In this special five-part podcast series on innovation in managing third party risk, I am joined by James H. Gellert, the Chairman and Chief Executive Officer (CEO) of Rapid Ratings International Inc. (RapidRatings), the sponsor of this special series. Our conversation focuses on helping companies manage their third-party supply chains through financial health. The RapidRatings approach is incredibly innovative, with a series of products and services that should be considered by the compliance practitioner. In Episode 2, we discuss the issue of criticality in supply chain and how to assess and manage that risk to extend the reach of compliance.

Gellert began by relating that the word “criticality” is used quite a bit in supply chain and broadly on third-party risk. He defined it, “as a means of defining for a company which suppliers are most important.” Yet he also noted it can be defined in different ways at different times. Historically, criticality was more about how much money was spent with suppliers. In practice, this meant the top spend suppliers would be the ones that were most critical. Conversely, suppliers where you were spending a small amount of money were seen as less important. However, Gellert cautioned that while such an approach is still an important part of defining risk management programs “’it’s not the end of the story.”

He explained, “Criticality now really stretches out into a whole bunch of other topics, such as which third-parties, irrespective of how much money you spend with them, have the ability to disrupt your business if they are not performing for one reason or another.” Put another way, “Do they have the ability to sidetrack your business? Does it cause you a disruption that not only has a revenue impact on your organization, but may have a reputational impact on you? What about companies that may have access to your internal IT infrastructure and therefore pose security risks? They may not be a big spend, but they may have the ability to cause a cyber problem for you.” This means that cyber risk is one of the newest and most important risks that companies are focused on. Obviously, this means if a company uses, tracks and maintains private information of its customers or others, any supplier that has access to that information has a another set of critical elements to it.

Subsequently, when organizations are trying to evaluate criticality of suppliers, they may segment them in different ways and create different cohorts of suppliers. For instance, you may want to start with those who can create the most business interruption, those that can create the most reputational risk and impact and those that can disrupt revenue and cost the most amount of money. Gellert related, “all of those are elements of credit, quality, and innovation are really just about the movement of product services. Data analytics and business process that allows companies to manage all of those suppliers and all of those risks in a more cohesive way.”

All of this means that supply chain risk is really about an enterprise-wide risk. It includes, “the sourcing, identifying what companies to work with, perhaps many possible ones and then narrowing it down to the one you want to work with and move forward with the due diligence. The next step is ongoing, continuous monitoring to ascertain that the suppliers that can grow with the business. It is important that with the ups and downs of business cycles it can withstand the shock, coupled with the flexibility an organization needs to make the investments; that the supply chain partner continues to be a good business partner. All of those are really important as companies align with the best possible partners.” Risk management is really valuable for the compliance professional to know it is a part of a long continuous process over the lifecycle of working with a company. Gellert stated, “It’s not just about doing something that’s a part of an onboarding process for really, there’s a lot more longevity and value that can be created when looking at suppliers and applying supply chain risk management best practices.”

One of the innovations which RapidRatings has brought is through its Financial Health Rating (FHR). The FHR allows an organization “to look deeply inside a company and compare it against years of public and private company data. And in order to generate an FHR, RapidRating obtains the financial statements from private companies and we use the filing data from public companies.” It is a review of more than simply a company’s financial statement but a more comprehensive look at overall  financial health correlated to lots of other risks that are valuable for people to understand.

One of the key reasons for the innovation of this approach is that, in the past, companies have tended to use payments scores and payment data from companies to understand whether they are good risks or bad. However, this is a “pretty antiquated way now of understanding the health of a company. It is the first opportunity to be able to give people comprehensive coverage of really all of the suppliers that they work with or customers that they work with in a very quick, fast and very precise way.” The FHR helps to make the risk management process more efficient in a workflow process. It does so in a manner at scale for companies around the world, in a very analytically way. This adds tremendous value to the entire process.

Please join us tomorrow when we consider the issue of third-party expansion in supply chain risk management.

This podcast series is sponsored by Rapid Ratings International, Inc. For more information, check out their website at