Achilles Insights – Help Guide

Dashboard

The dashboard provides quick access to the most recent supplier profiles you have looked at. This can be seen under ‘recent activities’. By clicking on any one of the supplier names in this list, you will be taken to the selected supplier profile. See more about supplier profile further down this article.

You can also perform quick searches using pre-set filters in the ‘quick search’ area. By selecting one of these quick searches, you will be taken to the search page and the pre-selected search will run. You can see more on ‘search’ further down in this article.

You can also perform quick analytics by selecting one of the predefined options under ‘quick analytics’. By selecting one of these, you will be taken to the explore area and 10 automated analytics will appear for the option you selected. You can see more on explore further down this article.

You can search for a company by name by typing it into the ‘add a keyword’ bar at the top of the page and then pressing ‘search’.

You can also search for companies using the 10 filters on the left hand side. Hover or click on the filter to see what the filter is for. Once you have selected the relevant options within the filter, click ‘add’ and this will apply the search using this filter. Continue using the filters and ‘add’ option until you have the required search filters applied. 

You will be left with the results of the search. There is a summary of information available for every supplier in the search results. From here you can either:

  • select an individual supplier and look at their supplier profile (see Supplier Profile for more information)
  • compare up to 4 suppliers, by ticking the chosen supplier tiles, and then selecting ‘compare selected companies’ at the top of the page
  • add a selection of suppliers to an existing list or create a new list – select the suppliers from the search page that you want to include by ticking the boxes within the supplier tiles, and then select ‘add to list’ from the action button. Choose from your existing lists to add them to, or select ‘create new list’ for a brand new list. All lists can be found by going to the ‘list’ option on the navigation panel on the left hand side.
  • download the data – by selecting ‘download the data’ you will be given a choice of what data you can download on the search results provided. XLS and CSV are the two choices for download. Please note that there is a maximum of 2000 suppliers per download.
  • explore the data – by selecting the ‘explore’ button at the top of the page, this will automatically create 10 tabs of analytics on the selected supplier data. To learn more about ‘explore’, please see further down this article. 

By default, search is filtered on company search, so at the top of the page, select ‘product & services’, then type the product or service you are looking for in the ‘add a keyword’ search bar and select ‘search’. Product search results can take a little time to load, so please be patient and don’t click search again. Once the results have loaded, you will be shown a list of products and services to choose from. Select the relevant ones, and you will see supplier results start to load further down the page. Once you have selected all the relevant products or services, you can choose from the 5 bullet points above as to how you proceed with the suppliers you have found. 

Lists

This area displays all the lists that you have created, as well as those your colleagues have shared with you. New lists can be created by going to the ‘search’ area and selecting the suppliers you want to be in your list, and then creating a new list. Please see ‘search’ for more information on how to do this.

The list area gives an overview of each list, including the list name, date it was created, and the number of suppliers within the list. Each list has 7 available actions:

  • filter the list – select the funnel icon and you will be taken back to the search results for this list, where you will be able to apply more or fewer filters to the original search. If you want to save these results, you will need to create a new list after these filters have been applied (see search area for more information).
  • explore – see the automated analytics on any of your lists by either clicking on the list name (in image above that would be ‘DEMOCORP LIST’), or by selecting the pie chart icon further to the right hand side.
  • manage – remove individual or multiple suppliers from a list. You can also update the qualification status for one or more suppliers from within here. See ‘Internal Qualification’ further down to understand more about this.
  • download – select from the available data options and download in either CSV or XLS.
  • share – share the selected list with colleagues. Please note the colleagues must be users on the Achilles Insights tool. If their name does not come up as an option, please speak to your account manager to have them added as a user. Please also note that currently when lists are sent or received, any edits or updates to that list will not be seen by the recipient/sender. In effect, you have sent someone else that list and it is now their list to edit. You can continue to edit your list, but if you want that colleague to see those changes, you would need to share that list again.
  • rename – allows the user to edit the name of the list
  • delete – allows the user to delete the list

Compare List

In addition, the tool allows you to compare 2 lists. Select 2 lists by ticking the box on the left hand side of each chosen list, and then select ‘compare lists’ (just under the ‘My Lists’ title at the top of the page).

