© 2014 IBM Corporation

What Every Procurement Professional Should Know About Supplier Risk Management: The IBM Story

Presented by : Lou Ferretti, Project Executive, Product Environmental Compliance & Supply Chain Social Responsibility Bill DeMartino, Practice Executive, Supplier Management

© 2014 IBM Corporation © 2014 IBM Corporation

Meet our speakers for today

2

Lou Ferretti is the project executive for developing and leading these global and strategic programs within IBM’s Integrated Supply Chain and across IBM’s global supplier network. He is also ISC’s representative to IBM’s Corporate Crisis Management Team. His work has received numerous external and internal awards. Prior to Lou’s current work, he was on assignment in Singapore as director of Production Procurement’s Outsourced Supply Chain Operations, overseeing IBM’s $6 bn “buy/sell” procurement spend. Before this Lou was named to IBM’s Executive Pandemic Steering Committee – developing policies and implementation plans. And just prior to that, Lou headed up Procurement’s end to end Y2K supplier global readiness program. Lou has held senior management/executive positions in Engineering, Procurement, Materials Management, Supply Demand and Operations.

Bill DeMartino, as a Practice Executive for IBM Emptoris, Bill leads the company's efforts to bring world-class Strategic Supply Management solutions including Supplier Lifecycle Management and Spend Analysis to the marketplace as well as working with its clients to ensure the success of their initiatives. While with IBM, Bill has been in charge of the delivery organization for the Spend Analysis solution, held a leadership role in Product Management as well as heading the efforts to bring Supplier Management solutions to market, giving him a unique insight to the solution space. Prior to Emptoris, Bill held leadership positions in Product Management and as a Technical architect for leading Product and Services organizations.

© 2014 IBM Corporation © 2014 IBM Corporation

Agenda

Introduction of supply risk management framework – Challenges – Solution

IBM Best Practices of Supplier Risk Management

Q&A

3

© 2014 IBM Corporation

Risk Management is an Imperative

4

• Global Sourcing • Deeper Outsourcing • Lean Operations • Emerging Markets • More Volatile World • Increasing Regulatory

Requirement • Surging Social Media

Business Environment

• Supplier Compliance • Supplier Financial • Contract/Legal Risk • Supply Chain Risk • Social Stability • Natural Disaster • Sub-tier Supplier Risk

Increased Risks

Weak Programs

Procurement failed as Gatekeeper

World Class Programs

Procurement protects shareholder value

Poor performing risk management programs can impact share value as

much as 8%

© 2014 IBM Corporation

Supplier Failure

Currency

Political

Fuel Costs Social Responsibility Intellectual Property

Attrition Rates

Labor Disputes

Environmental Regulatory Compliance

Product Safety

Taxes Responsiveness

Brand Impact

Labor Costs Geophysical

Varied & Growing Risk Exposure

5

© 2014 IBM Corporation

RISK MANAGEMENT

GLOBALIZATION INCREASING CUSTOMER DEMANDS

60% 56%

43%

Customers have increased demand

for more: right product, right

place, right time, right price, sooner.

Process, data, and technology are identified as the

roadblocks to good risk management, yet they are the key enablers.

Lead times, delivery, and quality are top challenges,

but overall globalization has been a positive

boon for the leaders.

SUPPLY CHAIN

VISIBILITY

70%

Supply chain visibility is inhibited by a lack of timely data and too much

data to digest.

COST CONTAINMENT

55%

Fighting integral costs might be futile, but being

flexible can identify cost

savings elsewhere.

Source: IBM Institute for Business Value

IBM Chief Supply Chain Officer Study: Identified Five Top Challenges

6

© 2014 IBM Corporation

Risk Management Paralysis

7

© 2014 IBM Corporation

Risk Management Approach

8

#1 Supplier Compliance Focused on the first tier supplier Ethics Sustainability

#2 Supply Risk Measurement Score suppliers, category and regions

#3 Supply Chain Risk Focused on parts, logistics, n-tier

Comprehensive Risk Indexing Risk Measurement

Contingency Quality Finance Regulatory

Sub-tier Critical parts Logistic hubs

© 2014 IBM Corporation

Supplier Compliance

9

Policy & Regulations

BU/Category specific assessments

Approval based on business requriements

Performance Management

Cross-functional evaluation

Determines strength and weaknesses for comparison

Supplier assessed on: Supplier evaluated on: CSR & Code of Conduct Environmental & Conflict

