Howard Walfield (00:05):
Good afternoon everyone. I’m Howard Walfield, the director of Supplier Risk Management Americas for Keon and I’m excited to be here today. So first a story about preventative risk management and this is a true story. So during COVID, if y’all remember COVID, everything was shutting down. And what I did was I told my three daughters, I was like, “Yeah, Disney, it closed permanently. It’s not reopening.” This was my preventative risk management for retirement. So I was like, “I’m going to put that out there.” And then the problem is though, I told them I was going to Orlando and my oldest daughter, she’s like, “Isn’t that where Disney World used to be?” I was like, “Oh crap.” I’m like, “Yes, I’m going down there to help them with their supply chain risk. We’re going to try to bring it back live, but I’m pretty sure I’m going to let them know I was a failure.”
(00:53):
So we’ll go with that.
(00:57):
So let’s bring it in. So you take a look at this slide for a second. Every label on here is a disruption. When it happened, it felt like it was the exception. The rare thing that would go and return back to normal. But trade war, Hong Kong, COVID, Ukraine, Red Seas, Liberation Day, and that’s before we even get to 2026. To be honest, it was one of those things where I was thinking, maybe this New Year’s, everything’s going to settle down, but it hasn’t. So the disruptions are now sporadic more than anything. It’s a structural thing. It’s the baseline. The World Economic Forum, COFIS, Political Risk Index, Central Bank Survey, they’re all saying the same thing. Geopolitical risk is historic highs and it’s here to stay. The question every organization needs to answer isn’t, will a disruption happen? It’s what will we do when it does?
(01:56):
And before we can answer that, you have to understand what you’re actually dealing with and where to start. And this is where we start. Warren Buffett put it simple. Risk comes from not knowing what you’re doing. Yes, I’m comparing myself to Warren Buffett. But I do love the quote. I’m going to laugh at my own jokes just to head up. And my wife is like, “It’s terrible, but I’m still going to do it because I think they’re hilarious.” But I do love the quote though because it flips the problem. The threat is not the change. The threat is not being able to see it coming and that’s going to be throughout this. It’s all about the visibility. So in supply chain, the volatility is a given. Geopolitical events, financial instability, cyber threats, those are going to happen. What separates the organizations is whether they absorb them, that shock or they get caught flatfooted.
(02:48):
It’s about how much we know beforehand. Again, it goes back to that visibility. Supplier risk management is about replacing assumptions with insight, going from hoping your supply base is okay to actually knowing what it isn’t and doing something about it before you have a crisis. That’s the what. Now let me show you the how, specifically how we built it at Keon.
(03:12):
We call this the 360 supplier risk visibility framework. It’s a lot of words. I wanted the killer be killed but got outvoted on that one. I just thought it would have been better. The whole thing flows though in one direction from understanding to action. We start with a purpose because not all suppliers are equal. We focus where disruption would actually hurt the business, the revenue, the operations, customer delivery. And then we map the ecosystem. Because risk sits beyond just tier one. The real exposure is usually deeper and you can’t manage what you can’t see. From there, we assess across multiple dimensions. Looking at just one creates blind spots. We want the full picture. We bring the intelligence combining internal data with external signals from partners like Everstream. That’s what gets us away from the gut feel towards the early warnings. We quantify. We turn risk signals into business impact.
(04:14):
So that prioritization is specific, definable, and not just that gut feel. And then we mitigate because visibility without action doesn’t reduce risk, action does. The line at the bottom of this slide is the one that generally believe in intelligence structure is driven and drives results, but the framework is only as good as the people that are running it.
(04:42):
And that brings me to the people. What you’re looking at here is our global risk supplier risk management structure. The teams across EMEA, Americas and APAC with dedicated focus on semiconductors, capacity management, and of course supplier risk. Each region is responsible for catching early signals, understanding dependencies and shifting from reactive firefighting to preventive visibility. But there’s something that I want to be very clear about and I mean, this has been said over and over again in multiple things. The program doesn’t really work without the buy-in and the partnership across the entire organization. People like Ryan Bernard, Brian Suggs, David Sevitz, Keith Cochran, Adam Suskowski, Jason Ortier, Lupita, Randy Carlson. Y’all don’t know who they are, but they’re awesome. So I had to give them a shout out. And risk management that lives in a silo without the people in the organization is just decoration. But risk management that’s woven into decision making, that’s what actually moves the needle.
