The advent of the COVID-19 pandemic spurred many organizations to revisit their supply chain risk management practices. During normal times, common practices such as just-in-time supply chains and outsourcing large portions of the supply chain process to other countries helped to reduce costs, streamline operations, and minimize warehousing requirements. Global supply chains have become increasingly lean, though at the expense of resilience. For instance, COVID-19 made apparent that while these approaches are beneficial during normal times, they can pose existential threats when significant disruptions occur.
One recent example of an unanticipated supply chain disruption is when the Suez Canal was blocked for 6 days, leading to an estimated $9.6 billion dollars of trade held up per day. While no organization can predict specific disruptions, a comprehensive and effective supply chain risk management approach can help your organization prepare for unexpected events and minimize disruptions.
Implementing sound risk management strategies can help organizations become more resilient, avoid business disruptions, reduce costs, and improve customer service. Supply Chain Risk Management (SCRM) is increasingly raised as a board-level topic as business continuity concerns and product lifecycle management take on more important roles. Today, SCRM can be the difference between success and failure for many organizations.
A basic risk management plan for the supply chain is developed by:
Assessing the likelihood of those risks
Modeling different scenarios
Mitigating unacceptable risks
Monitoring and documenting your SCRM approach
Gaining a clear understanding of supply chain risk enables the organization to better prepare for and respond to disruptions to product and service delivery. Additionally, advance planning can pave the way for organizations to implement automated solutions to shoulder part of the load in supply chain risk management.
The ultimate objective is to maintain supply chain continuity in the event of an incident that would otherwise disrupt normal business relationships and therefore profitability. By using detailed data analysis and mapping, risk management programs prioritize interdependent risks and individual downtimes along the supply chain. Well-designed risk management programs include risk mitigation and risk transfer approaches based on business objectives and information gathered during SCRM program development. They also provide the ability to monitor and validate the effectiveness of various strategies and optimize as needed.
Supply Chain Risk Management (SCRM) involves identifying, analyzing, and addressing the risk of data breaches, operational failures, and other business disruptions that could affect the delivery of products and services to an organization.
Supply chains are broadly defined as the sequence of processes required for the creation of a commodity. These sequences can be short and simple (e.g., a farmer selling goods at a farmer’s market) or long and complex, such as a multinational corporation sourcing raw materials from multiple companies across the globe, using a third-party to assemble them, and another third-party logistics agency to deliver them.
Supply Chain Risk Management involves categorizing the various risks to the supply chain that enables you to sell or deliver your products to consumers, and effectively managing that risk. There are several frameworks to consider when developing your Supply Chain Risk Management Strategy. These include NIST CSF v1.1, the NIST Risk Management Framework, and ISO 27001 among others. If you are just beginning your program, incorporating third-party frameworks can be invaluable.
The recent SolarWinds attack was one of the most far-reaching and sophisticated cyber attacks seen in the last 5 years. The SolarWinds supply chain breach is now wreaking havoc on Orion consumers around the world, despite their best efforts to recognize and minimize the risks. Prevalent found that 37% of impacted parties had no documented incident management policy for responding to the SolarWinds breach. This intrusion caught many organizations off guard, revealing internal procedure deficiencies regarding customer reporting and lack of appropriate incident response planning.
The SolarWinds attack is a salient example of how organizations can suffer cascading effects from supply chain risks. Even if an organization's direct suppliers didn’t use SolarWinds, their subcontractors may have. This is also an example of Nth Party risk, where the cybersecurity practices of unknown subcontractors could wreak havoc on an existing (and even carefully managed) supply chain. These risks underscore the importance of gaining a detailed and complete understanding of your supply chain, including subcontractors; accurately accounting for potential risks; and proactively creating an incident response plan for when events occur.
The Semiconductor Shortage: 5 Steps to Supply Chain Resilience
A semiconductor chip shortage will likely cost automakers billions of dollars in revenue in 2021, as manufacturers like General Motors and Ford are forced to shift production and suspend some lines.
