See this on-demand webinar on Supplier Risk, "What Every Procurement Professional Should Know About Supplier Risk Management: The IBM Story." You will learn: -Precise framework around supplier risk management and why and where it’s needed -How IBM manages supplier qualifications, compliance, financial continuity and supplier code of conduct -Common mistakes made and solutions to supplier risk management View here: http://procureconwest.wbresearch.com/the-ibm-story-mloc-h-iframe

1. © 2014 IBM Corporation
What Every Procurement
Professional Should Know About
Supplier Risk Management:
The IBM Story
Presented by :
Lou Ferretti, Project Executive, Product Environmental Compliance &
Supply Chain Social Responsibility
Bill DeMartino, Practice Executive, Supplier Management

2. © 2014 IBM Corporation© 2014 IBM Corporation
Meet our speakers for today
2
Lou Ferretti is the project executive for developing and leading these global and
strategic programs within IBM’s Integrated Supply Chain and across IBM’s
global supplier network. He is also ISC’s representative to IBM’s Corporate
Crisis Management Team. His work has received numerous external and internal
awards. Prior to Lou’s current work, he was on assignment in Singapore as
director of Production Procurement’s Outsourced Supply Chain Operations,
overseeing IBM’s $6 bn “buy/sell” procurement spend. Before this Lou was
named to IBM’s Executive Pandemic Steering Committee – developing policies
and implementation plans. And just prior to that, Lou headed up Procurement’s
end to end Y2K supplier global readiness program. Lou has held senior
management/executive positions in Engineering, Procurement, Materials
Management, Supply Demand and Operations.
Bill DeMartino, as a Practice Executive for IBM Emptoris, Bill leads the
company's efforts to bring world-class Strategic Supply Management solutions
including Supplier Lifecycle Management and Spend Analysis to the
marketplace as well as working with its clients to ensure the success of their
initiatives. While with IBM, Bill has been in charge of the delivery organization for
the Spend Analysis solution, held a leadership role in Product Management as
well as heading the efforts to bring Supplier Management solutions to market,
giving him a unique insight to the solution space. Prior to Emptoris, Bill held
leadership positions in Product Management and as a Technical architect for
leading Product and Services organizations.

3. © 2014 IBM Corporation© 2014 IBM Corporation
Agenda
 Introduction of supply risk management framework
– Challenges
– Solution
 IBM Best Practices of Supplier Risk Management
 Q&A
3

4. © 2014 IBM Corporation
Risk Management is an Imperative
4
• Global Sourcing
• Deeper Outsourcing
• Lean Operations
• Emerging Markets
• More Volatile World
• Increasing Regulatory
Requirement
• Surging Social Media
Business
Environment
• Supplier Compliance
• Supplier Financial
• Contract/Legal Risk
• Supply Chain Risk
• Social Stability
• Natural Disaster
• Sub-tier Supplier Risk
Increased
Risks
Weak
Programs
Procurement
failed as
Gatekeeper
World
Class
Programs
Procurement
protects
shareholder
value
Poor performing risk management
programs can impact share value as
much as 8%

5. © 2014 IBM Corporation
Supplier Failure
Currency
Political
Fuel Costs Social ResponsibilityIntellectual Property
Attrition Rates
Labor Disputes
Environmental Regulatory Compliance
Product Safety
Taxes Responsiveness
Brand Impact
Labor Costs Geophysical
Varied & Growing Risk Exposure
5

6. © 2014 IBM Corporation
RISK
MANAGEMENT
GLOBALIZATIONINCREASING
CUSTOMER
DEMANDS
60% 56%
43%
Customers have
increased demand
for more: right
product, right
place, right time,
right price, sooner.
Process, data, and
technology are
identified as the
roadblocks to good
risk management,
yet they are the
key enablers.
Lead times,
delivery, and quality
are top challenges,
but overall
globalization has
been a positive
boon for the
leaders.
SUPPLY
CHAIN
VISIBILITY
70%
Supply chain
visibility is inhibited
by a lack of timely
data and too much
data to digest.
COST
CONTAINMENT
55%
Fighting integral
costs might be
futile, but being
flexible can
identify cost
savings
elsewhere.
Source: IBM Institute for Business Value
IBM Chief Supply Chain Officer Study:
Identified Five Top Challenges
6

