BEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT

Similar documents
BEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

White Paper on Financial Institution Vendor Management

ARAVO WHITE PAPER. Best Practices for Supplier Risk Management: Measure, Monitor and Mitigate

Vendor risk management leading practices Glenn Siriano KPMG LLP DRAFT

De-Risking the Supply Chain: Cisco s Risk Intelligence and Analytic Tools

Tying It All Together: Practical ERM Integration. Richard Scanlon Vice President Enterprise Risk Management CIGNA Corporation

REPORT 2015/112 INTERNAL AUDIT DIVISION

Why you should adopt the NIST Cybersecurity Framework

DATASHEET CONTROL COMPLIANCE SUITE VENDOR RISK MANAGER 11.1

Supply Chain Management Build Connections

Consumer Goods and Services

Building Value from Visibility

BMUSF Marine Seminar. Project Cargo Panel. May 4, 2012 San Francisco, California

RiskAstute. Prepared for When.

The PNC Financial Services Group, Inc. Business Continuity Program

How to Develop Successful Enterprise Risk and Vendor Management Programs

Moving Towards Integrated Operational Excellence Matthew Littlefield President and Principal Analyst

A Case Study in Global Supply Chain Risk Management: How AGCO Implemented an SCRM Solution to Save Millions

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES

Information Security Management System for Microsoft s Cloud Infrastructure

RISK MANAGEMENT REPORT (for the Financial Year Ended 31 March 2012)

S 2 ERC Project: A Review of Return on Investment for Cybersecurity. Author: Joe Stuntz, MBA EP 14, McDonough School of Business.

APICS 2012 SUPPLY CHAIN RISK INSIGHTS AND INNOVATIONS Digging Deeper into Real-World Practices in Supply Chain and Operations Management

PREMIER SERVICES MAXIMIZE PERFORMANCE AND REDUCE RISK

SALES AND OPERATIONS PLANNING BLUEPRINT BUSINESS VALUE GUIDE

ENTERPRISE MANAGEMENT AND SUPPORT IN THE AUTOMOTIVE INDUSTRY

Supply Chain Risk Management and the Role of Resilinc

Why you should adopt the NIST Cybersecurity Framework

A proven 5-step framework for managing supplier performance

Placing a Value on Enterprise Risk Management ADVISORY

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

Accenture Risk Management. Industry Report. Life Sciences

Aon Risk Solutions. Life Sciences Practice. Providing End-to-End Solutions for Life Sciences Companies. Risk. Reinsurance. Human Resources.

Cisco Network Optimization Service

Next-Generation Supply Management

How to Leverage SRM for Supply Chain Resiliency. How to Leverage SRM for Supply Chain Resiliency

Enterprise Information Management for the Food and Beverage Industry

E2 COLLABORATIVE INVENTORY MANAGEMENT

Risk-Based Supply Chain Auditing

How To Save Money At The University Of California

OBIEE 11g Pre-Built Dashboards from Oracle Courtesy: Oracle OBIEE 11g Deployment on Vision Demo Data FINANCIALS

MANAGING RISK IN OUTSOURCED MANUFACTURING. An E2open White Paper. Contents. White Paper

Addressing Risk in Partner / Contractor Selection and Onboarding. Michael Davidson VP Quality Systems and Compliance March 2014

BlackStratus for Managed Service Providers

Managing Risk in the Global Supply Chain

Dynamic Simulation and Supply Chain Management

ENTERPRISE RISK MANAGEMENT FRAMEWORK

Metrics by design A practical approach to measuring internal audit performance

FOOD FOR THOUGHT Topical Insights from our Subject Matter Experts

Domain 1 The Process of Auditing Information Systems

CLICK TO OPEN FOOD AUTHENTICITY FIVE STEPS TO HELP PROTECT YOUR BUSINESS FROM FOOD FRAUD

nfx One for Managed Service Providers

How ERM programs evolve

Waste Fleet Safety: Tips and Tools to Ensure Safe Driving. White Paper.