Supply chain risk can be generally categorized into two types. There are external supply chain risks that occur outside of your organization (e.g., natural disasters) and internal supply chain risks, such as a data breach negatively impacting a key supplier. Both risks can be managed, but internal risks tend to be considerably easier to mitigate or eliminate.
Some of the most important risks facing 21st century supply chains are data breaches and other unexpected cyber events. These can jeopardize suppliers, their customers, and even their customers’ customers. For example, in 2013 Target suffered a massive data breach that exposed the PII of up to 40 million consumers. The attackers’ point of entry was an HVAC subcontractor that had served numerous Target locations. These types of events are not uncommon. In many cases, large enterprises will have robust cybersecurity programs, but these don’t always extend to third-party organizations that may have substantially less cybersecurity knowledge and capability.
The concept of identifying and quantifying risk in the supply chain can appear to be a significant, daunting undertaking at first glance. However, there are participants internal and external to your organization who represent every node in the value chain and can enable your program. For example, in dealing with cybersecurity risks to the supply chain, you may be able to call on internal experts such as a Chief Information Security Officer or an external resource such as NIST Supply Chain Risk Key Practices. Also, when sourcing raw materials it is critical to engage with product management and manufacturing to thoroughly understand the potential risks at each link in the supply chain. This means a critical aspect of SCRM is breaking down the silos that may limit the overall effectiveness of your SCRM program.
The cost of encouraging a supplier or vendor to comply with NIST guidelines can be steep, even for larger corporations. Prevalent recommends using Vendor Evidence Sharing to reduce the burden of ensuring each individual company is compliant. However, a holistic approach to SCRM that includes the control of all forms of risk across all supply levels and all risk objects (suppliers, locations, ports and more) is critical. SCRM is a key business enabler that is embedded and implemented into an enterprise's core systems when performed correctly.
Business supply chain risks can take many forms. A key supplier could declare bankruptcy and be unable to deliver on its contracts. In fact, some studies show 25% of businesses have been affected by the financial failure of a supplier in the past year.
Mergers and acquisitions can also signal a change in strategy or market consolidation that could impact service delivery, prices or contract terms. In addition, leadership turnover or legal trouble can impact organizational culture, strategy, and its ability to execute against goals.
In addition, organizations are increasingly subject to regulatory penalties for financial disclosures and ethics that may not be visible or well understood by security teams. For example, the Office of the Comptroller of the Currency (OCC) provides specific guidance for banks entering relationships with third parties such as cloud service providers, data aggregators, fintech companies, and subcontractors.
When evaluating potential vendors it is critical to understand the organization's financial situation, existing contractual obligations, and other factors that could prevent them from effectively executing on your contract. The less due diligence that is performed before onboarding a vendor, the more likely you are to experience a significant business disruption.
Having a formal and documented Third Party Risk Management strategy can help to manage these risks. Vendors should be evaluated uniformly based on a predetermined set of metrics that make it easy to compare competing vendors and identify potential suppliers that may have difficulty fulfilling their contractual obligations.
Supply chains have become dramatically more complex with globalization. A hurricane, wildfire, tsunami, or earthquake in one country can impact supply chains around the globe. The risk of experiencing a supply chain disruption due to a natural disaster is projected to increase due to climate change. It’s critical to account for the risk of natural disasters to supply chains. Organizations that may be impacted should have a detailed plan to refer to in the event of a natural disaster that impacts their supply chain.
COVID-19 serves as a prime example of how a natural disaster can disrupt supply chains on a global scale. In January and February of 2020, China was at the center of the COVID-19 crisis and it quickly became apparent how widespread disruption could occur, particularly when coupled with drastic changes in demand for certain products. For instance, supply chains were significantly disrupted for key personal protective equipment such as N95 respiratory and face shields while demand skyrocketed.
It’s impossible to predict disasters like hurricanes or earthquakes far in advance, but it is possible to mitigate the risk and dam
pen its impact on your organization. In addition to having a plan, organizations can also run simulations on their supply chains. Running simulations can help you understand what the most vulnerable parts of your supply chain are and how natural disasters would affect business operations.