(05:45):
And I really can’t thank them enough in the organization for the actual buy-in. So all right, so we have the framework. We have the team. The next question is, how do you assess the suppliers?
(06:00):
The 360 risk score, every supplier in scope gets that 360 risk score updated monthly across six dimensions. The financial, the geopolitical, the geographic, operational, cyber sustainability, and of course business impact. But a score on its own is not the answer. The point of the score is for clarity, on clear view across every supplier. So nothing slips through the cracks. Not every high score needs the same response now, but we know what it looks like. A score tells us who, but it doesn’t tell us why. To really understand the supplier, we need to understand them and how they fit in. And our answer is supply chain mapping.
(06:46):
Excuse me. Here’s something we have learned the hard way. And again, this goes back to the visibility. You can’t manage risk you can’t see. Supply chain mapping is where that visibility becomes real. It starts with what is critical, which suppliers are tied to real revenue, which ones we can’t operate without, and then we pull back the curtain. We see where they operate. We see the regions they sit in. We see the risk they are tied to. Those locations scored across a portion of the 360 score. And where we have visibility into the sub-tier suppliers, that picture becomes even clearer and sharper because the scariest risk is rarely at that tier one. They’re further down the line. They’re in the regions that you don’t know about. They’re the suppliers that you’ve never talked to. The ones that deliver a part that didn’t even realize delivering.
(07:41):
Making the components that you just assumed was fine. Once we have that network, we can also focus on the critical nodes, placing them where the disruptions would do the most damage downstream. The goal is simple, expose the risk, drive the action. Again, it’s about that visibility. But here’s the real challenge, once you can see all of the risk, how do you decide where to focus? You can’t prioritize everything.
(08:11):
That’s where quantification comes in. Knowing where the risks exist is important. Knowing how much it matters is what drives the decisions. The formula is simple. Impact times likelihood … Oh, I got animations, got to get those out there. Impact times likelihood equals expected risk. Impact is the business side. It’s what we stand to lose. It’s the revenue on the line, the contracts we’re tied to. How much we rely on the supplier or something we cannot easily replace. The likelihood is the risk side. It comes from the 360 model. It shows how loud the warning signs are across everything we track. It’s very critical.
(08:57):
Here’s why that matters. Not every high score is the same kind of problem. A supplier with a high score but low business impact might not require the same response as a low scoring supplier that’s a sole source for a high revenue project. Quantification gives us the context. It helps us ask the right questions. Where does the disruption create the biggest financial exposure? Where does mitigation investment pay off the most? Where should we be paying the most attention? The goal is to act the right things at the right time, not just to react because of noise. And once we have what matters the most, the real question is what do we do about it?
(09:43):
And that’s risk mitigation. This is where everything comes together. Our mitigation model runs in two lanes, reactive and preventative. Remember my story, Mickey Mouse, retired, preventative risk management, excellent parenting. That’s all I’ve got to say. On the reactive side, see, I think that’s hilarious. On the reactive side, something is actively going wrong. The clock is ticking. Everybody knows about this. We’re monitoring it, you escalate it, you mobilize fast. Structural escalation pulls together procurement, logistics, quality, engineering, suppliers, everybody. We just got to go. The focus is on the issue with the highest operational and customer impact and containing it as quickly as possible. On the preventative side, and this is where the value is, this is where the investment is worth it. We use the quantified risk signals to spot exposure building before it becomes a problem. That might mean the qualifying new suppliers, getting alternative suppliers, adjusting inventory and going deeper down the sub-tier to see where the problem really lies.
(10:55):
You have to think of this in terms of firefighters. You have the firefighters or the fire marshal. The firefighters are the ones that run into the burning building. They’re heroic. Everyone cheers. They save the day. But a great fire marshal keeps the building from catching fire. Nobody puts a fire marshal on a calendar. See, again, that one I thought was hilarious. My wife was like, “Ah.” The program that we’re building, we’re trying to be those fire marshals. We’re preventing it from getting to that situation where we’re running into the building. Now, none of that mitigation works though without making the decisions in an isolated capsule. The whole organization needs to be aligned and that’s where the governance comes in.