The Path Ahead for Security Leaders

Factoring Risk into Transportation and Logistics Sourcing

Optimizing ROI: The Business Case for Cloud-Based Unified Communications. CapEx

The Fulfillment of AS 9100 Rev C Requirements by EnterpriseIQ

Evaluation Guide. Sales and Operations Planning Performance Blueprint

Privacy by Design Setting a new standard for privacy certification

CYBER SECURITY DASHBOARD: MONITOR, ANALYSE AND TAKE CONTROL OF CYBER SECURITY

APICS INSIGHTS AND INNOVATIONS SUPPLY CHAIN RISK CHALLENGES AND PRACTICES

fs viewpoint

Maintenance, Repair, and Operations (MRO) in Asset Intensive Industries. February 2013 Nuris Ismail, Reid Paquin

ON Semiconductor identified the following critical needs for its solution:

DOUBLECHECK VENDOR MANAGEMENT

E-Commerce at Wells Fargo. SF IIA/ISACA Presentation

Business Continuity Management

Microsoft s Compliance Framework for Online Services

Corporate Performance Management Framework

The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v

pg. pg. pg. pg. pg. pg. Rationalizing Supplier Increases What is Predictive Analytics? Reducing Business Risk

Establish Collaborative Strategies to Better Manage a Global Vendor Network Devise a Proper Float Plan

Five keys to a more secure data environment

Expense Management Strategies for an Economic Downturn. Report prepared by Accenture in collaboration with American Express

A Forrester Consulting Thought Leadership Paper Commissioned By Zebra Technologies. November 2014

Mitigating and managing cyber risk: ten issues to consider

Smarter Supply Chain The Role of Advanced Analytics in Optimizing Supply Chain and Managing Complexity

Companies turning to Trade Credit Insurance in an unpredictable and debt-laden world

Trends in Global Employee Engagement

The Future of Investment Compliance for Asset Owners: The Next Great Transformation

High Performance in Procurement Risk Management

The expression better, faster, cheaper THE BUSINESS CASE FOR PROJECT PORTFOLIO MANAGEMENT

BlackBerry Reports Strong Software Revenue and Positive Cash Flow for the Fiscal 2016 First Quarter

Optimize Application Performance and Enhance the Customer Experience

manageservices Managed Services for Intelligent Infrastructure

GOVERNANCE AND SECURITY BEST PRACTICES FOR PAYMENT PROCESSORS

Achieving Competitive Advantage Through Supply Chain Excellence. Jim Webb, Senior Vice President of Operations, Provista

NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015

A To Do List to Improve Supply Chain Risk Management Capabilities

Wealth management offerings for sustainable profitability and enhanced client centricity

CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS

Supplier Strategies for e-tailing Success A Fresh Look at e-tailing, Online Shopping And the Aftermarket

IT Audit Perspective on Continuous Auditing/ Continuous Monitoring KPMG LLP

White Paper from Global Process Innovation. Fourteen Metrics for a BPM Program

Supplier Relationship Management Tools

Business Continuity Management Governance. Frank Higgins Abu Dhabi March 2015

Transcription:

BEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT John Deere Supply Chain Risk Management INTERVIEWS Glen Schwab Director of Supply Management Robert Smola Manager, Supply Chain Risk

The Next New Things in Supply Chain Risk Management John Deere is integrating data, some of it drawn from proprietary surveys, into a supplier risk management tool. It is using big data analytics to make supply chain risk management pro-active and predictive. Deere s Enterprise Supply Chain Risk Council brings global supply chain leaders from different divisions and regions together to establish risk management processes across the company. This creates opportunity to pilot new tools and practices locally. A key advantage is that the council creates a network in which successful factory pilots can be captured and shared globally. Company Overview From its birth in 1837 in a blacksmith shop in Illinois, John Deere has evolved into a global brand with one of the most recognized trademarks in the world. The company has operations in more than 35 countries with annual revenues in 2014 of more than $36 billion. John Deere offers construction, agriculture, and forestry equipment, as well as parts, financing services, and other support on six continents. It distributes its products and services to customers through independently owned dealerships. As a company, Deere focuses on reputation and trust, and its core values of integrity, quality, commitment, and innovation. 2

Organizational Approach to Supply Chain Risk Management Risk management is part of John Deere s corporate culture. Every quarter, the company s board of directors receives a briefing on a particular segment of risk exposure and management. Once every two years, the board closely examines supply chain continuity, and compliance and mitigation actions. The Enterprise Supply Chain Risk Council is a voice for different divisions and regions of the company. It promotes common tools to manage, mitigate, and rate capacity planning or financial risks across all platforms. Each division has the freedom to develop and experiment with new tools. Deere strategically decided not to centralize the risk program. They wanted to allow organic development of best practices and learn from pilots in different divisions. The risk council believes that good ideas, risk-based or otherwise, are not limited to a central business unit. Our best practices and tools get better because every division is out tinkering with these processes and making them better, said Glen Schwab, supply management director for John Deere. The critical advantage is that the Supply Chain Risk Council network creates the capacity to capture that knowledge and extend it across the company. One of the unique aspects of the Deere supply chain risk management program is the ability of its leaders to communicate swiftly up and down the management chain. Whether there is a powerful new tool or an emerging risk coming from a factory, the risk council can quickly review the proposal with leadership. What makes us unique is that, even though our company has almost 60,000 employees, we have the ability to reach out to the factory floor or the right leaders instantaneously for emergencies, and in a timely manner for less critical decisions, said Bob Smola, John Deere s supply chain risk manager. Business Case for Supply Chain Risk Management Supply chain risks are tied directly to financial outcomes. The two main risk management metrics are supply chain continuity and compliance. Both consider the likelihood of an occurrence and its impact. Risk managers measure continuity risk and compliance risk by the potential impact on operating income and market capitalization. 3