If large portions of your supply chain are outsourced to other countries, a change in political conditions or a country's security situation can cause negative supply shocks. Examples could include changes in tax policy, internal stability issues, or trade embargoes. It is critical that you analyze political, social and economic conditions in the region of a potential supplier and assess the likelihood that these could impact your supply chain.
Every organization is going to have a different level of supply chain risk based on their industry, suppliers, area of operation, and business strategy. The first step is to identify just how much third-party disruptions could impact your business. Take the time to review your third-party suppliers and categorize and tier them according to their criticality to the business
When working with numerous organizations around the world, it is critical that you get a full view of how your supply chain operates. Diagram out different suppliers and what critical roles they fulfill. In addition request Business Continuity Plans and Disaster Recovery plans from current and potential suppliers. Make sure to store this information in an easy-to-access centralized location. The more information that you can collect on the internal businesses processes of suppliers and potential suppliers, the better prepared you will be in the event of an incident.
Once you have a centralized repository of information on your suppliers, assign risk scores based on the information that the suppliers have provided, as well as other factors (such as geographic location, company history, financial standing, etc.) this can provide an invaluable store of data that enables you to easily identify suppliers that may need to be replaced due to unacceptably high risk to your organization's overall supply chain.
A simple SCRM risk scoring chart
Risk mitigation in the SCRM lifecycle could take a variety of forms. A company could choose a different supplier, shipping route, or require companies to undergo TPRM assessments in order to be considered as a vendor. Organizations should begin by focusing on the mitigation of high-frequency, high-impact events before moving on to risks with a lower priority.
Once you have identified your level of supply chain risk, scored your suppliers and worked to mitigate risks, you should reassess your program. It is critical to identify any deficiencies in your SCRM program and to remediate any outstanding high-impact risks. Finally, you need to put into place a formal third-party risk monitoring program to ensure that you stay on top of new and emerging threats to your supply chain. If you found specific failure points that could cascade into a wider organizational crisis, it is critical that you map those out as well.
An organization's risk is not limited to its direct (third-party) associates and vendors. Harm may also be introduced by their partners and retailers, also known as "fourth parties," as well as those higher up the supply chain. The challenge of recognizing such organizations, the associated risks posed by third parties, and their ability to administer and implement controls against those risks is of great concern for businesses today. The complexity involved in assessing and responding to these types of risks requires a robust and comprehensive Third-Party Risk Management Program.
When making critical decisions, supply chain managers should be able to measure the likelihood and impact of these risks, apply disciplined risk management processes, and be aware of their impact on their business and communicate those to the stakeholders. This means it is critical that the organization invest in the tools and practices necessary to identify, anticipate, analyze, and mitigate risks in your supply chain. Managers must also create a plan for supply chain resilience to prepare for the many potential disruptors that come with competition in today's global economy. Successful mitigation of supply chain risk and disruption is essential for sustainable growth and prosperity.
No matter how strong your SCRM and procurement approach is, problems will occur. For particularly critical portions of your supply chain, take the time to map out contingency plans that can enable you to rapidly transition in the event of an incident. This can mean the difference between widespread disruptions across your organization or a minor hiccup in operations. The more important the vendor is, the more critical it is that you map out specific and actionable incident response plans.
8 Steps to Building a Third-Party Incident Response Plan
Read this executive brief to discover proven ways to reduce your time to detect and respond to supplier breaches.
Successfully implementing SCRM enables your organization to outperform your competitors and increase your market share when risks arise impacting markets. Investment in risk management systems in the supply chain offers many benefits. Organizations that prioritize developing and implementing a risk management strategy for their supply chains are more likely to reduce their risk than those that do not. Companies that implement risk management strategies in their supply chains see a clear competitive advantage compared to others in their industry. Organizations that apply the power of big data to their risk mitigation strategies can also benefit from a more robust risk assessment and management system that produces data and insight that is valuable far beyond the reach of the SCRM program.
Wondering how to get started? Learn more about our solutions for supply chain resilience, or check out our on-demand webinar: Supply Chain Risk: Fourth Parties and Beyond. Interested in whether Prevalent solutions and services may be a fit for your organization? Request a demo.