 for Connect series, leading the digital supply chain. My name is Ira Sager. I'm Vice President of Global Learning Initiatives for the Center for Global Enterprise. This is the sixth and final session in our webinar series of Expert Connects on the Digital Supply Chain. Today we explore two vital topics, risk and competitive advantage, or one single topic. But before we start, as some of you have joined us in the past, a few housekeeping notes. Today's session, as with all the sessions in this series, will be recorded and posted on the CGE YouTube channel. At the end of the presentation, we will have a slide with a link to the Digital Supply Chain Institute website for more information. On our website, you will also find links to the previous Expert Connect webinars. And each one is linked, and we'll take you to the CGE YouTube channel so you can view the previous sessions. We'll leave approximately 15 minutes at the end of this session for audience questions. We'll also take questions during the presentation. So if you have a question for our presenters, at the bottom of the screen, you will see a Q&A feature. Please submit your questions using that function. We will try to get to all the questions time permitting. As mentioned, today's Expert Connect is about risk and competitive advantage. The Digital Supply Chain provides new, more sophisticated ways to manage risk by using technology and data to shift from a reactive mode to preventative control of risks. So in this session, we're going to explore how companies can mitigate risk more effectively, potentially turning risk into a competitive advantage. Leading our final Expert Connect in the series is Craig Moss, the director of CGE's Digital Supply Chain Institute, and the chief operating officer of the Center for Responsible Enterprise and Trade. And joining Craig is Dr. Dave Peres, a research fellow for the Digital Supply Chain Institute, and a clinical professor in the Management Department of Drexel University's LeBeau College of Business. And with that, I'll turn it over to Craig. Thank you. Thanks very much, Ira. Welcome, everybody. Really excited to have you join us for this session. Next slide, please. So as Ira mentioned, the learning objectives for today are really to help you to understand risk in the Digital Supply Chain and what that entails. Two, we want to look at visibility as a very specific issue, and around how you can use improved visibility to look at both performance and compliance of suppliers and reduce the risk there. We want to talk about shifting from reactive to proactive and the use of big data and analytics to accomplish that. And then one risk that clearly is escalating rapidly is around the cybersecurity and the loss of intellectual property, whether it's trade secrets or confidential information. And finally, as Ira mentioned, we want to talk about how you can turn risk management into a competitive advantage and strategically how you would go about doing that. Next slide, please. So first, we're going to start off by looking at risk in the Digital Supply Chain and give you a little background here. I want to start off and really define Digital Supply Chain. This came out of the original work that we did at the Institute, a paper called the Frontside Flip, which if you haven't seen it, you might want to take a look at that. And we really looked at Digital Supply Chain as being a customer-centric platform that was using data and really focused on demand stimulation, which is unusual and kind of a new thought for supply chain. And also then how do you minimize risk in this as you're growing the supply chain and integrating it more into the marketing and sales of the organization? How do you start to mitigate risk more effectively? And that's what we'll be covering today. One of the things that we think about always at the Institute is we broke the framework that we use is really looking at demand, people, technology, and risk. And those are the four issues or buckets that we always think about. And all the work that we do, that's the context for it. Demand, people, technology, and risk. And through this series, we've had other sessions on demand, people, and technology. And today, we're going to zoom in and really take a careful look at risk. But in all the work, the customer really needs to be at the center of your thinking around this. So just to set the stage here, when we think about supply chain risks, I like to bucket it into two broad categories. So one is business performance risks. And clearly, you can see here that these are the types of things that procurement departments typically are very focused on. Things like getting paid, of course, making payments, setting price, on-time delivery. These are all classic things that, from a business performance standpoint, that supply chain people are very focused on and are a risk area. If you look at some of the natural disasters recently, huge disruption, huge issues with business continuity. But then increasingly, over the last 20 years, we have more and more compliance and regulatory risks. And these risks are really driving a lot of behavior in how companies are sourcing. And it really started, I think, probably about 25 years ago, was the first big wave of issues around labor compliance. And that started to come up. And some of the companies in the apparel industry were attacked for using what were called sweatshops in different developing countries. So that's something that, over the years, what's happened is that there's more and more regulation related to it. So now there's regulations in the US around human trafficking, around conflict minerals. All of these things drive behavior in the supply chain and create a new risk between the buyer and the supplier. Recently, as I mentioned before, the things that have really escalated now are things like data privacy, IP protection, and cybersecurity. Europe, with their general data privacy regulations, which went into law in May, has very, very stringent requirements around data protection and data privacy that not only is applicable to your company, but you're responsible for cascading some of this through your supply chain. That's another thing. If you think about this, IP protection, cybersecurity, no company is an island today. And every company has to think about the interrelationship between your organization and other organizations. And most of the regulations require you to cascade it in some fashion to the companies that you work