Third-Party Risk Management in complex Supply Chains
A straightforward digital identity use-case from the pharmaceutical industry
Continuing our series of industry-specific insights and real-world business examples, we want to share some of the work we are doing to optimize supply chain management in the pharmaceutical sector. What might at first glance seem unique or specific to that sector is widely applicable to other industries without too much translation.
This post will explain the blockchain-enabled third party risk management (TPRM) processes by which suppliers are assessed and administered in a pharmaceutical supply chain. In the course of TPRM processes, suppliers need to disclose their policies, audits and operating procedures, so that their customers can validate compliance data to analyse and manage risks. The size and complexity of a global pharmaceutical empire’s supply chain, and the volume of information that needs to be gathered from all corners and tiers for the end products to be compliant and viable, is increasing over time. Siloed systems for validating this information as if each supplier sold goods to only one client are thus a source of mounting inefficiency, and all parties would benefit from harmonizing processes and fostering wider circulation of verified information to economize these processes and reduce overhead redundancies. The process can be deceptively simple (as outlined in our explainer video), but it’s worth slowing down to think about each of the steps at industry-wide scale to grasp the power of the transition to a more organic and decentralized data sharing system.
Intransparency and regulations drive complexity
In today’s global, outsourced, and optimized supply chains, corporates build up a business network of third parties. Thousands of suppliers, suppliers-of-suppliers and service providers for quality control, assurance and logistics interact in a complex ecosystem with dependent and intransparent processes. Understanding this network poses a major challenge for brands, importers and retailers, who are ultimately responsible for the products they deliver to consumers.
Additionally, regulatory and civil society initiatives make brands indirectly or directly liable for many of the risks incurred in intransparent corners of their supply chains. These initiatives, coming from governments (e.g. UK Modern Slavery Act, Reach), international standards groups (e.g. International Labour Rights) and civil society campaigns (Sum of Us, Nordea, Greenpeace) all combine to pressure global brands to accept and bear end-to-end responsibility for all the labor practices and material footprints of their supply chains.
As a consequence, brands request audits and self-assessments from suppliers to prove their compliance with policies and regulations. Managing these data for thousands of suppliers is complex, costly and time consuming. To organize these third-party risk management processes and their masses of data, brands use management systems. These systems analyse and track each supplier over time, based on due diligence, risk assessments, collaborative corrective actions and roadmaps. The scale at which countless supply chain actors have to prove compliance with countless overlapping regulations and best practices can be staggering to overview, much less orchestrate.
Suppliers have to enter all requested data to the brand’s management system. Suppliers are obligated to assist and accommodate each clients’ specific formats and styles of due diligence processes, risk assessments, collaborative corrective actions and roadmaps. What is centrally administered and simplified for the clients is, for the supplier, a maze of siloed portals, redundant processes, and nearly-identical information being passed to each client.
During each onboarding process, a supplier invests significant time filling out several self-assessment questionnaires, uploading multiple audit reports and providing supplemental data on different company policies and internal procedures. Such an onboarding process requires the suppliers to gather information from different departments throughout their organization, but also subcontractors and service providers. Even after the onboarding process, the supplier continues to invest significant time maintaining this paperwork, since it is obliged to ensure data integrity in each supplier or vendor’s portal.
Hence, the current solutions for third-party risk management focus on process improvements for the brand and are designed to cover 1:1 relationships. But from a supplier’s perspective, it slows down collaboration processes and raises a significant barrier to entry for new 1:1 relationships, disincentivizing broader, shorter-term, or more agile partnerships. Even guaranteeing the integrity of this data over time with a fixed roster of clients is a cost driver passed on to each of them.
An industry-wide consortium for harmonising TPRM
If we consider how similar and redundant the due diligence processes, it would be naïve to leave the saving and efficiency potentials for all stakeholders “on the table” in the current siloed system. Luckily, the elaboration of an alternative is already well underway.
The pharmaceutical and healthcare industry recognized this problem some time ago and has collaborated substantially on optimizing third-party risk management processes for the members of the Pharmaceutical Supply Chain Initiative (PSCI), an industry consortium of 40 major pharma companies. Among other projects, this consortium synchronizes and standardizes the content and format of supplier assessments, in a way that maximizes the sharing and reusing of verified compliance data. As a practical result, brands can now select for the onboarding process of suppliers harmonized self-assessment questionnaires, policies or share audits which are also accepted by other members. The harmonized questionnaires and policies are centrally administered by the PSCI and accessible for all members and their suppliers.
