Supply chain risk management, or Vendor Risk Management, encompasses the coordinated efforts of an organisation to help identify, monitor, detect and mitigate threats to supply chain continuity and profitability.
In many ways, your supply chain system is like the circulatory system of your body. The supply chain is made up of organisations and links between them through which your organisation produces its services and ensures they find their way to your end customer.
Why is Supply Chain Risk management so important?
Similar to the organs and network of your body the supply chain is a complex system that can make or break the success of your business. And just like your body it is continually changing:
- The continual focus on the optimisation of processes and elimination of waste through the widespread adoption of ‘lean’ practices produces a constant low-level shift in activities in the supply chain that is hard to track but which causes transformation over time.
- The rise in offshore manufacturing and sourcing makes it harder to track true quality standards across several countries
- The drive of the financial imperative increases out-sourcing and change in the supplier base
- An ongoing global consolidation of suppliers means that a company may end up concentrating its procurement risk in fewer companies
- Moves towards centralised production and distribution increase risk in supply links
All of these factors combine to make supply chains more vulnerable to disruption.
A few examples show the potential unknown impacts that changes in the supply chain can cause:
- Concentration on a single supplier – At the height of the growth of the drive for cleaner diesel cars in 2005 Peugeot Citroen discovered an over–reliance on the production of particulate filters in France from a single supplier, Ibiden, which resulted in a 12 day shutdown of production due to oven maintenance. At that time Ibiden were one of only two ceramic filter producers in the world and were part owned by Toyota, a significant competitor. It took nine months to stabilise supply. https://www.autonews.com/article/20050207/SUB/502070894/filter-shortage-disrupts-psa-production
- Risk lies beyond the first-tier supplier - Following the shut-down of Dell’s American assembly line within days of the September 1999 earthquake in Taiwan the company set out to understand why this had happened. To do this Dell studied where their tier one suppliers did their shopping and this in turn soon yielded the first important answer – the Taiwan Semiconductor Manufacturing Corporation (TSMC). Dell’s executives realised that they were in fact buying hundreds of millions of dollars of chips each year from TSMC indirectly. https://www.cnet.com/news/pc-industry-hit-by-taiwan-quake-aftershocks/
- Ongoing unknown concentration of supply - in March 2012 a fire at Evonik Industries in Marl closed down the chemical factory that produced the resin PA-12 on which many car braking and fuel systems depend. It turned out that this factory was responsible for at least 30% of the world’s supply, effectively paralysing a significant portion of the global car production capacity within three weeks https://ihsmarkit.com/country-industry-forecasting.html?ID=1065966710
How to enable supply chain risk management
The examples above show that the risks of not managing your supply chain are clear and their impacts can be very severe. In such a complex system it is critical to have an organised and efficient management system and structure in place to ensure that you keep pace with the speed and level of change.
Businesses need to be able to answer the following questions:
- Do you know who is in your end-to-end supply chain?
- What is the overall risk in your supply chain, and where is it concentrated?
- Do you know how Vendors use or send your data?
- Are you confident in the maturity of their own security?
- What actions should you be asking the weaker vendors to take?
- How would you defend your position, if a vendor was breached?
The assessment of different vendors needs to be proportionate to the risk they represent, but the judgements need to be consistent and comparable from both an individual vendor and an aggregated view. Likewise treatment requires a holistic approach, from tolerating low risk, placing remediation actions on a vendor to terminating a commercial relationship as a last resort.
Fundamentally, this comes back to a traditional Risk/Impact model, identifying the vendors whose risk level and impact of risk is highest:
These are labour intensive, specialist activities and it may be here that an external consultancy or managed service provider can help:
- Defining VRM risk processes and workflows
- VRM program maturity assessment
- Developing the business case for VRM
- Identifying must have risk outcomes
- Developing an Integrated VRM model
- Full VRM model implementation or supplementary support for in house assessment processes
Risk Remediation and Mitigation
The assessment of vendors is only useful if their risks can be appropriately remediated and mitigated. Again, this is a full-scale activity that covers all the different parts of the business, not just security or procurement. The impacts and operation of risks occurs in the normal day to day activities of a company and buy in from across the business to mitigate risks is essential. Again, this could be where an external organisation can yield significantly more productive results than a home-grown solution:
- Risk assessment
- Data discovery
- Security strategy, roadmap and programme development
- People roles and responsibilities
- Awareness and training
- Designing and building security operations for detection and response
- Security sourcing strategy, RFP development and procurement support
- Compliance to ISO 27000 standards
Risk Analysis and Evaluation
Finally, it is essential to be able to track, manage and monitor progress effectively to gain the benefits of supply chain risk management. Companies have relied on homegrown, manual or quasi-automated systems to analyse and evaluate vendor risks but the speed and extent of change in the supply chain has long outgrown these solutions.
Vendor and third-party risks demand a complex set of assessment approaches, processes and workflows that cross organisational boundaries. Conventional, highly customised applications struggle to perform and deliver against their intended use cases. Maintaining the visibility, consistency and security of sensitive data sources and the integrity of the data itself is unscalable when relying on traditional spreadsheets, documents and emails.
These problems demand a fresh approach.
Services that only look at a vendor’s external vulnerabilities do not provide a reliable indication of the security inside a business. Others that rely on surveys and self-assessments can be onerous on the vendor and assume questions are answered correctly.
Issues will be missed by entirely technology-based solutions that lack the human in the loop to interpret, challenge and apply judgement. Consultancy based solutions are not only inefficient but over time lead to inconsistent conclusions. They will also only present an assessment of the risk at a moment in time while the risks themselves evolve and change.
It is essential to look at a vendor from four different perspectives:
- Vendor- Customer context. This determines inherent risk, with attributes such as the data types exchanged, services delivered, volume and criticality
- Open source indicators. Exploiting available data on the internet (eg. DNS record configurations, SIC codes, domain reputation and news feeds) continuously monitors indicators of risk
- Assertions. Vendor responses to questionnaires tailored to the context and risk give a richer, more complete and self-certified picture of vulnerabilities
- Evidence. Reviews of evidence, site visits and audits enable an analyst to validate controls when required