How Financial Services (FinServ) Companies Can Best Mitigate Supply Chain Risk
We asked 18 financial services, security and risk management experts how financial services companies can best mitigate risk in the supply chain.
18 Experts Reveal How Financial Services Companies Can Best Mitigate Their Supply Chain Risk
Financial services companies are faced with balancing strict data privacy rules (such as PCI-DSS and GDPR) with the growing need to leverage customer data. And with more regulations looming on the horizon, companies must constantly keep up with the latest legislation, guidelines, and best practices to keep pace with compliance. Alongside these pressing demands, financial services companies must also find ways to better mitigate their supply chain risk.
It often seems like companies are being pulled in multiple directions at once, making a holistic approach to financial services security a must. To help you determine how supply chain risk fits into the overall security puzzle and steps you can take to mitigate those risks, we reached out to a panel of financial services pros, security and risk management professionals and asked them to answer this question:
"How can financial services companies best mitigate their supply chain risk?"
Meet Our Panel of Financial Services, Security & Risk Management Experts:
Read on for expert tips and advice from our pros on how financial services companies can best mitigate their supply chain risk.
Scott is the CEO and co-founder of Consero Global which is a Finance as a Service (FaaS) firm. Consero runs the finance function for over 250 companies nationwide and has assessed over 1,000 finance departments over the last 12 years.
"Unlike manufacturing, where the supply chain consists of moving physical objects, financial services supply chain issues..."
Revolve around information and knowledge transfer. This knowledge is most often held by the human capital of a company. Losing information, knowledge and experience to turnover and attrition is a key risk of human capital. Others include complacency and fraud. Risks associated with human capital can be mitigated with data and analysis tools, including emerging automated technologies, that collect and organize a company’s vital information. Outsourcing provides another option to keep an information supply chain running around the clock. While these solutions will help mitigate risks, of paramount importance are adequate internal financial control and information integration to assure a financial services company runs as it should.
Anna is the managing director of financial advisory firm M&A Solutions. She is a consultant to small to medium enterprises in the private sector in more than five countries. She has published papers in capital and finance, as well as complexity reduction, and has carried out ongoing research on model simplification with help of data analytics. She holds a CFA charter, and is a Fellow of Australian Institute of Actuaries.
"Financial services companies can mitigate their supply chain risk through..."
- Due diligence. Companies (brokers/asset managers) that have a very long cash cycle are a bigger risk and typically a bigger investment, too (since the balance is effectively your short-term investment into them).
- Credit rating. Good credit rating (if available) signals financial health of an organization in a broad way. Not too much debt, so as not to constrain the cash flows; robust risk policies; plenty of liquidity if needed.
- Cash reserves. As above, these are a good indicator if a partner has the capacity to invest in a new capability in crunch time, and/or will have the fat to last through the lean times.
It's important to keep in mind that risks are about opportunities as well as threats. All of this can be used as an advantage if you are customer-facing: identify the opportunity before others, pitch it upstream, and watch your partners help you realize it.
Charles Thomas is director of anti-bribery and corruption for LexisNexis Risk Solutions, a global data and analytics company, which helps corporations manage third party risk and comply with global anti-corruption and bribery legislation.
"For years, the global supply chains of corporations have been a murky business..."
Many companies have little knowledge of who they are really doing business with. Transparency is key. Better due diligence on third-party relationships improves transparency within the supply chain. But for many corporations, conducting this due diligence efficiently and effectively is a challenge; multi-national corporations may have tens of thousands of third parties and vendors. Just conducting a simple internet search on each of these vendors would take thousands of working hours, and even then might not be fully compliant with anti-bribery and corruption legislation.
By deploying accurate, efficient, automated screening-led due diligence and machine learning algorithms to speed up this process, a financial services company can reduce the cost and timeframe of conducting due diligence on a large number of third-party suppliers. Ongoing monitoring programs can automatically flag if a third-party supplier is connected to criminal activity or Politically Exposed Persons (PEPs), who pose a greater risk of corruption and bribery. Furthermore, global databases can link information, including names and addresses, to the right persons and entities, so a corporation can verify the identities of the suppliers they are working with. This enhances transparency within the supply chain without draining a corporation’s time or resources. Greater transparency then protects corporations from potential financial and reputational recriminations, and enables them to operate more efficiently.
Eyal Katz leads marketing for Namogoo's GDPR Insights, which maps personal data processing.
"In the age of GDPR in particular and privacy regulations in general, one of the biggest risks in the supply chain is..."
