An Introduction to Supplier Risk Assessment

Understanding Different Types of Supplier Risks

There are many risks to your organization's supply chain, ranging from weather events that impact deliveries, to unethical business practices by fourth- or Nth-party suppliers that lead to reputational damage. As you conduct risk assessments across your supply chain, it is important to understand and categorize the business continuity and resilience challenges your suppliers face. Supplier risk categories include:

• Cybersecurity Risks

• Compliance Risks

• Business and Financial Risks

• Event Risks

• Corporate Social Responsibility and ESG Risks

• Capacity Risks

• Performance Risks

Cybersecurity Risks

Breaches, vulnerabilities, missing information security controls, and other cybersecurity threats are some of the most critical risks to evaluate during supplier risk assessments. Unlike physical products, customer data and other sensitive information can be transmitted and retained throughout your supply chain. Attackers can also leverage vulnerabilities in your technology supply chain to directly target your organization’s systems and data. This can lead to adverse outcomes such as data breaches, compliance violations, fines and lawsuits, and reputational damage to your organization.

Compliance Risks

Almost all organizations today fall under one or more data privacy or information security compliance requirements, such as GDPR, CCPA, HIPAA, PCI DSS, and dozens of others. Penalties for non-compliance can range from fines to personal criminal liability depending on the infringement and the regulation. Closely related to compliance risks are sanctions; for example suppliers that have been cited for doing business with state-owned enterprises or have engaged in money laundering or corruption.

Business and Financial Risks

Business failures and financial issues can cause severe disruptions to your supply chain, even if the disruption is with a fourth- or Nth-party supplier. Business and financial risks include executive turnover, M&A activity, bankruptcy, lawsuits and regulations that could impact a supplier's ability to deliver on a contract.

Event Risks

Recent years have shown just how badly unpredictable events can disrupt both organizational and global supply chains. COVID-19, the Suez Canal blockage, the Ukraine War, and increasingly devastating hurricanes and wildfires are just a few examples of events that caused enormous risk and financial stress to thousands of organizations and governments around the globe.

Corporate Social Responsibility and ESG Risks

At one time, organizations could meet the definition of corporate social responsibility (CSR) by giving back to the community through donations of time and money. However, CSR is increasingly associated with environmental, social and governance (ESG) practices. These include your company’s approaches to environmental sustainability; its relationships with customers, employees and communities; and how it deals with executive pay, internal controls and shareholder rights. Working with companies that have bad environmental track records, utilize forced labor as part of their supply chains, or engage in other corrupt practices can expose your organization to substantial reputational, civil and even criminal risk.

Capacity Risks

Whether driven by business events, economic conditions or natural disasters, suppliers may not be able to meet their delivery schedules. That’s why it’s important to continuously measure supplier capacity, including tracking current order status, performance against order history, supplier responses and acknowledgments. A proactive view of supplier capacity can help your organization be more agile when a disruption occurs.

Performance Risks

Closely related to capacity risks are supplier performance risks, which you can identify by measuring key performance indicators (KPIs). KPIs can include quality metrics, delivery performance, and criteria for meeting agreed-upon service levels. Supplier performance management is easier when you set contractual clauses with enforceable service level agreements (SLAs) and leverage a SRM dashboard that provides enterprise-level visibility.

Five Keys to Effective Supplier Risk Assessments

Different organizations approach managing supplier risk in markedly different ways. The composition, focus and scope of a mature SRM program depends heavily on the organization’s industry sector and the size and complexity of its supply chain. Given that, below are five keys that apply to almost any supply chain across industries from retail to technology.

1. Profile and Tier Your Suppliers

Effectively evaluating your third-party suppliers based on profiled, inherent and residual risk is essential to your overall supplier risk assessment approach.

Profiled Supplier Risk

Profiled risk relates to the nature and criticality of products or services that a supplier provides to your organization. For instance, a computer manufacturer’s semiconductor supplier would pose more far risk than their packaging supplier would.