The 2 lists will be compared across 5 different areas: general, management systems, health and safety, scores, financials. Just select the area you want to look at to see the comparison between the two lists.

Supplier Profile

The supplier profile is split into 6 tabs:

  • Overview – Highlighting key risk information, including the Achilles Score, the 5 sub areas of the Achilles Score, Cyber Risk Score, Audit results, Performance Feedback (history and ability to create a new performance feedback), Strengths, Minor & Major weaknesses.
  • Company – Information on the company, Achilles subscriptions and which of your lists they belong to. Easily add/remove a supplier to/from a list by selecting the + or – options next to each list.
  • Products – The list of products or services this supplier provides.
  • Locations – The registered and trading address of the supplier
  • Governance – Management system information, insurances, health & safety data, convictions & notices, CSR policies and memberships.
  • Finance – Financial history of the company across key data points

Explore

Explore is our automated analytics section, which is generated for every list that a user creates. A minimum of 10 tabs are created, all of which help the user to understand and manage the risk within that chosen supply chain.

  • General – A breakdown of your list by network, age and size. Quickly see how many of your businesses are SMEs.
  • Expiry – When are your suppliers due to expire with Achilles? Ensure your suppliers are always subscribed and their data is up to date to help minimise their risk to you.
  • Supplier Qualification – Are suppliers compliant with the rules that you have set? Are they qualified to work with? See the charts in this tab to see which of your suppliers are non compliant or not qualified to work with you. Please note: to have this set up, please speak with your account manager, as rules need to be applied within the system.
  • Location – Easily see where your supply chain is based. 
  • Products and Services – Do I have the right balance of demand and supply? Do I have any issues with single sourced products or services?
  • Financials – What is the financial health of my supply chain? 4 financial ratios are used to show a history of financial health.
  • Health & Safety – The key health & safety statistics for your supplier list. Fatalities, injuries, LTIFR. Filter the table underneath to see the best/worst performers.
  • Management Systems – What % of my suppliers have the required management system levels? Interact with the chart to select the area of interest. The chart and the data in the table below will reflect the chosen section of the chart, allowing you to easily see the suppliers in more detail. Remember to remove the filter, otherwise the other analytic tabs will only reflect the filtered suppliers.
  • Corporate Social Responsibility – Easily see what suppliers have the relevant CSR policies/memberships. Filter on the table below to see more detail.
  • Insurance – What suppliers have the appropriate insurance? What suppliers in your list don’t meet the required standards? The insurance tab helps you to identify where the risk is and then you can work with those suppliers to bring them up to the appropriate level.
  • Cyber Risk – How have your suppliers been rated by our partner Orpheus? See the cyber risk rating, what bandings they fall in, and sort the table below to easily see which suppliers have a higher cyber risk.
  • Score – How do the suppliers in your list score across the 5 different areas? The interactive chart lets you select columns, allowing you to focus on the suppliers that fall into that particular bracket. The charts and the table below are refreshed to only show the selected column’s suppliers. 

Achilles Score

Achilles Score has been developed and tested on over 100,000 suppliers, from 146 countries, across 10+ industries. The Achilles score allows companies to quickly see potential issues in their supply chain, to help manage risk, and to provide benchmarking against similar sized companies.

Achilles Scores are split into 5 categories: Environment, Social, Governance, Health and Safety, and Finance. Each area has a possible score of between 0-100 (right hand side of image above). A supplier’s overall score (The Achilles Score) is calculated by taking the average of all applicable categories for that supplier (As seen on the left hand side of the image with an Achilles Score of 69).

For each of the 5 areas, the supplier is compared against a similar sized company from the same sector. This benchmark allows the user to quickly see where the supplier exceeds or falls below the average score.

What areas are scored?

| Category | Areas that are scored |
| --- | --- |
| Finance | Turnover growth, return on assets, liquidity ratio and profit margins |
| Governance | Documentation, insurance, expiry dates, bribery and corruption convictions, quality control and corporate management |
| Health and Safety | Accidents, fatalities, near misses, health and safety convictions and improvement notices, policies, documentation, management systems and other processes |
| Social | Convictions and policies relating to topics such as modern slavery, equal rights, labour standards and collective bargaining |
| Environmental | Policies, processes, convictions, management systems, sanctions and notices relating to environmental issues and community engagement |

How are the scores calculated?

