_181922/lang--en/index.htm
Over 29 million people are forced to work under threat of violence or for little or no pay
55% are female; 26% are children
The majority are exploited for manual economic labor in the private sector
Estimated profit from slavery is $150 billion a year
18 months is the average time spent in forced labor before rescue or escape
Victims of forced labor forgo $21 billion in unpaid wages and illegal recruitment fees
Source: https://madeinafreeworld.com/slavery/
With over $88 trillion spent on the procurement of goods, services and commodities, supply chains are the key to defeating forced economic exploitation
What can you do?
• Make your suppliers sign a code of conduct
• Require transparency in supply chains
• Monitor supply chains back to raw materials
• Implement periodic audits
• Monitor contracts for compliance
• Provide training to help employees identify signs of human trafficking
• Understand state laws regarding human trafficking
• Cyber security risk
• Vendor risk
• Geopolitical risk
• Natural disasters
• Human trafficking
…you can’t be paranoid about it… just be prepared for it!
Dawn Tiura, President and CEO, SIG
URL: www.sig.org
Phone: 904.310.9557
Email: [email protected]