7. © 2014 IBM Corporation
Risk Management Paralysis
7

8. © 2014 IBM Corporation
Risk Management Approach
8
#1 Supplier Compliance
Focused on the first tier supplier
Ethics Sustainability
#2 Supply Risk Measurement
Score suppliers, category and regions
#3 Supply Chain Risk
Focused on parts, logistics, n-tier
Comprehensive Risk IndexingRisk Measurement
Contingency Quality
Finance Regulatory
Sub-tier Critical partsLogistic hubs

9. © 2014 IBM Corporation
Supplier Compliance
9
Policy & Regulations
 BU/Category
specific
assessments
 Approval based
on business
requriements
Performance Management
 Cross-functional
evaluation
 Determines strength
and weaknesses for
comparison
Supplier assessed on: Supplier evaluated on:
 CSR & Code of Conduct
 Environmental & Conflict
Minerals
 Financial
 Contingency
 Quality
 Logistics
 Technology
 Ability to Ramp Output

10. © 2014 IBM Corporation
Control: Ensure only approved suppliers are utilized
Supplier on-boarding and SIM
Registrations
and assessments
Supplier master
and control center
3rd party
data provider
Master
Registered
Suppliers
Contracted suppliers
Approved
suppliers
Supplier Compliance
10
Sourcing
Execution
systems
Contracts

11. © 2014 IBM Corporation
Supply Risk Measurement
11
Supplier Risk
 Real-time flexible
risk models
 Internal specialists
or 3rd party feeds
 Monitoring &
alerting
Supplier assessed on:
 Labor & Health
 Physical Security
 Ethics
 Strategic Importance
Compliance

12. © 2014 IBM Corporation
Supply Risk Measurement
12
Category assessed on:
 Special handling /
packaging / dangerous
goods
 Pricing escalation, volatility
 Upstream / raw material availability
 Legal regulations (conflict minerals)
Category Risk
Region assessed on:
 Corruption perception
index ranking
 Social, civil, political unrest
 Currency Stability
 Country economic trends
 Country infrastructure
Region Risk

13. © 2014 IBM Corporation
Supply Risk Measurement
13
Compliance
Supplier
Risk
Category
Risk
Region
Risk
Total Supplier Risk
Overall risk score for a supplier

14. © 2014 IBM Corporation
Supply Chain Risk
14
Multi-tier
Incident management
Logistics
Part / Ingredient
Tracking of risk on
transportation hubs
Track disasters and risk events
Manage scope and mitigation
Assessment & monitoring
of sub-tier suppliers
Critical part management
Part impact analysis

15. photo of the "Ital Florid by NASIM4248
© 2014 IBM Corporation 15
What Every Procurement Professional Should
Know About Supplier Risk Management
Louis Ferretti
IBM Iintegrated Supply Chain, Project Executive
Product Environment Compliance & Supply Chain Social Responsibility July 24, 2014

