Supplier risk assessment is a fundamental component of many enterprise supplier risk management (SRM) programs. SRM has become a major focus for regulators and corporate boards as the COVID-19 pandemic, the Ukraine War, and other events have triggered shortages of goods ranging from fuel to semiconductors. These supply chain disruptions have driven record inflation and are spurring further geopolitical crises.
It’s clear that proactively assessing supplier risk is more important than ever. Supplier risk assessments can help you to understand how threats to companies in your supply chain could impact your organization’s ability to deliver its own products and services. Some types of supplier risk such as performance and event risk have been understood for half a century or more, while other types such as ESG risk and cyber supply chain risk are relatively new concepts.
Before we dive into the specifics of assessing supplier risk, let’s cover a basic question: What is a supply chain?
A supply chain is the sequence of processes required to produce a product or commodity. These sequences can be short and simple, such as a grower selling goods at a farmer’s market – or they can be long and complex, such as a consumer products organization that designs and markets its products but then relies on hundreds of third, fourth and Nth parties for raw materials, assembly, packaging and distribution.
Supplier risk assessments comprise the backbone of broader supplier risk management (SRM) programs. A supplier risk assessment involves gathering data about a supplier’s information security and privacy controls, finances, ESG practices, corporate policies, incident response programs, Nth-party relationships, and other factors that may affect their business continuity and resilience.
Supplier risk assessments are conducted by sending questionnaires to key supplier contacts, analyzing the responses, identifying risks and their potential impact, and defining any required remediation or mitigation actions. Assessments are typically fielded during the onboarding phase, and follow-up assessments are conducted at a frequency and scope determined by the supplier’s services and criticality to the business.
If you are beginning to formalize an SRM program at your organization, you can use assessments to establish a baseline level of supply chain risk. If you already have a more robust program in place, conducting an assessment will enable you to measure current-state risk against acceptable levels and identify the key remediation activities you can undertake to reduce residual risk to an acceptable level.
Supplier risk management (SRM) involves managing both IT and non-IT risk across the entire supply chain. Cyber-supply chain risk management (C-SCRM) is a subset of SRM that focuses exclusively on managing information technology risks, such as data breaches, control gaps, and non-compliance with data privacy and information security regulations. An effective supplier risk management program should include a significant cyber-supply chain risk management component, but C-SCRM by itself is not sufficient to mitigate supplier risk.
Cyber-supply chain assessments should include evaluations of each IT vendor’s security controls, information sharing policies, and privacy practices. In addition to assessment results and evidence about the vendor's cybersecurity and privacy programs, IT vendor profiles should include information about the type, sensitivity and amount of your organization’s data that they handle or have access to. This can enable you to rapidly identify vendors that pose a high degree of risk to your organization when breaches occur, or that may have gaps in their information security programs that weren’t identified during vendor onboarding.
There are many risks to your organization's supply chain, ranging from weather events that impact deliveries, to unethical business practices by fourth- or Nth-party suppliers that lead to reputational damage. As you conduct risk assessments across your supply chain, it is important to understand and categorize the business continuity and resilience challenges your suppliers face. Supplier risk categories include:
Breaches, vulnerabilities, missing information security controls, and other cybersecurity threats are some of the most critical risks to evaluate during supplier risk assessments. Unlike physical products, customer data and other sensitive information can be transmitted and retained throughout your supply chain. Attackers can also leverage vulnerabilities in your technology supply chain to directly target your organization’s systems and data. This can lead to adverse outcomes such as data breaches, compliance violations, fines and lawsuits, and reputational damage to your organization.
Almost all organizations today fall under one or more data privacy or information security compliance requirements, such as GDPR, CCPA, HIPAA, PCI DSS, and dozens of others. Penalties for non-compliance can range from fines to personal criminal liability, depending on the infringement and the regulation. Closely related to compliance risks are sanctions risks, for example suppliers that have been cited for doing business with state-owned enterprises or that have engaged in money laundering or corruption.
Business failures and financial issues can cause severe disruptions to your supply chain, even if the disruption is with a fourth- or Nth-party supplier. Business and financial risks include executive turnover, M&A activity, bankruptcy, lawsuits and regulations that could impact a supplier's ability to deliver on a contract.
Recent years have shown just how badly unpredictable events can disrupt both organizational and global supply chains. COVID-19, the Suez Canal blockage, the Ukraine War, and increasingly devastating hurricanes and wildfires are just a few examples of events that caused enormous risk and financial stress to thousands of organizations and governments around the globe.