with in your supply chain. Dave, anything you want to add to here? Yeah, well, Craig, I wanted to mention that it's interesting. We started off our conversation by talking about how you can gain performance improvements in your supply chain by having better understanding about customers, by focusing on customers. We can achieve better forecasts. We can meet customer demands more effectively by having increased visibility and information into what customers are doing. But I think what you're also saying is that there's been a rise in some of these regulatory issues around the use of that customer data that we have to be aware of. So yeah, I was going to ask you about GDPR is what you were talking about, that general data protection. That's a fairly recent entry into the regulatory arena. Isn't that right? Yeah, absolutely. It's a European Union law. It was approved about 18 months ago, and then it went into effect in May of this year. So companies had a period of time to try to prepare for it. But some of the things that it does is it, one, it requires an organization to give people the ability, especially consumers, the ability to erase all data that the company holds, which from a technology standpoint is a very difficult task. As you replicate customer data across different analytics platforms, I imagine that you need to be able to trace all of that. Yeah, that sounds like a challenge. Do you think companies are ready for this? I mean, I guess they have to be, right? Yeah, there's been a big push. A lot of the major companies that we've talked with have been making a big push over the last 18 months to try to get ready for it. So we'll see how it goes. And the other thing it requires is an organization to actually have what we'll call a data privacy management system or a set of controls internally that will help them to better manage and mitigate the risk. I think we can go on to the next slide. So there's some critical trends that make all of this more difficult for organizations. So starting at the top, there's more and more sensitive data and confidential data as assets. A lot of companies right now are calculating that probably 75% to 80% of their value as a corporation is in intangible assets and intellectual property. I was just last week working with a major manufacturer. And even though they're a manufacturer, they still count 80% of their value as being tied to IP. The next thing is expanding devices and access points. And this really goes with the next one around dispersed personnel and third parties. If you think about working with, you might have hundreds or thousands of employees and contractors. You could have hundreds or thousands or tens of thousands of third parties you're working with. All of those are points in your supply chain or your overall value chain that have sensitive data and confidential information from you. So that makes it harder and harder. There's more and more endpoints in each company's network or in their supply chain. The other thing that we see is disjointed responsibilities in companies. And I'm going to come back to this in a bit, but it really is there are too many silos in companies. And that's one of the things where we think that the risk mitigation and more effective risk management really entails breaking down silos and creating cross-functional teams. And I'm going to come back to that in a couple minutes. And then finally, as I mentioned before, there's a more and more complex regulatory environment. And so companies now, you might not think that the GDPR laws would be applicable to you, but they might be because you might be sharing information. You might be a US company, but your information is being shared with a supplier in Europe that is covered under those laws. So you would actually be liable for that. And the other thing that overrides risk on the compliance and regulatory side is that in almost all the categories we talked about, you are liable for the actions of third parties. So if we think about corruption risk, for example, most of the cases brought to court and most of the criminal and civil cases involve third-party actions. So that's another thing to keep in mind is the liability that you have for the third parties in your network and what they do. Hey, Craig, quick question. I was just thinking when you had that example of a company that you maybe didn't even know was domiciled or had a nexus in another country, is there a reliable source of information about the domain, I guess, drivers for the different partners that we engage with? We have a value chain. How would we know exactly what the legal nexus or domain of a value chain partner would be to make sure that we're not inadvertently getting ourselves into an out-of-compliance situation? It's a challenge, Dave. And one of the things that companies that we've talked to through the Institute often tell us is visibility is one of the things that they really struggle with. So not only the visibility of your direct suppliers, but then the tier two or tier three. And so it really is a challenge. And one of the things where I think that enhanced technology helps is to increase visibility. But it's a very, very difficult thing. I mean, if you think about like, do you know where your data is stored? If you go in and ask a lot of different companies that, do you know where your data is stored? Many, many companies have no idea. They know it's in the cloud. Some clothes, they don't know where exactly. Yeah, I was going to say maybe that's part of what cloud services needs to adapt to is to be able to identify some kind of residency of where this information is stored. Absolutely. And certain, some countries now are putting in laws related to that is that they want the data to be stored in their country. Interesting. Wow. You can go to the next slide. So just the basics on risk management, I'm sure to many of you, this is very familiar, but really the whole process of risk management is to identify the risks, to assess how serious they would be. And in the assessment, typically, you wanna look at the likelihood or probability of it happening and then how serious the impact would be. So if you balance those two, you could find some risks that are very, very likely to happen but would have a low impact. In other cases, there could be risks that would be very rare occurrence but would be a total fiasco. So if we think about it from a health and safety standpoint, for example, having a huge explosion at a chemical plant