suppliers - Blog - Global Risk Community2024-03-29T12:26:23Zhttps://globalriskcommunity.com/profiles/blogs/feed/tag/suppliersValue Grid Model vs. Value Chain Analysishttps://globalriskcommunity.com/profiles/blogs/value-grid-model-vs-value-chain-analysis2021-06-01T15:53:49.000Z2021-06-01T15:53:49.000ZMark Bridgeshttps://globalriskcommunity.com/members/MarkBridges<div><p><a href="{{#staticFileLink}}9020351661,original{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}9020351661,RESIZE_400x{{/staticFileLink}}" alt="9020351661?profile=RESIZE_400x" width="350" /></a>A traditional <a href="https://flevy.com/browse/marketplace/value-chain-analysis-262">Value Chain</a> involves a linear sequence of activities—from conversion of raw materials into components which are assembled into products. The products are then distributed, marketed, sold, and serviced. Management plans and executes strategies and operations based on this sequence.</p><p>This set of activities worked well for organizations in the past. However, this linear progression does not encourage <a href="https://flevy.com/browse/stream/innovation">Innovation</a> and provides little protection from the risk of being outperformed by rivals in today’s disruptive markets. Such a competitive environment calls for implementing more robust ways of managing Customer Demand and <a href="https://flevy.com/browse/stream/value-creation">Value Creation</a>.</p><p>An effective approach to deal with this challenge is the <a href="https://flevy.com/browse/flevypro/value-grid-analysis-5661">Value Grid Analysis</a> Model. The Value Grid approach provides a perspective beyond traditional linear progression of activities, where organizations need to balance equilibrium between suppliers and manufacturers aside from concentrating only on reducing lead times. 
It outlines new opportunities and risks for organizations.</p><p>The Value Grid Analysis provides a number of routes to <a href="https://flevy.com/browse/stream/performance-management">improve Performance</a> and reduce risks. It encompasses the following 3 pathways—or dimensions:</p><ul><li>Vertical pathway – using traditional Value Chain, companies find opportunities upstream or downstream from adjacent tiers in the existing Value Chain.</li><li>Horizontal pathway – companies look for opportunities from similar tiers in multiple (parallel) Value Chains.</li><li>Diagonal pathway – explore opportunities to create value across multiple value chains and tiers.</li></ul><p>The Value Grid Framework necessitates diverting leadership attention towards 3 key opportunity areas to create Competitive Advantage:</p><ol><li><strong>Customer Demand</strong></li><li><strong>Information Access</strong></li><li><strong>Multi-tier Penetration</strong></li></ol><p><a href="https://flevy.com/browse/flevypro/value-grid-analysis-5661"><img class="aligncenter size-full wp-image-9221" src="https://flevy.com/blog/wp-content/uploads/2021/06/Value-Grid-Analysis.png" alt="" width="1002" height="752" /></a></p><p>Let’s dive deeper into the 3 opportunity areas.</p><h3><strong>Customer Demand</strong></h3><p>The first opportunity area to drive competitive advantage pertains to controlling internal and external customers’ demand. It warrants a company to manage customer demand upstream (suppliers and companies that supply to suppliers) as well as downstream (customers). By managing customer demand downstream, organizations control the decision makers responsible for the purchase decision. When companies are unable to control the decision makers, they look for levers across the Value Chain to influence decisions. These levers include direct advertisements to the end users, focusing on distributors, or incentivizing retailers to recommend a product. 