16. • Business processes in the Cloud
• Mobile/ubiquitous computing decreases
reliance on people creating information
• Analytics gives rise to intelligent systems
that make decisions automatically
• Unprecedented interaction/collaboration
• Mega cities, mega regions and mega
corridors; where most business will
occur
• Globalist employees replace less effective
approaches
• Technology rules and understanding of
intersection between physical and virtual
worlds increases
• Managing market and political
uncertainty is more complex than ever
• Accelerating global shifts pose new
risks; resiliency/responsiveness
differentiate
• Evolution to a holistic view of risk
management
• Risks can be hedged through intelligence
Technological
Progress
Risk
Complexity
• Sustainability is an imperative
• The future sustainable enterprise provides
significant and measurable benefits to
operational efficiency, growth & the brand.
• Consumer demand & government
regulations mandate product lifecycle
GHG, energy, water, waste mngt
Sustainability
Imperative
• Economic power shifts to Asia
• The development of Growth Markets
lead the world’s growth
• Real time business to business decisions
and collaboration in an open environment
• Outsourcing will continue to accelerate as
businesses seek to optimize operations
Globalization
Redefined
• Customers thrive on knowledge and
wield unprecedented power
• Consumers are busier and are demanding
– and receiving – more information before
making their decisions
• Consumers have more power to reward or
punish and want their consumption to
match their values
Informed
Customer
Informed Customer
Population
Migration
Source: IBM Institute for Business Value
16
Major factors affecting the enterprise today
Six mega-trends impacting enterprises around the world

17. External Environment
Senior
Leadership
Approval and
Ownership
Business Strategy
Operational Model
Financial Model
Emerging
Risks
LowMedium-LowMedium-HighHigh
HighMedium-HighMedium-LowLow
 Sample
 Sample
 Sample
 Sample
 Sample
 Sample
 Sample Sample
 Sample Sample Sample
 Sample
 Sample
 Sample
 Sample Sample
 Sample
 Sample
 Sample
LowMedium-LowMedium-HighHigh
HighMedium-HighMedium-LowLow
 Sample
 Sample
 Sample
 Sample
 Sample
 Sample
 Sample Sample
 Sample Sample Sample
 Sample
 Sample
 Sample
 Sample Sample
 Sample
 Sample
 Sample
Impact
Likelihood
Reputation
Board / Audit
Committee
Review
Relationship with critical suppliers:
Ability to manage the end-to-end supply chain,
including the dependency on critical suppliers
Risk
Management
Competitive
Advantage
Enablement
Effectiveness
Program
and Practices
Leadership
Report Communicate
Monitor Implement
External
Research
Executive
Interviews
 A systematic approach to Identify, Assess and Address risk
 Enterprise-wide view
 Focus on both hazards and missed opportunities
 Improve business results and drive competitive advantage
17
IBM has developed a robust Risk Management program
– and Supply Chain risk management is an important focus area

18. 18
How “Risky” is the Supply Chain ?
Supply chain failures continue to be the top concern for
US and Canadian business leaders. …
The CHUBB Multinational Risk Survey finds that
 ….. Businesses cite supply chain failure as the top
concern. …
 ……[only] 56% of the companies report having a
business continuity plan..
… The lack of continuity plans … is disturbing
From Inside Supply Management – June/July 2014
Global Trends – news in a changing world

19. Risk Management Model
- Optimize risk management with lowest TCO
19
Prevent MitigatePlan
Understand
Analyze
Evaluate
Communicate
• Supplier
Selection
• Supplier
Evaluation
• Supplier
Monitoring
Risk Possibility Risk Impact
• Supply
Chain
Remediation
Actions
Supplier Compliance
Supplier Financial Risk
Contract / Legal Risk
Logistics Risk
Commodity Risk
Foreign Trade Risk
Country Corruption
Social Stability
Labor Market Risk
Natural Disaster
Sub-tier Supplier Risk
Supplier Risk
Common Supply Risk
Supply Chain Risk
Risk Landscape Procurement
Managed Risks
Unpreventable
Risks
Total Cost of Ownership
Supply Chain Vulnerability
System Maturity
Supply Chain Resiliency
Desirable
Risks
Continuously Manage and Monitor

20. 20
Initial and On Going Risk Compliance – to legal and internal policies.
• Ethics, Bribery and Corruption
• Import / Export & Embargoed Country Restrictions
• Environmental, Product Safety, Electromagnetic Compatibility (EMC)
• Chemical Management and clean up
• Quality and defective products reporting, corrective action and recalls
• Diverse business relationships
• Data security
• Sustainability and code of conduct
• Financials
• Supply chain risk / business continuity planning

