Tom Starner

Tom Starner is a freelance business writer and editor. He can be reached at [email protected]

Supply Chain Risks

Modeling the Chain

Complex supply chain risks are prime territory for analytics to close coverage gaps, root out weak or risky suppliers, and ensure business continuity.
By: Tom Starner | October 15, 2015 • 10 min read

When the massive Tohoku earthquake erupted off Japan’s coast in March 2011, the ensuing tsunami took thousands of lives and more than 125,000 buildings, and caused nuclear meltdowns.


Tucked inside the death and destruction was an issue that spurred a more focused look at using data analytics in supply chain risk management: a shortage of specialty pigment in Japan. That forced automakers — including Chrysler, Ford, Toyota and GM — to temporarily restrict orders on vehicles in certain shades of black, red and other colors.

The pigment, called Xirallic, at the time was produced at only one factory in the world — the Merck KGaA Onahama plant near the Fukushima-Daiichi nuclear power station. The plant quickly was evacuated and shut down. It took months to restart manufacturing and resume deliveries, according to reports.

In the four-plus years since, the use of data analytics has started to gain traction due to both improved technology and the risk complexity inherent in the supply chain process — as the Japan paint pigment scenario clearly demonstrated.

“Applying analytics to assess supply chain risk is relatively new,” said Erika Melander, manufacturing industry lead at Travelers. “Of course, the main challenge is trying to predict the future in general.  We can try and make assumptions about what might happen based on historical data and the trends we expect to see going forward, but nothing is guaranteed.”

Travelers, which has a strong book insuring manufacturers, surveys thousands of accounts each year and analyzes claim trends on a regular basis, said Melander. That process helps Travelers understand how it can help insureds protect their brand and reputation, manage their supply chain risks and keep their employees safe, she said.

“The marketplace is constantly changing and it is crucial for manufacturers to be poised for change so that they can adapt to new laws, materials or customer demands,” she said.

Marc Paasch, global head of alternative risk transfer solutions with the Willis Group, said the challenge in using predictive analytics for supply chain risk is taking a very granular approach and quantifying it.

He breaks the process down into hazard risks (CATs, political disruption, etc.), operational risks (key suppliers failing to deliver for one reason or another), financial risks (taking a lean stock approach and running out of inventory due to a supplier issue) and strategic risks (acquisition of a supplier, resilience of supply chain, etc.).

Anthony Moraes, managing principal at Integro Insurance Brokers in San Francisco, noted that predictive analytics for supply chain is becoming a much larger factor in his business, which mainly focuses on Silicon Valley.

“We are very involved in tech companies that primarily outsource their manufacturing, so they have large, often complicated supply chains,” he said. “Where they can identify and quantify risks, we can place the coverage, take it to the markets.

“If I had to tell a tech company anything about this issue, it’s that we can get better at supply chain risk management using predictive analytics. That’s the good news,” Moraes said. “The bad news is gathering the best data you can to predict your risk.

“It comes down to, do they really know their own supply chain? If so, good. If not, predictive analytics are not going to be much help to you.”

Hurdles to Overcome

It is all about the data, which is not only difficult to get, but can be subjective and hypothetical.

“A supply chain has a lot of people, places and things associated with it,” said Ben Fidlow, global head of core analytics at Willis Group. “The data is out there, but it may be in 20 different places. Getting an organization to collaborate and offer up their information when they have a siloed view is very difficult.”

Apart from up-to-date, usable data, Willis’ Paasch said, another hurdle is insight into the “elasticity of the flow and price of goods.”

For example, any specific incident may change the whole microeconomic view of the prices of goods and services. A customer might be fine with a delay of a week, but the company could lose customer base if that delay stretches to eight or 10 days.


Organizations need to have someone close to all of the factors so there is a true feel for the potential consequences.

That requires modeling the whole chain, from raw materials to final product. Once the chain is mapped, the organization must focus on every single segment, such as impact on price because of a change in raw materials, impact of delayed transportation or strikes, border issues, and property damage risks.

One large client using a supplier in Indonesia, he said, was discovered to be using children in the production line. It had to close the plant, which created a significant disruption.

Property risks are easier to model, but the impact of compliance risks and unexpected events make modeling supply chains challenging, Paasch said.