is probably a very low likelihood but the negative impact is absolutely enormous. Other things there, somebody slipping and falling and spraining their ankle or breaking their wrist is probably very likely to happen over the course of a year. But the impact other than to the individual is relatively minor. And even to the individual, it's a minor thing. So in all of the risk categories, that's the way that we think you should be thinking about it. And this sort of classic enterprise risk management, likelihood and negative impact. And then from there to prioritize those and then to think about how are we gonna manage these risks? So what controls are we gonna put in place? What kind of systems are we gonna put in place to either reduce the likelihood of it occurring or to reduce the negative impact if it does occur? Craig, quick comment. So looking at this assess piece in the middle, I was having a conversation with a doctoral student recently who's doing some research on this likelihood of an organization taking proactive measures to prevent cyber risk or prevent cyber breach, I guess. And one of the things that was shocking in listening to some of her early research is that there are so many examples that she was able to find of companies that just let certain breaches go because the dollar impact of them was so small. I mean, relatively small. I mean, small for some companies might be $100,000. You know, that sounds like a lot. But I'm curious for your take on this, I thought of you immediately when she talked about this, is this common, do you think, that there are many breaches that are occurring that just are, that they don't achieve this, the threshold of costs for taking action and organizations are letting them go? I would think that that's accurate. And the reason for that is a couple of fold. One is if you start to, if you publicize every breach, one, you're gonna become more of a target. Other people are gonna say, well, so-and-so got in there or people are getting in there, I'm gonna try to get in there too. The other thing is you think about reputational damage from that. So I think in some cases, because any company that reports a large breach suffers reputational damage. Yeah, for sure. I mean, you look at Equifax, you look at Target when it happened to them. And so it really is something that would not be surprising at all. Were you gonna mention the source of the target breach? I thought that was a fascinating story. Yeah, for any of you that are not familiar with it, the target breach occurred through one of their HVAC vendors. So the hackers went into the vendors of the HVAC company's system and through that, because the HVAC company was tied into the target systems, was able to penetrate the target system through there. The other thing that, I mean, for people that are maybe not that familiar with this is that on average, hackers are inside a network for eight months before they're discovered. Because that's what they wanna do, is they wanna penetrate the network and then stay in stealth mode as long as possible to move around and see how far they can get and what information they can gather. Before the actual breach comes when somebody would notice that they were there. So you think about somebody breaking into your house and being in your house for eight months, going from closet to closet and drawer to drawer. They don't want you to know they're there until they figure out where all the good stuff is and then they're gonna grab it and run and then they don't care if you know they're there. So you can go to the next slide. So I wanna throw a question out to the group now as to where do you stand in this? And if we think about risk management, where do you stand? Next slide. What we found in a survey that we did recently, when we asked the question, where is your transformation to a digital supply chain furthest ahead and furthest behind? 64% said they were furthest behind on a risk. So we'll use that as a context setter for the next slide. And I want each of you to think this through. And if you want, you could send in a chat with where you are. That might be interesting, send in a chat to Dave or a question to Dave and Ira about where you are. But the following best describes how we manage supply chain risks. So the first one, we're primarily reactive and address problems in our supply chain as they arise. That clearly is an older way to do it. A lot of companies are still there. Next would be companies that have established a program to address the more common risks and they're starting to think about how to utilize data and technology to improve efficiency. A lot of even leading companies, this is where we see them being is more in this middle level of maturity. And then finally would be where the last point, we use data analytics to seek patterns in our risks and adjust our risk management to reduce or prevent recurrence. So that really is that whole preventative and proactive approach to risk management. Not many companies are here yet, but I think that this is a goal for what companies should be seeking to do. Dave, any comments from you on this one? Well, I think when I look at a maturity model like this that you're sharing, I think in terms of kind of a stage one, phase one, and then another horizon, maybe where we're trying to improve our situation and maybe there's some future state where we have a really satisfactory kind of risk management program. So I guess just from your experience, Craig, when you see companies that are in that first stage, that reactive mode, but they have a desire to move to a more sophisticated kind of mode. How long does it typically take? Is this a matter of months? Is this a matter of years? Just to set expectations for what does good really look like and how long does it take to get there for just on average? Well, one of the things that we advocate with companies and at the Digital Supply Chain Institute, we actually have a transformation accelerator program that anybody who's interested could get in touch with us about. But what we advocate when you're making that transformation from the first level to the second level of maturity is not just tackle everything at once. Oh, right. But pick certain risk areas in that. So say, and typically what we see is on the compliance and regulatory side, companies are further ahead on labor, environment and health and safety because they've been dealing with those things for much longer. So they tend to have relatively strong