Organizations also try to influence upstream, e.g., their R&D units, to create products which can be used in conjunction with the existing product range to boost their efficacy and benefits for the end-users, ultimately influencing consumers’ decisions downstream.</p><h3><strong>Information Access</strong></h3><p>The 2<sup>nd</sup> opportunity area involves linking information sharing to influence decision making. A few manufacturers prefer to partner with those suppliers who openly disclose the information (capabilities, flexibility, and pricing structures) of their 2<sup>nd</sup>-tier suppliers with them. This assists them in planning and helping the suppliers manage materials and prices better.</p><p>For instance, with increased tariffs on imported steel and the price of steel continuously going up, car manufacturers like Honda purchase steel in bulk and sell it to their suppliers at a reduced rate. This helps them keep the prices of their cars down and compete better.</p><h3><strong>Multi-tier Penetration</strong></h3><p>Nonlinear thinking (Value Grid Model) enables organizations to determine innovative solutions beyond the scope of traditional Value Chains. To manage excess demand, organizations take on multiple Value Chain tiers to control demand and buyers’ power.</p><p>Leading manufacturers evaluate multiple value chain points for their participation in order to scale. They sell not only to Original Equipment Manufacturers but also in the aftermarket. Supplying to more than one Value Chain tier allows organizations to withstand pressure from OEMs to reduce costs, demand shifts, and offers attractive margins.</p><p>Interested in learning more about the 3 opportunity areas of the Value Grid Analysis Framework? 
You can download <a href="https://flevy.com/browse/flevypro/value-grid-analysis-5661">an editable PowerPoint on <strong>Value Grid Analysis</strong> here</a> on the <a href="https://flevy.com/browse">Flevy documents marketplace</a>.</p></div>What Can CISOs Do to Mitigate Security Risks Posed by Third Party Suppliers?https://globalriskcommunity.com/profiles/blogs/what-can-ciso-s-do-to-mitigate-security-risks-posed-by-third2020-01-21T06:31:36.000Z2020-01-21T06:31:36.000ZKirsty Donovanhttps://globalriskcommunity.com/members/KirstyDonovan569<div><p>In today’s hyper-connected digital age, it’s not unusual for medium to large-sized companies to have hundreds, or even thousands, of third-party suppliers.</p><p>This can range from product suppliers, to billing processors, to cloud providers, and a variety of different services.</p><p>This large volume of suppliers can pose a challenge for Chief Information Security Officers (CISOs) to properly manage risk, especially when personal or confidential data is shared.</p><h3>A Risky Misconception – Understanding Supplier Risk Profiles</h3><p>Many businesses think that if they outsource the service, they automatically outsource the risk too. This simply isn’t true.</p><p>The procurement and security departments need to work together to:</p><ul><li>understand what the risk profile of the supplier is</li><li>ensure that the risks are carefully translated into contracts and on-site audits</li><li>identify and monitor how the supplier can manage risk to the required level.</li></ul><p>We’ve identified 5 steps to help companies mitigate the risk caused by outside suppliers.</p><h3>1. 
Build a Structural Picture of the Organisation</h3><p>According to Nick Frost, Director of CRMG, all too often security providers get distracted by the main security challenge – i.e. the immediate risk to the primary business. To mitigate supplier risk, they need to gain a deeper understanding of the business processes, the services the business uses and how data is handled across the supply chain.</p><p>This can be a complex process, especially when there are multiple levels of suppliers. CISOs need to know whether the risk lies in a tier 1, 2 or even tier 3 supplier. To do this, a full structural outline needs to be drawn up that charts the flow of data and information all the way through the various supply chains.</p><p>As companies and suppliers become increasingly interconnected through network sharing, cloud storage, APIs, etc., the need for security oversight becomes even more critical.</p><p>CISOs need to nail down exactly what type of data is being shared and where it is going. For instance, if Personally Identifiable Information (PII) or confidential business data is being shared, it can create a huge risk if left unmanaged.</p><h3>2. Create a “checklist” Triage Approach to Risk Management</h3><p>CISOs can be overwhelmed with the amount of information that comes in from suppliers. A system needs to be devised to assess the risks posed by suppliers, especially when handling sensitive data. Red flags need to be raised when suppliers handling the riskiest data don’t meet certain levels.</p><p>When there are 1000s of suppliers in the supply chain, CISOs need to hone in on the priority ones, i.e. the suppliers that can cause the most disruption to operations or pose the greatest data risk. Andrew Wilson, a Principal Consultant at CRMG, suggests a triage approach, with a checklist of security requirements drawn up for each critical supplier.</p><h3>3. 