Kevin Brooks, an executive with Ivalua, an international spend management and procurement solutions provider, cited a study by PricewaterhouseCoopers that found that companies that treat their supply chains as strategic assets achieved 70 percent higher performance in key financial and operation metrics. Yet, the study found, only 45 percent of businesses view their supply chains in this way.

Companies that have experienced a significant supply chain disruption or problem are much more attuned to the issue of supply chain risk than others, he said.

For many, it is a question of both definition and probability, Brooks said. What kind of risk, exactly? Quality? Financial? Performance? And how can the organization adequately assess the likelihood or severity of something happening?

“Most feel they are already capturing some level of risk screening during strategic sourcing, and nearly all manufacturing companies maintain a level of ongoing scorecarding and performance assessment with their top tier suppliers,” he said.

Non-manufacturing companies, however, are less defined about their risk programs unless they are in regulated industries such as health care or banking. And even there, risk assessment happens only with the most strategic tier of suppliers.

“There typically isn’t enough bandwidth or cost justification to be as rigorous with the long tail of other indirect suppliers,” Brooks said.

Solutions Are Improving

Bindiya Vakil, CEO at Resilinc, a cloud-based supplier of supply chain risk and resilience intelligence and analytics, has spent the past decade studying supply chain dynamics. For many companies, she said, supply chain complexity is the No. 1 challenge.

The first step is to identify the most impactful suppliers and part numbers. So, if a supplier delivers 50 parts across 40 products and the result is a billion dollars in sales, it obviously has a major impact should problems occur. On the flipside, you could have a supplier whose revenue impact is high but risk score is very low (financially healthy, good continuity plans in place, safe locations, etc.). That would lessen their risk profile.

“What we find with supply chain is managing risk has been a core goal, but the problem lies in the inefficient processes that cause information to be sketchy and incomplete,” Vakil said. “They say they do supply chain risk management, but once you peel back the onion you will find they are not doing a very thorough job.”

A thorough job requires reaching out to suppliers, including Tier 2 suppliers and maybe beyond, to get information about global locations, the parts being built, and recovery time should problems occur.

Vakil said Resilinc sees supply chain analytics more as a proactive tool than a predictive one.


“We are not trying to predict the next event, but we can say that’s the right or wrong thing to do should an event happen,” she said. “It’s about discovering where the biggest impact is along the chain and how to manage if something should go wrong.”

At the same time, she added, it’s about being ready to act because there is no way around it: Supply chains are truly risky and the next problem can come from just about anywhere.

“We do an event watch, 24/7 monitoring of the global supply chain with thousands of sources including social media, and anything that can shut down the supply chain,” she said. “No matter what it might be, the issue is: Are you prepared?”

At Travelers, the carrier offers a supply chain pressure test that helps manufacturers identify the links in their supply chain that may be most at risk.

At the end of the test, results are compared to a peer group, and Travelers makes specific resources available based on the test results.  According to Melander, some of the latest advances in using analytics to manage supply chain risk include traceability/tracking, demographics, key performance indicator (KPI) reports and big data.

“I would consider supply chain a function of liability and property risks versus a stand-alone exposure,” she said.

“We capture data points that are industry-specific so that we have information that will be helpful to not just food manufacturers, but also at a more granular level, for businesses such as bakeries, dairy product manufacturers or craft breweries,” she said.

“Of course, industries with more complex supply chains will need more analytics.”

Melander cited a large manufacturing insured that used analytics to help identify a weakness in its supply chain with respect to product quality. As a result of tracking warranty claims, the insured noticed that one of its models needed to be serviced more frequently than it would have expected.

While the manufacturer was investigating this, a customer submitted a claim because the product failed and ultimately caused severe bodily injury to one of the customer’s employees.

Because the insured had already identified a potential issue, Travelers’ forensics lab looked at the model in question and identified a specific component that was causing the model to fail.  The supplier it had used for the component was the low-cost option.

The manufacturer then changed suppliers. It cost more up-front, but ultimately saved money from warranty servicing. Additionally, putting a safe product into the marketplace allowed the insured to protect its brand.