or mid-level maturity programs in those. We see companies are relatively at an infancy stage on cyber and IP protection in particular, or two areas where we see a lot of weakness. So we would encourage them to pick some things and then start to use data and see how can we improve the efficiency of managing that risk? Whether it's a business performance risk related to like business continuity or something to do with delivery or demand matching and the risk associated with not matching demand or compliance risks is to pick something and focus on it, start to pull the data in there and use that as a stepping stone or a building block to go to the next level. Right, so be strategic about which areas you're investing in for the ones that have the highest risk and you can manage according to that plan. It's almost like a strategic plan of how to develop a risk management strategy. Yeah, very much so. And the sophisticated companies that we work with are really trying to integrate supply chain risk into the overall enterprise risk management framework. Next slide. Yeah, are supply chains behind relative to some of the other areas in organizations when it comes to risk? That's a good question. If you look at some of the risks, like a health and safety risk, there's really an internal risk, it happening in your own facilities or the risk of it happening in a third party. In that case, most companies are much farther ahead in managing it internally. And I think the same with cyber, they're much further ahead at managing it internally than they would be in helping to manage it or managing it in their supply chain. But I think supply chain is inherently an interconnected discipline. So I think that it's really kind of, there's some unique challenges there that they face. Craig, we've got a question coming in from Elizabeth who is asking about if you see certain industries being more risk, it says, do you have a certain industries that are more open to risk or have more risk associated with them from a cyber perspective? Yeah, I mean banking is clearly one of the top ones from a cyber perspective. And the credit card companies are another one that will get targeted quite a bit. And increasingly other companies that have types of intellectual property. So you might have heard about like the Sony breach. You think about a company that is really built on intellectual property. And people are increasingly trying to go at that and get at that intellectual property. So I was working with a manufacturer, very high tech type of items and people try to get at that intellectual, the trade secrets that they have. So I think banking would be number one comes to mind. And then from there is companies or industries where there's high value intellectual property that's in digital form. Right, right. Thanks for that question. By the way, others, if you have questions you wanna pepper those in, just use that Q and A window at the bottom of your screen and start tossing some over for Craig, that'd be great. And Elizabeth, if I didn't answer your question sufficiently if anybody asks a question and I don't answer it sufficiently or you have a follow-up question, just pop it in and we'll take care of it on the spot. So Dave, you mentioned this before what does good look like in risk? So what we think good is gonna look like is using data to reduce the business performance and compliance risk through predictive analytics to be able to predict instead of react. Special focus on cyber and protection of confidential information that's really gonna become more and more important. And if you think about some of the technological trends like think about 3D printing, okay? So suddenly when 3D printing becomes bigger and bigger if somebody can get a hold of your digital files that you're using to produce product through 3D printing they then can produce an identical product to you. Think about that. I mean, the impact of that and the need to protect your information is just going to accelerate through just the one application of 3D printing. And if we think through there's other situations like that that come up. The other thing is we want you to encourage you to strategically segment risks. And I'll end the conversation today with this is where do you want to manage them? And where do you want to excel to become a world leader in managing that risk and gaining a competitive advantage? And that I'm gonna come to a bit later and I'll give you some specific examples. And then finally, we have put together some digital supply chain essential risk metrics. So if you have any interest in that we can make that available to you also. Some of the things that we think companies may want to consider measuring in this new digital world from a risk standpoint. Dave, anything on this before we go to the next topic? Just one thing came up came to mind which is in a global environment, a global playing field. Are there certain countries where this IP risk is greater than others? So if I'm looking to move into a certain part or region of the world, are there additional risks associated with certain regions around, especially intellectual property? Yeah, clearly there are. One, you have to look at the laws that each country would have and then you have to look at the enforcement of the law in that country. And then in other cases, certain countries would require for you to invest in that country or to set up a joint venture in that country, you could be obligated to transfer some of your intellectual property to that country or to the local joint venture partner. How about that? So yeah, it's something that is very, it's not all countries are not the same in terms of IP risk or other risks. I mean, if you look at corruption risk, there it's more a case where the laws are becoming more uniform globally, but the enforcement of the laws is really, really inconsistent in many countries. Is there a good source of information to find out? So let's say I'm developing a globalization, global expansion strategy and I need to start thinking about these issues. Is there a reliable source of information about some of the aspects or dimensions you talked about with different regions, different countries? I mean, I think you would have to do it topic by topic. Yeah. You'd really like the international labor organization, the ILO has good stuff on labor compliance risk. There's indexes of corruption risk that are available, but I don't think there's any one place that where you could go and