Operational Resilience is Now Everyone’s Job (Pt. 3 of 4)

April 30, 2021
Jennifer Bisceglie

You know you’re only as secure as your weakest link.

When it comes to your supply chain, that link could be one of your suppliers, your suppliers’ suppliers, multiple internal teams, or any of the thousands of employees whose daily work impacts how you source, distribute, process, and ship materials. That means your operational resilience is not the job of one department or manager—it’s everyone’s job.

With today’s varied and constantly shifting risk factors, keeping the supply chain safe depends on connected teams and coordinated decision-making. The two previous posts in this series explained how the death of Black Swan events has created a need for a Resilience Operations Center—an organizational framework for monitoring and mitigating supply chain risk factors.

But where in the organization does operational resilience responsibility belong?

Supply chain threats are organizational threats

Cyber security mitigation became everyone’s job once business leaders saw that internal silos and lack of education were putting the entire organization at risk. Bad actors seek out and exploit weaknesses anywhere they can find them. Supply chain risk is very similar. If a risk exists in one part of the supply chain, it makes the entire system weaker because suppliers rely upon each other for compliance and governance.

The need for a Resilience Operations Center (ROC) has never been greater as the role of supply chain security is shifting to the entire organization rather than traditional silos. And you are only as secure as your weakest link.

Creating a silo-less supply chain

The status quo in supply chain risk management is to have multiple groups looking at a small piece of the problem, with little communication or coordination between them, a fragmented approach to risk that is no longer acceptable. Traditionally, these threats were addressed separately by the chief security officer (CSO) or chief information security officer (CISO), legal and governance teams, and procurement. Many companies have recently added a chief risk officer (CRO), but those roles often do not cover the supply chain. A new solution is needed, one that connects stakeholders and ensures information is shared freely between them.

For example, consider a business reliant on high-quality steel for its products. Imagine they purchase lower-quality components at some point, which results in a poor product and a dip in customer loyalty. In a traditional organization, the role of addressing this problem would be divided among multiple groups, often with different goals. The purchasing team wants low-cost materials and may ignore concerns about quality. The product teams need high-quality steel to support the design. The governance and legal teams only get involved much later in the process. The CISO wants to ensure the company only uses vendors with good cyber hygiene. The marketing team promoted the product as high end. What results is often finger-pointing, uncoordinated responses, and a long, difficult process to sort out and remedy the issue. Meanwhile, customer frustration grows.

Organizations must tear down the silos in order to create a central organization to address these issues. A ROC can act as that central resource by connecting teams, laying out clear processes, and creating reliable decision-making criteria for managers.

A top-down approach and awareness are keys to success

Fortunately, events of the past 14 months have created an awareness in the C-Suite that has put the health and agility of the supply chain squarely in the purview of the CEO and Board. Ensuring executives saw and understood the big supply chain picture, fostering a collaborative environment, and creating organizational goals used to be more difficult. The solution requires a top-down approach. It’s nearly impossible for one department or team to achieve these objectives on its own. If you don’t spend time and money vetting a supplier to make sure they are compliant with your risk reduction goals, it doesn’t matter if your purchasing team picks another supplier purely because they were cheaper or that supplier has the best security policies in place.

Siloed actions create winners and losers within an organization. Leadership needs to ensure teams are acting as a single entity, not as individual units. Group success benefits everyone, and group failures allow for learning experiences—a chance to understand gaps or mistakes and implement best practices.

Again, the ROC helps create and sustain this kind of mindset. It enables communication, improves visibility, and keeps teams focused on big goals and shared KPIs through a set of tools and processes, including:

  • Coordinated risk assessment
  • Supplier relationship mapping
  • Continuous monitoring
  • Incident response teams
  • Single-source-of-truth dashboards
  • Insight sharing and real-time alerts
  • Outcome modeling and predictive insights
  • Closed-loop processes for lessons learned

Most supply chain risk management (SCRM) programs and processes fall way short of what organizations need in today’s complex threat environment. Ad hoc tools, point-in-time surveys, and spreadsheet-driven systems can’t tell you that. They are too limited in scope, not agile enough, and don’t align with or help meet wider enterprise objectives.

Who understands your supply chain?

For agile, competitive companies, this is a long list. If it’s only your VP of supply chain and your procurement officer, you’re not doing enough to achieve operational resilience. A list of supply chain stakeholders needs to include:

  • CEO and CFO
  • Procurement
  • IT (CIO) and information security managers
  • Regulatory officers
  • General counsel
  • Business unit heads

That’s just the minimum. A broad base of connected team members creates a foundation for a number of supply chain and business benefits, from better risk management and business continuity planning to speed-to-market and customer satisfaction.

We’ve been warned, now it’s time to act

Cyber security fears (and failures) motivated organizations to rethink how they monitored and responded to technology threats. Will the supply chain events of the past year, and the ongoing looming threats, inspire similar action?

In an era where the workforce has more freedom than ever before, every remote user is a possible entry point for a supply chain-driven cyberattack. We are all responsible for supply chain integrity and operational resilience. It is only by working together, sharing information, and reducing organizational silos that we can support a healthier, more resilient supply chain. This is the guiding principle behind – and function of – the ROC.

Why wait until the next supply chain shock to start building a ROC when your business, brand, and reputation are already on the line? If you’d like to see how Interos can help your organization achieve operational resilience, reach out for a solution demonstration.
