What’s on the Radar for Supply Risk Management in 2022?

Mitigating supply risk and meeting high organizational expectations needs a world class early warning system. Here’s how to create one.

Supply chain issues have become a dinner table discussion topic for people around the world as shipping delays and basic product availability issues abound. Everyday shopping has been impacted and we’ve seen increasing holiday season angst as supply networks and retailers have struggled to keep up with demand.

With millions of dollars in lost revenue, unexpected mitigation costs, and reputational damage on the line, it’s no surprise that for many organizations supply risk has become a frequent board-level discussion topic. At the same time, thanks to the efforts of individuals and teams to counter the past 18 months’ supply chain disruption, expectations of what procurement can achieve have been elevated to a high level.

While predicting future supply chain disruptions isn’t necessarily impossible, it’s not realistic to think we’ll be able to predict 100% of future disruptions 100% of the time. And yet, with digital transformation and the use of big data, we can start to identify vulnerabilities more accurately and more easily in our extended supply networks and plan for disruptions to lessen the impact to our businesses.

Developing a World Class Early Warning System

Procurement and sourcing leaders are aware that current supply network risk data is rife with blind spots. Existing processes for evaluating new suppliers and assessing risk are too inconsistent, and often too shallow to uncover the hidden risks. Ongoing supplier reviews are too infrequent and often rely on outdated information. Too little visibility into sub-tier suppliers of critical components and materials leaves too much exposure to the complex interdependencies of our extended supply networks.

So how are procurement leaders planning to uncover hidden risks in their supply networks and become more proactive in identifying and managing disruptions? Based on conversations with supply chain and procurement teams, here are a few of the actions that we’ll see more of in 2022:

1. Taking a broader view of supply chain risk management

So many factors can contribute to supply risk. Financial strength is a universally accepted risk indicator – if a supplier is struggling financially, its long-term capability to support your business is at risk. Cash flow challenges may lead to sub-par quality and service levels, an inability to reinvest in the business, or a lack of future innovation that benefits both buyer and supplier. It comes as no surprise that this is the one risk indicator that most organizations review for new suppliers.

A growing emphasis on operational and location-based risks is expanding the set of factors that procurement and sourcing teams evaluate, especially as COVID-related shutdowns have exposed companies’ over-reliance on certain regions. Geographic concentration; geopolitical trends and events; and changing regulations, restrictions, and sanctions lists are all expanding the set of risk indicators relevant to supplier assessments.

The escalation of cyber-related risks such as data breaches and ransomware attacks poses a serious challenge to digital supply chains. And ESG performance is not only a reputational risk but is increasingly being codified into regulations that carry significant financial penalties for organizations.

All of this is causing procurement teams to take on a broader view of supplier risk. And they are looking at a new set of solutions to automate the collection, compilation, and scoring of this information in a single, encompassing view of multi-factor supplier risk.

2. Consistency in new supplier evaluation

Incomplete survey responses, narrowly focused questions, a lack of validated data, and a lack of time all compound the challenge of thoroughly reviewing each and every supplier, especially as organizations grow their businesses and shift their supply chains. Procurement teams are hustling to keep up with the pace of business requests for new sources of supply, and all too often different teams take wildly different approaches to evaluating supplier risk.

Expanding the aforementioned breadth of risk indicators can help drive a more consistent approach to how suppliers are evaluated for vulnerabilities and risk to the organization. But extending that approach across the entire organization can only be achieved if the risk scores and underlying data are readily available and embedded into the supplier assessment process.

When machine learning and natural language processing are applied to big data gleaned from hundreds of available sources, pre-assessed risk scores can augment supplier self-reported information without the long lead times involved in surveys and questionnaires. Instant access to multi-factor risk scores on each supplier being vetted enables a more consistent and thorough review of all suppliers without increasing the workload on individual evaluators.

3. Diving deeper into supplier sub-tier relationships

A recent report from the Business Continuity Institute indicated that 40% of COVID-19 related supply chain disruptions were traced to sub-tier suppliers. In my own conversations with procurement leaders, the extended supply network is gaining increased importance in terms of gaining visibility into supply risk.

Identifying and tracing sub-tier suppliers has long been a challenge for procurement and supply chain teams. But the recognition that a disruption or failure anywhere upstream in your supply chain could cause devastating ripple effects has become all too clear during the pandemic, as buyers increasingly felt the impacts of material shortages, work slowdowns, and logistics challenges far removed from their own businesses.

New supply network mapping initiatives are gaining steam, as are new technologies that identify and map global buyer-supplier-partner relationships that go beyond the link-by-link Bill of Materials (BOM) tracing that has been the traditional goal. Today’s complex interdependencies between supply partners require a much broader and deeper view of trading partners, to understand where vulnerabilities exist that could impact the supply chain.

4. Continuous monitoring and ongoing evaluation

Checking the box on initial supplier due diligence and periodic reviews is so 2018. “We didn’t see that coming” is a response that will generate hard stares and uncomfortable questions in the face of supply chain disruptions.

Supplier performance management has been a relatively real-time pursuit, particularly since the data on order accuracy, on-time delivery, quality and responsiveness is fairly easy to access using internal operational data.

We’re seeing a shift towards a more continuous monitoring of supplier risk factors to gain a real-time view into potential problems and vulnerabilities. Rather than focusing on annual reviews of critical suppliers, or of those who have struggled in the past, procurement teams are recognizing that it’s the supplier who is seemingly doing fine that can cause havoc with little warning.

Combine a broader view of risk indicators with a deeper view of risk throughout the extended supply network. Add continuous monitoring of those multi-factor, multi-tier risk indicators, and you get an early warning system for potential or in-progress disruptions that gives you the ability to proactively mitigate those risks.

COVID-19 case increases triggering a port lockdown in a region full of critical suppliers – that’s an alert procurement teams want to get before materials and goods stop flowing. Geo-political unrest or a catastrophic weather event endangering a region heavily populated by raw material suppliers – the earlier that can be seen, the faster procurement can respond and find alternatives.

The Path Forward in Supply Risk Management

These are exciting and challenging times to be in procurement and supply chain. Now more than ever, supply risk management, contingency planning, and supply continuity initiatives are highly visible, critically important, and generating executive-level commitment and funding from organizations.

This is leading to real, impactful changes to the ways that procurement organizations are engaging their supply network to understand, root out, and mitigate risks to their businesses. New technology solutions that provide better initial screening and ongoing monitoring of multiple risk factors across multiple tiers of the supplier network are delivering organizations with the real-time visibility they need to identify vulnerabilities and enact an early warning system to possible disruptions in their supply chains and improve supply chain management.

Predicting the future is impossible, but preparing for it is not. From early indicators of oncoming chaos to warning signs and priorities, you need to know how to spot risks in order to mitigate them.

Author: Greg Holt

Supply Beacon Vol. 4 – Cyber Mercenaries, Chip Complications, and a whole lot of China

The Top 5 Supply Chain News Stories You Need to Know
The Supply Beacon is your monthly resilience digest, the 5-minute supply chain and security news drop you can’t afford to miss, delivered with insights from the experts at Interos. Know what you need to – fast.

Facebook says 50,000 users were targeted by cyber mercenary firms in 2021

Private surveillance and hacking groups have used Facebook and Instagram to target at least 50,000 people in over 100 countries, according to a published investigation by Meta, Facebook’s parent company.

The existence of private companies that use sophisticated digital tools to expose secrets from people’s work and private lives—sometimes in legal-but-ethically-dubious ways—is no secret. What this new study shows is that the surveillance-for-hire industry, previously thought to focus on spying on a handful of companies and services, actually involves a much more expansive web of connections. Meta’s investigation outlines private-sector mass surveillance on a scale never before shown.

The perpetrators, so-called “cyber mercenaries” who operate at the behest of governments and private entities, were shown to target journalists, human rights advocates, activists, dissidents, clergy, politicians, and their families – sometimes resulting in torture or worse.

The ultimate goal of Meta’s study is to prompt a broader discussion about the surveillance-for-hire industry. Meta recommends strengthening transparency and “know your customer” laws, deepening industry collaboration to counteract surveillance firms, and increasing accountability through new legislation and export control laws.

Interos Insight: The Meta investigation revealed seven surveillance businesses worldwide that engage in illicit surveillance. These firms’ customers were numerous and diverse, both commercial and governmental. Companies mentioned here are at risk of being banned or put on ESG or cyber-related restricted lists. A recent example is Israel’s NSO Group, creator of Pegasus spyware, which the US Commerce Department put on its Entity List, a move that sent the company spiraling towards bankruptcy.

Spyware and the privatization of cyber weapons are serious threats to national and personal security. Clients must be aware of related companies in any part of their supply chain that might compromise their business, negatively affect their clients, or wind up on a restricted list like NSO. Interos provides this transparency to companies and their clients via an AI-powered platform that alerts users to threats like these as soon as they are discovered.

We have taken this research a step further: An active internal Interos study has captured data on dozens of countries purchasing surveillance technology from private entities. Some countries are repeat offenders, purchasing this type of software many times over. Interos integrates government surveillance policies and accountability into its cyber risk model and continues to track those governments and companies exploiting the hacking-for-hire market and putting corporate data at risk. To account for the rapid pace of change in the cyber-warfare space, our cyber model is not static and evolves with the changing risk landscape to provide even more comprehensive data to help our customers assess the true risk in their supply chain.  

Nation-state cyber capabilities are increasingly abiding by the “pay-to-play” model: any government — even those with limited resources — can purchase these surveillance and hacking tools from private firms. The software companies conceal who their clients are, making it harder for defenders to find the actual source.  

An Interos map (below) reveals the global proliferation of surveillance software sold to governments and private entities: 

Why your organization needs a software bill of materials 

Summary: The recent Log4j vulnerability exposed systemic problems in how businesses build and monitor their use of open-source software. The vulnerability was almost immediately weaponized and exploited by criminal gangs, who used it to plant cryptojacking and other malware. Organizations rushed to find all instances of the exposure in linked libraries, but most had no clear overview of where such instances existed in their systems. Google’s research showed that more than 8% of all packages on Maven Central have a vulnerable version of Log4j in their dependencies.

CISA has created a dedicated Log4j webpage to provide an authoritative, up-to-date resource with mitigation guidance and resources for network defenders, as well as a community-sourced GitHub repository of affected devices and services. Organizational leaders should also review NCSC’s blog post, “Log4j vulnerability: what should boards be asking?”, for information on Log4Shell’s possible impact on their organization as well as response recommendations.

Interos Insight: The first line of defense is a good software and dependency inventory  

In last month’s Supply Beacon, we referenced CISA’s SBOM (Software Bill of Materials) educational webpage and its work relating to Executive Order 14028. This EO requires the government’s critical software vendors to supply SBOMs for their products and to employ automated tools to maintain trusted source code supply chains.

Over the past month, Log4j has emerged as one of the most severe cyber threats to date. The silver lining of this unfortunate vulnerability is that it is likely to hasten SBOM adoption. It is a concrete example illustrating the need to be fully informed of your cyber exposure across your entire enterprise. Never before has it been more important to map and monitor your whole supply chain. Interos can help partners establish automated mapping, arming them with the visibility to invest in the right, trusted technology while cataloging the use of open source and third-party software to deliver a complete and accurate SBOM with visibility into the supply chain to the nth degree.
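To make the dependency-inventory point concrete, here is an added example (not Interos code) that walks a CycloneDX-style SBOM and lists every component that transitively pulls in a watched package at an affected version, along with the dependency path that pulls it in. The SBOM is constructed, and the affected version range is an illustrative placeholder to be replaced with the range from the relevant advisory.

```python
"""Flag transitive dependencies on a watched package in a CycloneDX-style SBOM.

Added example, not Interos code. The SBOM is constructed, and the affected
version range is a placeholder: take the real range from the advisory."""
import json
import re
from collections import deque

# Constructed SBOM in the CycloneDX JSON shape: a component list plus a
# dependency graph keyed by bom-ref. "ghost" appears in the graph but not in
# the component list, to show how inventory gaps surface during the walk.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "billing-service",
                               "version": "3.2.0"}},
    "components": [
        {"bom-ref": "reporting", "group": "com.example", "name": "reporting",
         "version": "1.4.0"},
        {"bom-ref": "http-client", "group": "com.example", "name": "http-client",
         "version": "5.1"},
        {"bom-ref": "log4j-core-old", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"bom-ref": "log4j-core-new", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["reporting", "http-client", "ghost"]},
        {"ref": "reporting", "dependsOn": ["log4j-core-old"]},
        {"ref": "http-client", "dependsOn": ["log4j-core-new"]},
    ],
})

# Watchlist: coordinate -> half-open affected range [low, high).
# PLACEHOLDER range for illustration only; use the advisory's range.
WATCHLIST = {"org.apache.logging.log4j:log4j-core": ("2.0", "2.15.0")}


def parse_version(version):
    """'2.14.1' -> (2, 14, 1). A pre-release tag such as '-beta9' is dropped,
    so it compares as its base release; non-numeric parts are ignored."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))


def in_range(version, low, high):
    return parse_version(low) <= parse_version(version) < parse_version(high)


def coordinate(component):
    group = component.get("group")
    return f"{group}:{component['name']}" if group else component["name"]


def find_affected(sbom_json, watchlist):
    """Breadth-first walk from the application component.

    Returns (hits, gaps): hits are (coordinate, version, path) for each
    reachable component at an affected version, where path is the bom-ref
    chain from the application down to it (first path found); gaps are
    bom-refs the graph references but the component list does not describe."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}
    components[root["bom-ref"]] = root
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}

    hits, gaps, seen = [], [], set()
    queue = deque([(root["bom-ref"], [root["bom-ref"]])])
    while queue:
        ref, path = queue.popleft()
        if ref in seen:  # a component reachable twice is reported once
            continue
        seen.add(ref)
        component = components.get(ref)
        if component is None:  # dangling reference: the inventory is incomplete
            gaps.append(ref)
            continue
        coord = coordinate(component)
        if coord in watchlist and in_range(component["version"], *watchlist[coord]):
            hits.append((coord, component["version"], path))
        for child in edges.get(ref, []):
            queue.append((child, path + [child]))
    return hits, gaps
```

Running `find_affected(SAMPLE_SBOM, WATCHLIST)` reports the affected log4j-core reached through `reporting` and flags `ghost` as an unresolved reference, which is exactly the kind of blind spot an inventory review should surface.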


Chip Makers Contend for Talent as Industry Faces Labor Shortage 

Summary: In yet another challenge for the semiconductor industry, the world’s largest chipmakers are fighting for workers to staff the billion-dollar-plus facilities they are building to address the ongoing chip shortage.  

A dwindling supply of qualified workers has worried semiconductor executives for years. That fear has manifested to a far greater degree than anticipated due to the global labor shortage, a pandemic-fueled demand for all things digital, and a race among governments to bolster their local chip-manufacturing capabilities.  

Interos Insight: The US alone expects a shortage of up to 300,000 semiconductor workers by 2025. In recent Interos research, we cited the shortage of skilled labor as a significant issue in the semiconductor supply chain, one that could undermine the desired outcome of legislative efforts and related investments in production facilities.

The two primary areas expected to face shortages are technicians to run the plants and researchers to design the newest chips. Semiconductor firms are implementing new recruiting plans, and US chip manufacturers are lobbying for more foreign work visas to fill the gap. With semiconductor chips a geopolitical flashpoint of the 21st century, making silicon work appealing is a matter of national security. Leading Taiwanese universities are launching semiconductor-specific courses together with TSMC, and 12 Chinese universities have already created chip-focused colleges to fill the void. Even with growing demand, semiconductor employment in the United States has remained a problem for the past decade and will likely require substantive policy changes to address.

U.S. chipmaker Magnachip, China’s Wise Road end $1.4 bln merger deal 

Summary: Chinese private equity firm Wise Road Capital Ltd. and US chipmaker Magnachip Semiconductor Corp. abandoned the $1.4 billion merger agreement they struck in 2021. The Committee on Foreign Investment in the United States (CFIUS) had suspended the transaction during the summer, pending its review of the deal for national security risks. According to the parties’ announcement, they could not obtain CFIUS’s approval despite months of costly attempts. With an uncertain future, Magnachip could not make concrete strategic plans, which affected its equity valuation. It has hired JPMorgan as an advisor as it attempts to find another buyer a year later.

Interos Insight: Over the past few years, cross-border transactions involving any technology or sector deemed critical to, and a risk to, US national security have seen a significant surge in CFIUS investigations. US protection of semiconductor assets is unremarkable; what was notable and unexpected is CFIUS’s involvement in a transaction between two non-US companies. CFIUS’s jurisdiction is triggered by a takeover of (or certain types of investments in) a “US business.” Other than Magnachip’s Delaware parent company, which essentially serves as a holding company, the business has no US entities and no US employees. Its research, development, and functional operations are all located and conducted outside the country. While some may think that CFIUS’s jurisdiction over any particular deal is limited, the Committee is obligated to act whenever anything seen as critical to the US defense, intelligence, and national security community is involved. In this case, it was the supply chain for semiconductors. Since the enactment of the Foreign Investment Risk Review Modernization Act (FIRRMA), Treasury and other departments have dedicated considerable resources to expanding and developing CFIUS’s authority to identify concerning transactions.

Under CFIUS’s expanded regime, some transactions (including takeovers of companies with technology subject to US export controls) must be reported. Parties should not overlook the possibility that regulators could intervene after definitive agreements are signed, and sometimes even years after closing. Even in cases where the mandatory filing triggers are not present, a voluntary filing is still warranted. Interos’ supply chain maps help customers identify the ownership, the extended relationships, and the financial and regulatory risk of the companies to which your organization is connected, enabling businesses to identify potential FIRRMA concerns before they manifest.


Biden signs bill banning goods from China’s Xinjiang over forced labor 

Summary: US President Joe Biden signed into law legislation that bans imports from China’s Xinjiang and imposes sanctions on individuals responsible for forced labor in the region. 

The Uyghur Forced Labor Prevention Act is part of the US pushback against Beijing’s treatment of China’s Uyghur Muslim minority, which Washington has labeled genocide. The bill passed in late December after lawmakers reached a compromise between House and Senate versions.

Key to the legislation is a “rebuttable presumption” that assumes all goods from Xinjiang, where Beijing has established detention camps for Uyghurs and other Muslim groups, are made with forced labor. It bars imports unless proven otherwise.  

The Uyghur Forced Labor Prevention Act cements the Administration’s sights on three products in particular: cotton, of which Xinjiang is one of the world’s largest producers; tomatoes; and polysilicon, a material used to produce solar panels.  

Interos Insight: The Act is the latest in intensifying US penalties against China for alleged abuse of ethnic and religious minorities. Earlier in the year, US Customs and Border Protection (CBP), part of DHS, started to detain cotton products and tomato products produced in China’s Xinjiang Uyghur Autonomous Region.

Country-specific or, in this case, region-specific restricted lists are growing by the day. Just the week before Biden signed the Act, the US government put investment and export restrictions on dozens more Chinese companies, including top drone maker DJI, accusing them of complicity in the oppression of China’s Uyghur minority and of helping the Chinese military. Human rights risks are almost impossible to track throughout your extended supply chain with manual methods like surveys or spreadsheets, a challenge that will only grow as these restricted lists continue to expand. Interos’ mapping provides insight into every restricted list, with a scoring system that not only ensures compliance but helps you assess potential exposure and avoid reputational or operational harm so you can source with confidence.


And a Follow-up: 

Minmetals confirms China rare earths merger, creating new giant 

Summary: Since we last discussed the matter in last month’s Beacon, final details of China’s newly formed, massive, global force in the rare earths space have been confirmed. The consolidation gives China the ability to control pricing, increase efficiency, and secure its strategically crafted dominance and competitiveness. Three of China’s Big Six rare earth groups will team up in a merger to create the world’s second-biggest producer, a state-owned enterprise.

The group would have significant pricing power for some rare earth elements such as dysprosium and terbium, which are essential for producing high-performance magnets. 

Interos Insight: This consolidation comes at a critical time, as Washington grapples with US and Allied dependence on Chinese rare earths. In response, a February executive order identified critical minerals as one of four key areas in need of a complete review and improved policy options to address related risks to the supply chain. Considering the importance of rare earths to national security, it would not be a stretch to imagine a related US State Department strategy for our Allied partners, or the potential inclusion of Chinese critical mineral companies on the section 1260H list of the National Defense Authorization Act for Fiscal Year 2021, since they are “military-civil fusion” operators in the Chinese industrial base.

A bipartisan piece of legislation (the Restoring Essential Energy and Security Holdings Onshore for Rare Earths Act) has already been introduced in the US Senate. It would force defense contractors to stop buying rare earths from China by 2026, and it would track and disclose the country of origin of certain rare earth metals used in systems delivered to the military. Companies with any component in their supply chain that requires rare-earth materials will want to keep abreast of related policy and legislative developments.

That’s this month’s Supply Beacon. Looking to learn more about supply chain risk and operational resilience? Check out interos.ai. Got a suggestion for next month’s newsletter? Send us the scoop at [email protected] or tweet us at @InterosInc!

Supply Chain Sustainability Info Gap Exposed in New Survey

Companies today want to create a sustainable supply chain – but they often lack the data and visibility into their partners to truly meet their sustainability goals, according to new research from Interos and Procurement Leaders.

The report — “Supplier Sustainability: From Intent to Impact” — revealed that 37% of responding businesses struggle to obtain the data to measure supplier sustainability accurately.

Businesses have long relied on suppliers to self-attest to their sustainability and ethics status. This information is often inaccurate and submitted through a cumbersome manual process on an annual basis. Given the rapidly changing nature of the modern supply chain ecosystem, periodic self-reporting is no longer adequate, but it is still the method 74% of businesses rely on, according to our study.

This lack of trustworthy information leads to real-world problems: 41% of organizations reported that ESG-related risk factors had caused detrimental impacts to their business in the past two years, making it harder to achieve a sustainable supply chain.

Get Ahead of the ESG Sea-Change

To make meaningful progress towards creating a sustainable supply chain, companies first need accurate information on the companies they work with directly and indirectly. This is where Interos comes in. Our cloud-based, artificial-intelligence platform monitors more than 80,000 data streams to provide visibility into your suppliers’ risk posture as it changes, not nine months after the fact.

Per Procurement Leaders: “The path forward is clear: companies looking to get ahead in public opinion and compliance will benefit from adopting automated solutions that leverage machine learning and AI. Automated solutions are the only type that can scale to match the size and speed of the global economy and represent the best path forward to defeating ESG risk in the supply chain.”

While many companies have a good understanding of the partners they directly interact with (their Tier-1 suppliers, also known as first parties), they often lack any visibility beyond that point. Procurement Leaders found that while 79% of procurement teams regularly engage with Tier-1 suppliers, that number quickly drops to 35% for Tier-2 suppliers and just 9% for Tier-3 and beyond.

This lack of visibility can cause tremendous peril, as we’ve seen over the past two years of intense disruption, laying bare the fragility of the global supply chain. For instance, a shutdown at a lower-tier supplier – like a factory shutting down due to a Covid outbreak – can cause ripple effects all the way up the chain to the consumer. When procurement teams set their sights on a truly sustainable supply chain, improved visibility is urgent. 

The Supply Chain Sustainability Report Reveals The Cost of Inaction

The Interos Annual Global Supply Chain Report found that supply chain disruptions cost large companies, on average, $184 million a year. Combatting that costly disruption can have many benefits in addition to the potential for significant cost savings. Improving supply chain visibility can also help reduce reputational risk and enhance regulatory compliance while increasing rates of innovation and attracting more talent. A transparent, sustainable supply chain also shows customers you operate an ethical company that cares about its community and the environment.

As our survey showed, businesses rated eradicating slave labor and using fair business practices as their most important sustainability goals:

Supplier Sustainability Goals by Importance.

The Sustainable Supply Chain is a “Board-Level” Priority

The potential opportunities and challenges of today’s supply chain make it an issue the entire C-suite and board should know and understand. Thankfully, business leaders are beginning to understand this dynamic and see the sustainable supply chain as something more significant than just the domain of a chief procurement officer or a logistics team.

On average, corporate boards meet to discuss supply chain risk 22 times each year. In addition, 50% of supply chain leaders report that supply chain risk will be their organization’s top business priority in two years. Just a few years ago, maintaining a sustainable supply chain was barely on the corporate leadership agenda, consigned to the remits of procurement and security leaders. It is now top-of-mind for the most senior executives, and companies looking to protect their reputation and bottom line will need to take action on ESG risk.

For more information on reducing your supply chain risk, and to download the full sustainability report, please click here. To learn more about Interos, visit interos.ai.