21. 21
- successfully uncover and manage supplier and supply chain risk
• Well defined “on boarding” check list and tool
• Risk profile assessment
• Documented process, line ownership and management system
• Data base / tool to house data and perform computations
• Impact / likelihood weighing algorithm
• Risk ranking methodology
• Mitigation and business continuity plans
• Real time alerts
• Experienced cross functional, multi cultural core team
Key ingredients necessary to

22.  IBM Procurement has always conducted some level of supplier risk assessment
 Financial, single source, logistics – no consistency of assessment one category to another
 Increased global sourcing drove need for a more comprehensive means of assessing
risk especially in view of increased complexity of supply chain and cumulative nature of risk
 Set off to buy tool and service
 RFIs to leaders in supplier risk management – primarily financial, logistics, single sourced
 No one else in industry, asking for a view of total risk (2009)
 Engaged procurement council and several commodities
 Ran pilot with prototyped tool – lessons learned from user team incorporated in final design
 5 Elements: Country, Hub, Supplier, Supplier Site, Commodity
 Use of External Data Source Provider as trusted data source for country, region, hub
 Sourcing provide input on suppliers, supplier site and commodities
 Incorporated iLog Alert feature and Lotus Notes data base for Mitigation Plans
 Deployed to Production Procurement Dec 2010
 Integral part of management system and executive reviews with associated metrics
 Runs 2x/year for existing suppliers
 All new suppliers evaluated at time of on boarding
 All high risk suppliers to have mitigation plans in place
22
Setting the Context – Getting Started and Beyond

23. Our objective is not to eliminate risk, because without risk there is no progress.
Instead it is to ensure we can manage and mitigate risks.
Social
Listenin
g
Market
Intelligence
Social
and
Environmental
Leadership
Business
Analytics
Supplier Total Risk Tool & Process
Risk
Assessme
nt
Risk
Mitigation
Planning
On-going
Risk
Monitorin
g and
Control
• Comprehensive risk assessment
• Ongoing mitigation
Protections against loss of
revenue and profits by minimizing
likelihood and severity of supply
chain disruption
Solution
ISC Risk Management Tools
Managing market and political uncertainty is
more complex than ever
Risks can be hedged through intelligence and holistic view
of risk management
1. Incorporating key
information about
global supply chain
from market
intelligence
communications
2. Augmenting
existing information
not available via
current market
intelligence
processes
3. Listening for
sentiment and
trends for critical
items and events
Recognition
•IBM Outstanding Innovation Award
•Patent for impact likelihood algorithm
•CSCMP finalist for Supply Chain Innovation Award
23
Uncovering and Managing Supplier / Supply Chain Risk

24.  2 x year complete Supply Base Assessment
 Country / Hub / Supplier / Supplier Site / Commodity
 External and Internal Market Intelligence
 4 x year Supplier Cluster Assessment
 Political, Environmental, Terrorism, Labor Risk
 External Market Intelligence
 Real Time Alerts
 Critical elements of the Supply Chain fot Countries,
Hubs, Supplier, Commodities
 External and Internal Market Intelligence
 Additional Market Intelligence Feeds and Actions
 White Paper, Advisories, Weekly Reports
 Bi-Weekly Updates to the Management Team
 Quarterly Briefing to IBM‘s Chief Risk Officer
 Central Repository (aka community) for all Risk Related Topics
 External Data Source focusing on selected growth market countries and hubs
 Providing specialized alerts
 External Data Source Provider searching upstream supply chain re.
 Conflict minerals and rare earth metals
24
Highlights - Risk Process and Management System