Minerals Financial Contingency

Quality Logistics Technology Ability to Ramp Output

© 2014 IBM Corporation

Control: Ensure only approved suppliers are utilized

Supplier on-boarding and SIM

Registrations and assessments

Supplier master and control center

3rd party data provider

Master

Registered Suppliers

Contracted suppliers

Approved suppliers

Supplier Compliance

10

Sourcing

Execution systems

Contracts

© 2014 IBM Corporation

Supply Risk Measurement

11

Supplier Risk

Real-time flexible risk models

Internal specialists or 3rd party feeds

Monitoring & alerting

Supplier assessed on: Labor & Health Physical Security Ethics Strategic Importance

Compliance

© 2014 IBM Corporation

Supply Risk Measurement

12

Category assessed on: Special handling /

packaging / dangerous goods

Pricing escalation, volatility Upstream / raw material availability Legal regulations (conflict minerals)

Category Risk

Region assessed on: Corruption perception

index ranking Social, civil, political unrest Currency Stability Country economic trends Country infrastructure

Region Risk

© 2014 IBM Corporation

Supply Risk Measurement

13

Compliance

Supplier Risk

Category Risk

Region Risk

Total Supplier Risk

Overall risk score for a supplier

© 2014 IBM Corporation

Supply Chain Risk

14

Multi-tier

Incident management

Logistics

Part / Ingredient

Tracking of risk on transportation hubs

Track disasters and risk events Manage scope and mitigation

Assessment & monitoring of sub-tier suppliers

Critical part management Part impact analysis

photo of the "Ital Florid by NASIM4248

© 2014 IBM Corporation 15

What Every Procurement Professional Should Know About Supplier Risk Management

Louis Ferretti IBM Iintegrated Supply Chain, Project Executive Product Environment Compliance & Supply Chain Social Responsibility July 24, 2014

• Business processes in the Cloud • Mobile/ubiquitous computing decreases

reliance on people creating information • Analytics gives rise to intelligent systems

that make decisions automatically • Unprecedented interaction/collaboration

• Mega cities, mega regions and mega corridors; where most business will occur

• Globalist employees replace less effective approaches

• Technology rules and understanding of intersection between physical and virtual worlds increases

• Managing market and political uncertainty is more complex than ever

• Accelerating global shifts pose new risks; resiliency/responsiveness differentiate

• Evolution to a holistic view of risk management

• Risks can be hedged through intelligence

Tech

nolo

gica

l Pr

ogre

ss

Ris

k C

ompl

exity

• Sustainability is an imperative • The future sustainable enterprise provides

significant and measurable benefits to operational efficiency, growth & the brand.

• Consumer demand & government regulations mandate product lifecycle GHG, energy, water, waste mngt Su

stai

nabi

lity

Impe

rativ

e

• Economic power shifts to Asia • The development of Growth Markets

lead the world’s growth • Real time business to business decisions

and collaboration in an open environment • Outsourcing will continue to accelerate as

businesses seek to optimize operations Glo

baliz

atio

n R

edef

ined

• Customers thrive on knowledge and wield unprecedented power

• Consumers are busier and are demanding – and receiving – more information before making their decisions

• Consumers have more power to reward or punish and want their consumption to match their values

Info

rmed

C

usto

mer

Informed Customer

Popu

latio

n M

igra

tion

Source: IBM Institute for Business Value

16

Major factors affecting the enterprise today Six mega-trends impacting enterprises around the world

External Environment

Senior Leadership

Approval and Ownership

Business Strategy

Operational Model

Financial Model

Emerging Risks

LowMedium

-LowMedium

- HighHigh

HighMedium-HighMedium-LowLow

Sample Sample

Sample Sample Sample Sample

Sample Sample

Sample Sample Sample Sample

Sample Sample

Sample Sample

Sample Sample

Sample

LowMedium

-LowMedium

-HighHigh

HighMedium-HighMedium-LowLow

Sample Sample

Sample Sample Sample Sample

Sample Sample

Sample Sample Sample Sample

Sample Sample

Sample Sample

Sample Sample

Sample

Impa

ct

Likelihood

Reputation

Board / Audit Committee

Review

Relationship with critical suppliers: Ability to manage the end-to-end supply chain, including the dependency on critical suppliers

Risk Management Competitive Advantage

Enablement

EffectivenessProgram

and Practices

LeadershipReport Communicate

Monitor Implement

External Research

Executive Interviews

A systematic approach to Identify, Assess and Address risk Enterprise-wide view Focus on both hazards and missed opportunities Improve business results and drive competitive advantage

17

IBM has developed a robust Risk Management program – and Supply Chain risk management is an important focus area

18

How “Risky” is the Supply Chain ?