At one time, organizations could meet the definition of corporate social responsibility (CSR) by giving back to the community through donations of time and money. However, CSR is increasingly associated with environmental, social and governance (ESG) practices. These include your company’s approaches to environmental sustainability; its relationships with customers, employees and communities; and how it deals with executive pay, internal controls and shareholder rights. Working with companies that have bad environmental track records, utilize forced labor as part of their supply chains, or engage in other corrupt practices can expose your organization to substantial reputational, civil and even criminal risk.
Whether driven by business events, economic conditions or natural disasters, suppliers may not be able to meet their delivery schedules. That’s why it’s important to continuously measure supplier capacity, including tracking current order status, performance against order history, supplier responses and acknowledgments. A proactive view of supplier capacity can help your organization be more agile when a disruption occurs.
Closely related to capacity risks are supplier performance risks, which you can identify by measuring key performance indicators (KPIs). KPIs can include quality metrics, delivery performance, and criteria for meeting agreed-upon service levels. Supplier performance management is easier when you set contractual clauses with enforceable service level agreements (SLAs) and use an SRM dashboard that provides enterprise-level visibility.
Different organizations approach managing supplier risk in markedly different ways. The composition, focus and scope of a mature SRM program depends heavily on the organization’s industry sector and the size and complexity of its supply chain. Given that, below are five keys that apply to almost any supply chain across industries from retail to technology.
Effectively evaluating your third-party suppliers based on profiled, inherent and residual risk is essential to your overall supplier risk assessment approach.
Profiled risk relates to the nature and criticality of the products or services that a supplier provides to your organization. For instance, a computer manufacturer’s semiconductor supplier would pose far more risk than its packaging supplier would.
An inherent risk is an existing risk that the vendor poses prior to any remediation efforts taking place. Examples of inherent risk include poor financial posture, inadequate information security controls, or operational inefficiencies.
Residual risk is the risk that remains after a vendor has taken adequate remediation actions. It is up to your risk management team to determine whether that residual risk is acceptable or unacceptable.
Each category of risk can be evaluated independently or combined to drive more informed, risk-based decisions and actions. Organizations with a high degree of profiled or inherent risk may require additional risk assessment and remediation efforts, such as:
Understanding and implementing an effective process to accurately determine profiled, inherent, and residual risk is the core building block of your overall supplier risk management program. Before conducting supplier risk assessments, ensure that you have a process-driven framework for scoring profiled, inherent and residual risk.
Basing your supplier risk assessments on a risk management framework can help to ensure that they follow best-practice guidance and minimize any coverage gaps. Many organizations align to NIST or ISO frameworks, depending on their industry and other factors. Specific NIST guidelines to consider include NIST CSF v1.1, NIST SP 800-53 and NIST SP 800-161. For ISO standards, start with ISO 27001, ISO 27036-2 and ISO 27701.
Assessing ESG risks should come front and center as you evaluate your supply chain and extended supply chain. Organizations with poor track records related to ESG are at risk for divestment, reputational damage, and customer blowback. Investors and customers are increasingly concerned about issues such as carbon emissions, deforestation, modern slavery, and corruption. As you conduct your supplier risk assessments, make sure you are accounting for ESG risks – not only for your direct suppliers, but also for fourth- and Nth-party suppliers in your extended supply chain.
Assessing third-party compliance is a core element of an effective supplier risk management strategy. Compliance should be integrated at every level of your SRM program, from sourcing and selection to offboarding. Conducting an annual supplier risk assessment provides an opportunity to identify potential compliance gaps and address them with relevant stakeholders.
Regular assessments also enable you to evaluate your current compliance program against regulations that may have been issued or updated since you onboarded a supplier. For example, the German Supply Chain Due Diligence Act will take effect in 2023 and includes several critical requirements for organizations to combat modern slavery in their supply chains. Proactively assessing risk against regulations that may not yet be enforced enables you to get ahead of situations where you may need to switch vendors or require additional remediation prior to contract renewal.
Assessing suppliers as they are onboarded is critical, and it is equally important to conduct ongoing, regular risk assessments (e.g., annually) to stay on top of emerging risks and changes in each supplier’s operations. However, new threats and weaknesses can arise and impact your business at any moment. Of course, it’s impractical and virtually impossible to conduct questionnaire-based supplier assessments on a daily, or even monthly, basis. That’s where continuous risk monitoring solutions can help. By continually scanning and analyzing thousands of sources of cyber, business, financial and reputational intelligence on a supplier, you can identify and act on emerging risks before they affect your organization.
Supplier risk assessments can enhance your organization's resilience against supply chain disruptions due to business failures, reduce the risk and impact of third-party data breaches, and minimize reputational damage traced to shortfalls in supplier ESG practices.
Wondering how to get started? Learn more about our solutions for supplier risk management, our supplier risk monitoring service, and our procurement due diligence service. Interested in whether Prevalent solutions and services may be a fit for your organization? Request a demo.