Companies and other organizations never stand alone; they are part of a chain. All too often the cliché that a chain is only as strong as its weakest link rings true. Yet many companies focus primarily on their own internal environment, which must be in perfect order: adequate processes and procedures, a state-of-the-art administrative organization, strong cybersecurity, a fraud-resistant corporate culture, a robust fraud risk analysis, measures that significantly mitigate fraud risks, and every line of defense that, when needed, sounds the alarm quickly and loudly.

Nevertheless, things still sometimes go wrong. Because of this internal focus, external risks remain overlooked even though they do materialize, with all the consequences that entails, such as financial and reputational damage. That is why I advocate paying more attention to what can go wrong in the chain, focusing on the supply chain in which suppliers and external partners can expose your company, consciously or unconsciously, to fraud risks, cyber attacks, AI fakes, reputational risks, and damage.

Companies, and the chains in which they operate, are becoming increasingly dependent on automated systems and information technology: in their production processes, inventory management, sales and booking processes, financial transactions, client and other administration, and many other areas. We no longer book airline tickets and hotel stays by visiting a travel agency, but via the internet. Many people bank with an internet bank. Repeat prescriptions for medicines are requested via websites, and instead of collecting them from the counter at a pharmacy we nowadays pick them up from a dispensing machine that is accessible 24 hours a day. But what if the platforms and websites used by KLM, Booking.com, internet banks, and pharmacies are taken offline? To what extent does this affect not only these companies, but also their chain partners? What preventive measures have your supply chain partners taken to mitigate the harmful effects of events elsewhere in the chain? Are they adequately insured, so that they can limit the damage to themselves, and perhaps also to you?

A targeted cyberattack on your company can also arrive through a supply chain partner: cybercriminals compromise the partner first and use that foothold to reach your business systems, encrypt or disable them, or exfiltrate data, in what is known as a 'supply chain attack'. Attackers who want to attack a company they believe to be well secured will seek out a weak link in the chain and attack via that partner. This is entirely possible when your systems are connected for efficiency reasons, information is exchanged automatically, or you collaborate in other ways via ICT systems, for example through a shared network connection, a vendor's remote-access account, or software and updates you install from that vendor. Such attacks are often carried out by advanced persistent threat (APT) groups: well-resourced attackers who probe systems for weaknesses, remain inside undetected for a long time, gain access to confidential information, and can disrupt production processes.

Companies need to be alert not only to their own digital resilience, but also to that of their chain partners. Are there any weak links in the chain? What systems do chain partners use? How are they secured and tested? Is there a contingency plan with alternative scenarios in case systems are hacked or shut down? To what extent do such contingency plans take into account the effects on and interests of chain partners? Do they have fraud insurance and does it also apply to damage caused to third parties?

Companies also face risks in areas other than cybersecurity. For example, when it comes to procurement processes and tenders, where fraud and corruption risks lurk. This involves buyers making choices and decisions regarding the products or services to be purchased and their suppliers. In tenders, projects are awarded to one or more parties after selection.

In procurement processes and tenders, there is a risk that suppliers (or their employees) bribe purchasers and other decision-makers with kickbacks. As a result, your company does not get the best deal, for example because it pays too high a price or obtains a lower-quality product, and suffers damage. The supplier makes an extra profit because your company has overpaid, and part of that extra profit goes to the purchaser or another person involved, who receives a reward to which they are not entitled and which is, in fact, paid by you without your knowledge. This is an obviously undesirable situation that you did not choose, in which you have no interest, and which causes damage.

Another, unfortunately common, fraud pattern is the fake invoice: you receive a false invoice, apparently from an existing supplier, for goods or services that were never ordered, let alone delivered and received. The classic control against this is the three-way match, in which an invoice is only paid if it can be tied to an approved purchase order and a confirmed goods receipt, and if the amount and supplier agree with both.
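The following is an added example, not code from the original article, showing that three-way match as invoice-screening logic run over constructed sample data. The supplier names, document numbers, finding codes and the 2% overbilling tolerance are all assumptions chosen for the illustration; a real implementation would read purchase orders, goods receipts and the paid-invoice register from the ERP system. Beyond the fake invoice the article describes (no purchase order at all), it also flags invoices for orders that were never received, invoices that overbill a purchase order, invoices that reference another supplier's purchase order, and invoice numbers that have already been paid once.

```python
"""Three-way match of supplier invoices against purchase orders and goods receipts.

Added example with constructed data (hypothetical suppliers and document numbers).
An invoice with an empty findings list passed every check and may be paid.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Assumed policy value: how far cumulative billing may exceed the PO amount.
TOLERANCE = Decimal("0.02")


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    supplier: str
    amount: Decimal


@dataclass(frozen=True)
class Invoice:
    invoice_number: str
    supplier: str
    po_number: Optional[str]  # None models an invoice that cites no order at all
    amount: Decimal


def match_invoices(
    invoices: Iterable[Invoice],
    purchase_orders: Dict[str, PurchaseOrder],
    received_pos: Set[str],
    paid_invoices: Set[Tuple[str, str]],
    tolerance: Decimal = TOLERANCE,
) -> Dict[str, List[str]]:
    """Return {invoice_number: [finding codes]} for every invoice in the batch."""
    billed: Dict[str, Decimal] = {}      # cumulative amount invoiced per PO in this run
    seen = set(paid_invoices)            # (supplier, invoice_number) pairs already paid
    results: Dict[str, List[str]] = {}
    for inv in invoices:
        findings: List[str] = []

        # A resubmitted invoice number from the same supplier is a duplicate payment attempt.
        key = (inv.supplier, inv.invoice_number)
        if key in seen:
            findings.append("DUPLICATE_INVOICE")
        seen.add(key)

        po = purchase_orders.get(inv.po_number) if inv.po_number else None
        if po is None:
            # The fake-invoice case from the text: nothing was ever ordered.
            findings.append("NO_PO")
        else:
            if po.supplier != inv.supplier:
                findings.append("PO_SUPPLIER_MISMATCH")
            if po.po_number not in received_pos:
                findings.append("NOT_RECEIVED")
            billed[po.po_number] = billed.get(po.po_number, Decimal(0)) + inv.amount
            if billed[po.po_number] > po.amount * (Decimal(1) + tolerance):
                findings.append("OVERBILLED")
        results[inv.invoice_number] = findings
    return results


# Constructed sample data for the demonstration.
PURCHASE_ORDERS = {
    "PO-1001": PurchaseOrder("PO-1001", "Acme Parts", Decimal("1200.00")),
    "PO-1002": PurchaseOrder("PO-1002", "Acme Parts", Decimal("500.00")),
    "PO-1003": PurchaseOrder("PO-1003", "Beta Services", Decimal("800.00")),
    "PO-1004": PurchaseOrder("PO-1004", "Acme Parts", Decimal("300.00")),
}
RECEIVED_POS = {"PO-1001", "PO-1003", "PO-1004"}          # goods receipts on file
PAID_INVOICES = {("Acme Parts", "INV-7")}                  # already settled earlier
INVOICES = [
    Invoice("INV-1", "Acme Parts", "PO-1001", Decimal("1200.00")),   # clean
    Invoice("INV-2", "Acme Parts", None, Decimal("450.00")),         # fake: no order
    Invoice("INV-3", "Acme Parts", "PO-1002", Decimal("500.00")),    # nothing received
    Invoice("INV-4", "Beta Services", "PO-1003", Decimal("950.00")), # overbills 800 PO
    Invoice("INV-5", "Beta Services", "PO-1001", Decimal("100.00")), # cites Acme's PO
    Invoice("INV-7", "Acme Parts", "PO-1004", Decimal("300.00")),    # paid once already
]


def run_sample() -> Dict[str, List[str]]:
    """Screen the constructed batch; used by the demo below."""
    return match_invoices(INVOICES, PURCHASE_ORDERS, RECEIVED_POS, PAID_INVOICES)


if __name__ == "__main__":
    for number, findings in run_sample().items():
        print(number, "OK" if not findings else ", ".join(findings))
```

Note that billing is accumulated per purchase order across the batch, so INV-5 is flagged both for citing another supplier's order and for pushing that order past its amount; a simpler per-invoice comparison would let several small invoices drain a single order.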

My plea regarding the risks associated with suppliers is clear: don't get bogged down in getting your own house in order and optimizing it, but open the shutters and broaden your view to include chain partners.

This requires attention to matters such as:

  • Adequate due diligence in the selection and onboarding of suppliers. What is their reputation? How long have they been in business? Are they financially sound or vulnerable? What information is available from open sources? Have there been any irregularities in the past? How is governance organized and are there sufficient checks and balances in place? Are they open to providing (verifiable) information about their business operations, processes, systems, and incidents?
  • A risk assessment with regard to suppliers ('know your suppliers'). Do they have their house in order, just like you? What exactly does that mean? How can you test that (or have it tested)? What guarantees do they provide? Have there been any incidents in the past? If so, what exactly happened? What measures were subsequently taken and are they sufficient to prevent such an incident in the future?
  • Continuous monitoring and reporting. Risk assessment in particular is not a one-off activity but requires constant attention and maintenance: vigilance for changes at the supplier (which must not weaken the controls you relied on) and for signs that indicate possible irregularities.
  • The application of test procedures, for example penetration tests or other exercises that simulate a cyberattack on the connection between you and the supplier. Or, although this is a dubious method, integrity tests in which an employee of the supplier is offered a kickback to see whether they accept it.
  • Assessing alternative scenarios to fall back on in the event of incidents. Both suppliers and your company should have these at their disposal.
  • Agreeing on contractual arrangements regarding, for example, guarantees, indemnities, costs, and compensation in the event of (unforeseen) incidents.
  • Conducting audits and other control measures. For example, with regard to the existence, design, and operation of internal control measures at suppliers, insofar as their effectiveness is crucial to your business operations. Or assessing the fraud risk analyses carried out by suppliers.

Such preventive measures are necessary to make organizations more resilient. However, they do not rule out incidents entirely, nor can they prevent all damage. It is therefore wise to consider taking out fraud insurance. It can ease the pain if you unexpectedly fall victim to chain partners who have not got their affairs in order, or not sufficiently so.