Supply chain failures continue to be the top concern for US and Canadian business leaders. … The CHUBB Multinational Risk Survey finds that

….. Businesses cite supply chain failure as the top concern. …

……[only] 56% of the companies report having a business continuity plan.. … The lack of continuity plans … is disturbing From Inside Supply Management – June/July 2014 Global Trends – news in a changing world

Risk Management Model - Optimize risk management with lowest TCO

19

Prevent Mitigate Plan

Understand Analyze Evaluate

Communicate

• Supplier Selection

• Supplier Evaluation

• Supplier Monitoring

Risk Possibility Risk Impact

• Supply Chain

Remediation Actions

Supplier Compliance Supplier Financial Risk Contract / Legal Risk Logistics Risk Commodity Risk Foreign Trade Risk Country Corruption Social Stability Labor Market Risk Natural Disaster Sub-tier Supplier Risk

Supplier Risk Common Supply Risk Supply Chain Risk

Risk Landscape Procurement Managed Risks

Unpreventable Risks

Total Cost of Ownership

Supply Chain Vulnerability

System Maturity

Supply Chain Resiliency

Desirable Risks

Continuously Manage and Monitor

20

Initial and On Going Risk Compliance – to legal and internal policies.

• Ethics, Bribery and Corruption • Import / Export & Embargoed Country Restrictions • Environmental, Product Safety, Electromagnetic Compatibility (EMC) • Chemical Management and clean up • Quality and defective products reporting, corrective action and recalls • Diverse business relationships • Data security • Sustainability and code of conduct • Financials • Supply chain risk / business continuity planning

21

- successfully uncover and manage supplier and supply chain risk • Well defined “on boarding” check list and tool • Risk profile assessment • Documented process, line ownership and management system • Data base / tool to house data and perform computations • Impact / likelihood weighing algorithm • Risk ranking methodology • Mitigation and business continuity plans • Real time alerts • Experienced cross functional, multi cultural core team

Key ingredients necessary to

IBM Procurement has always conducted some level of supplier risk assessment Financial, single source, logistics – no consistency of assessment one category to another Increased global sourcing drove need for a more comprehensive means of assessing risk especially in view of increased complexity of supply chain and cumulative nature of risk

Set off to buy tool and service RFIs to leaders in supplier risk management – primarily financial, logistics, single sourced No one else in industry, asking for a view of total risk (2009)

Engaged procurement council and several commodities Ran pilot with prototyped tool – lessons learned from user team incorporated in final design

5 Elements: Country, Hub, Supplier, Supplier Site, Commodity Use of External Data Source Provider as trusted data source for country, region, hub Sourcing provide input on suppliers, supplier site and commodities Incorporated iLog Alert feature and Lotus Notes data base for Mitigation Plans

Deployed to Production Procurement Dec 2010 Integral part of management system and executive reviews with associated metrics Runs 2x/year for existing suppliers All new suppliers evaluated at time of on boarding All high risk suppliers to have mitigation plans in place

22

Setting the Context – Getting Started and Beyond

Our objective is not to eliminate risk, because without risk there is no progress. Instead it is to ensure we can manage and mitigate risks.

Social Listenin

g

Market Intelligence

Social and

Environmental Leadership

Business Analytics

Supplier Total Risk Tool & Process

Risk Assessme

nt

Risk Mitigation Planning

On-going Risk

Monitoring and

Control • Comprehensive risk assessment • Ongoing mitigation

Protections against loss of revenue and profits by minimizing likelihood and severity of supply chain disruption

Solution

ISC Risk Management Tools

Managing market and political uncertainty is more complex than ever

Risks can be hedged through intelligence and holistic view of risk management

1. Incorporating key information about global supply chain from market intelligence communications

2. Augmenting existing information not available via current market intelligence processes

3. Listening for sentiment and trends for critical items and events

Recognition

•IBM Outstanding Innovation Award

•Patent for impact likelihood algorithm

•CSCMP finalist for Supply Chain Innovation Award 23

Uncovering and Managing Supplier / Supply Chain Risk

2 x year complete Supply Base Assessment Country / Hub / Supplier / Supplier Site / Commodity