(11:46):
And good mitigation requires good decisions and good decisions require the right people in the room. And that’s why we have the Supplier Risk Council does. It’s cross-functional stakeholders like the people I mentioned before, procurement, supply chain, finance, quality, engineering. You come together, you review the exposure, you agree on priorities and align on mitigation strategies. The structure, it runs from the regional risk councils up to the global supplier risk council with visibility all the way up to the corporate risk management committee. Every council’s conversation is anchored around three questions. Where do you need to act right now? Where do we need to watch more closely and where do we need to invest in reducing the exposure down the line? Most companies have governance. The question is that what drives it? Real data or the gut feel? We’re grounded in real data.
(12:44):
One area where that alignment becomes especially critical is cyber because cyber risk doesn’t wait for a scheduled meeting. So let me show you how we approach that. Cyber is one of the fastest growing risk categories, in my opinion, the most dangerous. And one of the trickiest to manage, unlike floods or port closures or cyber exposure can move silently fast across interconnected networks before anyone realizes what happens. Sounds like a trailer for a Marvel movie, but our approach is in three tiers. The widest layer is consistent scanning. We watch every supplier in scope warning signs that give us the baseline. The middle layer is the targeted remote assessment and this is where we have evidence-based reviews with improvement planning for the suppliers. The deepest layer, the third party audits reserved for the suppliers where the potential impact is the highest, where we go deep into the security protocols, business continuity, and incident response.
(13:57):
And new suppliers coming into Dematic, and it’s something we’ve implemented recently, is cyber screening as part of onboarding. So identifying the exposure before integration not after. The result is a strong supplier, lower risk of cyber disruption and steady operation where it matters most. If cyber example is the risk that runs deep that you need real planning to stay ahead, semiconductors may be even more complex through that. So if cyber is the hardest risk to see, then semiconductors is easily one of the hardest to predict. The chip crisis from a few years back was a real education. Components from suppliers you’d never spoken to made in fabs you didn’t know existed suddenly determined whether you could ship a product at all. Our semiconductor program is built on four things, not three like cyber, but four, makes it even better. Multi-tier visibility, we use Silicone Experts and Everstream to find risk hitting below tier one.
(15:04):
Full component traceability. We know where every critical part comes from. Market intelligence, we spot supplier problems early before they slow us down like end of life, things like that. It’s important. Analytics for early warnings, we see signs before they hit production.
(15:23):
The question they keep asking, where are the hidden risks in the supply chain? And once we know where and when can we act on them. The idea is simple. The risk lives deeper than you can see. The thread runs through everything that we have talked about today and it’s the heart of what Keon does. So let me tell you a little bit about Keon. So now some of you may have spent some time like ChatGPT and like who is Keon? What do they do? And that’s good. I encourage it because we make some of the dopest products that you’ve seen. It’s the stuff that’s in the warehouse that gets you your packages before you wake up in the morning and you’re like, oh, in warehouse solutions, that sounds kind of boring, but like once you see it, you’re like, “This is really cool.” I mean, it’s really neat.
(16:18):
And I came from Raytheon and when I saw this stuff, I was like, “This is very impressive.” So Keon though is made up of Lindy, still, Dematic and more. We have 42,000 employees globally, 11.3 billion in revenue in 2025. We’re the number one solution in supply chain solutions worldwide and we’re the number one in industrial trucks in EMEA, industrial trucks, AKA forklifts.
(16:48):
We work in the intersection of physical and automated supply chain, which means our own supply network is complex as the problems that we solve for our customers. Complexity is what pushed us to build this program and it’s why we believe so deeply and in what we shared today. And like the first slide, the world is not going to get any simpler. I mean, the slide at the beginning is packed with disruptions and it’s only going to keep growing. And what we can change now is not what’s happening, but how we prepare for it and what we’re going to do in the future. And by setting up a program and investing the time, the effort and the money and getting buy into it, that’s how you make it work. So again, thank you so much for your time today. I think we have some time for questions if anyone has any questions.
(17:46):
Don’t be shy.