Several data points are considered within each scoring category. Demonstration of strong performance, such as a certified management system for a particular category, awards the supplier positive points for that category. Data points that demonstrate lagging performance in a category area result in negative points against that category.

Similarly, suppliers are penalised if they do not keep their reported insurance policies, certified management systems and Achilles Audits up to date. However, the penalty for an expiry date being exceeded is always less than the bonus for having the policy/management system/audit in the first place; for example it is better for a supplier to report having Accident Insurance and then forget to update that information (allowing it to appear expired), than it is for the supplier to fail to disclose it in the first place.

Suppliers’ scores are unaffected by questions and expiry dates they have not been asked to submit, or that were optional and were not answered.

For example, a supplier without a Modern Slavery policy will have their Human Rights score penalised; similarly, a supplier who has not kept any certified management systems up to date will have their governance score penalised. But companies that have never been asked about these topics due to the requirements of their membership or network will not receive any penalties.

Suppliers with scores of 75+ are in the top 95% of all suppliers in the Achilles Network. Suppliers with a score of 60+ are above average. Suppliers who score 46-60 fall below the average and Achilles would suggest considering investigation depending on the relationship with that supplier. At the lower end, Achilles recommends engaging with suppliers with scores lower than 45 to improve performance, as this indicates below average performance.

| Range | Outcome |
| --- | --- |
| 0-45 | Recommend Investigation |
| 46-60 | Ok |
| 61-75 | Good |
| 75+ | Excellent |

The purpose of Achilles is to raise overall performance of every industry that we operate in, and we work with Buyers and Suppliers to do this. The scoring system supports this process and highlights areas to focus on. Evidence suggests the supplier reacts quicker when the buyer supports this program and engages with the supplier.

Three examples of scoring subcategories

| Subcategory | Negative | No Answer/Neutral | Positive |
| --- | --- | --- | --- |
| H&S Convictions | This supplier has H&S specific convictions | This supplier has not been asked about H&S convictions | This supplier has no convictions related to H&S |
| Quality Management System (QMS) | This supplier has reported that they have no QMS | This supplier has not been asked about a QMS, or has a documented QMS | This supplier has a certified QMS |
| Lost Time Injury Frequency Rate (LTIFR) | This supplier has a moderate or higher quantity of LTIFR. This penalty increases for very high values. | This supplier has not been asked about their accidents, or has a low LTIFR | This supplier has had no accidents in the last year |

How can I help the supplier improve their Achilles Score?

On the supplier profile ‘overview’ tab, there is a strengths and weakness section. If the supplier works on their weaknesses, their score will improve.

Internal Qualification

For those who have this within their subscription, users will be able to manually set statuses for every supplier they choose to. This can be done from within the supplier profile, by selecting the drop down arrow (see image below), and then selecting the chosen status.

The qualification status can also be changed within the ‘lists’ area, either one at a time, by selecting ‘manage’, then the three dots at the far end, then ‘Edit Qualification Status’, or for several suppliers at once, by ticking the suppliers you want to change the status of and then selecting ‘update multiple companies status’ (just above the list of suppliers). Please note you can only choose one status when editing multiple companies. For example, if you want to make 10 companies ‘Qualified’, you can select all 10 and then make that change. However, if you want to make 9 Qualified and 1 Conditionally Qualified, you would need to select the 9 suppliers that you want to make Qualified and then make that change, and then go to the 1 supplier and make that change.

Compliance

Buyers with the appropriate subscription can have compliance rules automated, based on specific questions the suppliers have answered. This will drive an overall supplier status of either ‘Compliant’ or ‘Non Compliant’ against the supplier profile within Insights. For example, one client has a rule that all suppliers must have a valid ISO 9001. For those that do, they show as compliant (see image below), for those that don’t they show as ‘Non Compliant’.

Within Explore, Buyer users are able to quickly see how many of their suppliers are either compliant or non compliant. Achilles sits down with each client to understand their objective and then puts these automated compliance rules into the system for them. For further information, please reach out to your account manager.

