A Business Perspective of Supply Chain Risk
Today’s supply chains are just as long, complex, and important as the ancient Silk Road. But where the Silk Road became vital to civilisations of the past, modern supply chains could be their downfall, jeopardising functionality and consequently organisations’ reputations. In the interconnected, globalised economy, companies are connected to many suppliers and partners through their supply chains. This exposure leads to a plethora of risks that can severely damage a company’s finances, reputation, and future competitiveness. It’s time to understand the challenges and implement a proactive strategy to get on the front foot. Continue reading for a business perspective of supply chain risk.
The APICS Dictionary, 14th Edition, defines supply chain risk as “decisions and activities that have outcomes that could negatively affect information or goods within a supply chain.” In other words, supply chain cyber attacks put organisations at significant risk – risk that can disrupt their operations and damage their reputations.
These risks that businesses face are too large to be left unmanaged. Risk management is a proactive way of mitigating risk before it occurs, as well as optimising an organisation’s response to a risk once it has occurred. Without risk management, companies tend to react to problems ineffectively. The image below illustrates this point:
Risk management is an ever-changing process. In the past, risks were simple to identify and address. Now, they come in waves, from yesterday’s simple concerns to today’s uncertainties. The unknowns of tomorrow are the lessons learned of today. This lifecycle reflects the process of human discovery, prediction and management of risk applied to the supply chain.
The Expanse of Risk
“The global trade industry is increasingly competitive, and companies must adjust. They are faced with new challenges, such as increased complexity in supply chains, that a lot of European corporations are not used to dealing with,” says Ronan Lavelle, CEO, Elasticito. Indeed, the more expansive and interconnected a supply chain, the greater its exposure to risks such as geopolitical issues and piracy. With threats ranging from disruption risk affecting production and distribution to confidentiality risk to personally identifiable information (PII) under the General Data Protection Regulation (GDPR), the impacts are immense.
In the event of a supply chain security incident, customers of a breached operator can also be subject to spying, data theft, ransomware, or loss of control of their critical operations. In addition to huge costs to remediate, these breaches can destroy brand reputations and expose the private details of citizens. The pandemic has also driven organisations to accelerate their digital plans and reach out to their customer-base in this new world to trade and remain competitive.
One of the most recent high-profile supply chain breaches was the attack on IT software vendor SolarWinds in 2020, in which hackers were able to gain access to the software and from within deploy malicious code to its customers via an update. It was reported that some 18,000 customers around the world installed the tainted patch, including US Fortune 500 companies and government departments. 2017’s NotPetya attack is another notable recent supply chain attack.
When companies enter into contracts overseas, they can suddenly be in a compliance minefield. There are so many different regulations across the globe that conducting business can be a struggle. When regulatory changes happen, it can also have a big impact on a business’ operations. Due to the size of supply chains, there is less visibility over who has what data. Who is the data owner? Who is the data processor? Not understanding where your data lies in the supply chain can be a big problem, not least because when an organisation suffers a vendor data breach, it tends to be their reputation that suffers most.
The Impacts of Taking Risks: A Business Perspective of Supply Chain Risk
According to a 2020 Annualized Risk Report by DHL Resilience360, the risks you take may cost more than you want to pay.
- 69% of firms say they do not have full visibility into their supply chains.
- 63% of organisations do not use any technology to analyse, track, and monitor their supply chain performance.
- 73% of board members surveyed identified reputational risk as the area where they felt most vulnerable, but only 30% had a plan to address a reputational crisis.
- 99% of all companies have experienced a disruption in their supply chain over the past 5 years.
Mapping the System, Monitoring and Control
So what can be done? Managing cyber supply chain risk requires ensuring the integrity, security, quality and resilience of the supply chain and its products and services.
You have to start by assessing and understanding what cyber risk means to you as an organisation. You can then develop scenarios with clear parameters that you can quantify in financial terms. Quantification is an important step because it allows you to make informed decisions about how you manage that exposure. You can determine where you allocate your finite cyber risk management budget based on Value at Risk (VaR) and impact on your balance sheet. This will help you optimise the blend between technical control improvement, crisis management, business continuity planning, supplier contracting and risk transfer.
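The quantification step above can be made concrete. The following is an added example, not code from the article or from Elasticito: it takes a handful of constructed supplier-related loss scenarios, each with an assumed annual probability and an assumed low/most-likely/high loss range, simulates annual losses, reports Value at Risk (VaR) at a chosen confidence level, and splits a finite risk budget across scenarios in proportion to their VaR. The scenario names, probabilities and currency figures are invented for illustration; the triangular loss distribution and the Monte Carlo approach are my modelling choices, not something the article prescribes.

```python
"""Scenario-based cyber risk quantification for supply chain exposure.

Added example (not from the original article). Each scenario is a
supplier-related loss event with an assumed annual probability and an
assumed triangular loss distribution (low / most likely / high, in
currency units). We simulate annual losses, compute Value at Risk (VaR)
per scenario and overall, and allocate a risk budget by VaR share.
"""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float  # chance the event occurs in a given year (assumed)
    loss_low: float            # optimistic loss if it occurs
    loss_mode: float           # most likely loss if it occurs
    loss_high: float           # pessimistic loss if it occurs

    def expected_annual_loss(self) -> float:
        # Mean of a triangular distribution is (low + mode + high) / 3,
        # scaled by the chance the event happens at all this year.
        return self.annual_probability * (self.loss_low + self.loss_mode + self.loss_high) / 3


# Constructed sample scenarios; every figure here is illustrative only.
SAMPLE_SCENARIOS = [
    Scenario("Logistics partner outage halts distribution", 0.25, 50_000, 150_000, 400_000),
    Scenario("Vendor breach exposes customer PII (GDPR)", 0.10, 200_000, 800_000, 3_000_000),
    Scenario("Contractor retains access after contract ends", 0.40, 5_000, 20_000, 80_000),
    Scenario("Tampered software update from key supplier", 0.02, 1_000_000, 4_000_000, 15_000_000),
]


def simulate_annual_losses(scenarios, years=20_000, seed=1):
    """Return (per-scenario loss lists, total-per-year loss list) over simulated years."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    per_scenario = {s.name: [] for s in scenarios}
    totals = []
    for _ in range(years):
        year_total = 0.0
        for s in scenarios:
            loss = 0.0
            if rng.random() < s.annual_probability:
                # random.triangular takes (low, high, mode)
                loss = rng.triangular(s.loss_low, s.loss_high, s.loss_mode)
            per_scenario[s.name].append(loss)
            year_total += loss
        totals.append(year_total)
    return per_scenario, totals


def value_at_risk(losses, confidence=0.95):
    """Empirical VaR: the loss not exceeded in `confidence` of simulated years."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int(confidence * len(ordered)))
    return ordered[idx]


def allocate_budget(per_scenario, budget, confidence=0.95):
    """Split a finite risk budget across scenarios in proportion to their VaR."""
    var_by_name = {n: value_at_risk(l, confidence) for n, l in per_scenario.items()}
    total_var = sum(var_by_name.values())
    if total_var == 0:
        return {n: 0.0 for n in var_by_name}
    return {n: budget * v / total_var for n, v in var_by_name.items()}


if __name__ == "__main__":
    per, totals = simulate_annual_losses(SAMPLE_SCENARIOS)
    for s in SAMPLE_SCENARIOS:
        print(f"{s.name}: EAL={s.expected_annual_loss():,.0f} "
              f"VaR95={value_at_risk(per[s.name], 0.95):,.0f} "
              f"VaR99={value_at_risk(per[s.name], 0.99):,.0f}")
    print(f"Portfolio VaR95={value_at_risk(totals, 0.95):,.0f} "
          f"VaR99={value_at_risk(totals, 0.99):,.0f}")
    for name, share in allocate_budget(per, budget=500_000).items():
        print(f"Budget share for '{name}': {share:,.0f}")
```

One caveat the run makes visible: the low-probability, high-impact scenario (the tampered update, at an assumed 2% per year) has a 95% VaR of zero even though its expected annual loss is substantial, so allocating purely on VaR95 would leave it unfunded. Comparing VaR at 99% with expected annual loss, rather than reading a single confidence level, is what keeps such tail risks in the budget discussion.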
There is no silver bullet when it comes to defending your organisation. Therefore, security needs to become an integrated part of your business practice. Things to consider when securing your supply chain are:
- Supplier Management: Be sure to include your security requirements in any agreements with suppliers. If a supplier does not comply, you must take them to task, ensuring that the supplier will maintain their adherence to your company’s standards. You should also audit suppliers regularly, performing inspections of the suppliers to ensure continued adherence. Finally, you should create an environment where suppliers will inform you if they are breached.
- Asset Management: You wouldn’t go on a trip without knowing where you’re going and what you’ll need, so why would you do this for your business? Know who your suppliers are and how they fit into your operation. Understand how much access they have to your data and what data they can see. This will help ensure a safe and healthy business relationship.
- People Awareness: Apply the same security standards to contractors as you do with other suppliers. Make sure they have the proper clearance and only grant them access if they need it. Remember to revoke their access once the contract has been terminated.
- Monitoring & Cyber Threat Intelligence: The risk and security management process can be a difficult one, but it does not have to be. In this changing era, it is important for brands to be cognizant of their key suppliers and the risks they pose. Cyber threat intelligence is an excellent way to monitor your own risk and the risks that are important to you and your suppliers.
- Continuous Third-Party Risk Management: If your suppliers are at risk, then your company is at risk. Evaluate the security risk of key suppliers and apply security metrics as risk-based scoring to protect your organisation. It’s important to use cyber threat intelligence as well. Remember that their security risk is now your security risk.
- Penetration Testing: When introducing new technology, security needs to have a place in your design. When you’re done designing, test. High-impact organisations with access to highly sensitive data should acknowledge their responsibility to do this.
- Incident Response Support: The key to detecting vulnerabilities in your systems is continuous monitoring for issues. If you are breached or know you have an increased risk, don’t hesitate to contact third parties who can provide the technical tools and strategy to put a security roadmap in place. Supply Wisdom, for example, can help your business monitor digital security risks and implement emergency support when necessary.
The Bottom Line
In the world of global supply chains, trust is becoming an increasingly important commodity. Every organisation needs to play a role in the integrity and security of its digital supply chains, as a lack of trust can impede business performance and innovation. Effective cyber risk management requires a comprehensive approach employing risk assessment, measurement, mitigation, transfer and planning, and the optimal program will depend on each company’s unique risk profile and tolerance.
Contact Elasticito for further information regarding any of the above-mentioned topics.