The transfer of personal data between supplier and vendor. Compliance tools can help find data leaks before hackers do and before they turn from leaks into full blown breaches. This is especially poignant due to the large fines produced by GDPR and the tenacity by which it is expected to be enforced.
Harry John is features writer at Procurement Leaders. Harry draws on five years' experience researching and writing about procurement, two of which were spent focusing exclusively on issues facing procurement functions in the financial services sector.
"Cyber risk is fast becoming a top priority for procurement and supply managers, particularly in financial services organizations..."
Which hand over large amounts of potentially sensitive data to third parties for processing. The protection of information that pertains to customers is of paramount importance to FinServ firms. As was seen when Equifax – a consumer credit reporting agency – was hacked in 2017, the fallout from data breaches can be ugly.
Yet procurement and supply managers cannot mitigate supply chain cyber risk alone. We spoke to Christos Dimitriadis, director at IT governance association ISACA and group director of information security, Intralot, and he said mitigating supply chain cyber risk requires buyers to cooperate with experts from IT and compliance during supplier evaluation and selection. "Their knowledge should feed the procurement process."
Gary aims to take technology to the next level using Distributed Ledger Technology. Gary is a seasoned technology executive with over twenty years of senior-level digital transformation experience. Yotta Laboratories was the brainchild of Gary, a firm whose mission is to create tomorrow’s technology today.
"Money does not grow on trees..."
In good times, risk creates a better return on investment; in bad times, risk is to be blamed. There is not an endless supply of money; there is a real supply chain of money in the UK and globally.
Banks hold our money, lend us money, and act as a profit center, but few actually understand risk. They deploy ‘clever software’ or algorithms to decide how much they can lend to businesses or individuals. The money might come from the savers within the bank, or even in the short term from other businesses within the bank, it might be a bank bond to support extra lending, other banks, or even the central bank based on a loan.
Enter blockchain. No trade is lost, no trade can be changed. Same-day reporting and the option of seeing those smart contracts behind the trade could be a reality. The bank will know its true worth, which in turn affects the tier one capital ratio, as part of a stress test. The lenders can feel happy about supplying overnight or ongoing support to the bank. Blockchain in a financial supply context will present an immutable truth. Cryptographically hashed transactions will allow for total transparency between financial institutions and regulators. The technology to mitigate risks in a financial institution’s supply chain is ready; the question is, are the banks ready to reveal all?
Jackie Rednour-Bruckman is the CMO of MyWorkDrive.
"To best understand how to mitigate risks, you first have to identify the biggest threats..."
A cyberattack resulting in data theft and data security breaches is the number one critical potential catastrophe that keeps CIOs and IT Directors up at night. Banks, mortgage lenders, and brokerage houses are the main drivers of the financial service industry and that’s why FINRA exists. FINRA stands for Financial Industry Regulatory Authority and it’s a non-governmental agency regulating major sectors of the financial industry, primarily stock exchanges. FINRA reports to the SEC. Having a regulatory agency making sure stock brokers play fair still doesn’t protect data that’s being transmitted over the internet.
Cloud-based platforms are no help either, ultimately because their very nature means a company doesn’t truly own their own data if they are migrating it to someone else’s server. What to do? Financial services companies have to treat their data like it’s the gold bars locked up in Fort Knox. You need added layers of security much like armed guards, cyclone fences, alarms, and thick steel doors. You would be amazed at how many companies are still uploading critical digital assets to a public drive or a cloud-based file share service assuming that they are protected from cyberattacks. One wrong click on an email via a cell phone and a so-called impenetrable wall is rendered to a flimsy piece of tissue paper offering no barrier to a well-planned hack.
John Klassen is Product Marketing Manager at Authentic8, maker of Silo, the compliance-ready browser in the cloud that provides security, efficiency, accuracy, anonymity, and auditability for the nation’s most demanding enterprises and federal agencies.
"One first step financial services companies need to take towards minimizing their vendor risk is to..."
Disconnect from the web. Sounds radical? You may be surprised to learn that this process is well underway in some of America’s largest banks and investment firms. Let me explain.
IT security researchers agree that roughly 80 percent of data breaches and malware incidents are web-borne and in some way browser-related. The regular browser has become the main gateway for attacks on the local IT infrastructure of firms (not only) in the financial sector. Locally installed browsers – including those labeled “secure” by their makers – indiscriminately process all content from the web on the user’s computer or mobile device. This opens the door for data exfiltration and for malicious code to infiltrate the corporate network, for example through infected vendor websites or compromised third-party business apps.
The finance sector’s growing reliance on external services and third-party web apps has resulted in a steady increase of attacks exploiting the inherent security vulnerabilities of the traditional browser. So what are financial services companies to do, remove the browser?
