Procurement Risk – Limited Visibility of the Supply Chain
A few weeks ago, I reviewed the 2018 Deloitte Global Chief Procurement Officer Survey and was not surprised that cost reduction, new products/market development and managing risks remain the top three business strategies for procurement. Sixty-five percent (65%) of procurement leaders report having limited or no visibility beyond their Tier 1 suppliers. Procurement professionals excel at creating tailored sourcing plans offering insightful advice, development strategies and execution plans to achieve goals. I believe sourcing plans must now contemplate the commercial rigours of the regulatory and risk-averse environment we operate in. Failure to understand the supply chain beyond major suppliers increases the level of risk with the potential to drive up costs.
Adopting ethical sourcing practices enables procurement teams to engage in meaningful dialogue with like-minded peers, making a greater impact in achieving Corporate Social Responsibility (CSR) objectives. Procurement departments must now help their organisations minimise the impact of modern slavery on supply chains. Legislation has already been passed in over seven countries to eradicate this shameful industry.
According to the Global Estimates of Modern Slavery Report, an estimated 40.3 million people were victims of modern slavery in 2016. Three in five (62%) victims of modern slavery worldwide were exploited in the Asia and the Pacific region, followed by 23% in the Africa region and 9% in Europe and Central Asia. In the U.K. alone there could be 136,000 victims. The Walk Free Foundation told Sky News “British consumers could be unwittingly buying billions of pounds of goods made by people trapped in the slave trade in other countries.” The foundation believes the U.K. imports £14bn ($18bn) worth of goods each year, including electronics and clothes, which are at a considerable risk of being made by slaves.
The 2015 U.K. Modern Slavery Act requires every organisation conducting business in the U.K. with total turnover exceeding £36 million to produce a slavery and human trafficking statement every financial year. Australia introduced similar legislation in 2018. Organisations with consolidated revenue of more than AUD $100 million must report annually on the risks of modern slavery in their operations and supply chains, and actions to address those risks. Companies will need to come up with innovative and tangible ways to comply with the laws and provide training to their staff. Lack of transparency in the supply chain is a significant risk as involvement in modern slavery could directly or indirectly lie with Tier 2 and Tier 3 suppliers. Organisations are likely to suffer considerable reputational damage if a media outlet highlights that a business is associated with unethical practices or human suffering.
There have been recent reports of increased malicious hacking activity directed at Managed Service Providers (MSPs) and their customers. In February, a vulnerable plugin for a remote management tool provided an opportunity for attackers to encrypt systems belonging to all clients of a U.S.-based MSP. Between 1,500 and 2,000 customer systems were cryptolocked, with the MSP facing a $2.6 million ransom demand. Chris Bisnett, Chief Architect at Huntress Labs, told Darkreading.com, “From the MSP’s standpoint, the tool they use to manage everything was just used against them to inflict damage on customers….Everyone is looking at the attack and saying, ‘This could have been me’”.
The Australian Cyber Security Centre (ACSC) has called on Australian businesses and individuals to be proactive in implementing better cyber security practices. ACSC has recommended organisations implement eight essential mitigation strategies, including multi-factor authentication and restricting administrative access, services often provided by MSPs. MarketsandMarkets reported the global MSP market is expected to increase from USD $180.5 billion in 2018 to USD $282 billion in 2023. The opportunities for cyber criminals grow as the managed services industry expands. MSPs typically subcontract some of the services they provide to their clients. If 65% of all procurement leaders employed by MSPs have limited knowledge of their Tier 2 and 3 suppliers, this represents a key risk, as third-party vulnerability is considered one of the major cyber threats. In heavy fog, “low visibility” procedures require that aircraft landing at an airport be separated by six miles instead of the usual three. There is very little distance separating multiple customer systems operated by an MSP in a data center.
A November 2018 report released by the Australian Cyber Security Growth Network (AustCyber) highlighted a deep skills shortage. It is estimated there is a shortfall of 2,300 professionals within Australia requiring 17,600 more cyber security workers by 2026. This could be costing the country AUD $400 million in lost revenue and wages. A cyber security employee receives on average an extra AUD $12,000 per annum over their IT industry peers. Gartner has predicted global information security spending will reach USD $124 billion this year. There are approximately 3,000 security startups in the world today harnessing AI and machine-learning enabling organisations to automate tasks and use technology to overcome the skills shortage. Companies probably source security technology from several small to medium enterprises making it relatively straightforward for procurement teams to discover the capabilities and innovative solutions they offer.
The building of trust is a dynamic and complex process built up over time. The rate of human reliance on companies to keep our information secure is crucially based on trust. A recent article published by Network World referenced an IDC report predicting worldwide data will grow 61% to 175 zettabytes by 2025, with as much of the data residing in the cloud as in data centers. A zettabyte is a trillion gigabytes. David Reinsel, senior vice president at IDC, says “If one were able to store 175ZB onto Blu-ray discs, then you’d have a stack of discs that can get you to the moon 23 times…..if you could download 175ZB on today’s largest hard drive, it would take 12.5 billion drives.” Walmart has more than 100,000 suppliers with French oil company Total buying from over 150,000. It is estimated 62% of small and midsize businesses are already using cloud computing.
Most corporations will have sensitive customer information spread across their entire supply chain. Consumers expect organisations to have high levels of accountability and reliable approaches to data quality and privacy. Europe’s General Data Protection Regulation (GDPR) came into effect last May and requires companies to report data breaches to the appropriate authorities within 72 hours of discovery. Countries are adopting their own privacy-focused regulations with Australia amending the Privacy Act requiring certain entities to comply with the Notifiable Data Breach (NDB) Scheme. The U.K. Information Commissioner’s Office is planning to fine British Airways £183 million as a result of the 2018 data breach that exposed the personal data of 500,000 consumers.
Developing a better understanding of the supply chain is an opportunity to unlock value and shape the relationship with companies who may become your organisation’s most important partner. For example, five years ago Tableau may have been considered a Tier 2 technology supplier. As demand for improved business intelligence increased, Tableau has become the major provider of data visualisation tools and on 1 August 2019 was acquired by Salesforce for US $15.7 billion.