say, what's the risk of IP protection or cyber or corruption or all the other compliance risks. So it takes some digging, but certainly you could assemble it for any individual country. Gotcha. Let's go to the next slide. So we're gonna talk now a little bit about big data and some ways to start to shift to a more proactive approach to this. Next slide. So one of the things when we were asking companies, this is a survey from last year of about 140 companies, when you're tracking your transformation, what are some of the things that you're gonna be looking at from a risk? And some of these are three of the top, these were the top three things. So if we look, one is they're looking to track, are they getting greater visibility? Two was the speed of sensing or meeting customer demands, which is really a demand related issue. But the next one was use of predictive analytics to reduce risk. So two of the top three things that people wanted to track and work on are really risk related. Getting that visibility is critical. The visibility helps a lot, both from a risk management standpoint, but also it does help you become more efficient in meeting demand. So I think that really goes both ways. Predictive analytics is something that we hear a lot from companies, is how do you start to do that? What do you start to do to put that together and put that in place? Greg, I wonder if I can just interject and ask you a question. Do you, can you sign any examples of companies that you think are moving in the right direction in terms of using predictive analytics to reduce risk? Yeah. I don't like to mention company names in a lot of these cases, but I can mention specific examples. So for example here, if you think about it from a product failure risk, standpoint, there are companies that are doing it in the technology industry and the aerospace industry for quite a while, they've been using predictive analytics to determine when a part is gonna fail. So that's an example that's been around for quite a while and it's now we see companies starting to take that mentality and extend it to new areas. Good. Craig, I just want to add one quick thing because when you mentioned predictive analytics, my ears perk up and one of the really interesting aspects of this whole big data and analytics thrust that you see that it's been going on for a while. It's not brand new, but our sophistication, our ability to execute on analytics strategy is getting better and better as technology is speeding up and allowing us to access pools of information and data that aren't necessarily right in our own servers. So I just wanted to mention that that to get better predictive information or to create it, it requires not only the transactional data that you have right in your own information, your structured data, but it's also bringing in new sources of information unstructured information. So we hear supply chain leaders talking about bringing in telemetric information, weather information is very critical in sort of being able to sense where there could be potential supply disruptions and it's the ability to capture that unstructured information out in the world and bring it into, compare it with what you're doing in your supply chain and to be able to identify where there could be areas to flag, identify where there could be a predictive issue that you need to address. Yeah, absolutely, absolutely. Next slide please. So here are a couple of quick ideas on how do you start to do this and shift from reactive to proactive. So one of the things that we see is the need for cross-functional collaboration to break down silos. We see in companies that data in many cases is still very siloed in companies. Supply chain might have their system, sales and marketing has theirs, product development might have a separate, finance has a separate system and all this data even internally is siloed. So one of the things is, how do you get the people, the different departments together to collaborate and start to share internally? So that's one of the first things that we see and in some of the work we're doing now is we're looking at ways to form teams around rapid problem solving. So that's the first. Next is looking at increasing the visibility into direct suppliers. And we see this as something that companies are really looking at and looking at it in terms of what I say, visibility into, you mean could be visibility into the labor practices in a supplier. It could be visibility into the reduction capacity utilization of a supplier. Because if you look at it from a risk standpoint, one of the root causes of a lot of problems, business performance as well as compliance is factories will take on more orders than they can produce. And when they go over capacity like that, they tend to use unauthorized subcontractors. And we see this globally as a really, really big recurring problem. So once you get into the use of unauthorized subcontractors, what happens there? Think about it from a IP protection. Suddenly you might be thinking I'm dealing with Dave, but Dave has without my knowledge subcontracted Ira to do the work. Dave's giving Ira all the stuff I gave Dave. I thought Dave was gonna protect it, but now I've got a, I don't even know Ira exists. So this visibility is absolutely critical. The next step would be gaining visibility beyond tier one. We think blockchain, this is a potential good use case for blockchain, is this enhanced visibility. And we're running some pilots now on the use of blockchain in this. So that's something we would encourage you to be thinking about is the utilization of blockchain to increase visibility and to get a little bit more accurate and information, information that you can trust. Next would be to utilize, and Dave mentioned this in integrate new data sources, unstructured data, social media data, picking up social media data in a country can give you a lot of indications about what's going on there. It could be causing you potential problems down the road. So for example, around things like local incidents of cyber problems or things like that, local weather patterns, things like that, is to get those new data sources. And then finally to start to think about building algorithms to predict the likelihood of future events. And we're doing work also on algorithms and developing algorithm councils as a mechanism to force this cross-functional collaboration. So these would be some of the key things from a digital supply chain standpoint that we think are