That’s precisely what I’m suggesting. It’s already happening. Banks, accounting firms, Big Law, federal and state regulators, even the nation’s largest supply chain operator – the Department of Defense (DoD) – all have arrived at the same conclusion: Remove the browser, remove the attack surface. By disconnecting the browser from the local IT and moving it into the cloud, they are creating an additional layer of security, without any of the tradeoffs associated with other approaches to solving the browser crisis.
Colton DeVos is the Marketing and Communications Specialist at Resolute Technology Solutions Inc.
"As part of mitigating supply chain risk, a large part of that comes down to..."
Your IT security or cybersecurity. When it comes to managing cyber risk, we often recommend three types of approaches. Looking at your technology, processes and people to identify any gaps in your IT security – then work on remediating them and updating your processes to prevent them from reappearing.
- For your technology, this means conducting a vulnerability assessment to scan devices connected to your network, your websites, apps, and firewall configurations.
- For your processes, you want to make sure your IT practices are in line with industry standards so that you aren't unintentionally opening yourself up to new risks.
- For your people, invest in security awareness training so that you can enable your staff to identify and avoid cyber threats like phishing, malware, and scams.
There are a number of security tools you can add to your business to scan emails, manage communications, and better quarantine any malicious threats if they happen to make it through.
Robin Abrams is finance director at Trade Finance Global (TFG). He was previously an equity research analyst at Berenberg and Citi.
"To mitigate supply chain risks, you could..."
- Have diversified suppliers and alternate suppliers who can replace parts of your supply chain in the event of a disruption;
- Work with businesses in a number of different jurisdictions; and
- Have diversified funding sources, so that parts of the supply chain can be funded appropriately while shifting them across to new jurisdictions.
The key accounts of the company and financial structures are key here. We're seeing quite a bit of this repositioning as the trade war heats up.
CEO and Co-Founder of PayPie, Nick is a serial fintech entrepreneur and a member of the Forbes Technology Council. His more than 20 years of experience working with small businesses and the accountants who serve them informs his frequent speaking engagements and underscores his commitment to providing better solutions.
"The siloing of information has plagued financial services like lending for much too long..."
When information isn’t easily shared the results are duplicated efforts, a mountain of manual data entry, a higher error rate, and general lack of transparency. This is why blockchain is more than just a buzzword. It has the potential to shatter silos by letting all the relevant parties access the same documents and any updates or changes to these documents at the same time, from any location or software application. It’s like giving everyone access to the same file cabinet and when a change is made or transaction is completed, all the participants will be able to see it. Instead of passing information back and forth, reinventing the wheel each time, participants simply access the information they need when they need it.
Katherine Moore wrote the analytics that found fraud for the BP Deepwater Horizon Settlement. Since that time she has consulted on a number of fraud and risk control reviews for like corporations and entities.
"I believe data analytics are a necessary part of any risk mitigation for financial companies..."
I simply refer to what I do as risk analytics/fraud analytics. The financial industry is an industry of numbers both in the products it yields and the services/supplies it consumes. Risk analytics takes those numbers, analyzes them and discerns insights that indicate risk of loss and outright fraud in the services and/or supply chain. Effective metrics and analysis can even provide predictive insights. Risk analytics are perfectly suited to industries that produce large amounts of data like the financial industry. As with any analysis, the larger the population, the keener the insights and the better the predictive abilities. In this way, risk analytics not only alert a company when something is wrong, but they can also be utilized to highlight when something is right. These insights can then be utilized to implement efficiencies and cut costs.
Yael Tamar is a blockchain strategist, storyteller, speaker, advisor and mentor. In 2017, she founded TopOfBlockchain.com, making sense of blockchain technology and ventures with the right story, business and token models. She also serves as the CMO at iOlite and the CCO at VeganNation.
"For financial services companies, expanding efforts to include their supply chain, minimizing supply chain risk means..."
Effective supply chain management and building resistance to ensure the whole operation works in sync in anticipation of potential challenges. Strategies include diversifying suppliers - as over-reliance on a few major suppliers greatly increases risks of delivery failures and reduces price negotiation vantage points - maintaining higher inventory for operations flexibility, and creating partnerships, or possibly investing in, or acquiring suppliers.
Dr. Nabil Abu El Ata
Dr. Nabil Abu el Ata is a risk and business process management visionary with over 15 years of experience building industry-leading companies and bringing innovative products to market. As the founder and CEO of URM GROUP, Nabil’s team delivers the consultative services and technologies that brands depend on to comprehensively control risks across diverse business and IT systems. Nabil holds over a dozen patents for predictive emulation technologies and is the inventor behind URM Group’s predictive risk intelligence platform, X-Act®.