Risk-aware Onboarding</h3><p>The best way to mitigate risk from the outset is to make sure that contracts reflect the security issues at hand. It’s a good idea for CISOs to establish close relationships with the legal and procurement departments.</p><p>For instance, the procurement team can say “Here, we have this MSA (Master services agreement), this is the type of product or service on offer.” CISOs can then do their risk assessment based on that information, then sit down with procurement and highlight which controls are missing, which aren’t necessary, etc.</p><p>It’s important to remember that when the legal team goes into discussions with a potential supplier, there will be a contract negotiation. There will be certain clauses that the supplier will want to redline out. It’s important that the legal and procurement team know exactly which are the “nice to have” clauses (i.e. can be sacrificed) and which are the non-negotiables – the must-have clauses to ensure that the required security level is met.</p><p>This avoids the situation where CISOs are brought in too late, i.e. after the contract is already in place, and they realise that the vendor has poor security posture. It’s far better to realise this before the product or service is purchased and contracts drawn up.</p><h3>4. Update Risk Profiles as Services Change</h3><p>Services provided by suppliers can easily change over time. This means that the type of data being shared may change too. Often, business people aren’t aware of the consequences that adding different data types can have.</p><p>For example, cloud providers are great for storing general data and information, but if you start to store confidential data, PII data, information about mergers and acquisitions, etc. the risk profile changes drastically. The original contract may not address this risk. Therefore, periodic risk profile assessments are a good idea.</p><h3>5. 
Consider “Exit Strategies”</h3><p>Organisations also need to consider exit strategies, or “divorce arrangements”. When companies finally part ways with a long-term supplier, they may hold a lot of sensitive data. CISOs need to find a way to mitigate this risk. They need to come up with a way of staying on good terms with the supplier and managing a secure transfer of data to the new party. Again, a checklist approach can work here, to ensure that all potential risk is carefully managed.</p><p></p><p>To find out more about Third Party Risk, you can listen to this podcast<span> </span><a href="https://www.crmg-consult.com/2019/11/27/crmg-podcast-how-to-manage-third-party-risk-when-you-have-thousands-of-suppliers/">here</a>.</p><p></p><p><strong>About the author</strong></p><p><img class="alignnone size-full wp-image-285" src="https://www.crmg-consult.com/wp-content/uploads/2019/08/Nick-Frost.jpg" alt="" width="112" height="112" /><br /> <strong>Nick Frost<br /></strong> Director, CRMG</p></div>How to Manage Third Party Risk When you Have Thousands of Suppliershttps://globalriskcommunity.com/profiles/blogs/how-to-manage-third-party-risk-when-you-have-thousands-of2019-12-30T16:07:09.000Z2019-12-30T16:07:09.000ZKirsty Donovanhttps://globalriskcommunity.com/members/KirstyDonovan569<div><div><div><span lang="en-us" xml:lang="en-us">Not so long ago, the idea of outsourcing critical business functions or IT systems</span><span lang="en-us" xml:lang="en-us"><span> to a </span><span>third party</span><span> supplier would have been off limits for many organisations because of the level of risk involved. However today, the use of </span><span>third party</span><span> suppliers </span></span><span lang="en-us" xml:lang="en-us">has</span><span lang="en-us" xml:lang="en-us"> increased exponentially, with many </span><span lang="en-us" xml:lang="en-us"><span>organisations</span></span><span lang="en-us" xml:lang="en-us"> outsourcing even core functions of their business. Why? 