Performance Feedback

If your company has subscribed to it, Performance Feedback can be found on every supplier profile page. It is within the overview tab as seen in the image above. You can see the overall rating of the supplier (when a rating has been provided), and then by clicking on the stars, it will open to show the 6 areas that have been rated, and how many ratings this has come from. If you or one of your colleagues have left a review, then you will also be able to see the detail of that review. If it was left by another organisation, then this is not visible and you will only see the star ratings.

To create a new Performance Feedback review, click on ‘write a review’ and it will open up a form (similar to the image below). Fill in all the required areas. Whilst all 6 areas are not required to be rated, we do require the ‘Overall’ option to be rated out of 5 stars and a small comment left, otherwise the review cannot be saved.

How do I rate a supplier?

Each area within the Performance Feedback review can be rated from ‘very poor’ to ‘Excellent’. Similar to leaving online reviews for shopping websites, we have not provided any further guidance as to how to come to that decision. It is down to the company and the person leaving the feedback to make that decision.

Once you have completed all the relevant sections, click ‘publish’ on the top right hand side.

Cyber Risk Rating

What is this Cyber Risk Rating telling me?

The Cyber Risk Rating indicates the level of cyber risk associated with an organisation. The higher the score, the higher risk a company faces of being the victim of a successful attack. The score can be seen within the supplier profile. 

Why am I now seeing this Cyber Risk Rating?

Achilles has recently partnered with Orpheus to provide Cyber Risk Ratings. Many attacks now start with a company in the supply chain, rather than by directly targeting the end victim. With the significant rise in working from home, the attack surface for criminals has grown. Attackers are aware of this and look to take advantage of suppliers with weaker security measures. To help understand and reduce the cyber risk in the supply chain, Achilles is sharing these Cyber Risk Ratings with the suppliers and the buyers in the platform.

Why is this important?

Many attacks now start with a company in the supply chain, rather than by directly targeting the end victim. Larger organisations often have strong cyber security measures in place but give access to their systems to legitimate suppliers. Once suppliers have this access, they become a part of your network and, as a result, your attack surface. Furthermore, your business is highly likely to be disrupted if any of your important suppliers suffer a cyber attack, regardless of whether or not they have access to your systems, and it is also probable that many of your suppliers hold your and your customer’s data. You are likely to be held responsible if your customer’s data is breached by your supplier – particularly if you have not followed best-practice in managing your supply chain cyber risk. If you are not assessing your supplier’s cyber security measures, you have no idea if they pose a large or small risk. Attackers are aware of this and look to take advantage of suppliers with weaker security measures.

In addition, international regulators are starting to impose guidelines on supply chain security. Regulators and governing bodies will not reduce fines because the attackers gained access through a third party, as they see this as a risk you were responsible for mitigating.

Understanding the score

Scores range from 0-1000 and the higher the score, the higher the risk. High scores are bad and low scores are good.

| Score | Risk Level |
| --- | --- |
| 0-199 | Very Low |
| 200-399 | Low |
| 400-599 | Medium |
| 600-799 | High |
| 800-1000 | Very High |

VERY LOW

The Orpheus Cyber Risk score is between 1-199. This suggests generally good levels of cyber hygiene, a limited attack surface that is associated with smaller or more secure organisations, an undeveloped threat landscape, and very low levels of cyber risk.

LOW

The Orpheus Cyber Risk score is between 200-399. This reflects moderate levels of cyber hygiene, a generally limited attack surface, a limited threat landscape facing the organisation, all of which contribute to low levels of cyber risk.

MEDIUM

The Orpheus Cyber Risk score is between 400-599. This shows occasional cyber hygiene issues, an attack surface that features vulnerabilities and will generally present opportunities for adversaries, a developing threat landscape, which results in moderate levels of cyber risk.

HIGH

The Orpheus Cyber Risk score is between 600-799. This reflects multiple failings of cyber hygiene, an attack surface likely to feature multiple vulnerabilities or misconfigurations, evidence of repeated attacks by more sophisticated or disruptive threat actors, which all present higher levels of cyber risk.