some of the basics of moving from a reactive to a proactive approach. Craig, can I add a couple of things? So one of the really good examples I can think of when it comes to social media information giving insights that could be useful from a supply chain perspective is the area around warranty claims. So traditionally warranty claims have been handled when a customer actually contacts you to let you know that they've got a problem with the product that you have been selling them. And if you think about something gets into the supply chain, gets out to customer, gets into a use situation and then develops a problem. We're talking months and months of time to find out that there could have been a manufacturing problem. With social media analysis, some companies are getting very good at this now where they're scraping that social media information and any mention of a product where there is some sort of issue that is reported. Like, you know, all my keyboard is sticking on my W key. And they're able to get out in front of some of those warranty issues by analyzing that unstructured social media data, pulling it in and then flagging if there are multiple instances of mention of certain warranty issues that can get out and identify those sometimes months before you could have with traditional techniques. So that was one mention. The other is this algorithm idea is really fascinating and you know, there's building algorithms. And there's also this idea of machine learning algorithms that, you know, if you're able to create, you know, pools of data, they call them data lakes now where you can find patterns. You can set a machine learning process, you know, start one off on that data lake to try to find patterns, to find, to be able to predict where you might be able to have an issue. I think that's one thing. Gregory does have a question here, Craig. Also, basically he's trying to figure out which industries are the most developed, which was Iris question. And then he's also interested in which industries are least, are behind or maybe in a different phase and have benefited from digital for construction, for instance, is very behind relative to others. Any thoughts on Gregory's question? Is it related to cyber security and IP protection specifically or more broadly? It seems like it's more broadly. If that's not correct, Gregory, shoot me another Q and A to clarify. Yeah, on a broader sense, that's a hard question. Which industries are behind? Maybe take it from the cyber security IP perspective. I think that's the context that we were in earlier. Yeah, from a cyber standpoint, God, a lot of industries are way behind. Manufacturing is pretty far behind as an overall sector. Critical infrastructure, manufacturers that are in the critical infrastructure are a little bit further ahead. The US government is pushing companies that are supplying the US government to become more cyber secure. But so many sectors are behind. I would say food and consumer products are pretty far behind, is the one that comes to mind in particular. Yeah, and that's a risky one, right? You've got any type of food product that has food safety issues, you really need to be able to track and trace the source of this supply. Yeah, let's go to the next slide. So now we're actually gonna talk a little bit about cyber and IP risks. This is a topic that I talked a lot about and do a lot of sessions on this. So I've put together something relatively brief, but if people are interested, we can certainly find ways to follow up with you. So there's really three pillars of IP protection. One would be management systems. And this is the one that most people don't really think about. And that, when I say management system, I'm talking about trained, committed people that are following the procedures. It's not about having a policy, it's about our people doing this. Two would be legal, and that's where a lot of it has always occurred, was through contracts and litigation. The lawyers in the company would get a contract sign, sign saying, this is our intellectual property, we're giving it to you to produce a million units of our product, period the end. And then if they found that there wasn't being followed, they would try to litigate in subcapacity. And then three is IT and physical security. And of course, IT security is more and more important as more of the assets are digital. So that's something that is really important to keep in mind. Management systems is the piece that companies are typically weakest at in terms of overall IP protection. And that is really thinking about the people and process and how do you get people to follow it? So that's something that we could talk a lot about, but I don't think we have time to talk that much about it. Yeah, we talked about training last week and just the people becoming data citizens is what our guest from J&J mentioned. It was a great concept, increasing sensitivity about how data is used and making sure it's protected. And then also within organizations need to know that's one of the things that's really, really important for organizations to think about is that need to know who really needs to know this information. So what's today's situation? So one is, and I'm now focused on IP protection and cyber. Organizations are pretty weak at the risk assessment piece and they don't really know where the assets are. They haven't really prioritized what the most important assets are to protect. And it's a struggle for companies. So if you don't know what is most important to protect, it's really hard to protect everything equally well. And that creates a big problem. The other thing that I mentioned before is silos still dominate. And trade secret protection or confidential information protection is still primarily viewed as a legal issue. Cyber is still primarily viewed as an IT issue. It's starting to change, but it's just at the beginning of that change. And then that cross-functional approach, more people realize it's essential, but it's not really consistently employed. We do see a trend, I'm working with a group of 25 multinationals to talk to them about cyber and what their approaches are. And we do see a trend toward legal IT and compliance, forming a three department collaboration around trying to improve cyber security and trade secret protection, legal compliance and IT. So that's a big step in the right direction. A lot of companies really grapple with the idea of what is appropriate level of controls for a third party