By NITA KOHLI
What is supply chain risk? How can we manage it?
Originally designed to create efficiencies and save money, a firm’s dependence on its network of suppliers brings significant risk if the resources their network provides are disrupted by extraordinary and seemingly mundane events, such as natural disasters, an economic downturn, corporate corruption, and simple human error.
“We live in an age when the integrity of our supply chains is inextricably linked to the health of our business performance, national security and global economic wellbeing. In this new normal, and there’s no excuse for not knowing the bad actors, unlawful relationships or other inherent risks that lie within our vast and complex supplier networks. It’s incumbent on all leaders to embed trust and transparency in their supply chains to help pre-empt the next crisis before it happens.” Jennifer Bisceglie, CEO, Interos
Significant supply chain interruptions continue to plague businesses globally, with an average annual revenue loss of $182 million, according to the Resilience 2022: Interos Annual Global Supply Chain Report by the firm Interos. Nearly 90% of businesses surveyed say supply chain visibility is important, yet nearly 90% say they don’t regularly communicate with their suppliers about risk.
Businesses that ignore their supply chain and fail to prepare for the unforeseen could face reputational and financial consequences. To avoid a bad outcome, businesses must talk with and understand their suppliers’ dependencies, and then they must build a robust operational risk management program to better manage risk.
As the level of these disruptions continue to increase, regulators within the financial industry are subjecting firms to a greater level of oversight and governance of supply chain and third-party risk.
There needs to be a movement towards regulatory harmonization across the industry allowing firms to drive more consistency with the interpretation and applicability. Operational Resilience is an outcome of effective operational risk management.It’s also important to understand the interconnectivity across the regulatory space, and in 202I, Basel Committee on Banking Supervision (BCBS) issued their paper on Principles for Operational Resilience. It included mapping interconnections and interdependencies and third party dependency management as two of the core principles.
In order to effectively manage operational risk, incorporating and assessing third party and supply chain risk will help strengthen the overall resilience posture across an organization. An organization must know who, how and where a third party operates within its networks and systems. After all, an organization cannot manage what it doesn’t know exists.
Understanding the risk
Realistically, the impact from supply chain incidents should be incorporated into supplier/ vendor assessments, but the how, is not as easy to execute. It requires integration and collaboration across various functional teams, cyber and supplier incident management teams, supported by two-way communication. Many of these functions, are often siloed within an organization.
“We have the tools and we have the intelligence to mitigate such challenges while defending our operations from the growing danger of ‘supply-chain washing’ – the concealment of critical information about how products and services are sourced and sold.” CEO, Interos
Understanding Third-Party Planning Life Cycle
When you look at the lifecycle, there are intersections with business continuity programs, discussed in my last article.
How can we mitigate third-party risk?
A strong framework of foundational capabilities that supports the third-party lifecycle is imperative. That framework includes:
- Understanding the scope (i.e., breadth & depth) of all the third parties that an organization depends on and which programs they support, such as suppliers, servicers, and other counterparties. Consider looking beyond third-party suppliers to fourth- and fifth- parties. i.e. who are your forth, fifth, sixth parties dependent on within your operational ecosystem. According to the Interos survey, 74% of enterprise organizations still use manual methods to manage supply chain risk. Given the sheer volume of suppliers, a manual approach is neither scalable nor sustainable.
- Assessing third parties to understand the role they play in an organization. In the same survey, 76% of organizations contract with up to 25 different vendors, and a total of 14% deal with more than 100 different vendors. Do they play a critical role in your supply chain? Do they help manage your payroll? Asking questions like this will help your organization develop a tiered system that helps drive governance, requirements, and controls.
- Creating consistency by aligning your assessments with industry best practices (i.e., ISO 27001, 27036 NIST Cybersecurity framework), as well as across your organization. Establish minimum standards to manage third-party risk and integrate that with your organization’s risk & control self-assessment process.
Planning Strategies Considerations
Effective planning requires an organization to consider alternatives internally and externally, understanding the scenarios under which they can be employed – either separately or in combination.
Many industries and organizations have alternatives in the event of a supplier disruption. For those, additional consideration is needed to understand geographical risks/ limitations, and how easily the service can be transferred to an alternative service provider. And if the services can be transferred, is there additional supply chain risk if the third party hasn’t been thoroughly vetted?
The Way Forward
Having a strong operational resilience tool that will allow you to manage the resiliency of your critical services is foundational.
There are tools and resources that can help you simplify and manage risk effectively – for example Interos for supply chain management. The applications on the market can provide a platform, which can be integrated with open-source data.
We need to realize this is a big data challenge – billions of relationships and entities to be managed. Artificial intelligence (AI) and machine learning (ML) can help provide continuous monitoring vs. traditional semi-annual manual approaches and surveys. Using AI and ML to map your extended supply chain across the globe and down through the various tiers at speed and scale is where the focus needs to be starting now.
If there is one key message to take away, we need to break down the silos and work in collaboration with peers across the industry to drive more consistency and a greater level of transparency.
Nita Kohli is an operational resilience executive who is driving to strengthen and mature resiliency capabilities across the industry. She partners with executives, regulators, and industry counterparts to manage robust risk and control frameworks designed to deliver solutions, align core goals, and help lead organizations to manage risk. Kohli has more than 20 years of multi-disciplinary experience within the financial industry. She has held a variety of leadership roles across a multitude of functional areas, including finance, operations, risk, and control. She has driven a number of large-scale business transformations. Kohli’s career spans international work with Deutsche Bank UK, JP Morgan UK/US, and KPMG UK. She is a chartered accountant (ACA) and has a bachelor of science (hon) in mathematics and management from King’s College, University of London.