Outsourcing can be financially attractive, efficient and provide competitive advantage.</span></div><div><span> </span></div></div><div><div><span lang="en-us" xml:lang="en-us">In delegating key processes to third parties, </span><span lang="en-us" xml:lang="en-us"><span>organisations</span></span><span lang="en-us" xml:lang="en-us"><span> </span>are potentially exposing themselves to huge amounts of risk, and while you might be able to outsource functions, you can never outsource business risks or reputation. It is common for information security to be last in the process of due diligence when selecting suppliers. So, when you have thousands of suppliers, and they have thousands of suppliers, how far should you go to assess and manage cyber risk?</span></div><div></div><iframe width="560" height="315" src="https://www.youtube.com/embed/I_mJ6rg-dUY?wmode=opaque" frameborder="0" allowfullscreen=""></iframe></div><p><span>In this podcast, CRMG’s Nick Frost, Todd Wade and Andrew Wilson discuss the key risks associated with third party suppliers, how to manage the process of on-boarding suppliers, and how to filter through suppliers to assess those most critical to your business. 
Our team also discuss the importance of managing the relationships with third party suppliers and the need for an exit strategy in the event of a split.</span></p></div>The Purpose of an Organizationhttps://globalriskcommunity.com/profiles/blogs/the-purpose-of-an-organization2015-04-20T02:17:13.000Z2015-04-20T02:17:13.000ZEnrique Raul Suarezhttps://globalriskcommunity.com/members/EnriqueRaulSuarez<div><p style="text-align:center;"><a href="{{#staticFileLink}}8028231890,original{{/staticFileLink}}"><img width="720" height="420" class="align-center" style="width:475px;height:255px;" src="{{#staticFileLink}}8028231890,original{{/staticFileLink}}" alt="8028231890?profile=original" /></a>Henry Ford</p><p style="text-align:center;"></p><p>Edwards Deming described the purpose of an organization in New Economics, on page 51, as:</p><p></p><p>"The aim proposed here for any organization is for everybody to gain - stockholders, employees, suppliers, customers, community, the environment - over the long term."</p><p></p><p>Like so much of what Deming said, that makes sense to me. It is my sense the "conventional wisdom" would state something more along the lines of the purpose of a company is to make money. I would not agree. Rewarding the owners is important, but other stakeholders should be included in the purpose. Even with a strictly legal argument it is not true that a company exists only to make money. The company enters into legal obligations to employees, suppliers, customers and communities.</p><p></p><p>Conventional wisdom agrees that a company must comply with the law. Many of those laws are requirements society has put in place to ensure that companies focus on obligations to their customers, community, suppliers and the environment (over the long term).</p><p></p><p>Some might choose to view those legal requirements as only a means to make money. 
That a company exists to make money and that so long as a law doesn't require something else, any decision should be based only on long term financial benefit. I would not agree. The laws are a manifestation of the belief of the society that other important considerations exist that must be considered.</p><p></p><p>In the early stages of capitalism the business world was largely seen as amoral. That is no longer the case (again as I see "conventional wisdom"). Most, though not all, believe that companies have moral obligations to the environment, community, customers and employees. Many of these obligations have been turned into laws (just as there are laws that require the interests of the shareholders to be cared for). Those laws set the minimum legal limit that must be met. And they seem to pretty clearly express the decision society has made that companies exist within a society and have a larger purpose than making money for the owners. One benefit of companies is that they reward those who invested in them. They also provide jobs to employees and products and services to customers.</p><p></p><p>How those interests are balanced is not such an easy issue to address. I think Deming's quote is a good starting point for discussion. Right now we have the balance pretty heavily in favor of the owners (and making profit). I personally think it makes sense to have that as a very important factor, though I favor increasing the focus on some other factors than is the current normal practice. Most importantly, I believe we need to increase the importance of the purpose of providing good jobs for employees.</p><p></p><p>The marketplace does a pretty good job of asserting the importance of customers and suppliers. Even so, regulation and law enforcement are necessary actors in those instances where the free market is insufficient. The changes in the world are making it very difficult for the community interests to be respected. 
And I think that this trend will likely increase. I plan to think more about what this will mean going forward.</p><p></p><p>There is an important difference between those that see the only true purpose of a company is making money and those that see a variety of purposes that must be balanced. I hope we can move the conventional wisdom to a more balanced view of the importance of the various stakeholders from what I see now as the current unhealthy focus.</p><p></p><p></p></div>