to have or for us to have. And we there advocate the idea of a depth and breadth approach. So where are the critical assets or critical suppliers that you're dealing with that you want to go in depth and really have a good understanding of what's going on? But then how do you cover the broad spectrum? If you have 10,000 suppliers, you can't go in depth with everybody. So you have to have a strategic way to understand depth versus breadth. And that's where the good analytics strategy can really help. Absolutely, absolutely. You can pull that data together. Right. Sorry, Craig, we got an interesting question here. Sorry, why don't you finish what you were about to say and then I'll pop the question. Sorry about that. Sure, and then the other thing is that third party risks are high and engagement is low around this. And it's still, we still see a lot of companies looking at this contractual approach to trying to protect digital assets. And there's really a lack of in monitoring to ensure if the obligations are being met. I'll tell you, we're doing some work now with, we're looking at a multinational that has 60 supply chain partners around the world. And what we found is that all 60 signed a contract that had certain obligations around cybersecurity and protection of trade secrets. They all signed it. Zero had the capability to meet the contractual obligations. Wow. So if you think about that, think in each of your companies are the contracts, one, is it being covered in the contract but then two, does the third party have the capability to deliver on that? And most people are just focused on the business side of it. So if somebody does need to be thinking about this, they say they're gonna protect our trade secrets. How are they going to do it? So onto the question then, Dave. Yeah, so Schtenbergen has a interesting question. I think we'll expand it just a little bit if that's okay, Schtenbergen. He's asking, please expand more on the role of the Algorithm Council in helping companies. And I guess I would just add in developing algorithmic solutions to help manage risk, I think would be the right context. And correct me if I'm wrong, Schtenbergen on that. But so I don't know if we've mentioned Algorithm Council yet, but maybe Craig, I'd like to describe that a little bit and then what its role might be in helping establish some good practices around risk management. Sure, yeah, we did mention it a little bit earlier. So what we're doing with the Algorithm Council is looking at forming a cross-functional team of senior people that starts to identify common business problems, the most common pressing business problems from each department's perspective. So you could have supply chain and finance and sales and marketing and product development and HR coming together. And they then collectively are going to identify those common pressing problems that they share. From there would be to start to look at either building or adapting algorithms, identifying what data sources, like in a Greenfield situation, what data sources would you want to be able to get at to really be able to solve this problem and get the different perspectives of it. That council then would be something that would meet on a routine basis to look at the performance of the algorithms, how the machine learning is possibly adapting the algorithms and what the results are and then start to either, one is sustain those first ones that have been built, but then also to continually identify the new most pressing problems that are common to the different functional departments. Yeah, and Gregory has a follow-up to that. I think that fits right in here. So he mentions that silos hold back innovation and then the question is around, what type of organizational structures can be deployed to help break down silos? I think that that's a kind of a cue for algorithm counsel in a way, isn't it? Yeah, and the way that I would look at it is, or the way that I typically look at it and I've worked with hundreds of companies on this basis, is we don't get as involved in thinking about how they need to change their org structure. We get involved in thinking about what short-term project with a definable goal would naturally break down the silos and pull people together to solve a very specific goal and then kind of let it organically go from there. So instead of coming in and saying, you need to change the org structure, we would say, what is the common problem that these departments have? Of course, you gotta get them in the room in the first place, but what are we gonna solve in six months or three months? What's really pressing? And then what we find is that the org structure, the collaboration, the process improvement, all takes place organically underneath the people trying to meet a challenging goal. So let's go to the next slide. We're getting close to the end of our time. What companies are trying to get to with cyber and IP protection is verified trust. So that's really the key thing for you to think about is you do need to be able to trust your suppliers, but how do you verify it? Because what we've seen historically is that relying only on self-assessments or self-certification is not really a sufficient. So you do have to have some way to, in a scalable fashion, to try to get to a verified trust. So again, it gets back to identifying, prioritize what you wanna protect, map the critical data interdependencies. So again, like that target case was a case where it was a supplier that was used as a gateway into the target system. Somebody needs to be mapping where are the access points and how could things get in? And also what data are we sharing or sending out to people? We mentioned before about integrating cyber and IP into supplier selection. So we think that that is something, we see it happening more and more. We think that that's gonna be an ongoing trend and we think that companies will be able to develop a competitive advantage through being better at cyber and IP protection in getting business and gaining investment. Go beyond the contract, we've talked about that and really start to think about how you could assess the maturity of the third parties. What controls do they have in place? Collaboration with a purpose we talk about is do you really need to be able to collaborate with those third parties in a mutually beneficial way? And one of the things that we're looking at, I'm writing some work with Dave on accelerating transformation. And one of the things we're