External and Internal Market Intelligence

4 x year Supplier Cluster Assessment Political, Environmental, Terrorism, Labor Risk

External Market Intelligence

Real Time Alerts Critical elements of the Supply Chain fot Countries,

Hubs, Supplier, Commodities External and Internal Market Intelligence

Additional Market Intelligence Feeds and Actions

White Paper, Advisories, Weekly Reports Bi-Weekly Updates to the Management Team Quarterly Briefing to IBM‘s Chief Risk Officer Central Repository (aka community) for all Risk Related Topics

External Data Source focusing on selected growth market countries and hubs

Providing specialized alerts

External Data Source Provider searching upstream supply chain re. Conflict minerals and rare earth metals

24

Highlights - Risk Process and Management System

Risk Mitigation Plans (via Lotus Notes database)

Plans formulated to address identified risk Plans reviewed and approved by management

Total Risk Assessment Tool

Supplier Financial Risk Assessment (SFRA) Tool

Supply Chain Risk Entities: • Commodity • Supplier • Supplier Site • Country • Hub

Risk Categories: • Disaster • Political, Legal & Social • Supplier Financial Stability • Security • Country Economic & Financial Stability • Infrastructure, Logistics & Energy • Environment & Natural Hazards • Labor & Health

Supplier-Site & Pandemic Questionnaires

Commodity Lead

Council Lead

Supplier & Commodity Questionnaires

Country & Hub Questionnaires

Market Intelligence

External Data Source Provider

Country & Hub Questionnaires

Cognos BI Reporting • Risk ratings by … Country Hub Supplier Supplier Site Commodity • Reports Generated … Global View Supply Chain Report Questionnaire Report Pandemic Questionnaire Report

Risk Identified

SFRA

Total Risk Assessment Tool (Determines Risk Rating for

combination of all entities and risks)

Automated email alerts via ILOG Business Rules Business Continuity

Planning Supplier Assessment Ratings

Real Time Alerts from External Data Source Provider – anytime, re. potential disruption threat

Supply Chain Social Responsibility Audit Compliance Reference

25

Total Risk Tool and Process Landscape

Categories Supplier Site Supplier Commodity Country Hub Pandemic

Disaster Production Stoppage, Pandemic related

Raw Material related

War and Civil Unrest related

Shut Down related

Communication & Cooperation

Environment & Natural Hazards

Economic / Financial

HR Infrastructure, Logistics & Energy

Labor & Health Includes Pandemic

Political, Legal & Social

Product & Market Requirements

Quality Security Strategic Importance

26

Categories and Types of Risk Evaluated

Supplier Risk Assessment

0.000%

10.000%

20.000%

30.000%

40.000%

50.000%

60.000%

70.000%

80.000%

90.000%

100.000%

0.00% 20.00% 40.00% 60.00% 80.00% 100.00%

L

I

y = 1 / (10 * (x + 0,05)) + 0,1 y = 1 / (10 * (x + 0,20)) - 0,1 Supplier

High Risk

Medium Risk

Low Risk

Impa

ct

Likelihood 27

Look into Risk - Impact & Likelihood

Real time alerts from External Data Source Provider of specific aspects as events unfolded provided an assessment damage and how quickly supply could be restored

Based on tool out put, immediately knew number of suppliers in Japan, which categories affected (e.g. commodities, logic, memory) and what tier supplier impacted

Able to immediately contact suppliers and understand - Extent of damage - Whether in exclusion zone or not - Ability to produce / maintain measure of supply continuity - Supplier contingency plans - Mitigation Actions (e.g. moving manufacturing to alternative locations)

Can look for supply continuity down through multiple levels of supply chain where IBM

has qualification / sourcing relationships with sub tier suppliers - Through use of related tool and process

12-24 hour head start in securing supply and implementation of mitigation actions

28

2011 Japan Earthquake / Tsunami and Thailand Flooding - Demonstrated value of tool and process

Likelihood Impact Model

Risk = Probability of Risk Event x Impact to Business Heat Map with modified Thresholds Thresholds set to capture 10 – 15% High Risk Supplier

~95%+ Spend Coverage ($12bn)

