It has become the norm that most organisations perform comprehensive due diligence on new suppliers and vendors as they go through an onboarding process. However, with constant changes to the business environments, and especially supply chains, it is surprising that the same amount of effort is not spent on continually monitoring suppliers for changes that may impact their ability to perform their critical roles.
The world’s economy has taken hit after hit in the last 2 years, so how can we still be sure our suppliers are who we think they are?
You might be aware of your industry and the businesses within it and your supply chain, but you don’t have access to see the health of their businesses and you can’t assume that your Procurement team are as aware of any one of a myriad of changes that may negatively affect your critical suppliers.
Can you ever really be across all that is happening outside your organisation that might have an impact on your suppliers and supply chain?
One such example is the collapse of Construction company ProBuild – credit checks would have raised red flags in October, the story only hit the media in February. Rumours were abounding for a while before, but nothing was certain, and rumours are not an easy thing to act on.
In another example, in December of last year, a company one of our customers dealt with for many years, who had a good record and credit history suddenly went into administration.
There were no indicators of this event until the ASIC (Australian Securities and Investments Commission) papers were lodged.
This happened right before Christmas. What would happen at your business if this was one of your suppliers?
Would you be able to catch any outgoing payments? What would your exposure be if you had any open contracts or purchase orders but did not respond in time? Would you be able to find new suppliers?
It is most likely that many of the customers of this company were already on leave and became aware of the situation much later, when it was already too late to stop payments or put invoices on hold, even more so to assess the impact on the current projects or to take care of the supply chain disruption.
You can see the number of credit inquiries for the supplier increased significantly in December, the risk score rating dropped and external administration was appointed.
In this case study, continuous monitoring highlighted that the vendor was in trouble through credit checks, flagging the change. It was clear that something was awry a full month before, with credit checks dramatically increasing. This could have been caused by slow bill payments for other companies, credit cards or other suppliers to this organisation.
What helped our customer to identify the issue early enough is through the ongoing monitoring of metrics such as tracking ASIC enquiries, payment defaults and ultimately the supplier credit risk rating which is calculated using sophisticated techniques.
Sometimes, there are too many factors to consider to manually assess whether a supplier poses a significant risk.
The drop in the risk score can be caused by a simple increase in credit enquiries or court actions but also by a combination of a few less significant factors which might seem innocent but together lead to a higher risk.
Collusion & Conflicts of Interest
A similar approach helps to identify potential collusion between suppliers and employees or a conflict of interest (an employee who is also a supplier) by cross-checking employee and supplier details or even director details from external data sources.
In one of the implementations of our COI monitoring solution, we initially focused on the core COI tests around matching employees to employees and employees to suppliers based on bank accounts, names, addresses and telephone numbers to identify relationships that might be potential conflicts of interest.
It is important to mention that data matching across multiple data sets can be a challenge due to the inaccuracy or incompleteness of data. This can be done through sophisticated fuzzy match technics instead of using exact matching.
Normally most of the matches identified are not issues if declared on the conflict-of-interest register. But how do you know that everything is being declared?
This was exactly the case for this company – no significant issues were identified.
However, eventually, the customer updated their HR (Human Resources) system which meant all employees needed to update their details and populate some new mandatory fields – the next of kin and their contact details – meaning that the algorithms started using this data too.
This new data gave us a hit. One of the employee’s next of kin matched with the contact for the recruitment company on the telephone number.
This was an undisclosed relationship – not a big deal as it seemed initially but the further investigation showed that:
- the recruitment company was paid currently 2% more than any other agent for the recruitment (this started as 4% less a but had slowly increased over time)
– their share of recruitment had gone up from 10% to over 74% of all recruitments
– they were promptly paid on offer of position (7 days), which was contrary to all other recruitment contracts in place
Other external data to use in a comparable way can be public information available through the Australian Business Register to check whether the ABN (Australian Business Numbers) status of the suppliers is active, ABN is valid, and the supplier is still registered for GST.
Or changes in ASIC status (application to deregister a company or notices of external administration) or a change in ownership or directors
Or politically exposed person or sanction lists as well as Adverse Media to check the company and its directors. This information is especially valuable when combined with the information available internally such as
- Current invoices – do we have any outstanding invoices for the risky vendor? Or if the vendor deregistered for GST, do they still charge us GST?
- Open purchase orders
- Average spend and frequency of spend – is it high enough to worry about a minor drop in the risk rating?
- Complaints, returns, disputes
- New contracts or prepayments
Due to increased levels of scrutiny over reputational risks, ongoing supplier risk monitoring becomes crucial to reduce exposure to supplier risk and conflict of interest.