"Financial services companies are well versed in managing risk for..."
All the distinct phases of the supply chain, from assessing credit risk to funding a loan, or managing loan delinquencies. But they often lack a clear picture of risk across the entire supply chain from back office, middle office, risk management, business developers, finance, and IT. All these departments work in silos to assess the risk of their individual areas of responsibility using their own methods, technologies, and biases. And yet none of the processes that support the supply chain operate exclusively within a silo. Which means the biggest risks are often left undiscovered until something goes wrong, at which point mitigation options are limited and can be very costly to implement.
Financial services companies can better manage supply chain risk if they close the gaps between domains and stop worrying about the probability of a specific risk event occurring. It’s the impact of a potential failure at any point along the supply chain (such as a data center outage) that matters.
An Associate Director at Source One, a Corcentric Company, Jennifer Ulrich is recognized industry-wide as an authority on procurement transformation and category management. She has led large-scale initiatives for both direct and indirect spend categories in industries including: biotech, medical devices, pharmaceuticals, and consumer packaged goods. Clients trust her to provide the cross-functional procurement knowledge and innovative strategies necessary to develop transformation roadmaps and realize long-term savings.
"Your definition of and attitude toward supply chain risk will vary widely based on industry and business unit..."
In manufacturing, for example, it is fairly straightforward. What will impact our ability to make widgets for our customer base? Within financial services, however, risk impacts an organization's ability to support its customer base in more nebulous ways. Regardless of where specifically the risk sits or how it translates to the end user, supply chain risk is something that financial services organizations need to approach strategically and proactively.
There are two ways they can go about this. One takes an internally-focused approach; the other focuses on risk from the outside. The former starts at the core of business' hierarchy and organizational structure. Simply put, how do the different business units collaborate? Do they function independently with their own goals and objectives, or do they build links to each other in order to deliver on broader organizational goals?
Externally, having a robust, well-fitting supplier relationship management program can give the organization insight into what risk factors may be out there. This starts with a clear segmentation model and a methodology that aids the business in determining which suppliers are critical to their operations. These providers require more internal efforts to manage, but (with the right motivation) they'll also help the business innovate and develop competitive advantages. Such close relationships will prove essential when risk factors start to loom on the horizon. Critical suppliers won't hesitate to provide a heads-up. Through the length of an engagement, they'll make it easy to navigate and respond to anything that might stand in the way of meeting stakeholder and customer expectations.
Mark Hoekzema is the chief meteorologist and director of meteorological operations at Earth Networks. In this role, Hoekzema oversees meteorological content integration and acquisition across all product lines. In 2000, he joined the company to help manage the WeatherBug desktop application.
"Compared to other risk areas..."
Weather-related supply chain risk in financial services is not something that first comes to mind. This is because financial services products are mostly e-commerce/e-business and not affected much by weather. That said, there is some risk which is indirectly related to the financial service products.
The weather-related supply chain risk for financial services is primarily a business continuity issue relating to physical and personnel assets. Because of this, the risk from weather might be perceived as unimportant or inconsequential due to the e-commerce aspect of the financial business. A financial company's weather-related risk would include losing internet connectivity, physical property loss due to damage, business continuity disruptions due to loss of power, and personnel assets not being able to physically get to an office or telework. All of these could potentially have the same impact as a cyber security breach which might be seen as a more obvious supply chain risk.
Nishank Khanna is the CMO of Clarify and a serial entrepreneur with a knack for creating profitable startups.
"Financial services companies can mitigate supply chain risk by..."
1. Diversifying sources of leads with content marketing. Create valuable content that helps your target audience succeed. Nothing attracts new prospects better than providing them value for free.
2. Diversifying lender partnerships from the get-go. When financial markets are strong, it's much easier to create partnerships with multiple lenders. Having a single lending partner is a major risk.
Gabriela Paciu is the CEO of B4Finance. B4finance was founded in 2017 with the intention of providing cutting-edge solutions to the wealth and asset management industry. Their objective is to streamline the relation between investors and wealth managers and enact new technologies.
"Standard strategies to mitigate supply chain risk include..."
Diversifying suppliers, creating partnerships, or possibly investing in or acquiring suppliers. But you can also consider new technologies like blockchain as a very interesting alternative. Blockchain can help mitigate supply chain risks with smart contracts that will be able to manage contractual relationships with alternative suppliers, automatically dealing with supply chain issues such as interruptions in delivery and inventory maintenance, as well as monitoring movement of goods and services along the supply chain in order to ensure smooth operations.