Attendee 1 (17:50):
Hello, hold on. All right, great. Here you go. What was the best way, looking at your bill of materials, what was the best way that you could figure out how to work with your suppliers to map out your sub-tier suppliers for risk? You did some of it on the semiconductor there, but looking at, I think some of the products, you’ve got probably some tier ones also. What was the most effective way that you were able to map out the bill of materials across the suppliers to get visibility down into the sub-tiers? Thanks.
Howard Walfield (18:22):
I mean, when it comes down to it, I mean the easiest way is for the suppliers to trust you to give you the information, but then you also have solutions like Everstream and Silicone Experts where we’re able to take that information and map it down and really once you get that and you’re able to see that risk down to those sub-tier levels, it completely changes everything. I can think of a supplier recently, one of our sub-tier suppliers for one of our main tier ones that had a cyber attack and I’m like, “Well, that’s not good. Probably should let them know.” So I reached out to the category lead and say, “Hey, can you let so-and-so know about this issue and see if they’ve known about it?” Sent them the information and they’re like, “Actually, we had no idea.” They reached out to the supplier and luckily everything was squashed before anything became an actual issue, but again, it’s reaching out to the suppliers using solutions like these is that’s what really helps map it.
(19:18):
Yeah, thank you. Good question.
Attendee 2 (19:20):
Maybe one more regarding energy management and energy risk of your suppliers. I mean, two months ago we had the Iran conflict. Do you also measure that or is that more with the procurement team? Because this could eat up-
Howard Walfield (19:33):
I’m having a hard time hearing. I’m sorry.
Attendee 1 (19:37):
I think the question was about energy and the war and keeping up with some of the risk related to energy, right?
Howard Walfield (19:45):
Yeah. I mean, so that slips a little bit out of our purview, but it’s definitely something we talked about because for example, the cost of fuel, the cost of everything, it affects everything down the line, not necessarily supplier specific, but it is in the view of us, but it’s nothing that my group necessarily dealt with straight on. It’s similar to the tariffs that tariffs not fun, not necessarily supplier related, but I’m still in the weekly meetings where we get to chat about it.
Attendee 1 (20:17):
Yes.
Attendee 3 (20:21):
When mapping all your suppliers in a tool like this, you can get a lot of notifications. That’s the experience we’ve had. I’m just curious how you manage which ones you want to look at, which ones you don’t, so you’re not just getting a bunch of noise.
Howard Walfield (20:36):
Yeah. So that’s a super good question. So with Everstream, for example, because it’s our solution provider, their customer service is outstanding and it’s something where we were able to actually work through the notifications and figure out which notifications we wanted based on the different suppliers in the industry and how we could actually get that aligned. And once we did that, it took a little bit of tweaking, but once you got it tweaked, like for example, we have a person in APAC that was really interested in the mines in Africa because they’re getting the raw material for their tier ones, blah, blah, blah. We set up them to get notifications on the mines that we specifically mapped in Africa and they only get the notifications that are affecting those sites or related to that. And then you could detail them down to what they actually want to get and it worked out really well for them.
(21:31):
Any other questions? Oh, one more. Nice. If it’s about Disney World, I’m not going.
Attendee 3 (21:42):
I was just curious how you justify that ROI for these programs. That’s one of the struggles.
Howard Walfield (21:48):
Awesome question. So that’s the risk quantification. So going back … Oh, wait, there it is. So let me find … Man, I don’t have the good one that I really like because they said simpler is better. So the risk quantification, that low cost product, the impact times the likelihood expected risk, it’s a formula that we put together. So each business unit is different, the two different business units, the IAS and the ITS. Essentially what we did is we were able to measure what that supplier does to the bottom line through the formula. I mean, I can talk about it in more detail, but the way we’re able to do that is you could see that if this supplier has this issue, it’s going to cost millions of dollars. Or for example, if it’s going to affect a project down the line, if they go into bankruptcy or there’s a shortage on materials that we’re able to actually quantify that and put that into real dollars and that’s what goes up to that risk committee at the corporate level where they’re looking at it and going, “Oh my God, we got to do something about this.”
(22:51):
So then it makes in turn not just procurement and supply chain react, it makes R&D go, “Well, maybe we need to take some additional measures to move and qualify some other suppliers and that’s worth that return on investment of the requalifying.” Any other questions? All right. Well, thank you everyone so much. I really appreciate the time.