25. Risk Mitigation Plans
(via Lotus Notes database)
Plans formulated to address
identified risk
Plans reviewed and approved by
management
Total Risk Assessment Tool
Supplier Financial Risk
Assessment (SFRA) Tool
Supply Chain Risk Entities:
• Commodity
• Supplier
• Supplier Site
• Country
• Hub
Risk Categories:
• Disaster
• Political, Legal & Social
• Supplier Financial Stability
• Security
• Country Economic & Financial
Stability
• Infrastructure, Logistics & Energy
• Environment & Natural Hazards
• Labor & Health
Supplier-Site & Pandemic
Questionnaires
Commodity
Lead
Council Lead
Supplier &
Commodity
Questionnaires
Country & Hub
Questionnaires
Market
Intelligence
External Data
Source Provider
Country & Hub
Questionnaires
Cognos BI Reporting
• Risk ratings by …
Country
Hub
Supplier
Supplier Site
Commodity
• Reports Generated …
Global View
Supply Chain Report
Questionnaire Report
Pandemic Questionnaire
Report
Risk
Identified
SFRA
Total Risk
Assessment Tool
(Determines Risk Rating for
combination of all entities and risks)
Automated email alerts via ILOG
Business Rules
Business Continuity
Planning Supplier
Assessment Ratings
Real Time Alerts from External Data Source Provider
– anytime, re. potential disruption threat
Supply Chain Social
Responsibility Audit
Compliance Reference
25
Total Risk Tool and Process Landscape

26. Categories Supplier Site Supplier Commodity Country Hub
Pandemic 
Disaster Production Stoppage,
Pandemic related
Raw Material
related
War and Civil
Unrest related
Shut Down
related
Communication &
Cooperation 
Environment &
Natural Hazards   
Economic /
Financial  
HR  
Infrastructure,
Logistics & Energy    
Labor & Health  Includes
Pandemic
Political, Legal &
Social   
Product & Market
Requirements 
Quality 
Security 
Strategic
Importance 
26
Categories and Types of Risk Evaluated

27. Supplier Risk Assessment
0.000%
10.000%
20.000%
30.000%
40.000%
50.000%
60.000%
70.000%
80.000%
90.000%
100.000%
0.00% 20.00% 40.00% 60.00% 80.00% 100.00%
L
I
y = 1 / (10 * (x + 0,05)) + 0,1 y = 1 / (10 * (x + 0,20)) - 0,1 Supplier
High Risk
Medium Risk
Low Risk
Impact
Likelihood
27
Look into Risk - Impact & Likelihood

28.  Real time alerts from External Data Source Provider of specific aspects as events
unfolded provided an assessment damage and how quickly supply could be restored
 Based on tool out put, immediately knew number of suppliers in Japan, which
categories affected (e.g. commodities, logic, memory) and what tier supplier impacted
 Able to immediately contact suppliers and understand
- Extent of damage
- Whether in exclusion zone or not
- Ability to produce / maintain measure of supply continuity
- Supplier contingency plans
- Mitigation Actions (e.g. moving manufacturing to alternative locations)
 Can look for supply continuity down through multiple levels of supply chain where IBM
has qualification / sourcing relationships with sub tier suppliers
- Through use of related tool and process
 12-24 hour head start in securing supply and implementation of mitigation actions
28
2011 Japan Earthquake / Tsunami and Thailand Flooding
- Demonstrated value of tool and process

29.  Likelihood Impact Model
 Risk = Probability of Risk Event x Impact to Business
 Heat Map with modified Thresholds
 Thresholds set to capture 10 – 15% High Risk Supplier
 ~95%+ Spend Coverage ($12bn)
 ~650 High to Low Impact Suppliers
 ~2400 Supplier Site-Commodity Combinations
 Main driver Component and Memory
 Subtier Supplier include certified FAB locations
 Differentiation between Fab, Assembly and Test
 Components, Logic, Microcomponents, test
 ~ 60 Commodities Tracked
 From finished Boxes to Assemblies to Chip Families
 ~50 Country and Regions Tracked
 All Growth Markets covered
 ~50 Key Transportation Hubs Tracked
 ~ Main Country Entry and Exit Transportation Points
 ~3000 Supply Chains captured
29
Factoids