“Manufacturers especially should constantly use data to re-evaluate their operations and their supply chain practices,” Melander said. “They should also actively engage with their agent or broker and carrier in order to use data to stay apprised of trends and safety practices that are common in the industry.”

Willis’ Fidlow noted that businesses are crying out for expanded analytics tools to manage supply chain, which by its nature represents serious coverage gaps and has been an underserved market because of the previous limits on technology and predictive analytics.

To that end, Willis has been building a mapping solution that uses layered models to help clients manage supply chain risks over various financial periods.


“There definitely is no insurance product right now covering everything,” Fidlow said. “Some pieces are well covered and some fall into gaps.

“In the future, we will be trying to combine it all to increase the footprint of our solution. It’s an evolution, and with supply chain risk getting even more complex due to globalization, it’s also a huge opportunity.”

Insurance carriers are often a key resource for up-to-date data, said Travelers’ Melander, noting that larger carriers often will have information targeted to many industries across the United States and even across the globe.

“If businesses do not use data available to help manage potential weak links in their supply chains, they are then at risk of losing ground to competitors that are using analytics to help with risk management, and not just for cost savings,” Melander said.


Health Care Cyber Risk

Closing the Data Risk Gap

Health care risk managers may not be able to stop data attacks, but they can follow some basic strategies to minimize the impact. 
By: Tom Starner | October 15, 2015 • 8 min read

Within the past year, health care insurers Anthem, Premera, and CareFirst Blue Cross Blue Shield all fell victim to hackers, with the attack on Anthem garnering the most media attention.


In the Anthem case, hackers obtained names, birthdays, email addresses, Social Security numbers or medical identification numbers, addresses and employment data, including income, from a database that had information on 80 million people across 14 states.

The weak upside to the hack was that no credit card or actual medical information — such as claims, test results or diagnostic codes — was stolen.

But to many observers, it comes as no shock that data security within the health care industry is vulnerable.

“Health care companies today are facing unprecedented threat levels whilst many are still battling to implement some of the most fundamental IT security controls,” said Graeme Newman, chief innovation officer at CFC Underwriting, a specialty lines underwriting agency based in London.

KPMG recently reported that health care organizations are at increased risk for cyber attacks because of the “richness and uniqueness of the information that health plans, doctors, hospitals, and other providers handle.”

Its report, “Health Care Cybersecurity Survey,” found that 81 percent of health care executives said their organizations were compromised by at least one malware, botnet or other cyber attack during the past two years.

Only half of the respondents felt adequately prepared to prevent attacks.

“The magnitude of the threat against health care information has grown exponentially, but the intention or spend in securing that information has not always followed,” said Michael Ebert, a KPMG partner and health care leader at the firm’s cyber practice.

Teamwork Needed

The problem for risk managers is they have options, but little real authority, to deal with cyber security issues.

“A risk manager has the power to effect change, yes — ensure it, no,” said Ryan Kalember, senior vice president, product marketing, at Proofpoint, a cloud-based security and compliance firm.

Anthony Giandomenico, senior security strategist with Fortinet, a cyber security provider in Sunnyvale, Calif., said that an overall risk-based approach is necessary to build in information security and protect data assets.

Today’s sophisticated attacks, the complexity of networks, the volume of attacks and the fact that security budgets are always shrinking mean that standard best practices for security controls are insufficient, he said.

“There are many vulnerabilities within an organization — the key is for the security and risk management teams to understand the true risk to the business and make those vulnerabilities top priorities to address,” Giandomenico said.

Without a risk-based approach, there may be misallocation of security budgets, and ultimately, the company suffers because too much effort and spending was focused on an area that had very little impact to the overall business, he said.

“This leaves the bigger risk impacts neglected, leaving the company less secure and more open to bigger impacts when breached,” Giandomenico said.

He said risk managers have a big part in this, but it’s up to the chief information security officers (CISOs) to work with risk managers to figure out how to interweave the security program into the company’s risk management program.

This is challenging for some CISOs who do not possess a strong business or risk management background.

Protected Health Information

In the typical organization, ensuring that health care records are properly secured is a matter of implementing many processes and technologies, depending on the myriad ways that protected health information (PHI) is actually used, both inside and outside electronic medical records systems.