Supply Chain Overview John Deere s approach to supply chain risk management can be understood in the context of its four supply chains: The indirect materials supply chain includes contracted services from building services to construction to capital equipment. Because of their relatively high availability, these services have lower risk to impact the continuity of manufacturing operations. The external supply chain includes parts purchased from third-party suppliers for use in Deere factory operations. The inter-factory supply chain includes the parts that Deere factories produce for other Deere factories. These make up the highest volume of direct materials used by Deere for production. John Deere Electronic Solutions (JDES), which was founded in 1987 and fully acquired by John Deere in 1999, produces electronic components for use in Deere equipment. While it is a global supply chain, the nature of the components and fabrication are quite different from the rest of Deere s products. JDES is one of the primary suppliers to the inter-factory supply chain with products like electronic circuits and control modules. Guiding Principles of Supply Chain Risk Management Throughout all supply chains, common processes are used to guide common tools. The company attempts to use the same risk processes, but adjusts the criteria for what constitutes a risk and how it must be mitigated based on the four unique supply chains. Primary Risk Assessment Tools Division Dashboards Third-Party Financial Analysis Compliance Verification Supplier Capacity Evaluations Project Tracking Lean & Quality Risk Plans for Strategic Suppliers Supplier Risk Module Assessment 24/7 Event Alerts Impact Factory & Product Line 4

There are five major categories in John Deere s Supply Chain Risk Management program: 1. Performance Risks: The company examines data on quality and delivery, and identifies trends that might indicate that suppliers are going off track. 2. Financial Risks: John Deere engages an independent company to analyze the financial health of its private and public suppliers. 3. Event Management Risks: John Deere constantly monitors weather events, geopolitical issues and other incidents that could have a continuity impact. 4. Compliance Risks: The compliance category ensures that suppliers meet basic requirements and comply with appropriate standards and documentation requirements. In early 2014, Deere launched a pilot program that increased its scrutiny of supplier practices that could affect Deere s brand and reputation. 5. Strategy Risk: The strategic risk category assesses risk before a supplier or product is chosen. It is often prohibitively expensive to mitigate a risk (such as having a single supplier, or choosing a part from an unreliable supplier) after the production process is put into place. Strategic risk extends risk assessment into the product design and component sourcing phases. We re thinking ahead and moving toward a more proactive strategy in which risks are identified and rated before decisions are made. Our product lines are always advancing in technology and one of the distinguishing features of that innovation is that there s not a lot of competition, said Glen Schwab. From a company perspective, that s exactly where you want to be. But, from a supply chain perspective, it means single sources and increased risk. So, we re beginning to ask, What is our risk exposure if we single source this technology and take it across different product lines? Do we need to develop an alternative technology to mitigate that risk? That early stage assessment of risk is new for us. Managing Supply Chain Risks: With the broad scope and scale of John Deere s business, managing and prioritizing external supplier risk is conducted primarily through the lenses of capacity, financial, quality, and compliance risks. How risks are prioritized often depends on specific geographies and the timing of the business cycle. For example, compliance becomes a major risk in emerging economies like China. When the business cycle is on an upturn and demand is expanding, supplier capacity becomes the number one priority risk. But, in the current global agricultural downturn, the financial health of the supply base has become a top concern. 5

Supplier Data for Analysis Annual sales Factories supplied Facilities supplying Deere Competitive position Business with Deere Performance metrics Future business opportunities Strengths Gaps & challenges In the past year, Deere surveyed the majority of its direct suppliers in detail about their other customers and market segments to identify any supplier dependencies on a single industry (large agricultural, construction, etc.) and/or John Deere itself. The intent was to get more clarity on revenue exposure based on the industries they served. More than 90 percent of the suppliers responded to the survey. Deere used Pareto analysis to analyze the data and identify critical market segments to monitor for available short- and long-term capacity. Today, John Deere uses its big data capabilities to share 18-24 month demand forecasts with its suppliers, so suppliers can plot Deere s demand by part number. They can model the impact of John Deere s demand schedules on their own production. Deere can see those models and, in turn, verify the capacity and flexibility of the suppliers to meet that demand. Deere actively monitors its suppliers financial health. To do this, it uses an outside service that solicits financial information directly from suppliers because many of them are privately held. For the publicly held companies, Deere uses a third party to collect financial data. When a supplier exceeds a certain level of financial risk, Deere sends a specialist on-site for a deep-dive risk review, and the supplier will be closely managed until they come back within the acceptable risk tolerance level. Financial Risk Assessment Criteria Low or negative EBITA profitability Higher levels of debt versus total assets Low or negative working capital Low sales efficiency High levels of liabilities versus equity High levels of inventory Interest coverage is low or negative 6

