Level-Up Your Supplier Risk Assessment Process

The following is a modified excerpt from the Interos book, “The Resilience Operations Center: A New Framework for Supply Chain Risk Management,” which explores modern methods of acquiring supplier risk information and completing the supplier evaluation process. Download the ebook or request a print copy here.

Operational Resilience & Supplier Risk Evaluation

Having identified risks and assets, and with a clear understanding of the challenges and success factors involved in creating a Resilience Operations Center (ROC), the next important phase is completing a supplier inventory. As part of this, you’ll need to make sure you have full insight into supplier risk information, which requires a formal, rigorous supplier evaluation process.

Here are some important questions to answer as you build the supplier inventory.

Important Supply Chain Risk Management Questions and Answers

  • What is the scope of your supply chain risk management (SCRM) program? Organization-wide, including all affiliate companies? Limited to a specific business unit? Something else?
  • Do you have an inventory, and if so, how do you know that it is complete and includes your extended supply chain?
  • Do you know who your critical suppliers are and who their critical suppliers are?
  • Is there a database where supplier risk information is stored and managed? Or are there multiple databases where this information resides? Is the database automated or manual (like an Excel spreadsheet)?
  • What information do you collect as part of the new supplier evaluation process?
  • Do you categorize your suppliers into risk domains based on the products or services they are providing to your organization or, alternatively, on the functionality provided or information that you shared with them? What role does your information classification scheme play in this process?
  • Which lines of business in your organization have been granted exclusions from your standard procurement process (and may not have been included in the overall supplier inventory)? Does documentation exist for any exceptions that have been made?
  • How is the supply chain inventory kept up-to-date to maintain the confidentiality, integrity, and availability of your organization’s key products or services, business processes, and information?
  • How can you use the available information to achieve quick wins and build program momentum with management and your board of directors?

If you do not know the services or products that are provided by your existing suppliers, then you’ll need to review the supplier evaluation process, and determine what supplier risk information is captured up-front. 

Supplier Risk Information: Automated Discovery Versus Manual Survey

Manual survey methods for building your organization’s inventory are likely to have gaps or inaccuracies, because they rely on individuals reporting the supplier relationships they happen to know about. What if there were a more objective way to discover, evaluate, build, and continuously verify supplier risk information?

This “more objective way” exists — in the form of emerging automated tools and platforms, ones that leverage multi-tier, multi-factor, and continuous inventory discovery processes. These tools can use a variety of artificial intelligence technologies and include machine learning and natural language processing. This makes it possible to fill in important gaps, remove overlaps, and resolve conflicts in supplier and subcontractor inventory tiers, while continuously validating and adding to your existing supplier inventory.

As part of supplier evaluation, these tools provide actionable insights into, and alerts on, the risks introduced to your supply chain, and they continuously monitor changes in supplier relationships and their associated risk factors. Machine learning can be used to surface relationships that are not obvious from any single source, such as investor/ownership, board membership, and subcontractor links, by correlating public, commercial, and private data. It can also be used to build out more robust supplier risk information; for example, identifying the ripple effects of a geographic event across supplier tiers. Natural language processing can flag negative news about suppliers in public feeds as it appears, allowing a proactive response before the news affects your organization; such alerts still need analyst triage, since name collisions and unconfirmed reports generate false positives.

Automated tools now exist with the ability to create and maintain a single source of truth for supplier risk information, covering financial, operations, geographic, cyber, regulatory, geopolitical, and environmental/social/governance (ESG) risks. Such tools allow centralization of your organization’s aggregated supplier risk posture and can drive key operational risk mitigation and trends in your organization’s risk reporting.

What Supplier Risk Evaluation Data Do I Need to Get Started?

To take advantage of these tools effectively and efficiently, your organization needs a minimum set of information about each supplier before it starts. Otherwise, the high volume of data the tools return can overwhelm you. This baseline information includes:

  • Supplier name
  • Location of product or service being provided
  • Relevant URLs and internet hosting details
  • Critical software development organizations involved
  • Names of commercial products being used or deployed
  • Additional specific data, depending on defined individual use cases

Spending time upfront to carefully define use cases (for example, starting with new supplier onboarding) can help you discover supplier risk information that you were unaware of and that may need to be addressed prior to contract signing. Recognizing the constant, rapidly evolving nature of SCRM, increasing your use of these automated tools, and having a clear understanding of and plan for integrating them into your organization’s existing operating processes are important success criteria for an SCRM program. Their contribution to maintaining operational resilience is a game-changer in the rapidly evolving SCRM landscape, and essential for staying up-to-date on supplier risk information.
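The reconciliation and multi-tier analysis described above (finding gaps and overlaps between a manually reported inventory and automated discovery, assigning tiers, and then locating the sub-tier suppliers that your critical tier-1 suppliers share) can be sketched in a few dozen lines. The following Python is an added example, not code from the Interos book or platform. The supplier names, the `OurCo` root organization, and the (customer, supplier) relationship edges are all constructed for illustration, and the name normalization (case-folding and dropping a short list of corporate suffixes) is a deliberately simple stand-in for the entity resolution a real discovery tool would perform.

```python
"""Reconcile a manually reported supplier inventory with automatically
discovered relationships, assign tiers, and flag sub-tier suppliers that
several critical tier-1 suppliers depend on. All data here is constructed."""
import re
from collections import defaultdict, deque

# Corporate suffixes dropped during normalization so that "Acme Corp." and
# "ACME Corporation" resolve to the same supplier. Deliberately minimal.
SUFFIXES = {"inc", "corp", "corporation", "ltd", "llc", "co", "gmbh", "plc", "ag"}

# Constructed manual inventory, e.g. rows from a procurement spreadsheet.
MANUAL = [
    {"name": "Acme Corp.", "service": "payment gateway", "critical": True},
    {"name": "ACME Corporation", "service": "fraud scoring", "critical": True},
    {"name": "Initech LLC", "service": "claims processing", "critical": True},
    {"name": "Umbrella Analytics", "service": "marketing dashboards", "critical": False},
    {"name": "Stark Consulting", "service": "penetration testing", "critical": False},
]

# Constructed (customer, supplier) edges from automated discovery, e.g. from
# contracts, hosting records and filings. "OurCo" is the hypothetical root.
DISCOVERED = [
    ("OurCo", "Acme Corporation"),
    ("OurCo", "Initech"),
    ("OurCo", "Umbrella Analytics Inc"),
    ("OurCo", "Hooli Cloud"),                    # nobody reported this one
    ("Acme Corporation", "Globex Hosting Ltd"),
    ("Initech", "Globex Hosting Ltd"),
    ("Initech", "Vandelay Logistics"),
    ("Umbrella Analytics Inc", "Globex Hosting Ltd"),
    ("Globex Hosting Ltd", "Tyrell Power Co"),
]


def normalize(name):
    """Case-fold, strip punctuation and drop corporate suffixes."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in SUFFIXES)


def _new_entry():
    return {"names": set(), "services": [], "critical": False, "sources": set()}


def reconcile(manual, discovered, root="OurCo"):
    """Merge manual records with discovered tier-1 edges.
    Returns (inventory, gaps, merged): gaps are tier-1 suppliers seen only by
    discovery; merged are suppliers that had more than one manual record."""
    inventory, gaps, merged = {}, [], []
    for rec in manual:
        key = normalize(rec["name"])
        entry = inventory.setdefault(key, _new_entry())
        if entry["names"] and key not in merged:
            merged.append(key)                   # overlap: duplicate manual record
        entry["names"].add(rec["name"])
        entry["services"].append(rec["service"])
        entry["critical"] = entry["critical"] or rec["critical"]
        entry["sources"].add("manual")
    for customer, supplier in discovered:
        if normalize(customer) != normalize(root):
            continue                             # only tier-1 edges feed the inventory
        key = normalize(supplier)
        entry = inventory.setdefault(key, _new_entry())
        if "manual" not in entry["sources"] and key not in gaps:
            gaps.append(key)                     # gap: relationship nobody reported
        entry["names"].add(supplier)
        entry["sources"].add("discovery")
    return inventory, sorted(gaps), merged


def unverified(inventory):
    """Manual records that discovery could not confirm; candidates for follow-up."""
    return sorted(k for k, e in inventory.items() if e["sources"] == {"manual"})


def critical_tier1(inventory):
    return sorted(k for k, e in inventory.items() if e["critical"])


def build_graph(discovered):
    graph = defaultdict(set)
    for customer, supplier in discovered:
        graph[normalize(customer)].add(normalize(supplier))
    return graph


def tier_of(graph, root="OurCo"):
    """Breadth-first tier assignment: tier 1 = direct suppliers, tier 2 = theirs, ..."""
    start, tiers = normalize(root), {}
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth:
            tiers[node] = depth
        for nxt in sorted(graph.get(node, ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return tiers


def shared_dependencies(graph, tier1_keys):
    """Sub-tier suppliers reachable from more than one of the given tier-1
    suppliers: a single failure there hits several critical services at once."""
    dependents = defaultdict(set)
    for t1 in tier1_keys:
        seen, stack = set(), [t1]
        while stack:
            for nxt in graph.get(stack.pop(), ()):
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        for sub in seen:
            dependents[sub].add(t1)
    return {sub: sorted(d) for sub, d in dependents.items() if len(d) > 1}


if __name__ == "__main__":
    inv, gaps, merged = reconcile(MANUAL, DISCOVERED)
    graph = build_graph(DISCOVERED)
    print("gaps:", gaps, "merged:", merged, "unverified:", unverified(inv))
    print("tiers:", tier_of(graph))
    print("shared:", shared_dependencies(graph, critical_tier1(inv)))
```

Run as a script it reports one gap (a hosting provider discovered but never reported), one overlap (two spreadsheet rows for the same supplier under different spellings), one unreconfirmed manual record, and two sub-tier suppliers on which both critical tier-1 suppliers depend. That last result is the point of going multi-tier: neither tier-1 supplier looks concentrated on its own, but a tier-2 host and a tier-3 power provider sit under both of them, which is where a concentration-risk review should start.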

Lay the Groundwork for a Resilience Operations Center

The Resilience Operations Center book goes into more detail on supplier evaluation and other topics, including aligning a business operating model with strategic risk management objectives, identifying your risk management program’s maturity level, and defining key ROC governance processes. Get a copy of the book here and put your organization on the road to operational resilience. Then, to learn more about Interos, visit interos.ai

The Resilience Operations Center: Challenges and Success Factors

The following is an excerpt from “The Resilience Operations Center: A New Framework for Supply Chain Risk Management.” Download the ebook or request a print copy here.

With the goal of reaching and maintaining operational resilience, organizations are looking for a modern approach to supply chain risk management (SCRM) and third-party risk management (TPRM). One way organizations are working to improve their preparedness, and to overcome the deficiencies of traditional SCRM and TPRM approaches, is by adopting Resilience Operations Centers (ROC).

The ROC framework can drive better outcomes because it is based on three simple but vital principles: 1) aligning risk management and organizational goals, 2) breaking down silos, and 3) modernizing threat detection and mitigation with technologies like automation, artificial intelligence, and natural language processing. Plus, it provides the insight and agility needed to capitalize on never-before-seen opportunities.

Challenges to Operational Resilience

Of course, aligning around a new risk management approach is not always a smooth journey. There are several areas where operational resilience breakdowns can occur. The following issues and pitfalls can occur across the extended supply chain and within your own organization:

  • Weak, ineffective operational risk management governance processes at the board, senior management, business unit line management, and independent enterprise risk management levels.
  • Incomplete business continuity management for critical operations functions, including monitoring, scenario analysis, periodic testing and tabletop exercises, staff training, and availability.
  • Lack of scenario planning and analysis to anticipate potential disruptions in supply chains. Scenario planning should be combined with forecasting to assign probabilities of occurrence of scenarios to further refine plans.
  • Insecure information systems, including inadequate protections for sensitive information in transit and in storage at all locations.
  • Ineffective operations monitoring, log review, and follow-up actions and reporting.

Any one of these gaps could result in the loss of significant financial resources and pose additional operational risk to your organization.

ROC Success Factors

Making a ROC successful involves many factors. But following these five fundamental principles will help any organization lay the groundwork for reaping the framework’s benefits.

  1. Be aware of your industry’s key operational risks. Different industries are exposed to different types of risks, along with varying levels of regulation. For example, financial services organizations focus on service interruptions to their supply chains caused by misconfigurations, misuse, and phishing/hacking. IT hygiene, focusing on active monitoring of your threat environment and proactive patching of security vulnerabilities, is a critical activity, as is having a mature software development life cycle. Manufacturing supply chain risk managers focus on disruption of logistics, transportation, and raw material procurement. Monitoring for and taking actions to address political instability, natural disasters, and the potential for black swan events such as pandemics can ensure greater operational resilience. Understanding your critical risks will allow you to focus on key mitigation steps to ensure operational resilience.
  2. Don’t think you can outsource business risk and accountability. Business units often assume that once a function has been outsourced to a supplier, they are no longer accountable for that functionality or for the performance of their suppliers and extended supply chains. That is not the case. Establishing appropriate oversight of these relationships is management’s responsibility, and quarterly supplier performance reviews against pre-determined success criteria are a straightforward way to exercise it. Outsourcing oversight also includes the ability to preserve and, as necessary, recover services in the event of a supplier failure. Every outsourced critical business service needs a contingency plan for either bringing the function back in house or migrating it to a new supplier in a timely manner.
  3. Maintain operating execution knowledge. Alongside accountability, the knowledge to effectively operate a business, if not carefully preserved by your organization, can disappear. You should always have a fallback plan for your suppliers to ensure your operational resilience should catastrophe strike. Preserving this knowledge within the business, with the capacity to insource or migrate the functionality should the need arise, is often neglected and can create a situation in which the ability to continue operating may be lost over time.
  4. Don’t equate compliance with risk management. Your SCRM program can become overly focused on compliance and “check the box” exercises to demonstrate that suppliers have been reviewed to identify operational risks. Focus on ensuring that proper steps have been taken to mitigate risks to a level that meets your risk appetite. Compliance isn’t resilience. Use KPIs to report trending changes in the delivery of critical outsourced products and services before product or service delivery resilience is negatively impacted. This leads to the next point.
  5. Focus on total cost of ownership (TCO) of your SCRM program. Your SCRM program can easily become a “Field of Dreams” endeavor in which you spend years building out an asset inventory, identifying supplier relationship managers, and performing increasingly large risk assessments without achieving risk mitigation. Risk assessments alone do not reduce operational risk. When combined with unfettered growth in the number of suppliers used by your organization, this can lead to inefficiencies in your overall risk management program and operational performance degradation. From the beginning of your program, identify quick wins that mitigate actual risks and report to all levels of management on progress being made towards greater operational resilience.

Need Operational Resilience? Get the ROC Book

The Resilience Operations Center book goes into more detail on these and other topics, including aligning a business operating model with strategic risk management objectives, identifying your risk management program’s maturity level, and defining key ROC governance processes. Get a copy of the book here and put your supply chain and your organization on the road to operational resilience.

Biden’s latest supply chain order expands ban on US investment in China

The steady pace of commercial and investment restrictions continued yesterday with the Biden Administration’s latest Executive Order, “Addressing the Threat from Securities Investments that Finance Certain Companies of the People’s Republic of China”. This latest Executive Order follows the same pattern of accelerated industrial policy we’ve been detailing as the uptick continued throughout 2020 and into 2021. However, there are some notable differences in this Executive Order that only add to the growing complexity of the regulatory landscape as geopolitical and national security concerns intersect with economic and industrial policy, with widespread ramifications across supply chains.

An All of Government Approach

There has been a growing all-of-government focus on supply chain and cybersecurity resilience, with an unprecedented focus on excluding or banning commercial or investment relationships with specific companies (and often their subsidiaries and affiliates) deemed either a national security threat or facilitators of human rights violations, or at times both. From the Department of Commerce’s Bureau of Industry and Security Entity Lists to Section 889 of the 2019 National Defense Authorization Act to the Department of Treasury’s Office of Foreign Assets Control, there have been over 350 Chinese entities with whom U.S. companies and/or federal government partners are prohibited from engaging in commercial or investment relationships.

Subtle Changes from Previous Orders

This Executive Order similarly includes investment restrictions, but there are some nuances that deviate from previous additions. It builds upon November’s Executive Order 13959, which prohibited U.S. persons from transacting in the publicly traded securities of entities identified by the U.S. government as “Communist Chinese military companies”. That November Executive Order, in turn, was informed by several lists produced by the Pentagon last year and in January under Section 1237 of the 1999 National Defense Authorization Act, which requires the Pentagon to produce and update a list of Chinese companies it identifies as linked to the Chinese military. However, some of the entities on the Section 1237 lists have since sued the U.S. government over their inclusion, and Xiaomi has since been removed from the list following its lawsuit.

In the latest Executive Order, the companies listed under last year’s Executive Order, also referred to as the Non-SDN Communist Chinese Military Companies List (Non-SDN CCMC), have been superseded by the Non-SDN Chinese Military-Industrial Complex Companies (Non-SDN CMIC) list introduced by yesterday’s Executive Order. As a result, several companies previously on the Non-SDN CCMC list no longer appear on the Non-SDN CMIC list. However, there are 59 companies in total on the Non-SDN CMIC list, and its scope was expanded beyond companies with connections to the Chinese military to also include the surveillance technology sector, with Huawei and Hikvision among those named. Moreover, the Non-SDN CMIC list will be fully under the purview of Treasury, rather than Defense, and the restrictions take effect on August 2, 2021.

What Comes Next?

With a focus on countering surveillance and repression, yesterday’s Executive Order demonstrates a continued focus on building trustworthy and secure supply chains, especially in the areas of emerging technologies. In fact, with a G7 Summit only a week away, the U.S. may take the opportunity to coordinate industrial policies and restrictions on capital flows with allies and like-minded partners. As geopolitical tensions continue and vulnerabilities and dependencies across supply chains emerge, these kinds of restrictions are likely to persist as the new normal in a post-pandemic global order. Unfortunately, there is yet to be an openly available, one-stop-shop integrating these lists. Interos continues tracking and updating our restrictions data and analysis, providing holistic and evolving insights into this ever-changing global regulatory landscape.

The Resilience Operations Center: Understanding Risk and Identifying Assets

The following is a modified excerpt from “The Resilience Operations Center: A New Framework for Supply Chain Risk Management.” Download the ebook or request a print copy here.

The success of an organization’s business resilience process depends on agile and informed teams, intelligent use of data, and fast adaptation to changing circumstances. The Resilience Operations Center (ROC) framework — which involves modernizing your supply chain risk management (SCRM) and third-party risk management (TPRM) approaches — helps deliver on those requirements. Whether you build a virtual or organizational ROC, it will be the foundation you rely on when facing adversity and will empower your organization to deliver for all stakeholders, no matter what challenges arise.

Laying the Groundwork for Your Operational Resilience Framework

Risks are everywhere in today’s landscape. The ability to identify ongoing and emerging threats and vulnerabilities and proactively adapt and respond to them through your business resilience process can help your business thrive. Nowhere is this more important than in your third-party risk methodology — specifically, your approach to managing operational risks arising from supplier outsourcing decisions.

Organizations need to focus on the operational resilience that is derived from building a joint business-supply chain ecosystem. The concept of a supply chain ecosystem is at the center of effective management of supplier risk in our complex, constantly evolving world. Resilience is the ability to mitigate the consequences of unplanned events, manage adversity, and navigate man-made as well as natural disasters. Resilience demands forecasting and planning for different scenarios while continuously evaluating key organizational risk factors. Connectedness, a willingness to understand your suppliers’ interests, build trust, and act together with them for the strategic good of all, contributes to resilience and should be a key component of your third-party risk methodology.

Aligning SCRM/TPRM with Your Business Resilience Framework

Aligning your SCRM or TPRM program with strategic business objectives can help you bolster your business resilience process planning. As a risk management practitioner, you must understand which assets are critical to your business. To begin identifying them, ask the following questions:

  • What are your industry’s critical assets?
  • How are they used?
  • How are they derived, manufactured, and transported?
  • Where are information assets stored, sent, and shared?
  • Who has access to your assets at each step throughout the supply chain process?

Critical assets vary across industries, and could include the following:

  • Financial services: Banking customer Personally Identifiable Information (PII), including name, address, and account number
  • Healthcare: Patient Protected Health Information (PHI), including name, date of birth, and Social Security number
  • Retail: Customer payment card data, including card number, expiration date, and Card Verification Value (which PCI DSS forbids storing after authorization, so its presence anywhere in a supplier’s systems is itself a finding)
  • Pharmaceuticals: Proprietary drug formulations
  • Manufacturing: Process patents and other proprietary information

This knowledge, combined with risk appetite (the amount of risk a business is willing to assume to achieve its strategic goals), allows you to implement effective, efficient, and resilient business operational strategies and third-party risk methodology. This provides the ability to prevent disruptions in service or product delivery. It also enables organizations to minimize the impact of and recover quickly from unforeseen events, including unlikely black swan events.

Identifying Key Business Operational Risks and Improving Your Third-Party Risk Methodology

Which operational risks are greatest for your organization? Not all risks are created equal, and every industry has a different business resilience process. Once you have identified the risks, you need to understand how the organization is monitoring and responding to them. These risks could include the following: 

  • Financial: Trending, growth, solvency, soundness
  • Operations: Bankruptcy resiliency, counterfeiting, business cost trends
  • Governance: Compliance practices, including U.S. and international regulations, country-specific risks, management turnover
  • Geographic: Pandemic impact, corruption, and political violence concerns, infrastructure stats
  • Cyber: Data breaches, emerging cyber risks

To achieve resilient operations, you need to expand your third-party risk methodology to include the operating environments within your extended supply chains, including all tiers and their risk factors. This process should be ongoing so you can spot and address current and emerging risks before they affect the business.

Beyond the obvious cybersecurity and disaster recovery/business continuity risks affecting the supply chain, you should consider geographic and concentration risks, financial disruptions, operations process risks, geopolitical instability, regulatory changes, and gaps in SCRM programs. Environmental, social, and governance (ESG) risks also need to be addressed. This requires working with suppliers to proactively communicate and exchange information to create a strategic advantage and safe operating environments for all participants. The end goal is creating a business resilience process that can leverage modern technology to identify emerging threats and respond quickly to protect the business and its customers.

More Disruptions are Coming—Get the ROC Book

The Resilience Operations Center book goes into more detail on these and other topics, including identifying stakeholders, telling your SCRM story, and creating business value through supply chain relationships.

Get a digital or physical copy of the book here and put your supply chain and your organization on the road to operational resilience. To learn more about Interos, visit Interos.ai