RISK AND COMPLIANCE STRATEGY DRIVERS: CHANGING THE GAME IN FINANCIAL PROCUREMENT WHITE PAPER



EXECUTIVE SUMMARY

THE CHALLENGE

Today, risk to your institution can come from anywhere. Procurement processes, and the supplier relationships inherent in them, are no exception. In the past you could rely on internal controls to manage rogue spend, and on simple sourcing due diligence to identify potential supplier risk. However, it’s no longer sufficient to rely on risk measures focused primarily on evaluating supplier financial stability and collecting insurance certificates. New risk and compliance drivers such as OCC 2013-29, the Bribery Act of 2010, the Foreign Corrupt Practices Act, and the impact of supplier actions on brand reputation, have changed the game by dramatically expanding the risk profile of supplier relationships.

THE ANSWER

Financial institutions in every market are realizing the old rules of risk management are no longer sufficient to protect their organizations. The result is a renewed focus on supplier and counterparty risk assessment and mitigation strategies that are “regulatory aware” and that consider the impact of third party policies, actions, and inactions on the reputation and financial exposure of the institution. However, creating new internal risk management solutions and processes is time consuming and prohibitively expensive in today’s rapidly evolving business environment. As a result, most institutions are looking to strategies that combine comprehensive software solutions with best practice business processes to not only minimize risk, but also provide competitive advantage in the marketplace.

This white paper will examine the changing risk profile of the market, the financial services industry, and counterparty and supplier relationships. Further, it will provide a new perspective on today’s P2P solutions and their role in providing automated supplier compliance and risk management tied to mitigation strategies.

As a result, readers will be able to:

• Realistically assess their own internal and external P2P risk management performance

• Define strategies and processes to identify and predict sources of risk

• Implement regulatory compliance plans

• Minimize the financial and reputational impact on the organization


TABLE OF CONTENTS

WHAT’S DRIVING THE CURRENT FOCUS ON RISK AND COMPLIANCE? 4

A TALE OF TWO RISKS — INTERNAL VS. EXTERNAL 6

PROCUREMENT & RISK IN TODAY’S INSTITUTION 7

PROCUREMENT & RISK — THE EXTERNAL PERSPECTIVE 9

WHAT SHOULD YOU DO? 14


WHAT’S DRIVING THE CURRENT FOCUS ON RISK AND COMPLIANCE?

LOOK NO FURTHER THAN THE HEADLINES

Data breaches and other failures are driving up costs and risks globally across industries. According to new research from PwC and the UK Department for Business, Innovation and Skills (BIS), cyber-attacks are costing businesses as much as £1.15 million per breach in the UK alone.1 In the US, it seems every week brings another occurrence of a Target-sized failure; note Home Depot’s latest report of 56 million cards hacked.2 In fact, 2013 saw 800 million records lost.3

The cost to the financial services industry is staggering. A report from the US Consumer Bankers Association (CBA) concludes that costs for replacing cards affected by the Target data breach have already reached $200 million, and they will continue to rise.4 Across the Atlantic, the payment processor Worldpay reports nearly seven million UK credit and debit cards have been compromised over the last three years, resulting in nearly £1 million of net costs for each affected.5

The rise in commercial breaches of credit and debit cards is not the full extent of new risks facing financial institutions. They must also account for the growth in regulatory exposure from new and expanding legislation across countries, including the UK Bribery Act of 2010, the US Foreign Corrupt Practices Act, US OCC 2013-29, and others. For example, in 2013 the United States Department of Justice (DOJ) arrested employees of a New York broker-dealer and a Venezuelan state development bank official on criminal charges related to bribes.6 At the time, a DOJ attorney said that this action, the first major FCPA enforcement related to financial institutions, represented “a wakeup call to anyone in the financial services industry.”7

1 2014 Information Security Breaches Survey, UK Department for Business Innovation and Skills, BIS/14/766. Survey Conducted by PwC. http://www.pwc.co.uk/assets/pdf/cyber-security-2014-technical-report.pdf

2 Press release: The Home Depot Completes Malware Elimination and Enhanced Encryption of Payment Data in All U.S. Stores, September 18, 2014. https://corporate.homedepot.com/MediaCenter/Documents/Press%20Release.pdf

3 2013 Data Breach QuickView, February 18, 2014, by Risk Based Security and the Open Security Foundation. https://www.riskbasedsecurity.com/reports/2013-DataBreachQuickView.pdf

4 2013 Data Breach QuickView, February 18, 2014, by Risk Based Security and the Open Security Foundation. https://www.riskbasedsecurity.com/reports/2013-DataBreachQuickView.pdf

5 http://www.scmagazineuk.com/card-fraud-costing-small-businesses-dearly-says-research/article/366472/

6 Press release: Two U.S. Broker-Dealer Employees And Venezuelan Government Official Charged In Manhattan Federal Court For Massive International Bribery Scheme, May 7, 2013, by US Attorney’s Office Southern District of New York. http://www.justice.gov/usao/nys/pressreleases/May13/ClarkeetalComplaintPR.php

7 Press release: Two U.S. Broker-Dealer Employees And Venezuelan Government Official Charged In Manhattan Federal Court For Massive International Bribery Scheme, May 7, 2013, by US Attorney’s Office Southern District of New York. http://www.justice.gov/usao/nys/pressreleases/May13/ClarkeetalComplaintPR.php


But wait, there’s more! Reputational and brand risk has now become as much of an issue for financial institutions as it has been for product companies. The action, or in some cases inaction, of a supplier or third-party partner anywhere in the world can have a direct impact on an institution’s reputation and global brand. This problem becomes increasingly complex as one considers the depth of related supplier to supplier interactions.

YOUR CIO IS CONCERNED

Your CIO is concerned with the impact of risk and its subsequent effect across the institution. In particular, he/she deals with supplier and third party interactions, and their subsequent impact on your data and systems, on a daily basis. “Stop Ignoring Third-Party Risk” is a recent Forrester Research report that surveys both North American and European IT decision makers. According to the results, when decision makers were asked about data security and the supplier relationships around “as a service” offerings, nearly 40 percent agreed or strongly agreed with the statement “We do not have a clear way to assess the risk of using third-parties”. In addition, over a third of respondents claim they “have no way to manage how the providers are handling our data.”

These are sobering numbers from executives charged with data privacy, accuracy and integrity. Considering CPO research suggests one of the major obstacles in managing supplier risk is obtaining timely and accurate information from suppliers, the veracity of the Forrester Research report is confirmed.

The result is that your institution, your employees and your bottom line are at increasing risk from procure-to-pay relationships and processes.

PAY ATTENTION — THE IMPACTS ARE HUGE

How big is the risk? On one hand, there are the hundreds of millions of dollars, pounds, euros, etc. in cost related to the aforementioned credit and debit card breaches. And while the cost of the breach is often incurred at the retail or online vendor level, financial institutions are faced with significant costs nonetheless. Some processors impose penalties to attempt to recoup some of this expense, but the cost is expected to grow.

Lastly, if you believe reputational risk is low or difficult to measure, a PwC report, “From vulnerable to valuable: how integrity can transform a supply chain”, states the average share price drops 9 percent on the announcement of a supplier failure. Don’t think that applies to financial institutions? Think again. Commercial entities continue to see the actions of suppliers and third parties have a direct impact on everyone within the relationship.


A TALE OF TWO RISKS — INTERNAL VS. EXTERNAL

SUPPLIER RISK & COMPLIANCE

A convenient way to begin categorizing risk in financial institutions is internal vs external. With the Venn diagram pictured below, we can demonstrate internal vs. external factors and the resulting overlap. Directly managed factors are inadequacies that result in internal risk. Today, they are often either actively managed or are on the radar of financial institutions’ risk management programs.

External factors have their roots in relationships or business factors beyond the figurative four walls of the institution. Whether regulatory or third party-related (or both), they represent risks that are less likely to be clearly understood or effectively managed by the organization.

Overlap of traditional internal with newer external elements:

A CHANGE IN THE BALANCE OF RISK

Traditionally, most organizations develop a strong internal risk management infrastructure. In financial institutions these processes typically encompass asset protection and management, fraud prevention, and industry-specific/relevant regulatory requirements. However, external risks have often been a small or nonexistent part of the risk framework.

But the balance has begun to shift. External risks are becoming more visible and have a greater potential negative impact on the organization. Third party and counterparty relationships are a growing part of the strategic framework for financial institutions, and their complexity continues to increase. “As-a-service” vendors are progressively taking over more business process management, as well as responsibility for the data supporting them. The growing global regulatory environment has resulted in an explosion of overlapping reporting and tracking requirements. Simultaneously, the accelerating evolution of business models that drive entry into new markets, as well as the introduction of new services products, means the intersection of external risk factors is growing exponentially.

Ignoring these warnings could be perilous. While some of these external risks get attention from various parts of the institution, there is a need for a centralized, concerted effort to understand and manage them institution-wide. The balance is shifting, and your risk management strategy must shift as well.

PROCUREMENT & RISK IN TODAY’S INSTITUTION

A TRADITIONAL CENTER OF RISK

You don’t have to look very far to understand the dramatic impact of risk and compliance issues related to procure-to-pay (P2P) processes and supplier relationships. Procurement and sourcing are responsible for an overwhelming proportion of an organization’s external spend. As a result, there is a well-defined understanding of internal P2P risks, as well as a longstanding set of internal controls. These internal controls are designed to monitor and manage P2P spend in order to minimize the risk to cash and misuse of funds. Unfortunately, while financial institutions have robust asset management controls, the implementation of these P2P management processes is too often incomplete or out of date. The set of P2P tools and solutions continues to grow, and controls must evolve as well.

Let’s take a look at some of the key internal P2P risk areas:

• Off-Contract or “Maverick” Spend – Off-Contract spend is frequently responsible for the largest share of overspending within the institution, especially across business units and facilities. Many institutions have implemented formal sourcing processes to negotiate the best prices for goods and services. However, if end users are not buying against the resulting contracts, the organization is not realizing the negotiated savings. Solving the maverick spend challenge requires institution-wide processes supported by technology that directs requisitions to the approved vendors and the agreed upon pricing for every transaction.

• P-cards – Purchasing cards, or P-cards, are effective in providing a frictionless way for users to make prescribed low value, low volume purchases without a lot of process overhead. P-cards can improve efficiency and reporting through detailed analysis from the card providers. However, because of their flexibility, they also introduce additional risk of fraud and misuse. Systems must be implemented to monitor usage and integrate card reporting with internal spend analysis.


• Travel & Entertainment (T&E) Spend – T&E is often one of the last areas in P2P to be addressed by strict internal controls and a risk management framework. T&E policies typically have little or no integrated technology solutions to back them up. Manual T&E spend processes can be easy to circumvent, and recovery of out-of-policy spend is difficult. When combined with maverick T&E spending (non-approved vendors), the dollar impact can be high. As a result, top performing companies are adding integrated T&E spend management technology solutions that automate T&E policy enforcement.

• Accounts Payable (AP) Management – AP represents not only multiple opportunities for risk of fraud, but significant efficiency impacts as well. Duplicate payments (unintentional as well as fraudulent), incorrect payments due to out of date supplier banking information, and frequent supplier status inquiries, all contribute to potential risk and inefficiency. AP must be a tightly integrated part of P2P solutions, from initial vendor approval through comprehensive supplier information management.

• Spend Analytics – P2P spend data is spread throughout your institution’s systems. Sourcing, procurement, P-card, AP (manual and automated) and other areas all contain elements of spend data. In order to properly understand institution-wide spend and identify risk as well as savings opportunities, you need the visibility available through a spend analysis solution.

• Single Source of Supplier Truth – Like spend data, supplier information can be found everywhere in your organization. This results in out-of-date and often inaccurate supplier information at the point of execution driving up risk and costs. Best in class institutions have addressed this need with integrated supplier information systems that act as a central point of timely, accurate and complete supplier information driving all P2P systems.
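The internal P2P controls described in the list above (off-contract spend, AP duplicate payments, out-of-date supplier banking information, and a single supplier master) lend themselves to an automated pre-payment check. The following is an added example written for this page, not code from the white paper or from any P2P product; the supplier master, the invoice batch, and the field names are constructed for the demo. It runs an invoice batch against the supplier master and reports every invoice that needs AP review before the payment run.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed supplier master (the "single source of supplier truth"):
# approved suppliers, the bank account on file, and contract status.
SUPPLIER_MASTER = {
    "SUP-001": {"name": "Acme Office Supply", "iban": "GB11ACME0000000000001", "on_contract": True},
    "SUP-002": {"name": "Northwind Cleaning", "iban": "GB22NRTH0000000000002", "on_contract": True},
    "SUP-003": {"name": "Contoso Consulting", "iban": "GB33CNTS0000000000003", "on_contract": False},
}


@dataclass(frozen=True)
class Invoice:
    supplier_id: str
    invoice_no: str
    amount: float      # a real AP system would use Decimal; float is enough for the demo
    date: str          # ISO date of the invoice
    pay_to_iban: str   # bank account the invoice asks to be paid to


# Constructed AP batch covering each control the text lists.
INVOICES = [
    Invoice("SUP-001", "INV-1001", 1250.00, "2014-09-01", "GB11ACME0000000000001"),
    Invoice("SUP-001", "INV-1001", 1250.00, "2014-09-15", "GB11ACME0000000000001"),   # resubmitted invoice number
    Invoice("SUP-001", "INV-1001A", 1250.00, "2014-09-01", "GB11ACME0000000000001"),  # same amount and date, new number
    Invoice("SUP-002", "INV-2001", 480.00, "2014-09-03", "GB99EVIL0000000000999"),    # bank account differs from master
    Invoice("SUP-003", "INV-3001", 9800.00, "2014-09-05", "GB33CNTS0000000000003"),   # supplier has no contract
    Invoice("SUP-404", "INV-4001", 300.00, "2014-09-06", "GB44UNKN0000000000004"),    # supplier not in master at all
]


def audit_invoices(invoices, master):
    """Return (invoice_no, finding) pairs for every invoice that must be held for review.

    Checks, in order: supplier exists in the master; supplier is on contract
    (maverick spend); pay-to account matches the master (stale or tampered
    banking details); exact duplicate invoice number; and near-duplicate
    (same supplier, amount and date under a different number).
    """
    findings = []
    seen_exact = set()                 # (supplier_id, invoice_no) already in the batch
    seen_near = defaultdict(list)      # (supplier_id, amount, date) -> invoice numbers
    for inv in invoices:
        supplier = master.get(inv.supplier_id)
        if supplier is None:
            findings.append((inv.invoice_no, "unknown supplier"))
            continue
        if not supplier["on_contract"]:
            findings.append((inv.invoice_no, "off-contract spend"))
        if inv.pay_to_iban != supplier["iban"]:
            findings.append((inv.invoice_no, "bank details differ from supplier master"))

        key = (inv.supplier_id, inv.invoice_no.upper())
        if key in seen_exact:
            findings.append((inv.invoice_no, "duplicate invoice number"))
        seen_exact.add(key)

        near_key = (inv.supplier_id, round(inv.amount, 2), inv.date)
        earlier = seen_near[near_key]
        if earlier and inv.invoice_no.upper() not in earlier:
            findings.append((inv.invoice_no, f"possible duplicate of {earlier[0]} (same amount and date)"))
        earlier.append(inv.invoice_no.upper())
    return findings


if __name__ == "__main__":
    for invoice_no, finding in audit_invoices(INVOICES, SUPPLIER_MASTER):
        print(f"{invoice_no}: {finding}")
```

The bank-detail comparison is the control the text calls "incorrect payments due to out of date supplier banking information": the check only works if the master is the one place account changes are approved, which is why it is paired with the single-source-of-truth item. A change to the master itself should go through a separate approval path that the batch check never sees.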

IMPACTS OF INTERNAL P2P RISK

There is a significant risk in implementing poor or inadequate internal P2P controls. By following best practices and recognizing the risks, financial services institutions can limit the impact of risk.

The consequences of internal risk include more than paying too much for goods and services. Internal P2P failure impacts also include:

• Reduced margins and EPS

• Business interruption from failed suppliers

• Additional costs to replace resources

• Increased management time

• Loss of customer goodwill

• Reputational damage

• Adverse stakeholder reactions including analyst downgrades


Positive impacts from proactively managing Internal P2P risk can include:

• Increased contract compliance and lowering of expenses

• Improved efficiency from process automation and controls through technology

• Improved negotiating leverage with suppliers

• Improved payment accuracy and supplier satisfaction

• Reduced losses from fraud and P2P mismanagement

• Increased ROI from technology investments

The good news is that the proper controls are well understood and defined. Institutions must compare their framework against best practices, and implement the technology solutions necessary to put them into action.

PROCUREMENT & RISK — THE EXTERNAL PERSPECTIVE

WHAT’S DIFFERENT TODAY?

Internal risk will always be an invasive and prevalent quality of financial services institutions. To combat internal risk, a comprehensive risk management strategy must be implemented using the aforementioned best practices. In addition to internal risk, external risks pose a serious threat to the health of institutions. External risks include supplier financial health, third party payment fraud, and many others. Unfortunately, avoiding negative exposure from these risks has become difficult. The combination of an increase in external P2P risk factors (with a drive for institutions to focus on core competencies) and the outsourcing of many P2P-related functions has intensified an organization’s exposure to external risk.

SPECIFIC EXTERNAL RISK ELEMENTS

External P2P risk factors include expansion in already existing risk areas, as well as the addition of new risk elements. Organizations that rely solely on existing risk management frameworks and infrastructure are putting their assets and institutions at a significantly increased risk. To anticipate new risks, organizations must become thought leaders; they must be able to predict which risks will have a major impact on their institution. Today, the new or expanded drivers of increased external risk include:

• Regulations & Compliance – Regulations have been a risk factor for all institutions since oversight began. What’s different is that both existing and new regulations have been promulgated, which include the actions and inactions of suppliers and third parties. As a result, institutions must now expand their risk purview to include a much deeper set of relationships and impacts. More on this in the next section.


• Economic, political, and environmental risk – As institutions expand their global footprint via M&A as well as organic expansion, they are much more exposed to economic, political and environmental risk. This new risk comes not only from their own operations, but also from the increased number and complexity of supplier relationships.

• Data Privacy & Security – Data privacy and security is becoming difficult to implement. With the growing trend of outsourcing operations, many organizations’ enterprise data and P2P functions must reside outside of the firewall. This introduces not only additional regulatory risk, but also the risks associated with third party data breaches.

One of the results of this augmentation in third party related risk is a focus on the supplier network. Institutions find themselves faced with a new list of supplier issues including:

• How stable are your suppliers?

• What happens if one fails?

• What happens if one defrauds you?

• How do you mitigate legal, insurance and ethical risks associated with your suppliers?

• Are you collecting data on the actions and policies of 3rd/Counter Party Relationships?

• Do you understand the multiple layers of supplier interactions of these parties?

• Do you have policies that address compliance due diligence, and do you communicate these policies to suppliers and 3rd parties?

For many, the viability and performance of their supplier base is the foremost risk to ongoing business operations. And there is more at risk in external relationships than cash. Many regulatory failures provide for criminal prosecution as well as fines, and the impact on brand reputation can be severe. The list of risk impacts continues to grow and includes:

• Compliance fines & penalties

• Brand & reputational damage

• Competitive losses

• Criminal prosecution of executives

• Loss of government preferences

• Lost revenue & liquidated damage claims

• Increased management time & effort on risk mitigation

• Adverse stakeholder reactions including analyst downgrades

REGULATORY COMPLIANCE

This paper has already explored the dramatic expansion of global regulatory compliance requirements, but as external risk factors grow, it becomes increasingly important to narrow our scope and gain a deeper understanding of several significant risk factors.


OCC 2013-29

In 2013 the US Office of the Comptroller of the Currency established OCC 2013-29, a reactive measure against the dramatic surge in risk to financial institutions from third party relationships. OCC 2013-29 is an influential document and provides a valuable framework for our discussion; it directly addresses the impact of external risk mitigation on an institution:

“The Office of the Comptroller of the Currency (OCC) expects a bank to practice effective risk management regardless of whether the bank performs the activity internally or through a third party. A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.”

This graphical representation provides a visual of the Risk Management life cycle as defined by OCC 2013-29:

FOREIGN CORRUPT PRACTICES ACT (FCPA)

The FCPA is a US federal law enacted in 1977. Its primary purpose is to prohibit companies from paying bribes to foreign government officials and political figures. Violations are subject to both criminal and civil actions, resulting in fines and prison sentences. Foreign companies and nationals violating the act while doing business in the US are also liable. There are two main provisions of the act: the anti-bribery provision and internal records and process standards. Anti-bribery provisions prohibit companies from giving money, gifts, or anything of value to obtain or retain business. Internal records and process standards require companies to keep accurate records and maintain clear, accurate, and adequate controls with employees and trading partners (including suppliers, intermediaries and subsidiaries) to protect against improper payments or influence.


There are regulatory fines and potential prison terms for executives convicted of violating anti-bribery and corruption laws. For example, Germany-based Allianz SE agreed to pay more than $12 million in fines to settle US SEC FCPA charges and avoid any potential criminal prosecution.

THE BRIBERY ACT OF 2010

The UK Bribery Act of 2010 provides a regulatory and compliance framework that goes beyond both the US OCC regulations and the US FCPA. The key differences include:

• Private Individuals vs. Governmental Officials – FCPA addresses bribery of government officials, whereas the Bribery Act covers any form of bribery including the receipt of a bribe.

• Extended Liability – The Bribery Act creates a strict liability for failing to prevent bribery. Companies will be liable if anyone acting under their authority is involved in bribery. This can include employees, consultants, agents, subsidiaries and joint venture partners.

• Entity Coverage – And perhaps most importantly, the Act has extra-territorial application, applying not only to UK corporate entities, but also to overseas companies who carry on business in the UK.

EVEN MORE — ALPHABET SOUP

And of course, there is a long list of other related regulations financial institutions have been dealing with for many years that address bank secrecy, money laundering, unfair and abusive acts, etc. (Gramm-Leach-Bliley Act (GLBA), Bank Secrecy Act (BSA), Anti-Money Laundering (AML), Unfair, Deceptive, or Abusive Acts or Practices (UDAAP), etc.). Their relevance to this discussion relates to the overall impact of external risk and, as we will see, the particular role that supplier and third party relationships play.

REGULATORY COMPLIANCE — IMPACT ON RISK

While OCC 2013-29, the FCPA, and the Bribery Act of 2010 provide a critical element of a risk management framework from a regulator’s perspective, it’s important to note the role of the procurement organization in building, managing and reporting on these elements. Third party relationships represent large potential risk across the entire institution, and procurement owns, or should own, the lifecycle of these relationships. As such, it is procurement that must expand its definition of risk to include the related compliance components.

PROCUREMENT EXTERNAL RISK — DIFFERENT ILLNESS, DIFFERENT CURE

When it comes to external P2P and institutional risks, organizations are faced with a key difference as compared with internal risk: visibility. Whereas internal factors are almost completely transparent and under the institution’s control, external risk introduces significant opacity and less visibility, and demands ways to increase control. External risk is less about developing and implementing new policy and more about driving visibility into partner business practices, environments and actions in order to replace direct control. This requires introducing new frameworks and tools into the institution to augment or replace existing risk management infrastructure. Primary considerations should include:


• New Tools & Processes – Any extension of risk management to include significant external factors requires a change in risk technology perspective. Some institutions have deployed solution suites from Governance, Risk and Compliance (GRC) vendors to help them manage internal risk. While these suites do address traditional risk elements, their extensions for supplier and third party risk are typically incomplete and not well integrated with other enterprise infrastructure. A serious approach to external risk, and P2P risk in particular, requires a comprehensive supplier information management system that combines robust risk and compliance process management capabilities with deep internal and external system integration. Partner risk data often comes from third party sources and must be easily integrated into an overall risk perspective.

• Risk Framework – The core of a successful P2P risk management approach is a robust risk framework that identifies a risk hierarchy comprised of individual risk elements, their characterization based upon impact analysis (how big is the impact of a failure), vulnerability analysis (how likely is the risk to impact the organization), measurement criteria (can it be quantified and a metric assigned to it) and its relationship to other risk factors within a given risk category or profile. This framework must be flexible and easy to evolve as the business environment evolves.

• Mitigation Plans – Understanding and quantifying risk is necessary but not sufficient. The institution must use the risk framework to build risk mitigation plans that can then be linked to each significant risk element. These plans will be triggered by the risk management system as appropriate in order to improve reaction time and reduce the impacts of a failure.

• Automation – The risk framework must also be tied to monitoring of the key risk indicators and metrics with automated management alerts, mitigation plan triggers, and clear process workflows to manage the implementation of risk avoidance and mitigation activities.

• Management Dashboards & Predictive Analytics – Risk monitoring must be easy, focused and preventative in nature. Risk dashboards that provide both summary risk performance metrics as well as the ability to drill down into more granular metrics and factors will give both senior executives and line managers the visibility they require to effectively identify and manage risk, even across external factors. Predictive analytics are a relatively new risk management capability that builds on the risk framework and the collection of real-time data to predict the probability of a risk failure before it happens. This allows the institution to adjust its activities to avoid or mitigate a failure accordingly.
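The Risk Framework, Mitigation Plans, Automation and Dashboards & Predictive Analytics items above describe one connected mechanism: each risk element carries an impact rating, a likelihood rating, a measurable key risk indicator (KRI) with a threshold, and a linked mitigation plan; monitoring compares the KRI against the threshold and triggers the plan. The block below is an added example written for this page, not code from the white paper or from any GRC or supplier information management product. The four risk elements, their ratings and thresholds, the KRI histories, and the linear extrapolation used as a stand-in for predictive analytics are all constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskElement:
    name: str
    category: str        # node of the risk hierarchy, here "internal" or "external"
    impact: int          # impact analysis: 1 (minor) .. 5 (severe) if the risk materialises
    likelihood: int      # vulnerability analysis: 1 (rare) .. 5 (expected)
    kri: str             # measurement criterion: the key risk indicator that quantifies it
    threshold: float     # KRI value at or above which the mitigation plan is triggered
    mitigation_plan: str # the linked plan the system triggers


def score(elem):
    """Impact x likelihood on a 1..25 scale (the common risk heat-map scoring)."""
    return elem.impact * elem.likelihood


# Constructed framework; a real one is institution-specific and far larger.
FRAMEWORK = [
    RiskElement("Supplier financial failure", "external", 5, 2,
                "supplier_credit_score_drop_pct", 20.0, "Activate alternate-supplier plan"),
    RiskElement("Third-party data breach", "external", 5, 3,
                "open_high_findings_at_supplier", 1, "Suspend data feed and invoke breach clause"),
    RiskElement("Off-contract spend", "internal", 2, 4,
                "maverick_spend_pct", 10.0, "Route requisitions to the approved catalogue"),
    RiskElement("Duplicate payments", "internal", 3, 3,
                "duplicate_payment_rate_pct", 0.5, "Hold payment run for AP review"),
]

# Constructed KRI histories, oldest to newest, as a monitoring feed would supply them.
KRI_HISTORY = {
    "supplier_credit_score_drop_pct": [10.0, 16.0, 25.0],
    "open_high_findings_at_supplier": [0, 0, 0],
    "maverick_spend_pct": [6.0, 8.0, 12.5],
    "duplicate_payment_rate_pct": [0.0, 0.25, 0.375],
}


def projected(history, steps_ahead=1):
    """Naive linear extrapolation from the last two readings (stand-in for a real predictive model)."""
    if len(history) < 2:
        return history[-1]
    return history[-1] + (history[-1] - history[-2]) * steps_ahead


def evaluate(framework, history):
    """Alerts for elements whose latest KRI reading meets the threshold, highest score first.

    An element with no KRI data is reported too: a risk you cannot measure is
    itself a framework gap, not a green light.
    """
    alerts = []
    for e in framework:
        readings = history.get(e.kri)
        if not readings:
            alerts.append({"risk": e.name, "status": "no data", "score": score(e), "plan": None})
            continue
        if readings[-1] >= e.threshold:
            alerts.append({"risk": e.name, "status": "triggered", "value": readings[-1],
                           "score": score(e), "plan": e.mitigation_plan})
    return sorted(alerts, key=lambda a: -a["score"])


def early_warnings(framework, history):
    """Elements still under threshold whose projected next reading would cross it."""
    return [e.name for e in framework
            if history.get(e.kri) and history[e.kri][-1] < e.threshold <= projected(history[e.kri])]


def dashboard(framework):
    """Summary view per hierarchy node; drill-down is the per-element alert list."""
    summary = {}
    for e in framework:
        node = summary.setdefault(e.category, {"elements": 0, "max_score": 0, "total_score": 0})
        node["elements"] += 1
        node["max_score"] = max(node["max_score"], score(e))
        node["total_score"] += score(e)
    return summary


if __name__ == "__main__":
    for alert in evaluate(FRAMEWORK, KRI_HISTORY):
        print(alert)
    print("early warnings:", early_warnings(FRAMEWORK, KRI_HISTORY))
    print(dashboard(FRAMEWORK))
```

The point of keeping the threshold and the plan on the element itself is that the trigger is reviewable: an auditor can read off, per risk, what is measured, at what value it fires, and what happens when it does. The extrapolation is deliberately crude; what a real predictive capability adds is a better estimate of the next reading, not a different trigger mechanism.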

ARE WE THERE YET? WHO OWNS THE PROBLEM?

The short answer to the first question for most institutions is no. Everyone is on the road, but progress varies greatly. Many companies still carry a great deal of risk: one risk management team does not communicate or integrate well with another (or more); manual spreadsheets are used for collecting and tracking risk information, often weeks or months after the data has real-world significance; and risk management strategies are unbalanced, heavily weighted to internal risk vs. external, to one geography vs. another, or to one set of risk factors (e.g. P2P, or financial, etc.) vs. a holistic approach.


One of the barriers facing financial institutions in effectively managing risk, especially P2P risk, is defining who owns the problem. Many functions across the organization own or are impacted by P2P risk, such as the COO, the CFO, the CPO, the CCO (Chief Compliance Officer), often under the guise of GRC solutions, and others. While the CPO tends to have a vested interest in all of the external risk factors, the correct executive to address risk factors depends upon your organization. Key factors in making a selection include: ensuring the executive has sufficient power in the organization, which typically demands a C-level title; giving the executive a global risk purview, since risks, especially external ones, come from around the globe; and understanding that the executive will have a cross-functional impact that goes beyond procurement to touch all parts of the organization.

WHAT SHOULD YOU DO?

We’ve touched upon some of the requirements for effective P2P risk management in other parts of this document, but let’s take a look at some specific actions you should be taking. We’ll begin with some overall considerations and then move to a few specific best practice items.

OVERALL P2P RISK MANAGEMENT CONSIDERATIONS

• Don’t wait until you’ve had a failure to create the business case for action on a comprehensive risk management strategy for your institution. You would rather be over-insured in terms of risk preparedness than under.

• Define your risk management gaps. All institutions are doing some risk management, so map your risk strategy goals against where you are today and build a prioritized roadmap to get there. This is where impact analysis and vulnerability analysis come into play.

• Keep your initial transition scope manageable to lead to early success and pave the way for follow-on phases. Remember, this will be a continuing journey.

• Establish the key risk metrics and related communication plans across the institution as part of your risk framework development. Involve all affected functions.

• Increase the priority of supplier and third party/counterparty risk management elements. Your biggest new risks are coming from this area.

BEST PRACTICE CONSIDERATIONS

• Select and implement a comprehensive P2P and risk management technology solution. You may be able to build on what you have, but remember supplier-related risk is the fastest growing area, so a single source of truth for supplier information management is crucial.

• Expand your risk information sources. Internal information is important and easy to gather, but external data from suppliers themselves as well as third party sources is the only way to get deeper visibility and ultimately move to predictive analytics. Also be sure to include subjective as well as objective measures. A survey of opinions regarding a supplier or a category/market can reveal information not yet available to objective measurement.

• Increase the granularity of your data gathering. Macro views are important, but don’t forget the value of individual data points.

• Link triggers and alerts to rectification and mitigation plans directly. Take the human delay out of the process where possible to improve response time and minimize negative impacts.

• Conduct regular internal and external audits of processes and facilities. Sometimes nothing beats boots on the ground.

• Move to predictive KPIs and best practices as they continue to evolve.

The bottom line on P2P risk in financial service institutions is to expand your definition of risk, embrace external risk factors as a major part of your P2P risk management strategy, and implement comprehensive risk management frameworks and software technology to keep your institution ahead of the risk curve.

ABOUT SCIQUEST

SciQuest (Nasdaq: SQI) is the leading public provider of spend management solutions delivering value beyond savings. Through the continued release of key innovative technology and a fanatical drive toward making our customers successful, we deliver exceptional value in user experience, productivity and operational efficiency. Our cloud-based, mobile-enabled, source-to-settle platform addresses all stages of procurement from the automation of core processes to enabling sophisticated, strategic and multifaceted sourcing solutions. We specialize in handling simple procurement needs to the most advanced supplier and supply chain requirements. SciQuest serves a wide range of industries and organizations including many of the Global Fortune 500.

FOR MORE INFORMATION, visit www.sciquest.com.

TO JOIN THE CONVERSATION, please visit our blog at http://www.sciquest.com/blog or follow us on Twitter @SciQuest.

888.638.7322 : : sciquest.com