Even though most companies have a mature and comprehensive onboarding process, it only involves a once-off checking of the critical details of new suppliers such as ABN and ASIC records, bank account details, directorship, credit score rating etc as part of the onboarding.
It is not easy to risk assess the vendor once they have been onboarded as the risk is changing based on other circumstances, very often out of your control or knowledge. The challenge is also to know when to recheck/re-assess your suppliers.
It is almost impossible to monitor potential changes of, say, 5,000-50,000 active suppliers even once a year which might still be too infrequent.
How can you be sure your suppliers are still who they were at the time of the onboarding?
One of the classic examples is a change of directors.
The suppliers should let you know about the change but very often they don’t. The change may mean this is now a different company to the one you onboarded years ago and may change the relationship that has been originally established. Ongoing monitoring of the directorship data can help to prevent potential issues caused by the change of directors.
Another example is bank account validation – normally there is a thorough check during the onboarding but what happens when your supplier sends an invoice with the new bank account – is it validated? This check can be done automatically through open banking as soon as the bank account is updated in the Vendor Master file.
Q: How does one go about prioritising which vendors are important to monitor to make this process more manageable?
A: By combining the external vendor monitoring process with monitoring of our procurement process, we can prioritise a subset of suppliers based on actual data points such as:
- Volume and frequency of spend with the supplier
- This can be coupled with trending this over time
- Open invoices, purchase orders and contracts
The important thing is to make sure that the process is manageable. Too many highlighted supplier changes with little or no consequence to you, will cause people to ignore these alerts. It is better to start off with a few critical notifications and expand these as you become more comfortable in your team’s capacity to deal with the exceptions
Q: Is it possible to do these exceptions in other countries?
A: It depends on the country. Currently, Satori can provide the full credit/insolvency check in Australia and New Zealand. However, when looking at director changes and conflict of interest, this is available for Singapore, Malaysia, China, and Vietnam. Sanctions/PEP/Adverse Media monitoring is available globally. We are continually incorporating new sources of data including new countries, so best check in with us for any specifics.
Q: How can we manage the case of a low-risk local supplier whose origins of his own supplier’s products is in a sanctioned country or entity?
A: We will always be limited by the data which is available to us. If you have requested your local suppliers to provide a list of their key suppliers, we can ensure these are monitored as well. Alternatively, you can request that they attest to the fact that they are not purchasing from such entities which discharge your legal obligations to monitor for this. In our experience, most organisations are not even monitoring their own direct suppliers, so it is always best to start there.
Q: Fraud risk or third-party risk is more about behaviour patterns than control testing. Does your toolset consider the behaviour and structures within the client organisation?
A: Absolutely. One can test for behavioural indicators such as excessive leave, frequent sick leave or patterns of work/leave which are outside the norm. For example, active directory logins at unusual hours. However, these must be combined with controls monitoring which acts as the foundation defence mechanism. For example, did we apply the correct approval processes? Is the supplier registered for GST and therefore entitled to charge it, etc.
Q: Are credit risk scores available publicly? If yes, where.
A: For private and public organisations, this information is not available publicly. At Satori, for Australia/New Zealand customers, we work with CreditorWatch and bring this data as part of our VRM (Vendor Risk Management) solution. There are others available in other countries which can be integrated into a monitoring solution. However, all attract a fee.
Q: How do you manage false positives?
A: This is a critical question that needs to be addressed for a CCM (Continuous Control Monitoring) solution to be implemented and adopted effectively. Too many false positives can overwhelm the organisation, leading to a loss of confidence in the results and ultimately the service being switched off. Our advice is to ascertain the organisation’s capacity for dealing with exceptions and ensure only material exceptions are being reported and escalated. Where false positives are being encountered, it is important to continually refine the rules/algorithms to correct these so that only valid results are returned. This must be part of any CCM process.
Q: How can you become aware of a supplier who suddenly opens a bank account in a suspicious country different to the country of registration?
A: There are several rules that can be created for this scenario. For example, any banking details different to the country of registration should be flagged, investigated, and followed up. Additionally, any bank account changes should be subject to verification and approval before being updated with the vendor master file. If these processes are not followed, a rule can be created that highlights that the process has not been complied with and should be followed up.
In conclusion
The volumes of internal and external data companies are dealing with today are increasingly growing – too many records, too many transactions, too many changes happening every day and too many things to check.
How can we be confident we know who our suppliers are at any point in time?
The three key components to shine a light on your suppliers are:
– An up-to-date vendor master file that is continuously checked with ongoing monitoring
– Leveraging the external information and using it in conjunction with various internal data
– Sophisticated Artificial Intelligence and Machine Learning techniques to connect multiple data sets in an unexpected way to discover the truth.
Learn more about Satori’s Vendor Risk Management Solution here
