Sara Ricci, Information Risk Governance and Resilience Executive, HBC shares her insight ahead of Third Party & Supply Chain Risk USA

Gaining visibility across suppliers and subcontractors and enhancing resilience

Sara Ricci, Information Risk Governance and Resilience Executive, HBC

Below is an insight into what can be expected from Sara’s session at Third Party & Supply Chain Risk USA 2023.

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

How will visibility across suppliers and subcontractors enhance resilience amongst organizations?

With increasing dependence on third parties that make up complex supply chains, managing third party risk is one of the top-of-mind risks for the enterprise. Increasing ransomware attacks that exploit vulnerabilities in the supply chain are a serious threat to the resilience of the organization.

In recent years, we have seen cybersecurity breaches of third party systems resulting in unprecedented losses. Often, the risk to the enterprise has emanated from not only direct suppliers but also through suppliers embedded deeper in the supply chain, including subcontractors that were not considered to be of significant concern.

Therefore, sufficient visibility into the supply chain layers, appropriate due diligence, and third party management and monitoring are key to enhance resilience.

The convergence of cybersecurity/business continuity/privacy/operational risk considerations makes it an imperative that extends beyond the procurement/sourcing/legal functions across the enterprise and farther into the macroeconomy in an increasingly interconnected world.

Why should organizations be quantifying their supply chain resiliency? Where do the challenges lie?

It is often said, “You can’t manage what you can’t measure”. While the quote itself is debatable in that not everything can or should be measured, metrics help us manage better. Therefore, it would be helpful to be able to assess supply chain resiliency by using quantitative measures to supplement qualitative assessments of the ability of suppliers to support the organization’s resiliency goals. Defining meaningful Key Risk Indicators (KRI) to monitor risk levels and Key Performance Indicators (KPI) to manage SLAs and third party performance helps manage supply chain resiliency.

The challenges lie in establishing an end-to-end supply chain strategy and developing capabilities to gain intelligence across the entire supplier ecosystem.

It is difficult to manually derive overall quantitative indicators in light of the varying levels of contribution to risk in the supply chain by suppliers with disparate criticality to the resilience of that supply chain. Unless the organization has the resources to invest in tools that help in data collection and analytics to identify and manage the third party risk in the supply chain, it can be an existential threat to some organizations.

Meanwhile, supply chain resilience does not exist on its own. It lives with robust business resilience and cyber resilience programs as part of an operational resilience ecosystem, which can also inform the supply chain/third party risk management process to enhance overall resilience.

What impact do global events have on supply chain resilience?

Today’s supply chains are no longer linear and confined to a limited geographical area. With globalization and technological advancement, the world has become smaller, and the chain may actually be a mesh, traversing multiple regions, nations, and continents!

This has added geopolitical risk to the supply chain. Stabilizing a supply chain when there is increased global economic volatility and uncertainty may lead to an inability to maintain inventories. The local economic conditions, labor shortages, inflation, and the regulatory regime can impact the supplier in that section of the supply chain. A location with a high risk of natural disasters and climate risk may make the supplier vulnerable to disruptions from these causes.

We have recently seen how the Covid-19 global pandemic resulted in severe shortages of products we consume in our daily lives and in pushing out deadlines of heavy-duty, strategic projects.

The Russia-Ukraine conflict has highlighted the energy dependence of several countries on supply chains in the impacted region while also resulting in higher food prices.

Lack of convergence of self-interest of nations along the global supply chain can erode the collaborative business environment that is necessary for a stable supply chain. Dependence on critical suppliers located in those geographies can seriously impair the resilience of the organization. Therefore, global events can significantly impact supply chains, and organizations should identify alternative suppliers to engage with in case of a supply chain disruption.

How can organizations maintain business continuity in the case of supply chain disruptions?

Business Continuity Planning (BCP) is a pillar of the business resiliency objectives of the enterprise.

A disruption of the supply chain can lead to a business disruption, resulting in several types of impacts to the organization. For example, operational impact, i.e., not being able to conduct certain functions in the absence of a supplier input, resulting in financial loss to the organization from not being able to provide its product/service to its customers, loss of reputation and competitiveness in the market and regulatory fines or penalties if the business disruption results in a breach of law or contract.

So, how do you plan for business continuity? The key steps in the planning process to gain sight of critical suppliers and to address recovery from a supplier disruption are:

  • A Business Impact Analysis (BIA) to identify critical processes/functions is conducted at the start of the BCP cycle by determining the Recovery Time Objective (RTO) and Recovery Point Objective (RPO).
  • External and internal dependencies are flushed out, and suppliers that support critical processes are reviewed further.
  • The supplier’s BCP and its ability to support the process are analyzed.
  • The supplier is asked to remediate any gaps and issues that are found.
  • Tabletop or disaster recovery exercises that include the supplier are undertaken to validate recovery capabilities in the event of a disruption.
  • Review contracts and SLAs, remediate any weaknesses found, and identify insurance needs for transferring business disruption risk.

The organization will plan for supplier disruption contingencies to maintain business continuity:

If a supplier is discovered to be a Single Point of Failure (SPOF), e.g., a sole- or single-source supplier, potential backup suppliers may be identified to strengthen the resiliency of critical processes.

If that is not possible, alternative strategies to address the risk of supplier disruption should be implemented.
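The BIA, dependency mapping and SPOF steps above are the part of this process that lends itself to a simple, repeatable check. The following Python sketch is an added example, not code from the article, from Sara Ricci, HBC or CeFPro. It models a critical process, the inputs it needs, the suppliers able to provide each input, and each supplier's subcontractors, all as constructed sample data. It then surfaces two things the article warns about: a subcontractor that every direct provider of an input depends on (a SPOF hidden one layer down, even where the input looks dual-sourced), and suppliers whose tested recovery time is slower than the process RTO. The rule that a supplier's effective RTO is the slowest recovery time anywhere in its subcontractor chain is this example's assumption, not a statement from the article.

```python
"""Supply-chain dependency check: hidden single points of failure (SPOFs)
in subcontractor layers and RTO gaps between a critical process and the
suppliers it depends on. All data below is constructed sample data."""

from typing import Dict, List, Set

# Constructed sample: a critical process from the BIA, its Recovery Time
# Objective, and the inputs it needs with the suppliers able to provide each.
PROCESSES: Dict[str, dict] = {
    "order_fulfilment": {
        "rto_hours": 24,
        "inputs": {
            "payment_processing": ["payco"],          # sole-sourced input
            "parcel_shipping": ["ship_a", "ship_b"],  # dual-sourced input
        },
    },
}

# Constructed sample: each supplier's tested recovery time (as reported from
# its own BCP exercise) and the subcontractors it in turn depends on.
SUPPLIERS: Dict[str, dict] = {
    "payco":   {"tested_rto_hours": 48, "subcontractors": ["cloud_x"]},
    "ship_a":  {"tested_rto_hours": 12, "subcontractors": ["cloud_x"]},
    "ship_b":  {"tested_rto_hours": 8,  "subcontractors": ["cloud_x", "telco_y"]},
    "cloud_x": {"tested_rto_hours": 4,  "subcontractors": []},
    "telco_y": {"tested_rto_hours": 6,  "subcontractors": []},
}


def transitive_dependencies(supplier: str, suppliers: Dict[str, dict]) -> Set[str]:
    """Every subcontractor reachable from `supplier`, at any depth (cycle-safe)."""
    seen: Set[str] = set()
    stack = list(suppliers.get(supplier, {}).get("subcontractors", []))
    while stack:
        sub = stack.pop()
        if sub in seen:
            continue
        seen.add(sub)
        stack.extend(suppliers.get(sub, {}).get("subcontractors", []))
    return seen


def effective_rto(supplier: str, suppliers: Dict[str, dict]) -> int:
    """Assumption of this example: a supplier cannot recover faster than the
    slowest party in its chain, so its effective RTO is the max over itself
    and all of its transitive subcontractors."""
    chain = {supplier} | transitive_dependencies(supplier, suppliers)
    return max(suppliers[s]["tested_rto_hours"] for s in chain)


def single_points_of_failure(process: str, processes: Dict[str, dict],
                             suppliers: Dict[str, dict]) -> Dict[str, List[str]]:
    """For each input, the parties whose outage would leave no working
    provider. A subcontractor shared by all providers appears here even when
    the input looks redundant at the direct-supplier layer."""
    result: Dict[str, List[str]] = {}
    for input_name, providers in processes[process]["inputs"].items():
        # Outage of any party in a provider's chain takes that provider down.
        knockouts = [{p} | transitive_dependencies(p, suppliers) for p in providers]
        common = set.intersection(*knockouts) if knockouts else set()
        if common:
            result[input_name] = sorted(common)
    return result


def rto_gaps(process: str, processes: Dict[str, dict],
             suppliers: Dict[str, dict]) -> Dict[str, int]:
    """Providers whose effective RTO exceeds the process RTO, with the gap in hours."""
    target = processes[process]["rto_hours"]
    gaps: Dict[str, int] = {}
    for providers in processes[process]["inputs"].values():
        for p in providers:
            eff = effective_rto(p, suppliers)
            if eff > target:
                gaps[p] = eff - target
    return gaps


if __name__ == "__main__":
    for proc in PROCESSES:
        print(proc, "SPOFs by input:", single_points_of_failure(proc, PROCESSES, SUPPLIERS))
        print(proc, "RTO gaps (hours):", rto_gaps(proc, PROCESSES, SUPPLIERS))
```

In the sample data, parcel shipping has two direct providers, yet `cloud_x` is reported as a SPOF for it because both providers depend on that one subcontractor; that is exactly the deeper-layer exposure the article describes. The RTO gap output flags `payco`, whose tested recovery time of 48 hours cannot meet a 24-hour process RTO, which is the kind of finding that would feed the remediation and contract-review steps above.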

Supplier risk assessment at the time of onboarding should include a review of their BCP test results, Cyber Incident Response Plan, and how crisis communication would occur during a disruption, in addition to all other required due diligence.

Periodic reviews and exercises should be conducted based on supplier criticality for assurance of recoverability during a disruption. The supplier’s critical sub-service providers/subcontractors should also be reviewed for the supplier’s resiliency.

Planning for recovering from supplier disruption and validating the plan with exercises will help in maintaining business continuity in case of a supply chain disruption.