So, the TRUST has been established, but you still have to reduce your risk.
So, now that you have established an open forum to share information, and you have created mutual trust, what can you do to ensure it success?
Use the the 3P's methodology as a useful framework to secure value from sharing relevant and useful information, while decreasing the risks of abuse.
Segmentation-The basic foundation for protecting confidential data is the classic technique used by the military to protect secrets; classifying data according to its confidentiality and giving access only on a "need to know" basis. For example, a supplier designing a component that fits in your product usually only needs to know the physical envelope (attachment points and constraints) and electrical interface characteristics for their component, rather than receiving your entire design.
Actionable Information-A promising approach is to scrub data into actionable information. Structured contracts, with detailed boundaries, venues, and parameters, are a good example. Instead of sharing range forecasts, companies express future demand via structured contract terms like minimum firm commitments (or MQC's), lead times guarantees with different pricing for different lead times, capacity guarantees for upside flex at a higher price, etc.
Escrow Account- At least one company had success with another creative approach; establishing an escrow account that is used if either party violates the agreement. The money is then reinvested in the relationship to fix the cause of the problem, e.g. joint team education, fixing flawed processes, or new technology. This dramatically improved the level of trust in that relationship. (Good luck getting your CFO to buy-in on this, but it can be done).
It is critical that the policies are backed up by processes and controls to prevent, detect, and correct accidental or deliberate misuse of confidential information, such as:
Physical Security-Controlled access to offices, receptionist diligence on who is allowed in the building, badges, questioning unknown people in sensitive areas, not leaving confidential documents out in the open, etc.
Separation/Rotation of Duties-E.g. having a different person control physical inventory than the one controlling information about that inventory.
Training and Testing-Training employees on the procedures and importance of protecting confidential information (yours and other's under NDA). Testing awareness and taking corrective steps.
Logs- Keeping accurate, tamper-proof records of who accessed what areas/ information and when.
Audits- Auditing your firm and trading partners to ensure safeguards and proper training. Some companies have computer-assisted "continuous auditing" of compliance.
Particularly sensitive data may require structural organizational safeguards as well. For example, some engineering organizations establish a "clean room" approach that separates the people receiving the highly sensitive design information and restricts their interactions and communications with the rest of their engineering organization to prevent the partner's design information from leaking into their own proprietary designs.
Policy and process decisions must weigh tradeoffs based on business performance impact:
1) Business value of sharing information
2) Cost of implementing proposed controls
3) Consequences of compromising the information
There are useful technologies available for implementing these practices. Role-based access controls (RBAC) enable implementation of segmentation-giving access only to specific people only for the specific chunks of information they need. Digital Rights Management systems can protect individual documents even after they are sent outside your company, limiting access only to specific people and certain actions (e.g. no printing, no cut and paste, no forwarding, etc.). Private and industry networks have implemented technologies to protect confidential data between trading partners; for example, the ANS network enables automotive OEMs and their suppliers to securely exchange digitally signed and encrypted confidential design files and business transactions. At the very least, PDF files can reduce some leaks...
This may be the single most important issue to have secured, and resolved prior to creating a shared trust environment. To realize the optimum "return on sharing", there should be advocates for both the sharing and protection of data. Some companies have elevated data protection to a C-level job-the CISO (Chief Information Security Officer). Senior supply chain executives must also advocate the benefits of sharing of information. These decisions should rationally weigh the tradeoffs. The supply chain, that maximizes sharing of the right information, works like one integrated enterprise, realizing significant competitive advantages over a supply chain whose participants withhold valuable information from each other.
Be smart when sharing information. Reduce your risk be using the 3P's.
I will be at the EyeForTransport Supply Chain Directions in Philadelphia next week from April 19, until April 22nd. It is at the Hilton Philadelphia City Avenue Hotel. We will be sharing more on my recent topics in the speeches and break-out sessions. I hope you attend. See ya there!