“CISOs, let alone risk managers, are not typically empowered to ensure that all the right technologies are used and processes are implemented or followed, so it is imperative to collaborate across functions. Risk managers can play a key role in that,” Kalember said.

He added that different PHI applications have different implications for risk, and risk managers should be aware of the proper technologies and processes to secure those applications.

For example, data masking and anonymization for group health care data are two protection strategies. However, he said, risk managers will typically have to work with their broader IT and IT security teams to ensure the appropriate technologies and processes are actually implemented.

The challenges are many, said CFC’s Newman.


The health care industry is riddled with legacy IT platforms, many of which were built years ago when security was not top of mind, he said. Furthermore, IT budgets are often restricted and gaining board approval for significant investments into information security is not an easy task.

“But fundamentally, it is important to remember that this is an industry where data security is not the primary purpose, which is saving lives and providing vital health care services,” Newman said.

Newman said risk management teams within health care rightly focus primarily on issues such as patient safety. At the same time, he noted, health care data is hugely valuable, adding that there is a thriving underground market for the resale of medical data and increasing levels of interest from state-sponsored hacking groups.

Cyber Policy Purchases

Newman said that more than 90 percent of the world’s cyber insurance is purchased in the U.S., but to date, cyber policies have been very generic — for example, a retailer typically buys exactly the same policy as a hospital.

“Fundamentally, this is not right,” he said. “There are many very specific differences in exposure and this is what our specialist product aims to address.”

Keeping IT security a core part of any selection of vendors or partners is also crucial, he said.

When it comes to information security, he said, most companies will only really take it seriously when they start to lose business because of it.

He recommended risk managers undertake regular audits of all suppliers as a key component within an overall risk management program.

“Most companies still don’t do the basics,” he said. “We see countless cases where patient data is stored on unencrypted laptops or portable memory sticks.”

Losing these devices then results in serious financial loss, regulatory actions and significant reputational harm. In many cases, this can be mitigated by simply activating built-in encryption technology or installing one of the many third-party encryption technologies (at little to no cost).

Patch management is often neglected as well, he said.

Simply put, the vast majority of successful hacker attacks or malware outbreaks exploit known vulnerabilities. By patching systems on a regular basis and keeping applications up-to-date, these known vulnerabilities will be closed.

Risk managers also need to recognize that people generally are an organization’s biggest risk.

Data must be made available to employees to be useful, but all staff need to be made aware of the risks and trained on the steps that must be taken to ensure that data remains secure.

Third-Party Risks

Austin, Texas-based Michael Bruemmer, vice president, consumer protection, at Experian Data Breach Resolution, said that sharing data with third parties is definitely a serious concern when it comes to data security.

To Bruemmer, the good news is there are steps risk managers can take to proactively plan for such an incident, including requiring vendors to have the same security standards in place as their own in-house security policies. “The recent proliferation of data breaches is spurring more companies to update contracts with third-party vendors to hold them liable in the event of a data breach,” he said. “And, specific to the health care industry, HIPAA and HITECH laws require any third parties handling protected health information to be liable.”

Since data breaches are not always preventable, Bruemmer recommended several strategies, in addition to having a data breach response plan.

First and foremost, he said, make sure vendors and partners are protected by a cyber insurance policy because that will indicate a high level of preparedness. Companies should also ensure third-party risks are accounted for within their own cyber insurance policy.

“Ideally, risk managers will have ensured in advance that third-party partners — such as their insurers — are abiding by the same data protection standards and their contracts hold them liable for data lost during a breach,” he said.

Another strategy is to conduct frequent security training for employees, and have regular communication with regulators about expectations.

“While it may be out of a risk manager’s control that employee data is lost in a breach, they should be prepared for how to respond to this type of incident,” he said, noting that cyber incidents can range anywhere from an “Anthem-type” data breach to a compromised implantable medical device.

Whether the entire workforce or just a small group are affected, a data breach is not a good reflection on the company and poses risks for lawsuits and regulatory fines.


To respond effectively, the response plan should especially consider how to communicate with and protect employees.

For example, Bruemmer said, employees are typically more active and engaged compared to customers after a data breach, so that requires risk managers be prepared to account for a higher volume of requests in their call center and online forums.