~650 High to Low Impact Suppliers

~2400 Supplier Site-Commodity Combinations Main driver Component and Memory

Subtier Supplier include certified FAB locations Differentiation between Fab, Assembly and Test

Components, Logic, Microcomponents, test

~ 60 Commodities Tracked From finished Boxes to Assemblies to Chip Families

~50 Country and Regions Tracked

All Growth Markets covered

~50 Key Transportation Hubs Tracked ~ Main Country Entry and Exit Transportation Points

~3000 Supply Chains captured

29

Factoids

Past & Current (examples) Bangkok Political Unrest 2009 / 2010 Russia – Ukraine Gas Dispute 2009 / 2010 Japan Tsunami and Reactor Melt Down 2011 Thailand Flooding 2011 / 2014 Super Typhoon Haiyan – Philippines 2013 Hynix Wuxi, China DRAM plant fire 2013 Thailand State of Emergency 2014 Ukraine political unrest 2014 Madagascar hurricane 2014 Chilean earth quake and tsunami 2014 Mexico City earth quake 2014

Current and Following

WTO ruling and China Appeal re. Rare Earth Metal ruling Export of ore restrictions

Continued Focus on Youth Unemployment in Europe Youth Unemployment trigger to Social Unrest

Sanctions on Russia Vietnam roits against Chinese businesses Thailand Martial Law

Source http://www.abc.net.au/news/2014-01-10/fresh-protests-at-rio-expulsions2c-demolitions/5193272

Source http://en.wikipedia.org/wiki/Typhoon_Haiyan

30

Assessment of Major Risk Events

Supplier Sourcing Consider Supplier Risk in Sourcing Process Use as decision support tool to award

business

Business Continuity Planning Consider BCP Readiness into Supplier Risk Inadequate BCP Readiness require Mitigation

Action to Improve Risk Score

Risk of Flooding (under development) Multiple input parameters like topography,

historical weather pattern, soil type, ... Selected Countries GPS tagging of Supplier Location Publicly Available Data Maps Views provided to Sourcing teams

Use of Mobile Communication

(under development) Bi-directional Communication with Suppliers Share Risk Events

31

Pro-Active Elements of Risk Management

Executive Interest and Support

Vice President and Controller –

In response to the IBM Board of Directors Audit Committee Meeting, acknowledged our current work is the right strategy and vision. “The Data Analytics presentation was very well received by the Audit Committee. I walked them through our strategy, … and wrapped up by outlining the impact of Analytics on the Enterprise Risk Map. The Audit Committee was very engaged throughout the presentation and acknowledged that this was the right strategy and vision”

IBM Chief Risk Officer and Vice President Pensions Management –

“I personally reference the tool internally and externally as a prime example of IBM's use of Analytics to support risk management initiatives which clearly underscores our thought leadership in this area. ”

IBM Corporate Office, Director, Global Risk and Insurance Management –

“This tool has been a huge differentiator for IBM when we present our risk profile to the property insurance underwriting community. Business Interruption and Contingent Business Interruption are ever expanding exposures to an organization and not only can impact income to the organization but also our ability to meet our commitments to our customers.”

IBM VP & Chief Procurement Officer –

“Managing and reducing risk in the supply chain … will be key to IBM’s global growth in the future”

32

Corporate-wide Supply Chain Risk Assessment - viewed as the right strategy and vision, key to global growth and a differentiator

Risk management is a fundamental building block to a supply chain strategy

Supply Chain Leaders are integrating process controls in their logistics and operations, supplier compliance programs and planning process

Procurement can deliver true value using an intelligent and comprehensive risk assessment program with suppliers

A strong supplier / supply chain risk management program, can - demonstrate to clients that IBM can be a reliable supplier, and - be a key factor in preserving and growing revenue - be featured to insurance underwriters as rationale for reduced premiums

Objective of these processes is not to eliminate risk - without risk there is no progress - instead it is to ensure we can manage and mitigate risks

“Managing and reducing risk in the supply chain … will be key to IBM’s global growth in the future” - John Paterson, IBM VP & CPO

33

Supply Chain Risk Management – Key Takeaways

Q &

A Lou Ferretti Project Executive, Product Environmental Compliance & Supply Chain Social Responsibility

ferretti@us.ibm.com

Bill DeMartino Practice Executive, Spend Analysis & Supplier Management

billd@us.ibm.com

Thank You!

For more information, please visit: www.ibm.com/procurement-solutions