End of an Era: Legacy TPRM Solutions Do Not Create Operational Resilience (Part 4)

As discussed in “The Black Swan is Dead” blog, corporate boards and government agency heads are demanding visibility into their supply chain risk exposure and are starting to hold the organizations — and their leaders — personally responsible. They cannot wait days, weeks, or potentially months for answers. They want to know now, and they want to know what steps the company or agency is taking to prevent the next big COVID- or SolarWinds-like supply chain shock. In other words, they want to know executives have a plan for business continuity and Operational Resilience.

Even in this new world where “not knowing” is no longer an acceptable excuse, companies and agencies are still operating in silos. They are still using manual processes and point-in-time tools, such as Third Party Risk Management (TPRM), Supply Chain Risk Management (SCRM), spreadsheets, and surveys. These all fail to map, monitor, and model extended supply chains, capabilities without which you cannot reduce risk, avoid disruptions, and achieve dramatically superior resilience.

TPRM Vendors Are Too Limited in Scope for Modern Business Continuity and Operational Resilience

Building on existing vendor risk management and supplier risk management tools, TPRM attempts to broaden the focus beyond just vendors and suppliers to include all kinds of third parties. For TPRM vendors, this allows them to expand their market from manufacturing companies to all commercial entities. Most are point solutions, but the big Supplier Relationship Management (SRM) and Supply Chain Management (SCM) vendors have rolled out TPRM modules.

What TPRM solutions do:

  • Surveys
  • Single-risk focused

What they don’t do:

  • Visualize the extended supply chain
  • Provide ongoing monitoring
  • Look at the ripple effect of global events
  • Capture complex, multi-factor risks
  • Ensure comprehensive Operational Resilience and business continuity

Supply Chain Risk Management Attempts Operational Resilience Regulation

Through a series of Operational Resilience regulations and legislation enacted over the past decade, the US government has prompted organizations to leverage increasingly formalized approaches to SCRM, which is officially defined as:

“A systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout the supply chain and developing mitigation strategies to combat those threats whether presented by the supplier, the suppliers’ product and its subcomponents, or the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal).”

Unlike TPRM, SCRM enables a couple of critical elements needed for Operational Resilience:

  • SCRM clearly calls out that sub-tier suppliers need to be evaluated and tracked.
  • Cyber and financial stability risk are top priorities, but so are foreign ownership, location of facilities, counterfeit products, and other factors.

What is still missing with SCRM?

  • The process uses an Operational Resilience regulation and compliance approach. This means setting mandates for an unwieldy 300,000 defense companies and their extended supply chains. Companies see this as a compliance issue and the cost of doing business instead of a way to ensure Operational Resilience.
  • It still relies heavily on self-reported, annual surveys to collect information, which is inadequate for supply chain security and continuity.

In Place of the SCRM or TPRM Market, Operational Resilience is the New Standard

To achieve Operational Resilience and business continuity, organizations require tools that can:

  • Instantly discover the Nth tiers in your supply chain.
  • Provide situational awareness based on automatic, broad, multi-factor risk assessment.
  • Evaluate “what if” scenarios and alternative suppliers.
  • Be updated on a continuous basis in near-real-time.

In addition to these tools, “risk and resilience leaders” must find a structured approach to implementing organizational change. The Resilience Operations Center (ROC), described in Part 2 of this series, more than fits the bill. The ROC represents a new approach to modern supply chain security and continuity, delivered through an enterprise-wide framework that ensures supply chain risk management (SCRM) objectives are tied to organizational goals. It brings previously siloed groups together to form agile and informed teams that are empowered to use data intelligently and to react quickly to changing circumstances.

We’ve seen it work in a variety of industries, and our customers are using ROCs to dramatically change business outcomes for the better.

To learn more about Operational Resilience and business continuity, the ROC, and the technology that can enable it, visit www.interos.ai.

Operational Resilience is Now Everyone’s Job (Pt. 3 of 4)

You know you’re only as secure as your weakest link.

When it comes to your supply chain, that link could be one of your suppliers, your suppliers’ suppliers, multiple internal teams, or any of the thousands of employees whose daily work impacts how you source, distribute, process, and ship materials. That means your operational resilience is not the job of one department or manager—it’s everyone’s job.

With today’s varied and constantly shifting risk factors, keeping the supply chain safe depends on connected teams and coordinated decision-making. The two previous posts in this series explained how the death of Black Swan events has created a need for a Resilience Operations Center—an organizational framework for monitoring and mitigating supply chain risk factors.

But where in the organization does operational resilience responsibility belong?

Supply chain threats are organizational threats

Cyber security mitigation became everyone’s job once business leaders saw that internal silos and lack of education were putting the entire organization at risk. Bad actors seek out and exploit weakness anywhere they can find them. Supply chain risk is very similar. If a risk exists in one part of the supply chain, it makes the entire system weaker because suppliers rely upon each other for compliance and governance.

The need for a Resilience Operations Center (ROC) has never been greater as the role of supply chain security is shifting to the entire organization rather than traditional silos. And you are only as secure as your weakest link.

Creating a silo-less supply chain

The status quo in supply chain risk management is to have multiple groups looking at a small piece of the problem, with little communication or coordination between them—a fragmented approach to risk that is no longer acceptable. Traditionally, these threats were addressed separately by the chief security officer (CSO) or chief information security officer (CISO), legal and governance teams, and procurement. Many companies have recently added a chief risk officer (CRO), but that role often does not cover the supply chain. A new solution is needed, one that connects stakeholders and ensures information is shared freely between them.

For example, consider a business reliant on high quality steel for its products. Imagine they purchase lower quality components at some point, which results in a poor product and a dip in customer loyalty. In a traditional organization, the role of addressing this problem would be divided among multiple groups, often with different goals. The purchasing team wants low-cost materials and may ignore concerns about quality. The product teams need high quality steel to support the design. The governance and legal teams only get involved much later in the process. The CISO wants to ensure the company only uses vendors with good cyber hygiene. The marketing team promoted the product as high end. What results is often finger pointing, uncoordinated responses, and a long, difficult process to sort out and remedy the issue. Meanwhile, customer frustration grows.

Organizations must tear down the silos in order to create a central organization to address these issues. A ROC can act as that central resource by connecting teams, laying out clear processes, and creating reliable decision-making criteria for managers.

A top-down approach and awareness are keys to success

Fortunately, events of the past 14 months have created an awareness in the C-Suite that has put the health and agility of the supply chain squarely in the purview of the CEO and Board. Ensuring executives saw and understood the big supply chain picture, fostering a collaborative environment, and creating organizational goals used to be more difficult. The solution requires a top-down approach. It’s near impossible for one department or team to achieve these objectives on their own. The time and money you spend vetting a supplier against your risk reduction goals is wasted if your purchasing team then picks another supplier purely because it was cheaper, no matter how strong the vetted supplier’s security policies were.

Siloed actions create winners and losers within an organization. Leadership needs to ensure teams are acting as a single entity, not as individual units. Group success benefits everyone, and group failures allow for learning experiences—a chance to understand gaps or mistakes and implement best practices.

Again, the ROC helps create and sustain this kind of mindset. It enables communication, improves visibility, and keeps teams focused on big goals and shared KPIs through a set of tools and processes, including:

  • Coordinated risk assessment
  • Supplier relationship mapping
  • Continuous monitoring
  • Incident response teams
  • Single-source-of-truth dashboards
  • Insight sharing and real-time alerts
  • Outcome modeling and predictive insights
  • Closed-loop processes for lessons learned

Most supply chain risk management (SCRM) programs and processes fall way short of what organizations need in today’s complex threat environment. Ad hoc tools, point-in-time surveys, and spreadsheet-driven systems can’t give you that picture. They are too limited in scope, not agile enough, and don’t align with or help meet wider enterprise objectives.

Who understands your supply chain?

For agile, competitive companies, this is a long list. If it’s only your VP of supply chain and your procurement officer, you’re not doing enough to achieve operational resilience. A list of supply chain stakeholders needs to include:

  • CEO and CFO
  • Procurement
  • IT (CIO) and information security managers
  • Regulatory officers
  • General counsel
  • Business unit heads

That’s just the minimum. A broad base of connected team members creates a foundation for a number of supply chain and business benefits, from better risk management and business continuity planning to speed-to-market and customer satisfaction.

We’ve been warned, now it’s time to act

Cyber security fears (and failures) motivated organizations to rethink how they monitored and responded to technology threats. Will the supply chain events of the past year, and the ongoing looming threats, inspire similar action?

In an era where the workforce has more freedom than ever before, every remote user is a possible entry point for a supply chain-driven cyberattack. We are all responsible for supply chain integrity and operational resilience. It is only by working together, sharing information, and reducing organizational silos that we can support a healthier, more resilient supply chain. This is the guiding principle behind – and function of – the ROC.

Why wait until the next supply chain shock to start building a ROC when your business, brand, and reputation are already on the line? If you’d like to see how Interos can help your organization achieve operational resilience, reach out for a solution demonstration.

Supply Chains & The ESG Imperative: The Buck Stops with the C-Suite


Nike and Chipotle tied executive compensation to sustainability goal achievement. Mary Barra of GM allocated $27 billion to the development of electric and self-driving vehicles through 2025. Citi recently added circular economy and sustainable agriculture focus areas for its $250 billion Environmental Finance Goal, which it expanded from the original $100 billion goal that it met four years early. Environmental, Social, and Corporate Governance (ESG) is a top concern for today’s businesses and it’s not going away.

This said, there are plenty of businesses still grappling with the challenge. Whether it’s unethical child labor practices in China creating business concerns for H&M or environmental recklessness in the Amazon region creating problems for McDonald’s, Walmart, and Costco, these days the C-Suite is working hard to gain real visibility into risks lurking deep in the supply chain that could cause serious negative repercussions back at HQ.

Let’s call it the new ESG imperative. The movement towards embracing ESG responsibility as a core corporate value has been some time coming. 2000 saw the launch of the Global Reporting Initiative, which redefined corporate governance to include sustainability measures. Today, these standards have been adopted by more than 80% of the world’s biggest corporations.

Sustainable Investing & Regulations Drive Adoption

ESG has risen to even greater prominence today as a form of sustainable investing, whereby investment into new ventures is evaluated through a more holistic lens that looks at the environmental sustainability and societal impact of the funded project and not merely at its projected raw financial performance.

To be sure, there is a growing sense that ESG-funneled investments will perform better than most, as the global community begins to place increased priority on ethical behavior, fair labor practices, combatting human rights abuses, diversity, inclusion, and climate change. In 2018, a survey on climate and sustainability services found that just 32% of investors conduct a structured review of ESG performance. By 2020, that number had jumped to 72%. The pandemic has added fuel to this argument, where sustainable equity funds withstood early pandemic market dips better than non-sustainable counterparts.

Let’s be clear. There are laws and regulations that will force us to take responsibility for certain aspects of our supply chain. Here in the United States, for instance, the Securities & Exchange Commission (SEC) is promulgating an effective ESG disclosure system — one that would require publicly traded companies to elucidate broader ESG exposures in their extended supply chain, as part of their annual 10K filings, beyond some existing mandatory disclosure requirements in the area of board membership diversity.

The SEC’s John Coates, Acting Director of Corporate Finance, said on March 11, 2021: “The SEC is well equipped to lead and facilitate a discussion on when and how ESG risks and data must be disclosed, and how to create and maintain an effective ESG-disclosure system that would promote the disclosure of decision-useful, reliable and, where appropriate, globally comparable ESG information.”

“There remains substantial debate over the precise contents and details of what ESG disclosures might or should encompass. Part of the difficulty is in the fact that ESG is at the same time very broad, touching every company in some manner, but also quite specific in that the ESG issues companies face can vary significantly based on their industry, geographic location and other factors,” Coates added.

This isn’t mere posturing. Last Friday the SEC put out a risk alert, citing instances of misleading claims, inadequate internal controls, and weak policies found in an examination of investment advisors, companies, and funds.

Working towards Sustainable Supply Chain Management

Clearly, this is only the beginning of what is to come from a government mandate perspective. Even without strong compliance drivers, there are ample, solid business reasons for executives to move proactively to 1) understand and visualize their ESG profile in their extended supply chain and 2) optimize how they position their ecosystems to be operationally resilient and to yield top performance by being “ESG-forward.” It’s short-sighted to see this in defensive or even cynical terms, or to think that real hard-nosed business execs don’t really take ESG seriously. But implementing that desire can be difficult. As I recently told the Financial Times, these businesses want help identifying their exposure but struggle with the many tiers of suppliers on which they depend.

What if we can flip the script? Go beyond what is merely the minimum (the basic “compliant” level) and actually find and reward positive behavior. The power of transparency means the right thing to do is a massive business opportunity. This goes beyond the investment world; this goes straight to the core of the corporate world and the myriad extended supply chains of finance, manufacturing, energy, aerospace and defense, pharma, automotive and beyond.

Done right, we can encourage the creation of a better, healthier, and safer global economy. We can help re-build trust in the global supply chain. We can reveal and reward the good, as well as see the bad and put a higher cost of doing business on pursuing those out-of-fashion ways of operating.

Likely Changes for the Future

To be sure, there have been a number of self-correcting moves along these lines of late. The large solar-power industry here in the U.S., repped by the Solar Energy Industries Association (SEIA), resolved to eschew solar-panel product components from a region of China reportedly involved in unethical child labor. Furthermore, the SEIA has been urging its members to move supply out of the remote Xinjiang autonomous region in western China following reports of forced labor among the local Uighur ethnic-minority population.

Numerous international companies involved in sourcing components from the same region – making a range of products from footwear to consumer electronics – are reevaluating their sourcing from Xinjiang as reports surface of forced labor in factories located in this remote region.

In sum, when speaking of resilience in supply chains, more and more companies are realizing that we all have a shared responsibility to uphold our values, protect the environment, and find a visible seat at the table for ethics. More and more boardrooms, rightly so, are focused on a business’s exposure to ESG risk. It’s a matter of improving your top and bottom line and of securing your brand’s global reputation.

The following hypothetical scenarios, where improved visibility into your extended supply chain and a will to change into an ESG-forward posture is the new normal, could prompt businesses to:

  • Not source lumber from native forests that are not being replenished… in the case of a worldwide home-goods producer
  • Refrain from using products tested on certain species… a CPG giant focused on personal care products
  • Eliminate the use of child labor at cobalt mines in Congo… a global electric-car/hybrid automaker
  • Ensure diversity in your supplier base to increase innovation and economic impact in various socioeconomic demographics

At Interos, we enable companies to monitor supply chain risk in real-time based on automated models that look at relationships and events around the globe. Our customers are able to see their commitments, as well as their risk, down to five or more tiers in their supply chain when it comes to environmental damage and protection, gender inequality, governance, labor practices, and unethical sourcing. The rising prominence of ESG reflects the moral imperative that faces us as business leaders to hold ourselves accountable for the future of our planet and future generations.

Jennifer Bisceglie, founder & CEO, Interos

Why You Need a Resilience Operations Center – The Case for Operational Resilience (Part 2)

In the first post in this series, we talked about the death of Black Swan events—how the challenges of the past year necessitated a new approach to supply chain preparedness. Being caught off guard by unlikely events isn’t an option anymore.

The downside to this new environment is that supply chain shocks are more common and more costly than ever. The upside is that technologies and new business frameworks exist that are helping organizations map, monitor, and model their global relationships to improve outcomes and uncover opportunity.

A Paradigm Shift in Supply Chain Continuity and Security

Organizations have been using Security Operations Centers (SOC) for decades. They have been instrumental for tracking information on internal and external supply chain threats and helping teams manage responses.

But the variety and speed of those threats have changed, with financial, cyber, regulatory, geopolitical, operations, and environmental/social/governance (ESG) risks happening in every tier of an enterprise’s supply chain, continuously. The internal roles have changed, too, and include risk managers, cyber security analysts, procurement teams, IT, and other groups. They all require high quality real-time data and close coordination.

The Resilience Operations Center (ROC) meets these needs and more. It represents a new approach to modern supply chain security and continuity, delivered through an enterprise-wide framework that ensures supply chain risk management (SCRM) objectives are tied to organizational goals. It brings previously siloed groups together to form agile and informed teams that are empowered to use data intelligently and to react quickly to changing circumstances. We’ve seen it work in a variety of industries, and our customers are using ROCs to dramatically change business outcomes for the better.

The Roots of Supply Chain Vulnerability

The world has seen unprecedented business process and supply chain disruption. While many companies have suffered, some have survived and even thrived in this new environment. Several organizations were able to reposition the supply chain quickly and efficiently and meet or exceed their customers’ needs. To understand what sets them apart, we need to first review some history.

If you’ve studied supply chains in recent years, you’ve likely focused on Just-In-Time (JIT) or lean manufacturing. This approach prioritizes reducing excess inventory — only ordering components when needed and keeping spare parts to a minimum to reduce storage costs.

Globalization has also impacted modern production methods. Many global organizations pull components from far-off sources. Parts are made in different factories, then shipped to central locations for assembly. For service companies, software can be written anywhere in the world and then merged into the final product. This is often done to leverage existing resources and partnerships, or to avoid taxes and regulations.

The result of these factors and approaches was a perceived increase in efficiency and cost savings. However, those benefits could only be realized in an environment of limited and easily controlled disruptions. Deep and detailed planning seems unnecessary when things are going well. But the death of the Black Swan has changed the playing field. More events are coming, and you have to prepare for them. “Not knowing” is no longer an excuse.

Traditional Risk Management Is Outdated

Organizations typically leverage operational risk management (ORM) teams and perform disruption planning. However, the scope of much of this planning is limited to traditional events with limited global impact. For instance, an organization may plan for well-known seasonal storms that could impact their shipping. But the possibility that a national border would close for a year due to a worldwide pandemic, or that trading bloc statuses could suddenly change and upend international shipping laws, just wasn’t considered. Not to mention a prolonged accidental blockage of the Suez Canal by a wayward container ship.

Compounding the problem, most supply chain risk management (SCRM) approaches rely on point-in-time supplier risk assessments made up of ever-expanding questionnaires, surveys, and the like. These manual processes are meant to assure internal teams and business partners that the risks they are taking—from sourcing raw materials in the supply chain to outsourcing core business functions—are acceptable. In reality, they waste time, treat all suppliers equally, consume precious resources, and provide limited insight into risks.

Many organizations have learned through experience just how dependent they are on the actions and vulnerability of other parties, from the first tier to the Nth tier. Events large and small across multiple risk factors happen without much notice, and the deeper they are in your supply chain, the less warning you often have.

Organizations need pro-active, continuous visibility and engagement across multiple risk factors. They need to act quickly and in coordination with suppliers to identify, understand, and respond to events. And they need to anticipate emerging risks — eliminating or mitigating them before they impact business operations, assets, or clients. This is the definition of Operational Resilience—and what standing up a ROC enables you to achieve.

The ROC: Deep Planning and Full Visibility = Supply Chain Preparedness

Organizations in every industry—from manufacturing and logistics, to services providers and digital businesses—are looking for a way to map, monitor, and model their supply chains. As we’ve seen, most solutions currently in place are too limited in scope, not agile enough, and do not align with or help meet wider enterprise objectives.

A ROC solves these problems by creating an enterprise-wide framework that:

  • Acts as a single, centralized resource and coordination point within your organization and with your extended supply chain.
  • Provides a real-time view into your organization’s supply chain risk and a means for monitoring and taking immediate proactive action to ensure ongoing operational resilience.
  • Identifies key stakeholders and functions and helps mobilize them for risk event-planning, scenario analysis, and probability forecasting.
  • Helps you pro-actively leverage resources to quickly detect, respond to, and recover from incidents when they occur.
  • Provides a consistent measurement and reporting framework for senior management, board of directors, and other stakeholders.
  • Monitors existing and emerging risks and speeds corrective actions.
  • Embeds lessons learned from previous incidents into organizational DNA, making you more resilient to future events and incidents.
  • Serves as a catalyst for leveraging your supplier relationships, building trust across your entire supply chain, and empowering suppliers to work together to manage risk while creating mutual value.
  • Optimizes SCRM and reduces supplier duplication, minimizing the risk of a data breach and reducing administrative costs.
  • Enables intelligence functions and information sources to share and analyze data continuously at an organizational level.
  • Shares SCRM program insights with organization stakeholders to speed response times and minimize disruption and shorten recovery time.

The ROC framework can drive these outcomes because it’s based on three simple but vital principles: connecting SCRM and organizational goals, breaking down silos, and modernizing threat detection and mitigation. Plus, it provides the insight and agility needed to capitalize on never-before-seen opportunities.

Keep your eye on this space next week for parts 3 & 4 of our series on operational resilience AND stay tuned for more information on the ROC!

Panel: SolarWinds and the Supply Chain Threat We’ve Ignored for Too Long

Insights from Jennifer Bisceglie, Alpa Inamdar, Agnes Berecz, and Renee Forney

CEO and founder of Interos, Jennifer Bisceglie, moderated a lively and informative panel for this year’s OpRisk Global virtual event, “SolarWinds and the Supply Chain Threat We’ve Ignored for Too Long.”

Joined by an all-woman virtual roundtable of industry veterans — Alpa Inamdar, Head of Third Party Risk Governance for BNY Mellon; Agnes Berecz, Senior Risk Analyst for Danske Bank; and Renee Forney, Senior Director, Azure Hardware Systems Information Security, for Microsoft — Jennifer led the discussion of how massive cybersecurity breaches like SolarWinds must shape boardroom discussions surrounding supply-chain resilience moving forward.

SolarWinds, COVID-19, and the not-so-“Black Swan” events that cause disruption

“These highly public attacks will certainly not be the last… what have we learned and where do we go from here?” Bisceglie posed to participants.

An estimated two-thirds of highly publicized cyber breaches reportedly now occur through the supply chain, and the magnitude of the impact is immeasurable with no predicted endpoint.

Real-time visibility into extended supply chains — and full accountability for risk — has become vital for any organization to operate in the current landscape. Within the boardroom, it is now an expectation to understand the end-to-end supplier chain when working with critical vendors. Over the last year, many corporations became acutely aware of their siloed approach and were forced, by exogenous shocks to the supply chain (COVID-19, SolarWinds, ongoing trade wars), to determine a new strategy – one that would involve more than just point-in-time visibility of supply nodes down to, say, two tiers.

“Because of the current situation that we’re going through — a pandemic — organizations and industries are changing significantly at a very fast pace. So that single point of time will not [represent] all operations. You need more data. You need more analytics,” said BNY Mellon panelist Alpa Inamdar.

A risk associated with any one supplier is potentially a risk to the entire supply chain. Events like the SolarWinds supply chain hack illustrate how cyber risk issues can emerge and proliferate via exposure through third-party vendors. It’s become even more apparent over the past year that the interconnectedness and the interdependencies among vendors and solutions are a complex web that’s ever-changing. And, by necessity, things have started to advance beyond the traditional semi-annual, manual supply chain analysis of days gone by that served as a snapshot of risk.

Compliance and cybersecurity must go hand in hand — “Ditching the three-ring binder”

“I think we’re in a position now where we have to challenge our traditional way of thinking, right? We all come from the ‘three-ring binder’ point in time assessment model… we have to move beyond the point in time assessment to utilizing a multilayered approach to assessing our vendor population,” said panelist Renee Forney with Microsoft. “A continuous monitoring model is key for 2021.”

Long gone are the days of measuring risk assessment focused on only the first, second, and, at most, third supply chain tiers — that only provides insight into the tip of a supply chain iceberg.

Corporations have to move into a threat-based, intelligence-led risk management model. It’s important to be able to look at vendors on an ongoing basis, to be able to understand where they reside in the supply chain, and to clearly assess their level of importance to the company’s mission and the criticality of operations.

What’s next and how do we get there?

Operational resilience can’t happen overnight; it’s always going to be an ongoing process. That said, it’s crucial to integrate a continuous monitoring model with a layered approach. Understanding where to put resources, determining the mission criticality of different vendors, and having a model that allows room for flexibility with backup options will put everyone in a better position to halt disruption before it starts.

Every supply chain is inherently exposed to risk, but in working with a provider like Interos, corporations and government entities are able to analyze the level of risk associated with any supply chain decision and monitor it on an ongoing basis in order to prepare for potential disruption or stop it in its tracks altogether.

“We are actually very, very hopeful that this digital operational resilience act will be introduced with the proper support and pillars because exactly this is what we need,” said Dansk Bank panelist Agnes Berecz. “We need this digital, cyber, and third-party requirement to wrap together holistically so that we, as a financial industry, are able to be more resilient and provide products and services to our customers…Ultimately, this is a business issue and if we are going to have issues with these areas, our customers and shareholders will pay the price.”

The Black Swan Is Dead – The Case for Operational Resilience (Part 1)

What is Operational Resilience?

Operational resilience is the ability of a commercial or public sector organization to continue to provide its products or services in the face of adverse market or supply chain events (“shocks”). Given the remarkable disruptions of the past year, you already know whether your supply chain is resilient or not. An organization lacking operational resilience:

  • Scrambles to cope with events as they happen
  • Wastes resources because of siloed teams, duplicated efforts, or poor communication
  • Suffers brand damage because of product or service disruptions or slowdowns

On the other hand, organizations that are operationally resilient:

  • Continuously monitor for potential risks and proactively make adjustments to minimize and potentially prevent disruption
  • Quickly identify disruptive events to evaluate exposure, find alternatives, and respond fast
  • Anticipate, model, and plan for possible scenarios and build the organizational skills to address and respond to these challenges

Only operationally resilient organizations can minimize disruptions, recover from shocks faster, protect their reputations, and ultimately capitalize on opportunities. In this age of hyperconnectivity, being operationally resilient isn’t just about managing risk, it is just good business.

There is No More “Not Knowing”

In 2020, we witnessed a watershed year of “Black Swan” events. So much so that the phrase does not really apply anymore—we can’t pretend that these kinds of disruptions are rare, unpredictable, or even shocking. It is not a matter of “if” similar events will occur, but when. Which is why governments are putting in place legislation (e.g., Germany’s “Initiative Lieferkettengesetz”, the Supply Chain Act initiative) and regulations (such as EO 14017, NDAA FY19 Section 889, and CMMC in the U.S.) to hold organizations and executives responsible for making sure these events do not impact national security, economic prosperity, and public safety.

Given the threat of backdoors, bad actors, and bottlenecks, today’s corporate boards of directors and government leaders around the world need to ask tough questions of their organizations:

  • Is SolarWinds in your digital supply chain? If so, where and how might it come back to harm the organization?
  • When is your sensitive or confidential data shared with partners or with their partners? Do you know who your partners’ partners are and how they are protecting your data?
  • Do you use suppliers (or suppliers to your suppliers) who operate in the Xinjiang region where forced labor is a growing global concern?
  • Which of your suppliers (or suppliers to your suppliers), if they were to pause or cease operations, would significantly disrupt your operations?
  • Which of your suppliers (or suppliers to your suppliers) show up on any of the many prohibited or restricted lists (e.g., Section 889)? And are you tracking their subsidiaries, affiliates, or controlled entities?

Corporate boards and government leaders are demanding to know what their exposure is and are starting to hold the organizations—and their leaders—personally responsible. They cannot wait days, weeks, or potentially months for answers. They want to know now and they want to know what steps the company is taking to prevent the “next one.”

How does your organization respond to these demands and this level of oversight? In today’s fast paced world, responding before your competitors is not just a competitive advantage, it may be essential to your organization’s brand, reputation, and very survival—and your continued employment.

Institutionalizing Operational Resilience – People and Processes

Commercial and public sector organizations looking to achieve operational resilience face challenges inherent within their own organizations:

  • Shift behavior from response to prevention. Eisenhower was quoted as saying, “Plans are worthless, but planning is everything.” What this means is that today’s organizations require a change in mindset: they need to anticipate, prevent, evaluate alternatives, and model plausible scenarios and options. Reacting to events as they happen is not sufficient in today’s competitive market.
  • Make managing risk an organization-wide job, not the domain of one person or team. Current approaches to managing risk are siloed within business units, such as procurement, supply chain operations, and IT, or in single focus organizations, such as information security and compliance. By breaking down silos, organizations improve how they coordinate, collaborate, and prepare. Those are essential capabilities when you need to uncover risk across activities and proactively respond faster and smarter to modern threats.
  • Manage risk beyond the walls of your company. Today’s organizations rely on an extensive network of suppliers and partners that play an integral part in developing and producing their products and services. Yet most do not know who these suppliers and partners are. Only by identifying third-party relationships in the extended supply chain can an organization decide if those connections are a good or bad business choice, thereby identifying and preventing potential risk.


To meet these demands, leading organizations are looking to expand from their decades-old, learned experience in setting up and running Security Operations Centers (SOC) by embracing the Resilience Operation Center (ROC). This is a framework that, from the onset, connects people and processes to organizational goals around operational resilience.

Institutionalizing Operational Resilience – Technical Requirements

As organizations shift to forward-looking Operational Resilience, they are finding that traditional tools fall short. Supply Chain Management (SCM), Supplier Relationship Management (SRM), Governance, Risk, and Compliance (GRC), point-in-time surveys, spreadsheets, and broadly deployed manual processes only reinforce silos. They also lack the external business relationships and real-time event data needed to provide the situational awareness executives require so they can ensure operational resilience and make better informed decisions based on real-world scenarios.

To achieve Operational Resilience, organizations require tools that can:

  1. Map suppliers instantly and automatically.
    Know who is in the supply chain – potentially to the Nth tier – to decide if those relationships are helpful or pose risk.
  2. Monitor continuously for changes in risk profile before operations are disrupted.
    – Assess suppliers against multiple risk factors such as finance, cyber, geopolitical, regulations, operations, and Environment, Social, Governance (ESG).
    – Track global events that could impact the operations of suppliers (and their suppliers).
    – Get alerts about the changes that matter.
  3. Model anticipated or actual changes in the extended supply chain in order to reduce risk and improve business performance.
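To make the map, monitor, and model requirements above concrete, and to answer the two board questions from Part 1 about Nth-tier outages and restricted-party affiliates, here is an added Python example. It is not Interos code and not part of the original post. The company names, purchasing edges, ownership links, restricted list, and risk scores are all constructed for illustration; a real deployment would feed the same functions from entity-resolution and event data rather than from literals. The example goes slightly beyond the text by showing why tier-1 dual-sourcing can collapse to a single source at a deeper tier.

```python
"""Map, screen and model a multi-tier supplier graph (constructed example)."""
from collections import deque

# Constructed sample data; every company name below is hypothetical.
# (buyer, supplier) means "buyer purchases from supplier".
SUPPLY_EDGES = [
    ("Acme", "BoardCo"), ("Acme", "PCBWorks"), ("Acme", "CaseWorks"),
    ("BoardCo", "LaminateCo"), ("BoardCo", "ChipFab"),
    ("PCBWorks", "LaminateCo"),
    ("CaseWorks", "AlloyLtd"),
    ("ChipFab", "WaferSource"),
    ("AlloyLtd", "OreMiner"),
]
# (parent, controlled entity): ownership/control relationships, also constructed.
CONTROL_EDGES = [("HoldCo", "LaminateCo")]
# Stand-in for a prohibited/restricted-party list (hypothetical entry).
RESTRICTED = {"HoldCo"}
# Constructed multi-factor risk scores in [0, 1] from two successive assessments.
BEFORE = {"LaminateCo": {"finance": 0.4, "cyber": 0.3}, "ChipFab": {"geopolitical": 0.5}}
AFTER = {"LaminateCo": {"finance": 0.8, "cyber": 0.3}, "ChipFab": {"geopolitical": 0.75},
         "OreMiner": {"esg": 0.9}}


def adjacency(edges):
    """Directed adjacency map; every node appears as a key."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set())
    return adj


def map_tiers(supply, buyer):
    """Breadth-first walk from the buyer: tier 1 = direct suppliers, tier 2 = theirs, ..."""
    tiers = {buyer: 0}
    queue = deque([buyer])
    while queue:
        node = queue.popleft()
        for nxt in supply.get(node, ()):
            if nxt not in tiers:            # shortest path decides the tier
                tiers[nxt] = tiers[node] + 1
                queue.append(nxt)
    tiers.pop(buyer)
    return tiers


def downstream(supply, start):
    """All entities that transitively purchase from `start` (reverse reachability)."""
    buyers_of = {}
    for a, bs in supply.items():
        for b in bs:
            buyers_of.setdefault(b, set()).add(a)
    seen, stack = set(), [start]
    while stack:
        for up in buyers_of.get(stack.pop(), ()):
            if up not in seen:
                seen.add(up)
                stack.append(up)
    return seen


def outage_impact(supply, buyer):
    """For each supplier: the tier-1 suppliers that lose an input if it ceases operating."""
    tiers = map_tiers(supply, buyer)
    tier1 = {s for s, t in tiers.items() if t == 1}
    return {s: (downstream(supply, s) | {s}) & tier1 for s in tiers}


def hidden_concentrations(supply, buyer):
    """Deeper-tier suppliers on which more than one tier-1 supplier depends:
    apparent dual-sourcing at tier 1 that collapses to a single source further out."""
    tiers = map_tiers(supply, buyer)
    return {s: deps for s, deps in outage_impact(supply, buyer).items()
            if tiers[s] > 1 and len(deps) > 1}


def screen_restricted(supply, buyer, control, restricted):
    """Flag suppliers that are listed or are (transitively) controlled by a listed entity."""
    ctrl = adjacency(control)
    expanded, stack = set(restricted), list(restricted)
    while stack:
        for child in ctrl.get(stack.pop(), ()):
            if child not in expanded:
                expanded.add(child)
                stack.append(child)
    return {s: t for s, t in map_tiers(supply, buyer).items() if s in expanded}


def risk_alerts(before, after, threshold=0.7):
    """Continuous-monitoring view: (supplier, factor, old, new) for every score that
    crossed the threshold since the previous assessment (unknown factors count as 0)."""
    alerts = []
    for supplier, factors in after.items():
        for factor, score in factors.items():
            old = before.get(supplier, {}).get(factor, 0.0)
            if old < threshold <= score:
                alerts.append((supplier, factor, old, score))
    return sorted(alerts)


if __name__ == "__main__":
    supply = adjacency(SUPPLY_EDGES)
    print("tiers:", map_tiers(supply, "Acme"))
    print("hidden single sources:", hidden_concentrations(supply, "Acme"))
    print("restricted or affiliated:", screen_restricted(supply, "Acme", CONTROL_EDGES, RESTRICTED))
    print("alerts:", risk_alerts(BEFORE, AFTER))
```

On the constructed data, Acme appears dual-sourced for boards (BoardCo and PCBWorks), but both depend on LaminateCo at tier 2, so LaminateCo is a hidden single point of failure; LaminateCo is also flagged because its (hypothetical) parent HoldCo is on the restricted list, which a check limited to direct supplier names would miss. The alert function illustrates the difference between a point-in-time score and monitoring for the changes that matter: only scores that crossed the threshold since the last assessment are raised.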

To successfully map, monitor, and model extended supply chains, you need access to data about an ever-changing number and array of global business entities and events—a monumental undertaking for any organization. But machine learning, AI, and Natural Language Processing (NLP) make it possible to collect, analyze, and liberate massive amounts of high-velocity data so you can:

  • Identify and visualize multiple tiers of suppliers and ascertain business relationships.
  • Identify and assess potential risks.
  • Uncover hidden opportunity.

And the kicker? All of the above can be achieved and kept relevant in near real time, compared to the weeks or months that it takes organizations using manual processes, point-in-time surveys, and spreadsheets.

Operational Resilience—Your Business Depends on It

Operational resilience does not mean operating free of disruption or challenges.

  • It means having the insights you need when you need them in order to change course, mitigate loss, and find opportunity in your supply chain.
  • It’s about seeing everything—the relevant business relationships and the inherent risks within—sharing that knowledge across the organization, and acting on it to improve outcomes.
  • It’s about deep, comprehensive and ongoing planning—and responding collectively when the need arises to pre-empt unnecessary disruption.

As we have all learned, the world is complex, and connections are tenuous. The prepared will not be immune from disruption in the always fragile supply chain. But they will see it coming, have plans in place to cope with events, and emerge from them as a stronger competitor and a better business.

The upshot: Operational Resilience is just good business.