They should also account for a potentially higher redemption rate of identity theft protection services.

“It is definitely possible for an employee to file a lawsuit against their employer if they are impacted by a data breach,” he said. “As with any data breach, risk managers can account for this by having legal counsel available as part of their incident response plan.”


Employer Liability

Banning the Box

Asking applicants about crime convictions creates employment liability exposure.
By: Tom Starner | August 31, 2015 • 8 min read

Deciding whether or not to ask job candidates on an application form if they have been convicted of a crime typically has been an easy call for employers.

By using that little job-application checkbox, the thinking was that employers are helping to protect existing employees from potential harm (and avoiding litigation if workplace violence does occur) and, at the same time, reducing enterprisewide risk (mainly in some form of theft).


Until recently, that decision was fairly easy because in every state except Hawaii the checkbox was perfectly legal (Hawaii passed a law banning it in 1998). In recent years, that has been changing.

As of now, 18 states have adopted “ban-the-box” policies for public sector jobs.
Seven of those states have made private employers and government contractors remove the conviction history question on job applications as well.

The National Employment Law Project (NELP), a major advocate for making the change, also reports that currently there are more than 100 cities and counties that have adopted ban-the-box laws and 25 municipalities that have extended the ban to the private sector.

In NELP’s view, ban-the-box initiatives provide applicants a fair chance by delaying the background check inquiry until later in the hiring process. There are opponents, primarily some U.S. business and industry groups.

For example, the National Federation of Independent Businesses (NFIB), which counts mainly small employers among its 350,000 members, says on its website that ban-the-box laws would “unduly suppress relevant criminal record information” about prospective employees.

The NFIB added that without having that information, employers can’t protect their business from loss or secure the safety of their employees, vendors and the general public when making hiring decisions.

Opponents could be swimming against the tide. Apple, for instance, recently changed a policy that prohibited construction workers with felony convictions from working on its new campus construction in Cupertino, Calif.

Construction workers who lost their jobs because of felony convictions within the past seven years will now be evaluated on a case-by-case basis.

Wal-Mart, the nation’s largest employer, took the checkbox off its job applications in 2010. Target Corp. and Bed Bath & Beyond are other national retailers that stopped asking about an applicant’s conviction record during the initial phase of the hiring process.

Laura Kerekes, chief knowledge officer at ThinkHR Corp., in Pleasanton, Calif., said the momentum for adopting ban-the-box legislation is increasing. Removing the box from the application allows organizations to focus on an applicant’s qualifications in the early stages of the hiring process.

It gives the applicant a fair chance to showcase his or her talents early and put the criminal infraction in perspective with the applicant’s potential to be a great employee.

“Not all of these laws apply to every employer,” Kerekes said.

“Most apply to public employers and government contractors receiving public funds, while some also apply to private employers.”

She added that some of the laws are based on employer size, so small employers (10 employees or less) usually are exempt from these rules.

However, most ban-the-box laws today, though different from state to state and city to city, share features that prohibit employers from either asking job applicants about prior convictions or conducting criminal background checks on applicants prior to either a first live interview or a conditional offer of employment.

They also force employers to consider the amount of time that has elapsed since the conviction and what the applicant has done since, as well as consider only the conviction information that is directly relevant to the job being considered — such as credit or tax issues for positions in finance and accounting or offenses against children for teaching or child care positions.

Talent Shortage Plays a Part

“This issue has become a hot topic for our customers in some industries or regions, particularly in the financial services, hospitality and other services industries,” she said, adding that the job market is heating up, making the demand for key talent much harder to source and hire.

In addition to the hiring challenges they face, employers are focused on ensuring compliance with a myriad of regulatory rules, including negligent hiring and ban-the-box laws.


Sheryl Jaffee Halpern, a principal and chair of the labor and employment group at Much Shelist in Chicago, advises clients to eliminate the criminal question checkbox.

Instead, she said, job applications should include a statement that indicates the candidate consents to a background check as a condition of employment.

“It’s really accomplishing the same thing, which is finding out if there is a criminal history,” she said.

“But you are going about it in a way that doesn’t dismiss a job candidate for just admitting to having been convicted of a crime.”