VERY HIGH

The Orpheus Cyber Risk score is between 800-1000. On average, organisations will have poor cyber hygiene standards with multiple issues likely to be exploited by adversaries, an extensive attack surface that is typically associated with larger or less-secure companies, likely featuring critical-severity vulnerabilities, consistent evidence of attacks and operations by highly sophisticated and disruptive threat actors, ultimately producing very high levels of cyber risk.

What information is the score calculated from?

The score uses a large number of data points, combined with machine learning to calculate the score. The information includes:

THREATS

  • Threat intelligence on sectors and countries in which you operate
  • Intelligence of intent to target technologies used by your suppliers
  • Intelligence of cyber threats targeting your suppliers’ sectors
  • Evidence of adversaries exploiting live attack surface issues we can see your suppliers have
  • Intelligence of cyber threat activity in the countries your suppliers operate in
  • Dark web mentions potentially relating to your suppliers

VULNERABILITIES

  • Security of your suppliers’ internet facing technologies
  • Evidence of your suppliers’ weak email security policies
  • Evidence of your suppliers’ employee email addresses and passwords being available for sale online
  • Failures in your suppliers’ cyber hygiene
  • Unpatched vulnerabilities in your suppliers’ networks

What is the difference between the Orpheus cyber risk management approach and frameworks such as Cyber Essentials?

Cyber Essentials certification is a Government backed scheme that is designed to try and help you to protect your organisation from common cyber attacks. Cyber Essentials is self-assessed and Cyber Essentials Plus requires an accredited consultant to verify your security measures. Whilst they encourage all the correct behaviour, both are a point-in-time validation that doesn’t help with the ongoing assessment of the threats and vulnerabilities your organisation can encounter throughout the year.

Orpheus provides an ongoing understanding of your threats and attack surface so that you can stop cyber risk before it happens. Cyber risk changes constantly as the cyber threat landscape shifts due to hackers’ activities and your attack surface evolves depending on the configuration of your IT assets. Orpheus’ monthly reports therefore deliver the understanding you need of both cyber threats to you and your online attack surface so that you can make your cyber risk low and keep it there.

Is there a Cyber Risk Rating for every supplier?

No, there are some instances whereby this is not available.

What will a supplier receive?

Suppliers can reduce their score and therefore lower their Cyber risk, by subscribing (for FREE) to Orpheus’ platform. Following registration, suppliers will receive username/password credentials and be able to see their cyber risk profile within the platform, download the Orpheus Cyber Risk Rating report, and download a spreadsheet detailing their live vulnerabilities. 

At what level should a buyer discount a supplier from the process?

The level you consider acceptable is for you to decide based on your risk tolerance. We would suggest working with suppliers to reduce their score, rather than discounting the supplier altogether. The report Orpheus produces shows the supplier how to do that. We would suggest suppliers that are unwilling or unable to mitigate serious security risks should be considered for removal.

If the score is low, is there anything else I need to worry about?

Low risk does not mean no risk. Insider threat and phishing campaigns are examples of two key risks that exist for almost every organisation. The Orpheus Cyber Risk Rating is a strong indicator, offering steps that organisations can take to reduce their risk. We offer a hacker’s perspective and you may want to seek additional insight, available only to those who are already within the organisation.

How often do I need to check their scores?

Our scores are updated constantly and with new vulnerabilities being discovered daily these scores can change. We would suggest at least monthly to review any changes that might be introducing risk to your company.

What if a supplier disagrees with their score?

Any organisation that disagrees with their score can contact Orpheus directly to discuss remediation. We work hard to remove false positives from our scores and an error rarely occurs. The overall Cyber Risk Rating is made from many data points so it is unlikely that a false positive in one area has a large impact on the overall score. In the unlikely event this is the case, we have a remediation process to correct this, where we can validate the error a company has identified.

How do I get to MyAchilles?

Click on the Achilles logo in the top left hand corner and select ‘MyAchilles’ from the available dropdown. This will take you through to MyAchilles.

How do I get more training on Achilles Insights?

Please contact your account manager, who will be happy to set up additional training for as many users as you would like.

Updated on 13th December 2022