As a key member of the PSCI initiative, our client integrated harmonized policies and questionnaires in their own TPRM system, built in partnership with ServiceNow. Using those questions in their onboarding process has reduced time and costs for our client and their suppliers greatly. The benefits for the supplier are clear: it reduces the investment of time and due diligence by essentially onboarding each supplier once for all PSCI members, with minor supplemental information provided in some cases. As all members have the same questionnaire for all available risk categories, the supplier is able to store and reuse available data extensively.
Improving existing TPRM systems with blockchain
Although the self-assessment questionnaires and policies are harmonized among PSCI members, one problem remains. The supplier needs to maintain its data in the respective TPRM system of each client. To enable automated data integrity, however, data need to be readily transferable across multiple siloed TPRM systems.
As blockchain technology can support decentralised management of data, it is the perfect trust fabric for sharing the verified compliance data of suppliers. In practice, it guarantees data integrity and trust between supply chain actors over time.
Our client initiated a consortium of business and technology companies to enable verifiable and self-sovereign data exchange across supply chain participants. Spherity is contributing its enterprise wallet, based on decentralized, verifiable digital identities, so that suppliers and brands can sign and share data in a secure yet privacy-preserving way.
The core principle of this solution is that every supply-chain actor holds a decentralized identity (DIDs) that signs all of its reusable, verified information in DID-linked documents called “verifiable credentials” (VCs). Brands, suppliers and audit companies have a unique identifier as well, also anchored on the blockchain, that can be used to cryptographically sign data or to open secure channels for data sharing. The identity wallet managing all the identities and verifiable data of an enterprise can be summarized as the “browser” for navigating this blockchain-enabled data exchange. The consortium-governed Sovrin network will be used as the trust fabric for this blockchain-enabled TPRM network.
In the blockchain-enabled TPRM system, we apply Self-Sovereign Identity (SSI) data exchange principles to both individuals and corporate entities. SSI allows individuals to issue, store and selectively prove the authenticity of personal data like ID number, date of birth, address or driver’s license details; they store and manage these sensitive documents as “verifiable credentials” in a personal identity wallet. In the context of blockchain-enabled TPRM, we apply the same principles: a supplier can use its wallet to store its answers to questionnaires, audit reports or operational policies in an enterprise-scale credentialized data model.
This data model means that the brand can verify the submitted data and use its own enterprise wallet to issue verifiable credentials as confirmation that it has vetted and approved the suppliers data to PSCI standards. The verified TPRM data are now stored — together with the credentials issued by the brand — in the supplier’s wallet. These credentials can be reused for the next onboarding process at another brand using an identity wallet. Since all parties benefit from making their credentials reusable, the “identity layer” securing and verifying these credentials functions as a “meta-platform” synchronizing each vendor’s platform or portal. This creates something powerful and efficient: a unified and interoperable data exchange for TPRM data across all supply chain stakeholders on the broader, federated network.
Spherity integrates the functionalities of its enterprise wallets into the existing business processes and TPRM systems of global brands (such as the TPRM systems built by ServiceNow). On the other side of the marketplace, suppliers are able to manage their digital identity and valuable data in a wallet of their own, which is securely accessible via a web service. These self-sovereign, cloud-based identity wallets provided by Spherity can be integrated via exposed APIs into any TPRM system or vendor portal, to enable all supply chain stakeholders to take part in such a verifiable credentials exchange platform.
The interoperability between different wallet providers is a key driver for the success of this solution. For large players like global brands, interoperability guarantees and future-proofs investments at ecosystem scale; for smaller players, interoperability ensures that they truly own their data in a way that is both widely portable and universally verifiable (and thus valuable and useful to the most clients). As we have written elsewhere, Spherity’s entire business is predicated on actively participating in standards bodies to make decentralized identity interoperable and keep it future-proof. We have worked with the W3C for years to cement the foundations of DIDs and VCs protocols, and today we are working closely with the Decentralized Identity Foundation (DIF) to evolve communication protocols for verified data exchange built on those protocols.
Amidst this evolving ecosystem of verifiable data, suppliers can transform their normal compliance and risk assessment data into more valuable new forms like verifiable credentials. These credentials can be shared and verified among different siloed TPRM systems by using enterprise-scale identity wallets, bringing objectivity and verification to their reputation.
If you have any questions about how this kind of harmonization and efficiency could be brought to a cooperative ecosystem without compromising privacy or security, feel free to reach out with any question and set up a demo to see how these tools work. You can also follow us on LinkedIn, Twitter or sign up for our newsletter.