Tag: sourcing

Building a Resilient Supplier Cyber Risk Management Strategy | Blog

Sharing sensitive data with outsourcing providers in today’s interconnected digital world has increased organizations’ vulnerability to cyberattacks, making it more important than ever to have an effective supplier cyber risk management strategy. To protect against threats, read on to learn the best practices for supplier cyber risk management.  

In today’s risky and interconnected environment, it has become essential for organizations to have a supplier cyber risk management strategy to identify, protect, detect, respond, and recover from supply chain cyberattacks.

The critical importance of relationships with outsourcing service providers has been amplified by the pandemic and recent geopolitical turmoil due to the Ukraine-Russia crisis. Outsourcing suppliers now play a vital role in running business operations, and these partnerships have grown more sophisticated.

With data sharing between the two parties increasing multifold, organizations have greater exposure to ransomware attacks, phishing, denial-of-service, and other cyberattacks.

Depending on the sensitivity of data shared with suppliers, the potential risk of data loss can impact an organization’s business operations – making it essential to develop a supply chain cyber risk management plan to protect from significant financial and operational impacts.

Not having a formal supplier cyber risk management strategy can cause compliance issues. With scrutiny on global supply chains intensifying, a lack of supplier insights can lead to government regulation violations, resulting in financial losses and tarnishing an organization’s brand.

As suppliers have access to sensitive and business-critical information, managing permissions and protecting data from unauthorized access, misuse, and data loss become crucial.

Further, many other risks exist from a supplier’s operational perspective, including issues related to geopolitics, bankruptcy, and macro risks. Organizations should have complete supply chain visibility to rapidly respond to susceptibilities and disruptions at the supplier’s end.

All of these factors can have a long-lasting impact on an organization’s image and reputation, potentially deteriorating customer loyalty and trust. Hence, having a resilient supplier cyber risk management strategy that includes visibility, transparency, clear communication, and collaboration has become non-negotiable for organizations.

The Everest Group risk management matrix

Let’s take a look at the different risk scenarios and their remedial measures below:


Exhibit 1: Everest Group Supplier Management Toolkit: Risk Management in Outsourcing

Best practices for developing a supplier cyber risk management strategy

Developing a Supply Chain Risk Management (SCRM) program is indispensable for organizations as they become increasingly vulnerable to supply chain attacks.

Currently, the risk management focus in outsourcing is limited to compliance requirements such as the Sarbanes-Oxley Act (SOX), Service Organization Control (SOC) certifications, industry-specific compliances such as Health Insurance Portability and Accountability Act (HIPAA) and Health Information Trust Alliance (HITRUST), and criminal background verifications.

Other vital factors such as geopolitical and offshoring risks have not yet become key executive priorities. Further, as more companies lean on service providers to drive digitalization and corresponding transformation in their outsourced processes, organizations rarely try to identify potential risks and establish associated mitigation/contingency plans.

Some industry best practices such as ISO/IEC 27036:2013 and the NIST Cybersecurity Framework have been updated to include information security for supplier relationships, highlighting the importance of SCRM in corporate security. In terms of cyber security, this involves:

  • Defining cyber security requirements and measures that apply to suppliers based on their risk category
  • Enforcing these requirements via formal agreements (e.g., contracts) to ensure suppliers enter a binding commitment
  • Verifying and validating communication and access from and to suppliers
  • Ensuring effective implementation of cyber security requirements
  • Managing and supervising the above activities periodically

To optimally engage with and manage suppliers, the entire supplier life cycle should be organized into these three phases:

  1. Before and during the contracting phase – Screening suppliers before onboarding is essential for organizations to assess financial, operational, and reputational aspects. Procurement heads need to carry out background checks to confirm suppliers’ compliance status and performance viability. An exhaustive contract with legally binding cyber security responsibilities for both the organization and its suppliers should be created. This contract should define fundamental and high-level security requirements and privacy controls for the supplier relationship at every point in the life cycle.
  2. During the ongoing relationship – Once suppliers are onboarded, organizations must track every asset a supplier can access in a central repository. Customers should categorize suppliers into risk classes based on how critical the information they handle is, and use those classes to define the appropriate cybersecurity controls. These controls should be continuously evaluated to ensure adherence.
  3. After the termination of the relationship – Offboarding a supplier requires disabling its logical and physical access, removing its access to any data, and destroying that data so the supplier no longer holds anything sensitive. This phase also requires ensuring no open incidents are pending and facilitating a proper handoff between suppliers.
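The three life-cycle phases above are easiest to operate when the central repository of supplier access is something you can query. The following is an added example (not code from the Everest Group post or toolkit) of such a register in Python: each supplier's risk class is derived from the most sensitive asset it can still reach, the controls required for that class are checked, and terminated suppliers are audited for lingering access and a missing data-destruction attestation. The supplier names, asset names, control names and the control-per-class mapping are all constructed for illustration.

```python
"""Supplier access register with risk tiering and an offboarding audit.

Added example, not from the original post. All suppliers, assets and
control names below are constructed; the REQUIRED_CONTROLS mapping is a
hypothetical policy, not one the post prescribes.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Sensitivity(Enum):
    """Data classification, ordered by ascending sensitivity."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass
class AccessGrant:
    asset: str
    sensitivity: Sensitivity
    kind: str                 # "logical" or "physical"
    active: bool = True       # False once access has been revoked


@dataclass
class Supplier:
    name: str
    status: str               # "onboarding", "active" or "terminated"
    grants: list[AccessGrant] = field(default_factory=list)
    controls_in_place: set[str] = field(default_factory=set)
    data_destruction_attested: bool = False


# Hypothetical controls required per risk class (illustrative policy).
REQUIRED_CONTROLS = {
    "low": {"signed_security_addendum"},
    "medium": {"signed_security_addendum", "annual_questionnaire", "mfa"},
    "high": {"signed_security_addendum", "annual_questionnaire", "mfa",
             "soc2_report", "access_review_quarterly",
             "incident_notification_sla"},
}


def risk_class(supplier: Supplier) -> str:
    """The risk class follows the most sensitive asset still reachable."""
    top = max((g.sensitivity.value for g in supplier.grants if g.active),
              default=Sensitivity.PUBLIC.value)
    if top >= Sensitivity.RESTRICTED.value:
        return "high"
    if top >= Sensitivity.CONFIDENTIAL.value:
        return "medium"
    return "low"


def missing_controls(supplier: Supplier) -> list[str]:
    """Controls the supplier's risk class requires but which are not in place."""
    required = REQUIRED_CONTROLS[risk_class(supplier)]
    return sorted(required - supplier.controls_in_place)


def offboarding_findings(supplier: Supplier) -> list[str]:
    """For terminated suppliers: access not yet revoked, data not yet destroyed."""
    if supplier.status != "terminated":
        return []
    findings = [f"{g.kind} access to {g.asset} still active"
                for g in supplier.grants if g.active]
    if not supplier.data_destruction_attested:
        findings.append("data destruction not attested")
    return findings


def audit(register: list[Supplier]) -> dict[str, list[str]]:
    """Run the ongoing-relationship and offboarding checks over the register."""
    report: dict[str, list[str]] = {}
    for s in register:
        issues: list[str] = []
        if s.status == "active":
            issues += [f"missing control: {c}" for c in missing_controls(s)]
        issues += offboarding_findings(s)
        report[s.name] = issues
    return report


# Constructed sample register (fictitious suppliers and assets).
SAMPLE_REGISTER = [
    Supplier("Acme Payroll", "active",
             [AccessGrant("HR records", Sensitivity.RESTRICTED, "logical")],
             {"signed_security_addendum", "mfa", "soc2_report"}),
    Supplier("Bright Cleaning", "active",
             [AccessGrant("main office", Sensitivity.INTERNAL, "physical")],
             {"signed_security_addendum"}),
    Supplier("Old Analytics Co", "terminated",
             [AccessGrant("customer data warehouse", Sensitivity.CONFIDENTIAL,
                          "logical", active=True),
              AccessGrant("badge", Sensitivity.INTERNAL, "physical",
                          active=False)],
             {"signed_security_addendum", "mfa"}),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_REGISTER).items():
        print(f"{name}: {issues or 'OK'}")
```

Running the block reports the payroll supplier as high-risk with three controls outstanding, the cleaning supplier as compliant for its low class, and the terminated analytics supplier with one logical grant still active and no destruction attestation, which is exactly the kind of gap the third phase exists to close.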

Prevalence of risk management processes in the supplier life cycle

How common is it for organizations to have established risk management processes in each of the third-party life cycle steps? Our polling results show while most organizations have these safeguards in the first stage, fewer use them in later phases, as illustrated below:


Exhibit 2: Everest Group’s Webinar Quick Poll (Could Your Business Partners Be Offering More Risk than Support?)

The supply chain for almost any organizational procurement activity can be the target of cyberattacks, either by going after the supply chain or the supplier’s/organization’s systems, once they are integrated.

More complex and sophisticated attacks are often left undiagnosed or unreported, making them potentially more disastrous for enterprises. At different points in the supplier management life cycle, stakeholders across organizations will have the primary responsibility for establishing and maintaining effective supplier cyber security controls.

Strong governance is required so that the relevant stakeholders are accountable at the right time and make their best effort to combat cyber threats. To complement this governance, a strong collaborative culture across departments is needed to drive continuous improvement.

Learn how to create an effective program for your organization in our executive brief on Cybersecurity Risk Management in the Supplier Life Cycle, part of our supplier management toolkit.

Please reach out to [email protected] to gain further insights on supplier cyber risk management or Contact Us.

Discover even more about cybersecurity in our current environment in our webinar, Cybersecurity: What You Need to Know to Find the Right Partner and Price.

Sourcing Professionals Have a Tough Job | Sherpas in Blue Shirts

If you are a sourcing professional, you have our deepest respect, because now, more than ever, your job is a tough one. The sourcing industry is changing fast, disrupted by emerging technologies, shifting talent requirements and evolving service provider capabilities. Moreover, fluctuating geopolitical and legislative issues are causing enterprises to rethink substantial, long-held sourcing strategies and provider relationships. Sourcing professionals face formidable challenges in the global economy as the new year approaches and they look for better strategies in an industry experiencing unparalleled turbulence.

Technology is Changing the Game

It used to be that a sourcing professional’s No. 1 responsibility was finding a way to get the work done as cheaply as possible. Not any more. Technology has changed the game. In nearly every industry, digital technologies are driving the development of innovative products and services and improved customer experiences. To keep pace in this digital world, enterprises are now pursuing a digital-first rather than arbitrage-first strategy. In fact, the global services market has seen a threefold increase in digital-focused deals.

Automation, once merely a service delivery tool, is now “front end,” with enterprises demanding strategy, vision and strong Proofs-of-Concept (POCs) for advanced automation in 33 percent of all application services contracts in 2016. Similarly, artificial intelligence, cognitive computing and robotics will soon begin to pervade the enterprise portfolio and will eventually become mainstream in the sourcing landscape.

Talent Requirements Are Shifting

The increasing adoption of digital strategies is changing the workforce skills that enterprises seek, and, in turn, forcing sourcing professionals to revamp their location portfolios in the midst of a dynamic landscape. Location options for traditional global sourcing continue to expand, and new locations are emerging for unique talent demands, such as digital capabilities.

Geopolitical Disruption Adds Complexity

Sourcing professionals also must anticipate and react to numerous geopolitical disruptions that keep the sourcing landscape shifting like windblown sand. In the past year, for example, we have seen a significant decrease in demand from the United Kingdom given the uncertainty around Brexit; uncertainty about healthcare legislation in the U.S. has dampened the healthcare sourcing market; and uncertainty due to visa reforms has led to increased local hiring and onshoring in the U.S.

The Provider Landscape is Constantly Changing

Sourcing professionals also are challenged to stay abreast of changes in the provider landscape. Mergers and acquisitions are on the rise, and leading providers are making fundamental changes to their talent and service delivery models. Between April of 2016 and March of this year, Everest Group witnessed 40 acquisitions to expand digital capabilities, 140 alliances between providers and technology providers or startups, and the setup of 35 new centers and digital pods to help clients rethink their digital strategies.

Data for Sound Decision-Making

In the midst of this complexity, buyers of global services are tasked with making critical decisions. Recompeting an outsourcing contract, selecting a location for a global in-house center, or contracting for new tech services—these are the types of decisions that can significantly impact an organization’s performance and an executive’s career.

That’s why Everest Group has announced that it is doubling down on its commitment to provide fact-based comparative assessments. We’re consolidating our comparative analysis offerings – previously offered under a variety of product names – under our flagship PEAK Matrix brand, which will now evaluate services, solutions, products and locations. Additionally, we’ll be expanding the market segments addressed to include new functions, processes and industry verticals. Read more about it here.

In the midst of all the complexity and change that sourcing professionals face, one thing remains the same: Everest Group is your source for the fact-based analyses you need to make informed decisions that deliver high-impact results.

Capital Markets BPO: Provider Selection Pricing Considerations | Sherpas in Blue Shirts

Capital markets BPO (Business Process Outsourcing) is one of the fastest growing industry-specific verticals within the BFSI segment, with a market size of over $2 billion in 2016. Investment banking is the largest line of business within the capital markets BPO. Asset management, custody and fund administration, and brokerage are the other key lines of business in this space.

Enterprises typically look to partner with third-party pureplay service providers such as Cognizant, EXL, Genpact, Infosys, and TCS to remain competitive in the marketplace, and simultaneously manage their regulatory, risk, and cost concerns. But the BPO majors are facing stiff competition from specialist capital markets BPO providers such as Avaloq, eClerx, and Xchanging, which are more focused and have deeper domain expertise.

Against this backdrop, what pricing considerations should enterprises take into account when selecting a specialist or a pureplay Business Process Outsourcing provider?

What to consider when selecting a Business Process Outsourcing provider

  • Specialists come at a premium: Specialist providers typically charge a premium price. The premium is nominal for low complexity processes such as static and dynamic data management, client onboarding, low value reconciliations, trade capture, and exception matching. Yet, it rises considerably for high complexity capital markets BPO processes such as OTC derivatives, syndicated loans, and alternative investments. Specialist capital markets providers’ expertise in niche and complex services gives them significant pricing power over pureplay BPO providers.
  • Pureplay BPO providers on the move: However, pureplay BPO providers over the last couple of years have moved swiftly, and gained meaningful ground in terms of building competence in high value services. This increased, more head-on competition has reduced the pricing differential to some extent.
  • Pricing model induced rate differential: FTE-based pricing is most common in capital markets BPO contracts, closely followed by the transaction-based model. Typically, contracts with transaction pricing have a higher Annual Contract Value (ACV) per FTE, as the service provider agrees to share some of the buyer’s risk, and thus bakes the risk premium into the pricing. Additionally, the scope of work for capital markets BPO deals with transaction-based pricing is usually higher value and more complex, pushing up the average ACV per FTE further.

Pureplay BPO providers vs. specialists

Net-net, specialist providers, which at least as of today handle more high-value services, come at a higher price than their pureplay BPO peers. And, at least as of today, buyers appear ready and willing to pay this premium.

Enterprises in this space typically tend to value and favor specialists when it comes to finding a partner for their capital markets BPO operations. And they tend to be particularly selective, as most service providers – both pureplay and specialist – do not play in all the segments, but instead focus on building deep capabilities around one or two of the four key business lines.

Are you working with a pureplay or specialist provider in the capital markets BPO space? To what extent did pricing play into your provider selection? Do you think specialists have an edge over pureplay BPO providers in terms of capabilities?


Reimagining Global Engineering Services – a Hierarchy of Needs | Sherpas in Blue Shirts

The engineering services industry is one of the most interesting segments in the global services landscape today.

Compared to IT and business process services, the global engineering services market is much smaller, at approximately US$ 90 billion. It is also growing much faster, at approximately 15 percent per year.

The bulk of the growth is going to be driven by a need to reimagine global sourcing of engineering services, in line with the progression of enterprise digitalization strategies.

Everest Group believes there are four distinct objectives behind digital engineering strategies:

Exhibit: Hierarchy of Digital Engineering Services Demand (Global Sourcing of Digital Engineering Services)

  1. Crushing spend: Arguably, there’s nothing new about leveraging a global sourcing model to reduce spend. However, the optimization levers go well beyond arbitrage, extending into the realms of analytics, the IoT, and automation. We are beginning to see enterprises contracting not just for cost savings, but for specific details around how cost savings are being achieved (e.g., the success of automation projects and an ongoing commitment to automation). Digitalization can often achieve breakthrough spend reduction outcomes (e.g., maintenance of oil refineries leveraging IoT technologies), well beyond the traditional arbitrage levers.
  2. Transforming experience in plants or mines: The experience is typically optimized against considerations such as safety and accessibility, speed, and convenience. For instance, design thinking principles are being applied to plant assembly line design, IoT is being implemented in mines for health and safety use cases, and medical device companies are using digitally reimagined techniques to improve patient care outcomes.
  3. Accelerating product innovation: Sophisticated enterprises realize they can’t do it well enough or fast enough unless they embrace a broader innovation ecosystem. Globalization is a major driver of demand, as is the need to accelerate and contextualize cross-industry innovation. For instance, automotive OEMs realize they need to embrace a broader ecosystem of talent and technology providers to create differentiated infotainment offerings.
  4. Disrupting the business model: Business model disruption comes about as a natural progression through the first three levels of the hierarchy, coupled with a disruptive idea. For instance, automotive companies the world over are waking up to the potential of a new business model built on asset sharing as opposed to asset ownership. Utility companies are creating parallel energy sharing models using blockchain. Medical diagnostic companies are reimagining their business model by experimenting with service-led, as-a-service models.

Everest Group recommends enterprises follow a “3E” approach to shaping their engineering services global sourcing strategy:

  • Evaluate the current state of your digital engineering journey against the strategic objectives of efficiency, experience, innovation, or disruption. The way you measure success in the short term should derive from where you are, and your longer-term strategy should stem from a broader industry vision.
  • Evolve the ER&D sourcing model in line with your aspirations. If you are trying to drive strategic business impact at the higher reaches of digital engineering maturity, you should be able to use objective data to benchmark the impact on business processes. For instance, your ER&D sourcing models should be linked with improvements in supply chain metrics, experience, accelerated time to market, or an increase in digital-led revenues.
  • Enrich the sources of engineering and R&D innovation by engaging with service providers, start-ups, academia, designers, social scientists, etc. Such an ecosystem should transcend the traditional enterprise-partner model, and requires a central orchestration function for scalability.

Visit our engineering services page for more insights on engineering services global sourcing strategies.

Request a briefing with our experts to discuss the 2022 key issues presented in our 12 days of insights.