Adding New Suppliers: In 2013, Deere developed a supplier add process as a risk tool. In the past, there were few limits on adding new suppliers to the approved supplier list. Now the process is formalized to limit the number of suppliers added and ensure risks are addressed. The process includes a compliance check, financial audit, advanced quality audits, and assessments prior to onboarding. These are a deterrent to adding new suppliers that have not been vetted. This rigorous process requires material managers to meet with a ratings company. Suppliers must identify risks based on likelihood and impact, and determine applicable mitigation plans. The process is applicable to all four supply chains, includes financials and compliance, and serves as a deterrent to adding excess suppliers. When a supplier risk is identified, the risk is rated and the supplier is expected to develop a mitigation plan. At a quarterly meeting with each division, suppliers are reviewed to ensure the risk was mitigated. In addition, scorecards help the mitigation efforts and make reporting a closed-loop process. John Deere s supply management professionals have received financial risk education and have been trained to ask their suppliers financial questions. Employees learn how to read a balance sheet so that they can rely on their own financial acumen. Managing Internal Factory Risk: Deere has an enterprise supply management organization and a factory supply chain organization. Nevertheless, they consider themselves one organization, with shared strategies where it makes sense. Common processes and tools are developed to enable a factory in Asia to operate almost exactly like a factory in North America, South America, or Europe. Internal and external supply chains are governed by Supply Management directors who set sourcing policies. Supply Chain Continuity John Deere s corporate business continuity team works with the company s factories on basic program elements like business continuity plan development, fire protection, and redundancies. One of its redundancy strategies is to implement standardized operations throughout its factories. The company can quickly move a part to an alternate manufacturing location if the factory that normally produces the part is unable to produce it. Deere expects suppliers to develop their own business continuity plans; it has a closed-loop risk mitigation review plan. Identified risks are discussed, and Deere and a supplier must jointly agree whether a risk is monitored, mitigated, or accepted. Divisions are held accountable for the process that has been decided. Impact and likelihood estimates help guide the decision. 7

Cyber Risks IT has revolutionized the agricultural industry in the first decade of the 21st century. Agricultural equipment is now connected to an entire network of information from GPS systems that enable precision farming, to information on crop prices and commodity futures, to RFID tag readers to track hay bales. With that tremendous contribution to productivity and optimization comes new cyber risks as well. John Deere has addressed cyber supply chain challenges quite differently than its competitors. When it acquired John Deere Electronic Solutions (JDES), the company gained the capability to develop and manufacture advanced, rugged, integrated electronics for its equipment. JDES does not produce all of its own components; it strategically outsources parts. Because of the special cybersecurity challenges, JDES manages its supply chain risks differently than the company does its other supply chains. It maps supply chain down to the second- and third-tier levels and can identify its suppliers by GPS coordinates. It requires dual sourcing of key parts and places additional compliance requirements on its suppliers. Standards John Deere requires that all suppliers comply with a Supplier Code of Conduct that includes a number of supplier expectations, including employment fairness (compliance with non-discrimination, labor laws, protections against harassment); health and safety; environment protection; and anti-corruption. It also requires suppliers to: Protect all John Deere information, electronic data, and intellectual property with appropriate safeguards. Support a management system that ensures that they comply with applicable laws, regulations, and John Deere policies. Maintain supply chain transparency to confirm compliance to this Code of Conduct. John Deere reserves the right to request documentation, conduct on-site audits, review and approve corrective action plans, and verify implementation of corrective action. 8

Conclusion While John Deere is already a leader in supply chain risk and resiliency, the company plans to continue to build on existing efforts to gain a competitive advantage. The company is working on: Early engagement in product development Risk measured in supplier performance scorecards Extended tier visibility for supply chain partners Prescriptive/cognitive analytics Real-time alerts for potential supply chain disruptions Supply base self-managed risk There are a number of trends, including an emerging supply chain risk culture and alignment among divisions internally, that should help them achieve their goal. Externally cooperation and buy-in from suppliers, as well as new tools and processes, are also helping. 9

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information