1. #AribaLIVE
@ariba
Leveraging Ariba Discovery for Supplier
Identification and Vetting
David Landsman, Global Director, Ariba Discovery
@AribaDiscovery – @SourcingDavid
April 9, 2015
© 2015 Ariba – an SAP company. All rights reserved.
2. #AribaLIVE @ariba
Agenda
• Introduction of Panel
• Ariba Solutions for Supplier Risk Management
• Supplier Risk Management Insights
• Q & A
3. #AribaLIVE @ariba
Panel
• Bill Michels, Aripart Consulting
CEO
• Tracy Yarmolich, Equifax
AVP of Product Development
• Jason James, Evantix
VP Risk Management, CISA
4. #AribaLIVE @ariba
Moderator
• David Landsman – Global Director
Ariba Discovery (Marketplace)
Trade World (Public Tenders)
• 13 years w/ marketplace model businesses
• Thought leader in supply chain, sourcing and risk
• @SourcingDavid
5. #AribaLIVE @ariba
Importance of Supplier Risk Mitigation
• Changing global/regional economic conditions
• Sourcing new commodities or new products
• Low-cost country sourcing or re-shoring
• Fulfill rush orders
• Rationalizing or diversifying your supply base
• Identifying diversity, green, or SMB suppliers
6. #AribaLIVE @ariba
Minimizing Supplier Risk with Ariba/SAP Solutions
Ariba Discovery: Research/Vet Potential Suppliers Upfront
• Quickly identify relevant suppliers in a 1.7 million global supplier base
• Reach informed decisions with extensive supplier profile information
• Vet potential suppliers within Ariba Discovery’s user interface
• Import desired suppliers directly into Sourcing or P2P
SAP Supplier InfoNet: Predictive Supplier Performance Insights
• Employs crowd sourcing to collect performance data about SAP suppliers
• Provides KPIs and benchmarks against other suppliers in the SAP supplier network
• Predicts supplier behavior
• Proactively identifies supplier performance issues, including sub-tier supplier issues
7. #AribaLIVE @ariba
Rich Supplier Profile Information in Ariba Discovery for Supplier Risk Management
Supplier Profile Insights
• Company information
• Product and service categories
• Ship-to and service locations, and industries
• Diversity, quality, green classifications
• Transacting relationships
• Ariba-Ready certification
• Customer references and ratings
• References
9. #AribaLIVE @ariba
Supplier Risk Management Overview
What is the current environment?
What are the risks?
The importance of the sourcing decision
Building EQs, PQs and OWC
Big Data enables opportunities to find new and better suppliers
10. #AribaLIVE @ariba
CPO Top Priorities
Internal and External Collaboration
Talent Improvement
Innovation
Cost and Value
11. #AribaLIVE @ariba
Understanding the Future
The Future is Here: a clearly defined linkage between
• Supply Chain Transparency & Integrated Business Systems
• Supply Chain Risk Management
• Value Management
• Innovation Capture
12. #AribaLIVE @ariba
Current Business Trends
• Sustainability
• Global manufacturing is moving to a more local/regional focus versus global
• Mergers and acquisitions
• Labor costs are becoming less important when determining the location of factories or expansion
• Organizations returning to their core business
• Customers demand higher levels of value
Megatrends
• Shifting economics: information & knowledge
• Increased demand: green products & services
• Changing demographics & political unrest
• Increased customer value expectations
• Increase in globally extended supply/value chains
• Price pressure on basic materials
13. #AribaLIVE @ariba
Supplier Selection
• Is the most important decision a sourcing professional can make
• If done correctly will add significant shareholder value,
integrated supply chains and lean low cost producers
• If done incorrectly will be expensive, introduce significant risk to
your business and be costly
14. #AribaLIVE @ariba
Choosing the Wrong Supplier
What is happening…and what could happen?
Product tampering
Exchange rates
Patent infringement
Legal
Political
Fire/explosion
Counterfeit products
Prolonged equipment breakdowns
Credit/financial
Bankruptcy
Business interruption
Product liability
Natural catastrophes
Environmental impairment
Regulatory issues
Product recall
15. #AribaLIVE @ariba
What Relationship Do We Want?
• Is it a strategic category?
• Are there few suppliers or many?
• Will it be sourced for a short or long time?
• Is IP involved?
• Is significant investment involved?
• What relationship do we need with the supplier?
• What is the performance that we need?
16. #AribaLIVE @ariba
Building EQs, PQs and OWC
• Point 1: Supplier Classification is Critical
• Point 2: Establishing Entry Qualifiers
• Point 3: Building your KPIs
• Point 4: What criteria wins the bid?
17. #AribaLIVE @ariba
Using Discovery
• EQ, PQ, OWC: Ariba Discovery can provide key criteria for establishing EQs, PQs and OWC
• All of which should be identified prior to the bidding event
19. #AribaLIVE @ariba
Who is Equifax? A Proven Market Leader
• Started in 1899
• S&P 500 Company
• 400,000+ Customers
• 250+ Products
• Operations in 14 Countries
• $1.8 Billion in Revenue
• 7000 Associates
• NYSE Firm (EFX)
Data
• 400 million Consumer/Commercial
Profiles
• 5 billion Trade lines
• 2 billion Updates Monthly
• 5.5 billion Scores Annually
• 5 million Decisions Daily
22. #AribaLIVE @ariba
Continuity
• Will my supplier be able to pay his suppliers in a timely manner?
• What is the likelihood that my supplier will unexpectedly close his doors?
23. #AribaLIVE @ariba
Reputational Risk
• The supplier performs either a key service or provides a product which is critical to your business
• Will my brand be negatively impacted by one of my suppliers?
24. #AribaLIVE @ariba
Operational Risk
• Your company is not purchasing a product or service from this supplier
• The supplier acts as a “sales channel”
27. #AribaLIVE @ariba
Scrutiny Level Commensurate with Risk Level
• Level of scrutiny of supplier verification should match the risk of the supplier
• Based on importance to your business:
  Number of suppliers for this service or product
  Your service level agreements
  Inventory on hand
28. #AribaLIVE @ariba
Verify ID and Likelihood of Being Able to Deliver
• Use a credit report to:
  Verify business identity
  Identify potential fraud
  Assess payment habits
  Determine likelihood of business failure
29. #AribaLIVE @ariba
Illegal Activity Monitoring
• Guilty by Association:
  Screen your supplier portfolio against a news database
  Scrub for name variations, transpositions, duplicates, abbreviations, and initials
  Perform a manual false-positive review
  Return clear, easy-to-read alerts with identifying information
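The screening step described on the slide (scrub supplier names for variations, transpositions, duplicates, abbreviations and initials, match against a news database, then hand candidates to a manual false-positive review) in working code. This is an added illustration, not code from the slides or from Ariba or Equifax: the suffix and abbreviation tables, the supplier records and the news entries are constructed sample data, and the 0.85 similarity threshold is an assumption.

```python
"""Supplier-name screening against a news/watch database.

Added illustration of the "guilty by association" workflow: normalize company
names so that variations, transpositions, duplicates, abbreviations and initials
compare equal, match the supplier portfolio against news subjects, and queue
every candidate for a manual false-positive review. Not Ariba or Equifax code;
the suffix/abbreviation tables, the suppliers and the news entries are
constructed sample data, and the 0.85 similarity threshold is an assumption."""

import re
import unicodedata
from difflib import SequenceMatcher

# Legal-form suffixes carry no identifying information, so they are dropped.
SUFFIXES = {"inc", "incorporated", "corp", "corporation", "co", "company",
            "ltd", "limited", "llc", "plc", "gmbh", "sa", "ag"}
# Common abbreviations folded to their long form (sample table, not exhaustive).
ABBREVIATIONS = {"intl": "international", "mfg": "manufacturing",
                 "svcs": "services", "svc": "services", "bros": "brothers"}


def collapse_initials(tokens):
    """Merge runs of single-letter tokens: ['j', 'b', 'harlow'] -> ['jb', 'harlow'],
    so 'J.B. Harlow' and 'JB Harlow' normalize identically."""
    out, run = [], []
    for tok in tokens:
        if len(tok) == 1:
            run.append(tok)
            continue
        if run:
            out.append("".join(run))
            run = []
        out.append(tok)
    if run:
        out.append("".join(run))
    return out


def normalize(name):
    """Return the canonical token list of a company name.

    Accents, case and punctuation are stripped, initials merged, abbreviations
    expanded and legal suffixes removed; the result is sorted so that word
    order (a transposition such as 'Widgets Acme') does not matter."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", text.lower().replace("&", " and "))
    tokens = [ABBREVIATIONS.get(t, t) for t in collapse_initials(tokens)]
    return sorted(t for t in tokens if t not in SUFFIXES)


def canonical_key(name):
    return " ".join(normalize(name))


def find_duplicates(suppliers):
    """Group supplier records that reduce to the same canonical name, so one
    company entered twice is treated as a single exposure, not two."""
    groups = {}
    for s in suppliers:
        groups.setdefault(canonical_key(s["name"]), []).append(s["id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def screen(suppliers, news_entries, threshold=0.85):
    """Return one alert per (supplier, news entry) whose canonical names are
    identical or similar above `threshold`. Alerts carry the identifying
    information a reviewer needs and are never auto-actioned: the workflow on
    the slide ends in a manual false-positive review."""
    alerts = []
    for s in suppliers:
        s_key = canonical_key(s["name"])
        for n in news_entries:
            n_key = canonical_key(n["subject"])
            if s_key == n_key:
                score, kind = 1.0, "exact"
            else:
                score, kind = SequenceMatcher(None, s_key, n_key).ratio(), "fuzzy"
            if score >= threshold:
                alerts.append({"supplier_id": s["id"], "supplier": s["name"],
                               "subject": n["subject"], "headline": n["headline"],
                               "score": round(score, 2), "kind": kind,
                               "status": "pending manual review"})
    return alerts


# Constructed sample portfolio and news feed (not real companies or events).
SUPPLIERS = [
    {"id": "S-1001", "name": "ACME Widgets, Inc."},
    {"id": "S-1002", "name": "Acme Widgets Co"},        # duplicate of S-1001
    {"id": "S-1003", "name": "J.B. Harlow Mfg Ltd"},
    {"id": "S-1004", "name": "Northwind Traders LLC"},
    {"id": "S-1005", "name": "Acme Widget Company"},    # near-variant: fuzzy hit
]
NEWS = [
    {"subject": "Widgets Acme Corporation",
     "headline": "Regulator fines Widgets Acme over export-control violations"},
    {"subject": "JB Harlow Manufacturing",
     "headline": "JB Harlow Manufacturing named in counterfeit-parts probe"},
    {"subject": "Northwind Logistics",
     "headline": "Northwind Logistics opens new distribution hub"},
]

if __name__ == "__main__":
    for key, ids in find_duplicates(SUPPLIERS).items():
        print(f"duplicate records for '{key}': {ids}")
    for a in screen(SUPPLIERS, NEWS):
        print(f"[{a['kind']:5} {a['score']:.2f}] {a['supplier_id']} {a['supplier']!r}"
              f" <-> {a['subject']!r}: {a['headline']} ({a['status']})")
```

On the sample data the two "Acme Widgets" records collapse into one exposure, the transposed "Widgets Acme Corporation" and the initials/abbreviation variant "JB Harlow Manufacturing" hit exactly, "Acme Widget Company" surfaces as a fuzzy candidate, and "Northwind Logistics" stays below the threshold. Every alert is left in "pending manual review" rather than acted on automatically, which is what keeps a name collision from becoming a wrongly blocked supplier.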
30. #AribaLIVE @ariba
True Exposure
• Suppliers have multiple names and addresses
• Understand relationships between suppliers
• Negotiate for better terms and price
• Early warning
31. #AribaLIVE @ariba
Operational Risk
• Suppliers under financial distress are more likely to close their doors “unexpectedly”
• Firmographics
  Years in business
  Industry
• Ownership Information
  Recent ownership changes
• Payment Performance
  Ability to pay their creditors
  – Historical payment performance
• Financial Statements
• Public Records
  Outstanding judgments and liens
  Secretary of State Business
  – Registration
32. #AribaLIVE @ariba
The Complete Solution
• Monitoring suppliers for negative financial conditions, suspected activity and linking of sites enables you to respond quickly to protect your business.
• Empowers you to protect and grow your business intelligently.
33. #AribaLIVE @ariba
Monitoring for Changing Conditions
• Protect your brand and reputation with timely alerts to critical supplier changes
• Monitor competitive moves, major business events and changes in the risk profile of existing suppliers, enabling you to proactively respond and protect your relationships and profits.
35. #AribaLIVE @ariba
Why Assess a Vendor?
• You don’t want to be a target for hackers via your vendors’ weak IT controls
• You may have to comply with various ever-increasing regulatory and other compliance frameworks:
  HIPAA
  PCI
  FFIEC
  Many others
36. #AribaLIVE @ariba
FFIEC Announcement
• The appendix highlights that a financial institution’s reliance on third-party service providers to perform or support critical operations does not relieve a financial institution of its responsibility to ensure that outsourced activities are conducted in a safe and sound manner. An effective third-party management program should provide the framework for financial institution management to identify, measure, monitor, and mitigate the risks associated with outsourcing. Specifically, a financial institution should ensure that its third-party service providers do not negatively affect its ability to appropriately recover IT systems and return critical functions to normal operations in a timely manner:
• Third-Party Management
• Third-Party Capacity
• Testing with Third-Party Technology Service Providers
• Cyber Resilience
37. #AribaLIVE @ariba
Assessment Approach
Three Key Types of Assessment Approach
1. Spreadsheets and Word Documents
2. GRC (tools such as Evantix, Archer, MetricStream)
3. Onsite Interview and Observation
Assessment worksheet excerpt: BUSINESS CONTINUITY PLANNING (BCP)
Column groups: CONTROL FINDINGS, CONTROL EVALUATION, MANAGEMENT RESPONSE
Columns: Ref #; DOI Questionnaire Question; Management Response; Control Activity Findings; Supporting Evidence; Other Audit Documentation Used?; Control Assessment; Previous Audit Recommendations; Remediation Recommendation; Comments; Evaluation of Response

Ref #: E1
DOI Questionnaire Question: Is the business contingency plan a) current, b) based on a business impact analysis, c) has it been tested, and d) does it address all significant business activities, including financial functions, telecommunication services, data processing services and network services?
Management Response: Y
Control Activity Findings: Based on inquiry, and review of company documentation, it appears that:
1a) Current Business Continuity Plans are maintained and saved on an internal portal - PaceMaker (PaceMaker Initial Screen.pdf). They cover both business and technical/IT aspects of disaster recovery and business continuity. The samples selected (Claims, IT, and Financial Reporting) include sections for Maintenance Phase - Mandatory Update As Required, Quarterly & Semi-Annual Review of Critical Information, Testing, Recovery Phase - Pre-Activation, Activation, Critical Operations, Full Recovery, Post Recovery and Reference Attachments for applicable locations. (Claims BCP.pdf, Financial Reporting BCP.pdf, ITBCP General.pdf, IT BCP Hot-Site Implementation Team.pdf, ITBCP Alternative Office Support Team.pdf, ITBCP Telecommunication Recovery Team.pdf) A Confidential Crisis Management Plan also exists and was examined with management. Hard-copy binders are kept by key executives at off-site locations. The IT department also maintains BCPs for significant systems/applications and databases on the company's Sharepoint portal (BCP System Recovery Procedures.Sharepoint Folder.pdf, BCP Zeus Recovery Procedures Folder.pdf, BCP Oracle Financials Recovery Procedures Folder.pdf). The system BCPs outline specific procedures for recovering the system after a disaster (Control Procedures IT - BRP Zeus Checks.doc, DBA BCP Procedures.doc, Forms_10_BCP_Documentation-v3.doc, R12 OAP BCP Process.doc).
1b) Management indicates that a comprehensive business impact analysis (BIA) has been performed for significant business areas and is maintained and saved to PaceMaker (PaceMaker Initial Screen.pdf). The documented BIA examines areas such as: Background Information - General, Process Description, Operating Locations, Peak Operating Times & Cycle Time, Annualized Return, Annualized Production Output; Resource Requirements - General Resource Requirements, Notes, Key Records, Data, Intellectual Property & Documentation and Records Management Process, Disaster Preparedness/Work From Home Capabilities, Dependencies - Key Customers, Service Level Agreements w/ Customers, Process Dependencies, Product Dependencies, Technology Dependencies, Vendor/External Dependencies, Regulatory Requirements - Regulatory Considerations, Reporting Requirements and BIA - Recovery Objectives, Reputation Impairment - Customer and Stakeholder Considerations, Employees, Cash Flow Interruption, Financial Control and Reporting Exposure and Contractual Noncompliance (Claims BIA.pdf, Financial Reporting BIA.pdf). BCP-System RTOs.xls documents the Recovery Time Objectives for IT Supported Business Applications per Department/Functional area.
Supporting Evidence: PaceMaker Initial Screen.pdf; Claims BCP.pdf; Financial Reporting BCP.pdf; IT BCP General.pdf; IT BCP Hot-Site Implementation Team.pdf; IT BCP Alternative Office Support Team.pdf; IT BCP Telecommunication Recovery Team.pdf; BCP System Recovery Procedures.Sharepoint Folder.pdf; BCP Zeus Recovery Procedures Folder.pdf; BCP Oracle Financials Recovery Procedures Folder.pdf; Control Procedures IT - BRP Zeus Checks.doc; DBA BCP Procedures.doc; Forms_10_BCP_Documentation-v3.doc; R12 OAP BCP Process.doc; Claims BIA.pdf; Financial Reporting BIA.pdf
Other Audit Documentation Used?: N
Control Assessment: Based on the information provided, this control appears to be at CobiT Maturity Model Level 4 - Managed and Measurable.
Previous Audit Recommendations: None
Remediation Recommendation: None
Comments: N/A
Evaluation of Response: N/A
38. #AribaLIVE @ariba
Frameworks and Standards
• ISO Version 2013
  Not an assessment tool, more an ISMS, but some have adapted it into one
• NIST
• PCI Version 3
• HIPAA update 2014
• Shared Assessment
  Licensed version 2015
SIG Lite excerpt
Columns: Ques Num; SIG Question Text; Response; Additional Information; AUP 2015 Relevance; ISO 27002:2013 Relevance; COBIT 4.0 Relevance; PCI 3.0; FFIEC; COBIT 4.1 Relevance; Shared Assessments Program Cloud Computing White Paper Description
(Response and Additional Information are blank in this template excerpt.)

A. Risk Assessment and Treatment
SL.1 Is there a risk assessment program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the program?
  AUP 2015: A.1 IT & Infrastructure Risk Governance and Context
  ISO 27002:2013: 5.1 Leadership & Commitment; 6.1.2 Information Security Risk Assessment
  PCI 3.0: 12.2
  FFIEC: IS.1.3.1, BCP.1.2.1, BCP.1.3.5, MGMT.1.6.1.1, OPS.1.3
  COBIT 4.1: PO9.4

B. Security Policy
SL.2 Is there an information security policy that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
  AUP 2015: B.1 Information Security Policy Content & Maintenance
  ISO 27002:2013: 5.1.1 Policies for information security
  COBIT 4.0: PO6.1 IT policy and control environment
  PCI 3.0: 5.4, 12.1
  FFIEC: IS.1.4.1
  COBIT 4.1: PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
SL.3 Have the policies been reviewed in the last 12 months?
  AUP 2015: B.1 Procedure: d
  ISO 27002:2013: 5.1.2 Review of the policies for information security
  COBIT 4.0: PO3.1 Technological direction planning
  PCI 3.0: 12.2.b
  FFIEC: IS.1.4.2.7
  COBIT 4.1: PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
SL.4 Is there a vendor management program?
  PCI 3.0: 12.8
  FFIEC: N/A
  COBIT 4.1: N/A

C. Organizational Security
SL.5 Is there a respondent information security function responsible for security initiatives?
  AUP 2015: C.3 Security Organization Roles/Responsibilities
  ISO 27002:2013: 6.1.1 Information Security Roles and Responsibilities
  COBIT 4.0: PO3.3 Monitoring of future trends and regulations
  PCI 3.0: 12.5
  FFIEC: IS.1.7.4, MGMT.1.6.1.6
  COBIT 4.1: PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
SL.6 Do external parties have access to Scoped Systems and Data or processing facilities?
  ISO 27002:2013: 15 Supplier relationships
  PCI 3.0: 12.8
  FFIEC: N/A
  COBIT 4.1: PO6.4, DS5.5, ME2.2, ME2.5, ME4.7

D. Asset Management
SL.7 Is there an asset management policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
  AUP 2015: D. Assessment Management
  ISO 27002:2013: 8.1 Responsibility For Assets
  COBIT 4.0: N/A
  PCI 3.0: N/A
  COBIT 4.1: PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
SL.8 Are information assets classified?
  AUP 2015: D.1.c.6
  ISO 27002:2013: 8.2.1 Classification of Information
  COBIT 4.0: PO2.3 Data classification scheme
  PCI 3.0: 9.6.1
  FFIEC: N/A
  COBIT 4.1: PO2, AI2, DS9

E. Human Resource Security
SL.9 Are security roles and responsibilities of constituents defined and documented in accordance with the respondent’s information security policy?
  AUP 2015: C.3 Security Organization Roles/Responsibilities
  ISO 27002:2013: 6.1.1 Information security roles and responsibilities
  COBIT 4.0: PO4.6 Roles and responsibilities
  PCI 3.0: 12.1
  FFIEC: IS.2.M.15.1, MGMT.1.6.1.2, WPS.2.2.1.3.1
  COBIT 4.1: PO4.6, PO4.8, PO6.3, PO7.1, PO7.2, PO7.3, DS5.4
39. #AribaLIVE @ariba
Value of a Remote Assessment
• Audit Trail
  Sales or CSO completing the assessment
• Delegation Functionality
  Vendor’s vendor!
• Procurement Contract
  RFI
• Provides Attachments
• Questions Scored
• Questions and Sections Weighted
• Cheaper to perform over 100s of Vendors