Jaffee Halpern said the key is to tackle the issue candidate-by-candidate, conviction-by-conviction. For example, a 52-year-old job candidate could have shoplifted at 18, which means the information is pretty much irrelevant.

“If it’s a more recent, violent crime, that’s a different conversation,” she said.

Basically, she said, employers — both risk managers and HR leaders — must set a policy that determines if the decision to disqualify is “job-related and consistent with business necessity.”

“Just because an employer gets rid of the checkbox doesn’t mean they can’t do background checks and due diligence,” she said, adding that many times the decision to hire or not comes down to an instinctual comfort level.

Bob Tice, an attorney in employment law at Collins Einhorn in Southfield, Mich., noted that along with ban-the-box laws there is an ongoing legislative trend to reintegrate ex-offenders into the workforce.


Nonetheless, Tice said criminal history questions can legitimately influence employment decisions, notwithstanding the Equal Employment Opportunity Commission’s efforts to rein in what it sees as discriminatory hiring patterns against black and Hispanic job applicants by the use of criminal background checks.

In 2012, the EEOC issued new rules around arrest and conviction records in employment decisions under Title VII of the Civil Rights Act of 1964.

Soon thereafter, it sued both BMW and Dollar General, saying both had discriminated against minority job candidates through criminal background checks, a broader scenario than just a checkbox.

IP and Cyber Security Risks

Both cases are pending, but the EEOC has suffered some setbacks in court — mainly one involving PeopleMark Inc., a staffing agency — in which the EEOC had to pay $750,000 in legal fees and other court costs to PeopleMark.

There are legitimate nondiscriminatory business reasons that employers have questions about honesty of employees, Tice said.

“It’s not just about stealing cash or materials, but today it’s also intellectual property, digital materials, cyber security, that type of thing.”

Tice’s ongoing recommendation is to take the box off applications and not automatically exclude anyone. Then after the first interview, depending on the job, there may be a valid reason to exclude someone.

“One of the best things about that approach is you are only dealing with that one person,” he said.

When companies use the checkbox, they may inadvertently be racially profiling job candidates, Tice said.

James Reid, a shareholder at Maddin Hauser, also recommended doing interviews before any background checks.

“It is time for the checkbox to go,” he said.

He also advises employers to stay far away from social media to eliminate any possible bias until an interview is conducted.

“Anyone can get a misdemeanor charge and employers can be losing a huge talent pool. A person could have been in the wrong place at the wrong time.”

He noted that with the majority of the ban-the-box laws, employers are allowed to ask applicants about criminal records after the first interview.

That way, once they discover a person has a criminal record, they can find out what the crime was and the specific circumstances, and may end up hiring them anyway.

“It’s a good idea to use more than the checkbox before you throw their application on the junk pile,” he said.

ThinkHR’s Kerekes said the first step for organizations is to determine whether the ban-the-box laws apply to the organization.

Next, an employer that operates in multiple locations must consider each statute and determine whether to follow location-specific regulations or to consolidate the regulations into one “super policy” to be followed by the entire company.

In the latter case, the employer will need to follow the rules most favorable to the applicant. After all, she said, there is no real reason to wait for legal mandates to make the change and ban the box.


Once the strategy is defined, the regulations reviewed and rules developed, there are other critical steps for organizations to take, including:

  • Revise employment applications and all other employment materials to ensure that they comply with the law and company policies.
  • Review jobs within the organization to determine which positions require a criminal background check (those that require unsupervised access to sensitive work areas, handle sensitive or financial information, or work with children or the elderly, etc.) and how far back in the applicant’s job history to probe.
  • Review and revise the background checking policy and practices to reflect the company strategy.
  • Develop a process for notifying those applying for positions requiring a criminal records check (both before the check and afterward, especially if the applicant will be rejected from the position).
  • Determine when and who will ask the relevant questions about criminal backgrounds.
  • Train all managers and those involved in the hiring process regarding employment and discrimination law and the process and timing for asking about criminal backgrounds.
  • Conduct a thorough review and assessment of each applicant, based on objective criteria.

“Not all employers legally must ban the box,” Kerekes said.

“But every employer should follow the trend because it is gaining momentum, and also tighten up hiring processes to comply with legal requirements while creating a great user experience for all applicants.”