Inherent Supplier Risk

An inherent risk is an existing risk that the vendor poses prior to any remediation efforts taking place. Examples of inherent risk include poor financial posture, inadequate information security controls, or operational inefficiencies.

Residual Supplier Risk

Residual risk involves risk that is left over after a vendor has taken adequate remediation actions. It is up to your risk management team to determine whether residual risk is acceptable or unacceptable.

Each category of risk can be evaluated independently or combined to drive more informed, risk-based decisions and actions. Organizations with a high degree of profiled or inherent risk may require additional risk assessment and remediation efforts, such as:

• Conducting more frequent internal assessments and/or continuous external monitoring

• Requiring the supplier to pass an audit against an information security framework such as ISO 27001, SOC 2 or the NIST Cybersecurity Framework

• Stipulating contract or SLA provisions related to information retention, destruction and compliance

Understanding and implementing an effective process to accurately determine profiled, inherent, and residual risk is the core building block to your overall supplier risk management program. Before conducting supplier risk assessments, ensure that you have a process-driven framework for scoring profiled, inherent and residual risk.

2. Align Your Supplier Risk Assessments with an SRM Framework

Basing your supplier risk assessments on a risk management framework can help to ensure that they follow best-practice guidance and minimize any coverage gaps. Many organizations align to NIST or ISO frameworks, depending on their industry and other factors. Specific NIST guidelines to consider include NIST CSF v2.0, NIST SP 800-53 and NIST SP 800-161. For ISO standards, start with ISO 27001, ISO 27036-2 and ISO 27701.

3. Don’t Underestimate the Importance of ESG

Assessing ESG risks should come front and center as you evaluate your supply chain and extended supply chain. Organizations with poor track records related to ESG are at risk for divestment, reputational damage, and customer blowback. Investors and customers are increasingly concerned about issues such as carbon emissions, deforestation, modern slavery, and corruption. As you conduct your supplier risk assessments, make sure you are accounting for ESG risks – not only for your direct suppliers, but also for fourth- and Nth-party suppliers in your extended supply chain.

4. Stay on Top of Compliance as Regulations Evolve

Assessing third-party compliance is a core element of an effective supplier risk management strategy. Compliance should be integrated at every level of your SRM program, from sourcing and selection to offboarding. Conducting an annual supplier risk assessment provides an opportunity to identify potential compliance gaps and address them with relevant stakeholders.

Regular assessments also enable you to evaluate your current compliance program against regulations that may have been issued or updated since you onboarded a supplier. For example, the German Supply Chain Due Diligence Act will take effect in 2023 and includes several critical requirements for organizations to combat modern slavery in their supply chains. Proactively assessing risk against regulations that may not yet be enforced enables you to get ahead of situations where you may need to switch vendors or require additional remediation prior to contract renewal.

5. Cover Gaps Between Assessments with Continuous Monitoring

Assessing suppliers as they are onboarded is critical, and it is equally important to conduct ongoing, regular risk assessments (e.g., annually) to stay on top of emerging risks and changes in each supplier’s operations. However, new threats and weaknesses can arise and impact your business at any moment. Of course, it’s impractical and virtually impossible to conduct questionnaire-based supplier assessments on a daily, or even monthly, basis. That’s where continuous risk monitoring solutions can help. By continually scanning and analyzing thousands of sources of cyber, business, financial and reputational intelligence on a supplier, you can identify and act on emerging risks before they affect your organization.

Next Steps

Supplier risk assessments can enhance your organization's resilience against supply chain disruptions due to business failures, reduce the risk and impact of third-party data breaches, and minimize reputational damage traced to shortfalls in supplier ESG practices.

Wondering how to get started? Learn more about our solutions for supplier risk management, our supplier risk monitoring service, and our procurement due diligence service. Interested in whether Prevalent solutions and services may be a fit for your organization? Request a demo.