looking at there is the idea of trading data. Like I will give you this data that you want of mine if I can get this data from you. So that's one of the things that we're looking at is how would you do that in a way in sort of a systematic way? And then finally I'm into before the depth and breadth approach. Next slide. So we're now getting to the end and what I wanna just do is and then we have a, there've been some good questions along the way but I do wanna leave a few minutes. Next slide. Is think about turning risk into an opportunity. If you can become excellent at something. If you become excellent at managing a certain type of risk it is a competitive advantage. Next slide. And so what I challenge each company to do is to make a strategic decision. And if you look at that broad spectrum of the risks both the business performance or the compliance risks, what could you turn into a strategic, a competitive advantage? So think about if you're a credit card company. If I'm MasterCard or Visa or AmEx and I become known as the world leader in protecting personal information, that gives me a strategic advantage as a credit card company. If I become, they wouldn't care about being a world leader in environmental protection. It's not part of their core business. If I'm Patagonia or Timberland or North Face and I become known as a world leader in environmental protection in the supply chain, that gives me a competitive advantage because that's core to my brand value. So what I challenge each company to do is to think about your company. Think about your customer base. Think about the risks and where do you wanna mitigate and have an acceptable level of risk management? And where's that one thing that you wanna be world-class and be known as the best? It could be on-time delivery. Whatever it is, we really, really advocate that you think about risk as an opportunity, risk management as an opportunity and not just a cost center. Any other questions coming in? Yeah, so Pepper, those questions in, if you have any. And Craig, I just while we're looking for those questions, I just wanted to mention that it strikes me that this transparency of information trading that's going on with value chain partners, it resembles a negotiation, doesn't it? I mean, you're really, you're sitting down at the table metaphorically and you're saying this is a vision of what a transparent sharing of information would look like. You're sharing this, we're sharing this. And it reminds me of the negotiator's dilemma a little bit though, if you share, but the trading partner doesn't share back, then you've just given away some value and you've weakened your negotiating position. So it really does have to be a kind of a mutual gains discussion with these value chain partners. So I see a question just hanging in around, we talked about management systems and types of controls. And could I go into a little more detail? So what we look at there is if you think about, and it's really common around all the risk areas, there's usually seven or eight different building blocks. So the first one would be the idea of policies and procedures. Next would be having that cross-functional team or who's really managing that part of the risk program. The next one would be the risk assessment piece, which we've talked about a lot. Next would be third-party management, which is really a critical piece. Next would be training and capacity building. So do you have a training program? You can have the best policy in the world, but if there's no awareness of it, it's really not gonna work. The next piece is monitoring. That's something that we see on a global basis as being the weakest area, except in a few isolated cases where monitoring has really become a huge industry like labor compliance monitoring is now a multi-billion dollar industry and they're pretty good at the monitoring piece. And then the final piece is corrective actions. So that's sort of the building blocks. Ira, I guess back over to you to do the wrap-up. Yeah, before I wrap up, Craig, I would just wanna follow up and you've listed a great explanation of risk and turning it into competitive advantage. If I'm listening to this and I'm a supply chain manager and I wanna start implementing some of this, where would you suggest I start? Maybe to get some good examples that I can show management that this is something we need to proceed with and broaden? Yeah, that's a really good question. You mean in terms of like where other companies have done it like case studies that somebody might be able to get? Yeah, either case studies or just from your own experience where you think this is low hanging fruit. If you want to go to your manager and say this is what we need to do and I wanna prove to you that we can have success in bracing this strategy, here's where I wanna start. Yeah, so I think what I always would think about is getting that one key statistic that would really highlight it. So Gartner did a study recently and they said that I think the stat was by 2020, 60% of companies will be assessing the cyber security and IP protection capability of any supplier before they sign a contract. So that's the kind of thing that would get management attention in the beginning and then kind of go from there. Great, thank you. And now that we're a little bit over on our time, I wanna thank Craig and Dave, great presentation. I wanna thank the audience again for following us through the series on the digital supply chain. And I wanna remind you too that you can capture it, I captured it, we've captured it for you, but you can see all the previous recorded expert connects on this topic, you go to the DSEI website, we have it all there, easy link for you. And I also want to put in a plug for another expert connect series that we are launching tomorrow, in fact, at 10 a.m. And this one is on digital identity. This will also be a series recurring and it'll go monthly as of September, but tomorrow's digital identity expert connect will focus on an introduction to the topic, which is another interesting and part of, I think what we've been discussing in digital transformation, because we're all used to identity in an analog world. And as we move to a digital world, the challenges are enormous and it's not just management from a business perspective, there are lots of societal issues and we hope in this series to begin to delve into that. Again, I want to thank everyone and have a good rest of the day. Thanks a lot. Bye-bye. Bye-bye.