What Role Does Procurement Play in Supply Chain Risk Management?

Thanks to globalization and rapidly developing technology, enterprises depend on more external connections than ever before, and every connection adds risk to the supply chain.

Supply chain risk extends past those suppliers with whom you’re doing business directly. Beyond your third-party suppliers are their suppliers, and the supply chain continues branching out from there.

In today's connected world, organizations cannot afford to keep supply chain risk management in a silo owned by the security or risk function alone. Procurement teams, who select and onboard suppliers in the first place, should share the risk management responsibility.

The 2019 Airbus data breach is a clear example of third-party risk in action. Suppliers including Rolls-Royce and Expleo were reportedly targeted as a route into Airbus, despite having been "vetted" by procurement. What was missing from the vetting procedure? Public reporting does not say, but a breach that arrives through supplier access suggests that the cyber risk posed by those suppliers was not a central criterion in the purchasing decision.

Here are a few ways procurement teams can strengthen their supply chain risk management strategy and get better results from procurement risk management.

Ask the right questions

While onboarding new suppliers, procurement teams should consider additional sources of risk alongside factors like price and availability. Here are a few risk areas to consider:

  • Cyber — How much access will the supplier have to your organization's sensitive systems and data? Does their cybersecurity performance meet your organization's standards? How likely are they to suffer a data breach, and would you find out if they did?
  • Compliance — Is the supplier compliant with the regulations that apply to your industry? Some regulations (such as the California Transparency in Supply Chains Act and GDPR) hold businesses accountable for the actions of their suppliers, so a supplier's non-compliance can become your liability and propagate up and down the chain.
  • Reputational — Does the vendor have a reputation for taking security seriously? Have they had previous security incidents or failures of security controls? How large were they, and how did the vendor respond?
  • Geopolitical — Where is the vendor located? Consider the cyber risks associated with the region's geopolitical climate. For example, a vendor based in Ukraine may be a target of nation-state attacks such as Russian cyber operations or those of Russian-sponsored actors.
  • Environmental — Given its location, what environmental risks does the vendor face? Do they have plans for coping with natural disasters and for protecting critical systems when one occurs?

Answering these questions can be tricky, but improved continuous monitoring technologies are making it faster and easier than ever to identify risks in third parties and track their status.

Some of the biggest advancements have been made in the realm of cyber risk, and this is also one of the greatest sources of supply chain risk.

Address cyber risk

In addition to maintaining your own organization’s cybersecurity, you also have to worry about your third- and fourth-party suppliers’ cyber risk, as well as other connections up and down the supply chain.

According to Deloitte’s 2018 CEO and Board Risk Management Survey, more than 50% of organizations say they don’t have a plan to establish formal risk-monitoring standards for their third parties. For these organizations, lack of supply chain visibility could set the stage for a devastating data breach.

Data breaches that originate in the systems of third parties are among the most common and most expensive, and these attacks don't always come through expected channels. The 2013 Target breach, for example, began with credentials stolen from an HVAC vendor. A 2017 attack on a petrochemical plant (the Triton/Trisis malware) targeted the plant's safety instrumented system controllers, a product supplied by a third-party vendor.

Fourth-party outages are a risk as well. When DNS provider Dyn was taken offline by a distributed denial-of-service attack in 2016, large swaths of the U.S. internet went down, including websites that had no direct business relationship with Dyn but depended on services that used it, at an estimated cost of $20,000 to $100,000 per business per hour.

Strengthening the relationship between procurement and supply chain risk management

In a siloed organization, the procurement team might wait until just before a deal is signed to request a cyber risk assessment. Alternatively, they may wait until the agreement is already signed, or never ask for one at all.

In this model, cybersecurity isn’t prioritized, and supply chain risk increases as a result. To avoid this siloed structure, cybersecurity teams should have more of a role in the procurement process, and procurement teams should have more ability to evaluate a potential supplier’s security.

But how can procurement teams accurately evaluate cyber risk? How can an organization set specific, measurable standards for risk management while onboarding new vendors?

Security ratings offer one solution.

Security ratings are a data-driven, dynamic measurement of an organization's cybersecurity performance. Ratings are derived from objective, externally observable information and produced by independent organizations. With access to a security ratings platform, procurement teams can quickly see the relative cyber risk associated with potential suppliers.

Other tools, like Bitsight for Fourth-Party Risk Management, can reduce fourth-party risk. By mapping the digital supply chain connections behind each supplier, this kind of tool helps procurement teams identify concentrations of risk in the extended enterprise and avoid or remediate them.

To minimize risk, organizations need to recognize and strengthen the connection between procurement and supply chain risk management. Security ratings and fourth-party risk identification tools give your organization the continuous monitoring capabilities it needs to reduce overall risk.