30.  Past & Current (examples)
 Bangkok Political Unrest 2009 / 2010
 Russia – Ukraine Gas Dispute 2009 / 2010
 Japan Tsunami and Reactor Melt Down 2011
 Thailand Flooding 2011 / 2014
 Super Typhoon Haiyan – Philippines 2013
 Hynix Wuxi, China DRAM plant fire 2013
 Thailand State of Emergency 2014
 Ukraine political unrest 2014
 Madagascar hurricane 2014
 Chilean earth quake and tsunami 2014
 Mexico City earth quake 2014
 Current and Following
 WTO ruling and China Appeal re. Rare Earth Metal ruling
 Export of ore restrictions
 Continued Focus on Youth Unemployment in Europe
 Youth Unemployment trigger to Social Unrest
 Sanctions on Russia
 Vietnam roits against Chinese businesses
 Thailand Martial Law
Source
http://www.abc.net.au/news/20
14-01-10/fresh-protests-at-rio-
expulsions2c-
demolitions/5193272
Source
http://en.wikipedia.org/wiki/Typhoon_Haiyan
30
Assessment of Major Risk Events

31.  Supplier Sourcing
 Consider Supplier Risk in Sourcing Process
 Use as decision support tool to award
business
 Business Continuity Planning
 Consider BCP Readiness into Supplier Risk
 Inadequate BCP Readiness require Mitigation
Action to Improve Risk Score
 Risk of Flooding
(under development)
 Multiple input parameters like topography,
historical weather pattern, soil type, ...
 Selected Countries
 GPS tagging of Supplier Location
 Publicly Available Data Maps
 Views provided to Sourcing teams
 Use of Mobile Communication
(under development)
 Bi-directional Communication with Suppliers
 Share Risk Events
31
Pro-Active Elements of Risk Management

32. Executive Interest and Support
Vice President and Controller –
 In response to the IBM Board of Directors Audit Committee Meeting, acknowledged our current work is the
right strategy and vision. “The Data Analytics presentation was very well received by the Audit Committee. I
walked them through our strategy, … and wrapped up by outlining the impact of Analytics on the
Enterprise Risk Map. The Audit Committee was very engaged throughout the presentation and
acknowledged that this was the right strategy and vision”
IBM Chief Risk Officer and Vice President Pensions Management –
“I personally reference the tool internally and externally as a prime example of IBM's use of Analytics to
support risk management initiatives which clearly underscores our thought leadership in this area. ”
IBM Corporate Office, Director, Global Risk and Insurance Management –
“This tool has been a huge differentiator for IBM when we present our risk profile to the property
insurance underwriting community. Business Interruption and Contingent Business Interruption are ever
expanding exposures to an organization and not only can impact income to the organization but also our
ability to meet our commitments to our customers.”
IBM VP & Chief Procurement Officer –
“Managing and reducing risk in the supply chain … will be key to IBM’s global growth in the future”
32
Corporate-wide Supply Chain Risk Assessment - viewed as the right
strategy and vision, key to global growth and a differentiator

33.  Risk management is a fundamental building block to a supply chain strategy
 Supply Chain Leaders are integrating process controls in their logistics and
operations, supplier compliance programs and planning process
 Procurement can deliver true value using an intelligent and comprehensive risk
assessment program with suppliers
 A strong supplier / supply chain risk management program, can
- demonstrate to clients that IBM can be a reliable supplier, and
- be a key factor in preserving and growing revenue
- be featured to insurance underwriters as rationale for reduced
premiums
 Objective of these processes is not to eliminate risk
- without risk there is no progress
- instead it is to ensure we can manage and mitigate risks
 “Managing and reducing risk in the supply chain …
will be key to IBM’s global growth in the future”
- John Paterson, IBM VP & CPO
33
Supply Chain Risk Management
– Key Takeaways

34. Q&
A
Lou Ferretti
Project Executive,
Product Environmental Compliance
& Supply Chain Social Responsibility
ferretti@us.ibm.com
Bill DeMartino
Practice Executive,
Spend Analysis & Supplier Management
billd@us.ibm.com
Thank You!
For more information, please visit:
www.ibm.com/procurement-solutions