Interos CISO Insight Series: 6 Vital Findings into Supply Chain Security

Interos recently hosted a roundtable for financial services industry (FSI) security professionals to discuss supply chain challenges. The event included 30 FSI participants and several of Interos’ supply chain security experts. The six most important findings of the event are below:

1: Only 10% of participants monitor their supply chain past the first level.

We see this all the time: most organizations have little or no visibility past their direct, first-tier suppliers. This lack of awareness becomes a real problem when dealing with a supply chain breach such as Kaseya: the chief information security officer (CISO) has no idea how such an event could impact their organization. The CISO must wait for a vendor to notify them of a breach, or detect an attack already in progress, which forces them to be reactive in a potentially catastrophic situation.

2: Most do not continuously monitor first-tier suppliers or only use third-party risk software for annual reviews.

This feedback was disappointing but expected. Many participants said they employed third-party risk software but had not actively used it to make changes. If the organization is not actively mapping and monitoring the supply chain, it can be challenging to understand the bigger picture and anticipate future risks.

3: Many don’t know what to do with the information they receive from third-party risk tools.

More information does not necessarily help the CISO if they cannot use it to make proactive decisions to improve security posture. Much of the risk scoring uses past events or surveys. While third-party risk scoring solutions can be helpful, they often don’t provide real insight into the bigger picture of the risks in an organization’s supply chain. A CISO trying to be proactive and remediate issues will need an awareness of the entire supply chain to understand potential weaknesses.

4: Very little supplier vetting is done during onboarding, which takes 4-6 weeks on average.

This area was the most crucial topic for attendees. All agreed vetting of new or existing suppliers is the most common supply chain task given to a CISO organization, and the most frustrating. The cyber team may have no onboarding requests this week and five next week. This variance is disruptive to planning and staffing efforts. Vetting is usually done by sending and correlating surveys. The challenge is getting surveys back quickly and completely. At Interos we use public sources of information to build the risk score of a potential supplier which dramatically reduces the workload on cyber teams.

5: Many feel pressure to speed up onboard checking, especially for critical suppliers.

If suppliers don’t complete the survey, or don’t bother to return it, the CISO is left with a gap in the risk report. With the recent supply chain disruptions caused by trade disputes, COVID-19, the Suez Canal blockage, etc., the need to onboard suppliers quickly and correctly has never been more critical. A CEO telling the CISO that the company is shut down until the risk report is complete is an all too common experience. There is unrelenting pressure to pass suppliers regardless of holistic vetting.

6: Little or no ability to remove a supplier for cyber reasons if they were in good standing otherwise.

The importance of properly screening new suppliers is often only realized months later. Interos gives cyber teams more time to analyze the situation. For example, Interos checks U.S. federal and EU sanctions lists automatically as part of the risk profile to detect whether the new supplier is using a sanctioned entity. With this extra time, a CISO can guide the purchasing team to include contract language forbidding the use of that entity in products, avoiding a future problem instead of telling the factory to scrap an entire production line.
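The screening step described above, as an added example that is not Interos’ code: a supplier and the sub-suppliers it discloses at onboarding are checked against a restricted-party list. The list entries, supplier names and aliases here are constructed for illustration and do not correspond to any real designation. The point the example makes is that exact string comparison misses obvious variants (legal suffixes, punctuation, British spelling), so names are normalized before matching and a similarity score is used with a tunable threshold.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed restricted-party list (hypothetical names, not real designations).
SANCTIONED = [
    {"name": "Northwind Semiconductor Co., Ltd.", "aliases": ["Northwind Semi", "NWSC"]},
    {"name": "Blue Harbor Shipping GmbH", "aliases": []},
]

# Legal-form tokens that carry no identity and are dropped before comparison.
LEGAL_SUFFIXES = {"co", "ltd", "limited", "inc", "corp", "corporation", "gmbh",
                  "llc", "plc", "sa", "ag", "company"}


def normalize(name):
    """Fold accents and case, strip punctuation and legal suffixes."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", folded.lower())
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def screen(entity, sanctions=SANCTIONED, threshold=0.85):
    """Best list match for one name as (listed_name, score), or None below threshold."""
    best = None
    norm_entity = normalize(entity)
    for entry in sanctions:
        for candidate in [entry["name"], *entry["aliases"]]:
            norm_candidate = normalize(candidate)
            if norm_entity == norm_candidate:
                score = 1.0
            else:
                score = SequenceMatcher(None, norm_entity, norm_candidate).ratio()
            if score >= threshold and (best is None or score > best[1]):
                best = (entry["name"], score)
    return best


def screen_supplier(supplier, sanctions=SANCTIONED, threshold=0.85):
    """Screen a supplier and every sub-supplier it disclosed.

    supplier = {"name": str, "sub_suppliers": [str, ...]} (constructed shape).
    Returns {submitted_name: listed_name} for every hit, so the cyber team
    sees not only whether the direct supplier is listed but whether a
    sub-tier entity is.
    """
    hits = {}
    for name in [supplier["name"], *supplier.get("sub_suppliers", [])]:
        match = screen(name, sanctions, threshold)
        if match:
            hits[name] = match[0]
    return hits


if __name__ == "__main__":
    # Constructed onboarding submission: the direct supplier is clean, a
    # disclosed sub-supplier is a spelling variant of a listed entity.
    submission = {
        "name": "Alice Widgets Inc",
        "sub_suppliers": ["NORTHWIND SEMICONDUCTOR CO LTD", "Blue Harbour Shipping"],
    }
    for submitted, listed in screen_supplier(submission).items():
        print(f"HIT: {submitted!r} matches listed entity {listed!r}")
```

The threshold is a policy choice: lower it and reviewers get more false positives to clear by hand; raise it and near-miss aliases slip through. Real screening also keys on registration numbers and addresses, not names alone.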

Conclusion: Visibility, automation, and better insights help everyone 

The stress on cyber teams to onboard and monitor suppliers will worsen as supply chain disruptions continue. CISOs and cyber teams need to get it right at the beginning to avoid future disruption and breaches. Interos empowers the CISO to score supplier risk correctly and promptly, reducing the stress on them and their teams and, in turn, benefiting the organization and its customers.

Interos Operational Resilience solution can provide the CISO a vital advantage in dealing with supply chain issues. Please see it in action at https://www.interos.ai/resources/interos-product-overview/

Help Procurement Teams See Total Supplier Value

It’s time to assess suppliers through a risk and resilience framework

Procurement teams are acutely aware of how their sourcing and spending decisions impact operational resilience. For instance, those who work in financial services recognize the necessity of meeting regulatory and compliance requirements. Within consumer goods organizations, procurement professionals have to ensure that products are available, and that their brand image is well represented. While in industrial manufacturing, they know all too well what happens within the supply chain when a supplier’s reliability or quality degrades. In many ways, supplier selection is the most important task for a procurement team given the potential for positive or negative business impact.

Given that, procurement and sourcing professionals have gone to great lengths to ensure that they evaluate suppliers according to the total value they bring to the table. But what is supplier value and how is it measured? Do those considerations only apply to the primary supplier, or to the extended supplier network?

What determines supplier value to a procurement team?

Measuring supplier value is part science and part art. Depending on the category of spend, the criticality of what is being sourced, and your overall objectives, value determinations can vary greatly. And so can the methods for arriving at that value.

For commonplace goods and supplies (say, wire hangers or office supplies), a supplier’s value may be primarily measured by unit price and speed to fulfill. But for more complex or hard-to-source goods or services, things like warranties, add-on services, and customization can increase value. The more critical the supply is to the business, the higher the value of supplier reliability, quality, positive relationships, and stakeholder preferences.

Similarly, methods of evaluating the value attributes can vary as the complexity and criticality of the purchase increases. A simple Request for Information (RFI) to tick off prerequisites may suffice before holding a reverse auction for basic goods. More extensive RFI and profile questions, with weighting and scoring of responses within a Request for Proposal (RFP)/Request for Quote (RFQ), may take procurement deeper into a value assessment. In some cases, external data augmenting extensive RFIs and constraint-based scenario analysis may provide a more detailed evaluation of supplier value. Site visits, prototypes, references, in-depth research, and background checks may also come into play.

But these are somewhat narrowly focused evaluations of what value the supplier can bring to the table and where they can add value in the course of supplying a specified good or service. What about the negative aspects of value, the risks the supplier may bring along as well?

The increasing relevance of supplier risk

It’s now all too clear that businesses are increasingly interconnected and dependent upon extended and often specialized supply chains. There are innumerable examples of supplier failures, supply disruptions, and other business challenges stemming from extended supply chains. It’s not just manufacturers suffering from disruptions within the critical supply chains that serve as the lifeblood of their operations. Businesses across all industries and of all sizes have been cast in these stories.

When a key supplier fails to deliver, your entire business could come to a screeching halt. If a sub-tier supplier is using forced labor, or is damaging the environment, your brand reputation could take a major hit. A data breach at an outsourced service provider could expose you to embarrassment, fines, and even lawsuits.

Unfortunately, these aren’t hypotheticals or even rare occurrences anymore, as shown by the results of a recent Interos survey. A full 94% of 900 organizational supply chain decision makers reported they had suffered a supply chain disruption over the last two years, amounting to an average of $184 million in lost revenue. On top of that impact, 83% also suffered reputational damage because of issues that arose in their extended supply chains.

The list of supply chain threats is long. Supplier financial instability. Global health pandemics and rising case counts. Natural or man-made disasters. ESG and reputational impacts. Cyber attacks, ransomware, and data breaches. Shifting geopolitical and trade policy winds. Regulatory changes, sanctions, and restricted lists. All of these are having an increasingly visible impact on local and global, physical and digital, primary suppliers and extended supply networks.

Procurement’s expanding view of supplier value and risk

Executive teams and their boards are now meeting monthly, on average, to discuss supply chain risk and disruptions, per the responses received in our global survey. And the discussions are leading procurement towards a broader assessment of supplier risk and operational resilience, and at deeper levels within the supply network. Procurement teams that haven’t taken the initiative to apply new approaches to supply risk are being asked to get onboard quickly.

There is ample evidence of procurement’s expanding view of supplier risk. Initiatives to include more multi-source options, alternates, and backups in case of a disruption. Diversifying geographical concentration to ward off the threat of supply problems caused by weather events, infrastructure constraints, labor issues, or political strife. Deeper financial analysis, ESG alignment, and contractual obligations have been used to protect the business from surprises. Contingency planning and scenario analysis can provide much needed agility and reduce negative impacts to the business.

As supply networks grow and become more complicated, so too do the risks that are hidden from casual evaluations. Supplier self-reported survey responses, point-in-time assessments, and a shallow review of primary suppliers just don’t cut it anymore. Claiming a lack of visibility into sub-tier supplier risks or an inability to anticipate problems across the supply network are poor excuses, and ones CEOs will not tolerate any longer.

Incorporating risk and resilience into supplier value

An overnight shift to rein in extended supply networks isn’t in the cards. Businesses and their supply chains have evolved over decades to focus on core competencies, strengths, and specializations. Today’s (often global) extended supply networks have created nested dependencies across multiple tiers of suppliers. As such, a shortage, quality issue, or even a reputational hazard in a lower-tier supply node has the potential to cause a debilitating ripple effect.

Multi-sourcing strategies, safety stocks, and other contingency plans are in place to ward off the immediate impacts of a failure somewhere within the supply network. But there is only so much “what if?” analysis that can be done when there are risks hidden within your supply chain.

Uncovering the hidden risks and identifying and assessing their potential impact to the business, can help procurement organizations build resilience into their supply networks proactively. Deeper visibility into your supplier’s suppliers, down to the original sources, can help identify sole-source situations in lower tiers, unseen geographic concentrations, and financial problems that could undercut a healthy primary supplier’s ability to support your business.

“When you can see everything, you can do anything” is Interos’ motto, because visibility into hidden risks is a key factor in building resilience into your business. A deeper view of multi-tier relationships and dependencies, and a broad view of multiple risk factors, can show you more about the value, or the risk, a supplier brings to the table.

The value lies in that supplier’s resilience—a state that includes not only their own resilience, but resilience at their sub-tier suppliers as well. And with that information at hand, procurement teams can evaluate suppliers more holistically, with a keen eye towards the potential risks of one supplier over the other, to make better decisions.

Get more actionable insights for procurement teams

Watch this in-depth and revealing discussion on how procurement and sourcing professionals can:

  • Gain insight into how existing supplier evaluation approaches are falling short
  • Leverage technology to avoid risk and build resilience
  • Improve what they bring to the table as organizations look for ways to see and avoid risks


Supply Chain Risk Management Methods Lag Behind New Risks—and Costs are Rising

Monitoring Frequency

Supply chain shocks are causing debilitating effects on large organizations, especially financially. This impact alone is enough to cause significant damage. With so much on the line, businesses need to know if their current supply chain risk management (SCRM) tools and processes are up to the challenge.

Our new whitepaper, “Supply Chain Disruptions and the High Cost of the Status Quo,” based on a survey of 900 enterprise decision makers about their risk management practices, found:

  • Only 34% assess their global supply chain on a continuous basis.
  • The remaining 66% do so every month or less.

That means the majority of organizations are operating with large gaps in their supplier visibility and risk mitigation solutions. As discussed in a previous post, that vulnerability is costly:

  • On average, global supply chain disruptions cost enterprise-level organizations $184 million in lost revenue per year.

Assessment Methods

The frequency of measurement depends on the type of SCRM method an organization uses: manual or automated. The former measures supply chains on an irregular basis and at a single point in time, while the latter provides feedback in real time on a continuous basis. Nearly three quarters (74%) of organizations use manual methods at least some of the time, with only just over a quarter (26%) relying solely on automated methods.

Infrequent monitoring is the norm in every sector. The enormous financial impact many organizations suffer shows that current methods are ineffectual: they remain blind to many of the shocks occurring in their supply chains, which is why the shift to more automated methods matters.

Therefore, it’s not surprising that the majority of decision makers (63%) admit that they need to make improvements to their ability to continuously monitor their supply chains.


Visibility is currently a critical weakness among many organizations, especially the ability to see in depth across sub-tiers in the supply chain. Automated methods can alleviate this deficit in organizations’ supply chain risk management systems. In fact, when asked what the benefits of a fully automated method would be, 64% rank supply chain visibility (ecosystem awareness) as the greatest benefit.

Automated methods may also help reduce the financial burden brought about by disruptions: two other benefits that rank highly are cost avoidance (56%) and cost reduction (56%). What is clear is that all surveyed supply chain decision makers (100%) believe there are benefits to using automated methods.

Organizations should view an effective and robust monitoring system as essential. Current methods are likely inadequate at preventing large-scale financial damage as a result of supply chains shocks. Those who employ the most efficient methods are likely to be in the best position to protect themselves going forward.

Get More Data on SCRM/TPRM Practices and Improving Risk Mitigation

Our paper goes into more detail on the importance of visibility and supply chain risk management needs, as well as what current practices are helping organizations mitigate risk and which are not up to the task. Get all the insights here.

As Disruptions Grow, So Does the Quest for Better Supplier Risk Management

The diverse and successive nature of supply chain shocks is challenging every organization. Combine that with the high costs associated with disruptions and businesses have a loud and clear wake-up call: better supply chain risk management and improved monitoring are critical needs in today’s environment.

It’s therefore no surprise that supply chain risk management and resilience are going to become increasingly important to organizations. Our new whitepaper, “Supply Chain Disruptions and the High Cost of the Status Quo,” based on a survey of 900 enterprise decision makers about their risk management practices, found:

  • 50% of all surveyed organizations say supply chain risk management (SCRM) and resilience will be their top business priority in two years’ time—while just 39% say they are top priorities today.

As SCRM becomes more critical, the frequency with which boards of directors discuss the topic reflects this. Overall, 21% of boards are talking about supply chain risk on at least a weekly basis, and 78% do so at least monthly.

Supply Chain Visibility

A crucial element of supply chain risk management is the level of visibility that organizations have throughout their supply chain. The less the organization can see across its supply chain, the less it can accurately predict. Intuitively, organizations experience more significant fallout due to disruptions when visibility into their supply chains is lower.

With that being said, it’s not a surprise that the vast majority (88%) of organizations say visibility into their global supply chain is more important now than it was two years ago. The succession, and at times, overwhelming number of recent shocks and related impacts demands that greater importance is placed on visibility.

However, while decision makers note the value that visibility into supply chains can provide them, this does not necessarily translate across the different tiers in an organization’s supply chain.

In fact, visibility levels drop off sharply below the second tier of organizations’ supply chains:

  • 80% say their organization has instantaneous visibility/the ability to continuously monitor their supply chains in the second tier
  • This drops to only 50% at the third and fourth tiers, and only 22% say they can do this at the ninth tier and below

Get More Data on SCRM/TPRM Practices and Improving Risk Mitigation

Our paper goes into more detail on the importance of visibility and supply chain risk management needs, as well as what current practices are helping organizations mitigate risk and which are not up to the task. Get all the insights here.

Supply Chain Disruptions Cost Millions—Here’s How they Add Up

Ensuring supply chain risk management (SCRM) methods are robust enough to keep threats at bay and help organizations stay secure is a critical need today. But a succession of large shocks—including the COVID-19 pandemic, multiple high-profile cyber breaches, and ongoing international trade disputes—have exposed deep supply chain vulnerabilities and revealed shortcomings in SCRM and third-party risk management (TPRM).

Surprisingly, when shocks do occur, little is known about the true extent of the disruption, the wider organizational costs, or damage extending beyond that of a financial nature. Our new whitepaper, “Supply Chain Disruptions and the High Cost of the Status Quo,” based on a survey of 900 enterprise decision makers about their risk management practices, fills in many of those knowledge gaps:

  • On average, global supply chain disruptions cost enterprise-level organizations $184 million in lost revenue per year
  • 83% have suffered reputational damage because of supply chain problems

Looking Deeper at Disruption Data

Our survey found that supply chain events impact geographies and industries in unique ways.

The average revenue loss rises to $228 million for U.S. organizations, compared to UK and DACH where it costs $146 million and $145 million, respectively. There is also a large difference between sectors, with disruptions costing those in IT and technology ($194 million) and aerospace and defense ($193 million) more than financial services, where the average cost to revenue drops to $164 million. However, no matter the location of the organization or the sector they operate within, these costs are an unsustainable and debilitating expenditure.

The cost of supply chain disruptions extends beyond an organization’s revenue, as brand, reputation, and customer perception are also negatively impacted. It’s therefore no surprise that more than four in five (83%) of those surveyed say their organization has suffered reputational damage as a result of supply chain disruption. Again, those in the U.S. see the most severe impact in this regard, where 87% have suffered, compared to organizations in the Nordic countries where 77% say the same.

Understanding Supply Chain Risk Factors

The number of supply chain shocks has grown in recent years. Each disruption proves troublesome for organizations who are likely still reeling from the effects of the previous one. In fact, fewer than 1 in 10 enterprise organizations (6%) say they have not been impacted by supply chain disruptions over the past two years. We can attribute these disruptions across a variety of supply chain threats, with risk spread fairly evenly across all factors. To illustrate this, over the past two years, decision makers report that shocks have been spread across cyber risk and breaches (52%), financial risks (50%), and environmental/social/governance (ESG) (41%), among others.

Decision makers understand the critical need to use SCRM and TPRM to protect themselves against all types of supply chain risk. More than four in five (between 81% and 88%, depending on the factor) believe it is important to guard against each of the six risk factors. This demonstrates that even if they are not directly impacted by every threat, decision makers understand the wide-ranging sources of disruptions to their supply chains.

Get More Data on SCRM/TPRM Practices and Improving Risk Mitigation

Our paper goes into more detail on the importance of visibility and supply chain risk management needs. It also includes current practices that are helping organizations mitigate risk. Get all the insights here.

The Big Takeaway from the Kaseya Supply Chain/Ransomware Cyberattack

This month, the world of enterprise security was badly shaken, as the Russia-based cybercriminal syndicate REvil launched yet another high-profile ransomware attack. The hackers, responsible for the recent attack on JBS Foods, compromised Kaseya VSA, a remote monitoring and management (RMM) platform used by Managed Service Providers (MSPs) to administer their customers’ endpoints. By abusing VSA’s own software distribution path, REvil was able to quickly reach at least 50 of Kaseya’s direct customers and somewhere between 800 and 1,500 small-to-medium sized businesses further down the supply chain.

This is not the first such attack, though it is REvil’s most ambitious (and successful) to date. Over the past year, we’ve endured SolarWinds, Colonial Pipeline, JBS Foods, and now Kaseya. This seemingly endless litany of supply chain-centric cyberattacks grows every week. As it does, companies and governments are simultaneously dealing with a host of other disruptions like COVID, the Suez Canal blockage, Brexit, international trade disputes, and more.

While these cyberattacks and global disruptors may appear dissimilar, having wildly varying causes and impacts, there is strategic value in considering them – and the supply chains they spread across – as a collective. Together, they represent a rapid learning opportunity for both adversaries and defenders – an open-source global weapons development program. The adversaries – hostile nation states and cyber criminals – are already studying these elements for future tweaks toward enhanced weaponization. So should we.

What have they Learned?

Every supply chain disruption – be it a successful hack, a natural disaster, or an international political dispute – increases the information adversaries and defenders have on the effectiveness of techniques, viability of targets, and the favorability of global circumstances. All of which can be mixed and matched, refined over time to discover not just the ideal avenue for an attack, but the optimal conditions of the greater supply chain and business ecosystem under which to conduct one.

[Figure: Major REvil and DarkSide ransomware attacks]

What everyone is learning is that the battlefield we’re on is considerably larger than previously imagined. We’re used to thinking about the enterprise as a collection of endpoints that need securing. The effectiveness of these supply chain shocks shows that our enterprises are also individual nodes of a much bigger macro-network. It’s a battlefield so large that drawing up a strategic defense using conventional tools and tactics won’t work. To do so effectively, we need to learn about this broader playing field in all of its dimensions – from enterprise networks to transportation/logistics tools to environmental and labor concerns.

Understanding the interplay between these elements is crucial. In addition to the direct damage done to Kaseya, this latest attack shut down 800 supermarket locations that could no longer operate their checkout software, interrupted Swedish rail service, and disrupted the operations of a Swedish pharmacy chain. A more holistic understanding of the possible knock-on effects of a cyberattack could have enabled defenders to better prepare for the situation or, at the very least, understand the level of digital concentration risk posed by having so many critical systems in one country connected to a single application.

Attacks like the recent strike on Kaseya have upended how we think about crime. Conventionally, attackers strike a single target and receive payment from that target. Today, attackers are essentially able to use the supply chain to probe endlessly for small fissures in our digital armor and strike many victims simultaneously, while collecting hard-to-trace ransoms in an endless variety of cryptocurrencies.

Nested Networks

This is a problem of networks within networks. Consider the ongoing supply chain disruption facing the semiconductor industry. On the surface it’s a simple matter of demand exceeding supply. But when you examine it from a more holistic, networks-within-networks perspective, it becomes infinitely more complex.

An expected, COVID-driven dip in automotive sales led to a reallocation in silicon production resources. When that dip failed to materialize at the same time as a spike in consumer electronics purchasing, combined with a litany of natural disasters affecting production: the great silicon squeeze was on. This representation is, of course, still greatly simplified from the reality of the situation, which involves thousands of companies, millions of workers, and impacts practically every person on this planet.

With a holistic understanding of multi-factor supply chain risk — how the non-obvious connections and dependencies were poised to amplify this shortage — we could have limited the impact, or strategically allocated resources. This problem of understanding exposure and how the supply chain can magnify small disruptions into massive ones, lies at the heart of the ransomware challenge as well. If we are to have a hope of preventing supply chain-based cyberattacks, understanding their potential impact, and mitigating the proliferated “fan-out” damage when they occur, we need to understand the entire picture.
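The “fan-out” problem above, and the procurement-side goal earlier on this page of spotting sole-source situations and geographic concentrations hidden below a healthy tier-1 supplier, come down to the same graph analysis. The following is an added example, not Interos’ code or tooling: a small multi-tier dependency graph (constructed, hypothetical supplier names and countries) is walked to compute each supplier’s tier, the blast radius of a compromise at any node, the sub-tier nodes on which several tier-1 suppliers silently depend (the Kaseya pattern: two different MSPs, one shared RMM vendor), and the countries that host a disproportionate share of the network.

```python
from collections import defaultdict, deque

# Constructed sample data (hypothetical names and countries, not from the page).
# Each edge reads (buyer, supplier): the buyer depends on the supplier.
EDGES = [
    ("us", "msp_a"), ("us", "msp_b"), ("us", "bank_core"),
    ("msp_a", "rmm_vendor"), ("msp_b", "rmm_vendor"),
    ("bank_core", "chip_fab"), ("bank_core", "cloud_x"),
    ("chip_fab", "wafer_co"), ("rmm_vendor", "cloud_x"),
]
COUNTRY = {
    "msp_a": "US", "msp_b": "US", "rmm_vendor": "US", "cloud_x": "US",
    "bank_core": "UK", "chip_fab": "TW", "wafer_co": "TW",
}
ROOT = "us"  # our own organization


def build_graph(edges):
    """Adjacency map buyer -> set(suppliers)."""
    graph = defaultdict(set)
    for buyer, supplier in edges:
        graph[buyer].add(supplier)
    return graph


def supplier_tiers(graph, root=ROOT):
    """Tier of each node = shortest dependency distance from root (BFS)."""
    tier = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for supplier in graph[node]:
            if supplier not in tier:
                tier[supplier] = tier[node] + 1
                queue.append(supplier)
    return tier


def blast_radius(graph, node, root=ROOT):
    """Fan-out of a compromise at `node`: every buyer that transitively depends on it."""
    dependents = defaultdict(set)
    for buyer, suppliers in graph.items():
        for supplier in suppliers:
            dependents[supplier].add(buyer)
    seen, queue = set(), deque([node])
    while queue:
        current = queue.popleft()
        for buyer in dependents[current]:
            if buyer not in seen:
                seen.add(buyer)
                queue.append(buyer)
    seen.discard(root)  # report the suppliers hit, not ourselves
    return sorted(seen)


def hidden_concentrations(graph, root=ROOT):
    """Sub-tier nodes on which two or more *different* tier-1 suppliers depend.

    Multi-sourcing at tier 1 collapses to a single point of failure there.
    Returns {node: [affected tier-1 suppliers]}.
    """
    tier = supplier_tiers(graph, root)
    tier1 = {n for n, t in tier.items() if t == 1}
    result = {}
    for node, depth in tier.items():
        if depth < 2:
            continue
        affected = sorted(tier1 & set(blast_radius(graph, node, root)))
        if len(affected) >= 2:
            result[node] = affected
    return result


def geographic_concentration(graph, country, threshold=0.5, root=ROOT):
    """Countries hosting at least `threshold` of all reachable suppliers."""
    suppliers = [n for n in supplier_tiers(graph, root) if n != root]
    counts = defaultdict(int)
    for node in suppliers:
        counts[country.get(node, "UNKNOWN")] += 1
    return sorted(c for c, k in counts.items() if k / len(suppliers) >= threshold)


if __name__ == "__main__":
    g = build_graph(EDGES)
    print("tiers:", supplier_tiers(g))
    print("blast radius of rmm_vendor:", blast_radius(g, "rmm_vendor"))
    print("hidden concentrations:", hidden_concentrations(g))
    print("geographic concentration (>=50%):", geographic_concentration(g, COUNTRY))
```

In the sample data, `rmm_vendor` looks like a tier-2 detail from any single MSP’s onboarding survey, but the graph shows that both MSPs, and so a majority of our tier-1 relationships, fail together if it is compromised. The same walk flags `cloud_x`, which sits under both the MSPs and the bank platform, as an even wider concentration. Real inventories are larger and noisier, but the analysis does not change; what changes is how complete the edge list is, which is exactly the visibility problem the survey data on this page describes.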

The Supply Chain Challenge

Kaseya is, in many ways, a microcosm of the entire problem. MSPs rely on the convenience of tools like Kaseya VSA to easily connect to and deploy software across complex ecosystems. This interconnectivity creates convenience but also magnifies the potential impact of a single attack. This is also true of the broader global supply chain, where the closeness created by globalization similarly magnifies the potential impact of any one supply chain disruption.

Both of these problems, the security concern and the greater, global supply chain problem, reflect the same fundamental security challenge (as described in Matt Tait’s excellent blog on the attack): defending a network or system with countless endpoints on the edge requires centralization of defensive resources; but that centralization inherently creates ideal attack points that, when compromised, immediately create massive risk to the entire system.

What’s more, both the Kaseya and SolarWinds attacks, though hugely impactful to a handful of customers and industries, are almost insignificant when compared to the potential impact of a similar compromise of one of the truly universal software providers. Imagine the situation if Amazon, Microsoft, Apple, or Google were similarly compromised. These organizations regularly push updates that affect virtually the entirety of consumer and enterprise computing resources on the planet. Their respective cybersecurity measures are obviously among the most stringent on the planet, certainly for the private sector, but the point still stands.

To have a hope of blunting the inevitable impact of such a potentially devastating attack, security leaders, company C-suite leadership, and governments need to stop looking at the problem in isolation and begin considering the broader context. We must implement comprehensive, multi-tier, multi-factor, continuous risk monitoring across the entire supply chain if we are to understand how and where we are most vulnerable, and where to concentrate defensive resources. The goal is not only to survive these constant attacks, but to thrive in spite of them.

The Resilience Operations Center: Building Supplier Inventory and Leveraging Automation

The following is an excerpt from the Interos book, “The Resilience Operations Center: A New Framework for Supply Chain Risk Management.” Download the ebook or request a print copy here.

Operational Resilience and Determining Supplier Inventory

Having identified risks and assets, and with a clear understanding of the challenges and success factors to creating a Resilience Operations Center (ROC), the next important phase is determining your supplier inventory. Here are some important questions to answer:

  • What is the scope of your supply chain risk management (SCRM) program? Organization wide, including all affiliate companies? Limited to a specific business unit? Something else?
  • Do you have an inventory, and if so, how do you know that it is complete and includes your extended supply chain?
  • Do you know who your critical suppliers are and who their critical suppliers are?
  • Is there a database where supply chain inventory information is stored and managed? Or are there multiple databases where this information resides? Is the database automated or manual (Excel spreadsheet)?
  • What organization and supplier information do you collect as part of the new supplier onboarding process?
  • Do you categorize your suppliers into risk domains based on the products or services they are providing to your organization or, alternatively, on the functionality provided or information that you shared with them? What role does your information classification scheme play in this process?
  • Which lines of business in your organization have been granted exclusions from your standard procurement process (and may not have been included in the overall supplier inventory)? Does documentation exist for any exceptions that have been made?
  • How is the supply chain inventory kept up to date to maintain the confidentiality, integrity, and availability of your organization’s key products or services, business processes, and information?
  • How can you use the available information to achieve quick wins to build program momentum with management and your board of directors?

If you do not know the services or products that are provided by your existing suppliers, then a review of how your suppliers are onboarded and what information is captured upfront is an important place to start.

Supplier Inventory Building: Automated Discovery Versus Manual Survey

The manual survey methods for building your organization’s inventory likely have gaps or inaccuracies, given that they are based on reporting of supplier relationships by individuals. What if there was a more objective way to discover, evaluate, build, and continuously verify your supply chain inventory?

Emerging automated tools and platforms, ones that leverage multi-tier, multi-factor, and continuous inventory discovery processes, demonstrate this possibility. These tools can use a variety of artificial intelligence technologies and include machine learning and natural language processing. This makes it possible to fill in important gaps, remove overlaps, and resolve conflicts in supplier and subcontractor inventory tiers, while continuously validating and adding to your existing supplier inventory.

These tools provide actionable insights into, and alerts on, the risks introduced to your supply chain. They continuously monitor changes in supplier relationships and associated risk factors. Machine learning can be used to discern relationships that are not obvious, such as investor/ownership, board membership, and subcontractor links, from public, commercial, and private data sources. Machine learning can also be used to build out more robust risk information, for example by identifying the ripple effects of geographic events. Natural language processing can immediately identify and alert you to negative information about suppliers in public news feeds, allowing for a proactive response before the news negatively impacts your organization.

Automated tools now exist with the ability to create and maintain a single source of truth for supplier risk, covering financial, operations, geographic, cyber, regulatory, geopolitical, and environmental/social/governance (ESG) risks. Such tools allow centralization of your organization’s aggregated supplier risk posture and can drive key operational risk mitigation and trends in your organization’s risk reporting.

What Supplier Inventory Information Do I Need to Get Started?

In order to leverage this opportunity effectively and efficiently, your organization would need a minimum amount of information regarding your suppliers. Otherwise, the high volume of data returned by these automated tools could overwhelm you. This baseline information includes:

  • Supplier name
  • Location of product or service being provided
  • Relevant URLs and internet hosting details
  • Critical software development organizations involved
  • Names of commercial products being used or deployed
  • Additional specific data, depending on defined individual use cases

Spending time upfront to carefully define use cases (for example, starting with new supplier onboarding) can help you discover supply chain relationships that you were unaware of and that may pose unacceptable risks that need to be addressed prior to contract signing. Staying aware of the constant, rapid evolution of SCRM through increased use of these automated tools, together with a clear understanding of, and plan for, integrating them into your organization’s existing operating processes, are important success criteria for your SCRM program. Their contribution to maintaining operational resilience is a game changer in the rapidly evolving SCRM landscape.
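As an added illustration (not code from the book or from any Interos product), the following Python builds a multi-tier supplier graph from constructed inventory records carrying the baseline fields listed above, then answers two of the checklist questions: who your critical suppliers’ critical suppliers are, and how concentrated the extended chain is by location. The organization, supplier names and locations are invented sample data.

```python
"""Constructed multi-tier supplier inventory example (not Interos code).

Each record carries baseline fields from the list above: the customer in the
relationship, the supplier name, and the location of the product or service.
"ACME" stands in for our own organization; its direct suppliers are tier 1.
"""
from collections import Counter, defaultdict

# Constructed sample inventory: (customer, supplier, location_of_service)
RELATIONSHIPS = [
    ("ACME", "PayCore", "US"),
    ("ACME", "LedgerSoft", "IE"),
    ("ACME", "DataHost", "US"),
    ("PayCore", "CloudNine", "US"),      # three tier-1 suppliers share one host
    ("LedgerSoft", "CloudNine", "US"),
    ("DataHost", "CloudNine", "US"),
    ("CloudNine", "ChipFab", "TW"),      # tier 3: invisible to a tier-1-only review
    ("LedgerSoft", "KeyVault", "DE"),
]


def build_graph(relationships):
    """Adjacency list customer -> [suppliers], plus supplier -> location."""
    graph = defaultdict(list)
    location = {}
    for customer, supplier, loc in relationships:
        graph[customer].append(supplier)
        location[supplier] = loc
    return graph, location


def supplier_tiers(graph, root):
    """Breadth-first walk from our organization; tier 1 = direct suppliers.

    A supplier reachable by several paths is recorded at its shallowest tier.
    The visited check also terminates on cyclic ownership/subcontracting data.
    """
    tier = {}
    frontier = [root]
    level = 0
    while frontier:
        level += 1
        nxt = []
        for node in frontier:
            for sup in graph.get(node, []):
                if sup != root and sup not in tier:
                    tier[sup] = level
                    nxt.append(sup)
        frontier = nxt
    return tier


def shared_subtier_dependencies(graph, critical_tier1):
    """Sub-tier suppliers sitting beneath more than one critical tier-1 supplier.

    These are the hidden single points of failure: a disruption at one of
    them propagates to every listed tier-1 relationship at once.
    """
    reach = defaultdict(set)
    for t1 in critical_tier1:
        stack, seen = list(graph.get(t1, [])), set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            reach[node].add(t1)
            stack.extend(graph.get(node, []))
    return {s: sorted(t1s) for s, t1s in reach.items() if len(t1s) > 1}


def location_concentration(tier, location):
    """Share of the extended (all-tier) inventory served from each location."""
    counts = Counter(location[s] for s in tier)
    total = sum(counts.values())
    return {loc: round(n / total, 2) for loc, n in sorted(counts.items())}


def visibility_report(relationships, root, critical_tier1):
    """Summarise what a tier-1-only supplier review would miss."""
    graph, location = build_graph(relationships)
    tier = supplier_tiers(graph, root)
    beyond_tier1 = sorted(s for s, t in tier.items() if t > 1)
    return {
        "deepest_tier": max(tier.values()),
        "suppliers_beyond_tier1": beyond_tier1,
        "shared_subtier": shared_subtier_dependencies(graph, critical_tier1),
        "location_share": location_concentration(tier, location),
    }


if __name__ == "__main__":
    report = visibility_report(RELATIONSHIPS, "ACME", ["PayCore", "LedgerSoft", "DataHost"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the sample data, all three critical tier-1 suppliers depend on the same tier-2 host and, through it, on a single tier-3 fabricator, which is exactly the kind of shared dependency a first-tier-only inventory never surfaces.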

Lay the Groundwork for a Resilience Operations Center

The Resilience Operations Center book goes into more detail on these and other topics, including aligning a business operating model with strategic risk management objectives, identifying your risk management program’s maturity level, and defining key ROC governance processes. Get a copy of the book here and put your supply chain and your organization on the road to operational resilience.

The Resilience Operations Center: Challenges and Success Factors

The following is an excerpt from “The Resilience Operations Center: A New Framework for Supply Chain Risk Management.” Download the ebook or request a print copy here.

With the goal of reaching and maintaining operational resilience, organizations are looking for a modern approach to supply chain risk management (SCRM) and third-party risk management (TPRM). One way organizations are working to improve their preparedness—and overcome the deficiencies of existing SCRM and TPRM approaches—is adopting Resilience Operations Centers (ROCs).

The ROC framework can drive better outcomes because it is based on three simple but vital principles: 1) aligning risk management and organizational goals, 2) breaking down silos, and 3) modernizing threat detection and mitigation with technologies like automation, artificial intelligence, and natural language processing. Plus, it provides the insight and agility needed to capitalize on never-before-seen opportunities.

Challenges to Operational Resilience

Of course, aligning around a new risk management approach is not always a smooth journey. There are several areas where operational resilience breakdowns can occur. The following issues and pitfalls can occur across the extended supply chain and within your own organization:

  • Weak, ineffective operational risk management governance processes at the board, senior management, business unit line management, and independent enterprise risk management levels.
  • Incomplete business continuity management for critical operations functions, including monitoring, scenario analysis, periodic testing and tabletop exercises, staff training, and availability.
  • Lack of scenario planning and analysis to anticipate potential disruptions in supply chains. Scenario planning should be combined with forecasting to assign probabilities of occurrence of scenarios to further refine plans.
  • Insecure information systems, including inadequate protections for sensitive information in transit and in storage at all locations.
  • Ineffective operations monitoring, log review, and follow-up actions and reporting.

Any one of these inefficiencies could result in the loss of significant financial resources and pose additional operational risk to your organization.

ROC Success Factors

Making a ROC successful involves many factors. But following these five fundamental principles will help any organization lay the groundwork for reaping the framework’s benefits.

  1. Be aware of your industry’s key operational risks. Different industries are exposed to different types of risks, along with varying levels of regulation. For example, financial services organizations focus on service interruptions to their supply chains caused by misconfigurations, misuse, and phishing/hacking. IT hygiene, focusing on active monitoring of your threat environment and proactive patching of security vulnerabilities, is a critical activity, as is having a mature software development life cycle. Manufacturing supply chain risk managers focus on disruption of logistics, transportation, and raw material procurement. Monitoring for and taking actions to address political instability, natural disasters, and the potential for black swan events such as pandemics can ensure greater operational resilience. Understanding your critical risks will allow you to focus on key mitigation steps to ensure operational resilience.
  2. Don’t think you can outsource business risk and accountability. Business units often assume that once a function has been outsourced to a supplier, they are no longer accountable for that functionality or the performance of their suppliers and extended supply chains. That is not the case. Establishing appropriate oversight of these relationships is management’s responsibility, and it can be done readily by performing quarterly supplier performance reviews against pre-determined success criteria. Outsourcing oversight also includes the ability to preserve and, as necessary, recover services in the event of a supplier failure. All outsourced critical business services need a contingency plan for either bringing the function back in house or migrating it to a new supplier in a timely manner.
  3. Maintain operating execution knowledge. Alongside accountability, the knowledge to effectively operate a business, if not carefully preserved by your organization, can disappear. You should always have a fallback plan for your suppliers to ensure your operational resilience should catastrophe strike. Preserving this knowledge within the business, with the capacity to insource or migrate the functionality should the need arise, is often neglected and can create a situation in which the ability to continue operating may be lost over time.
  4. Don’t equate compliance with risk management. Your SCRM program can become overly focused on compliance and “check the box” exercises to demonstrate that suppliers have been reviewed to identify operational risks. Focus on ensuring that proper steps have been taken to mitigate risks to a level that meets your risk appetite. Compliance isn’t resilience. Use KPIs to report trending changes in the delivery of critical outsourced products and services before product or service delivery resilience is negatively impacted. This leads to the next point.
  5. Focus on total cost of ownership (TCO) of your SCRM program. Your SCRM program can easily become a “Field of Dreams” endeavor in which you spend years building out an asset inventory, identifying supplier relationship managers, and performing increasingly large risk assessments without achieving risk mitigation. Risk assessments alone do not reduce operational risk. When combined with unfettered growth in the number of suppliers used by your organization, this can lead to inefficiencies in your overall risk management program and operational performance degradation. From the beginning of your program, identify quick wins that mitigate actual risks and report to all levels of management on progress being made towards greater operational resilience.


A Founder’s Journey: A Blind Ad, A dream, and One Person Who Believed

It all started with a blind ad and one person that believed…

The summer after I graduated college, I had a BS degree in Finance (cue laughter), no job, and no idea of what I wanted to do. I responded to a blind advertisement looking for a customer service person – with no inkling that my life would be forever changed by the experience, and that this was just the beginning of my career at the nexus of global supply chains and technology.

My first boss (we’ll call him ‘Ron’) did a herculean job of funneling my energy into, first, process re-engineering every department in the supply chain headquarters for a major retail brand, and then as the #2 person for a brand-new technological capability – building an inventory management system for that global brand’s entire supply chain. Today, my role would be considered as a product manager, i.e. I would interview the users on their manual activities and then discuss with the programmers how to build and automate a solution.

From there my career progressed to leading similar initiatives on behalf of technology companies, traveling the world, and working with a wide variety of businesses ranging from automotive, to CPG, to food and agriculture. My final, and most critical, stop on this path was bringing that technology to the US Federal Government and the Dept of Defense.

During my journey I continually noticed that companies were focused on what was inside the building or their supply chains, but not what was outside – and paid no attention to whether or not those exterior factors and relationships were creating potential risks to their operations and success. This was the genesis for the concept of Interos.

In 2019 I met the one person who would believe in both me and my technology concept – Ted Schlein of KPCB – who led my Series A. In 2020, he was joined by Nick Beim at Venrock, who led my Series B. Just like my first boss, all it took was the support of a handful of believers to make the difference between a dream manifested and a dream deferred.

Today, we are exposed to many stories articulating the need for greater diversity in business – and specifically on my personal passion, building greater support for more women in leadership, to bring their energies and companies to scale. I couldn’t agree with these stories more.

To close out International Women’s History Month, I’d like to celebrate some of the women who are already in the pipeline and making it happen, paving the way for the next generation of female entrepreneurship and a more just and inclusive world of business.

A Few Female Entrepreneurs of Note

Muriel Siebert – It’s fitting to start with the woman who, arguably, started it all. Muriel Siebert, who became informally known as the “first woman of finance,” was, simultaneously, the first woman to found a brokerage, the first woman to take a company she founded all the way to an IPO, and the first woman to hold a seat on the New York Stock Exchange. Siebert’s application for the seat was rejected 9 times before she succeeded, and she accomplished it all without even holding a high school diploma. Siebert credited her idea to buy a seat on the exchange to investor and friend Gerald Tsai. Despite the many obstacles she faced, her indomitable entrepreneurial spirit just needed the push of a single believer to help her change history.

Cathy Hughes – An American entrepreneur, DC public figure, and broadcast entertainer, Cathy Hughes became the first Black woman to head a publicly traded company when she took her media company Radio One (now Urban One) public in 1999. Hughes achieved all of this despite her family’s struggles with poverty, and her station WOL is still the capital region’s most-listened-to radio station. In the 1970s, when Hughes aimed to purchase her first station, she was denied by 31 banks. All it took was one lender to see the promise in her ambition for her to take the first steps towards revolutionizing American radio. Today Hughes owns over 55 radio stations across the country.

Whitney Wolfe Herd – A recent addition to the growing ranks of highly successful female founders, Whitney Wolfe Herd became the world’s youngest female self-made millionaire in 2021, when her company, Bumble (makers of the eponymous, female-focused dating app), went public. Herd’s experiences grappling with the challenges of being a female technology executive led her to give this advice to aspiring businesswomen: “Cherish being underestimated,” she said in an interview with The Wall Street Journal. “That’s your superpower.” Herd credits the friendly belligerence of Russian entrepreneur Andrey Andreev, the founder of Badoo, a dating app with 330 million users, for energizing her to build Bumble after she weathered a storm of online harassment following her departure from Tinder, her previous company. Three years later, 17.5 million people had registered with Bumble, and the app has been responsible for more than 1.2 billion matches.

Sheila Lirio Marcelo – the founder and CEO of Care.com, the world’s largest online service for finding medical care. Sheila’s world-changing medical technology vision began with a simple, maternal need: as a young college student, immigrant, and mother, Sheila struggled to balance caring for her two sons, ailing father, and school. 5 years later, in 2006, she founded Care.com. Sheila ultimately raised over $111 million in funding before taking the company public. Sheila shares an early investor with Interos, Nick Beim!

Ruth Zukerman – A co-founder of SoulCycle and Flywheel, Ruth Zukerman’s rise to entrepreneurial stardom began with the acceptance that her career as a dancer would never take off. A Long Island native, Ruth had no exposure to business growing up. After attempting to make it as a dancer in NY with little success, Ruth began building a following as a fitness instructor for Reebok. Zukerman’s entrepreneurial career was kicked off when a dedicated student approached her about fronting her the money to open her own dedicated, boutique spin business. With a single, devoted believer behind her, Ruth built a fitness empire.

Katrina Lake – The founder and CEO of Stitch Fix, the online personal shopping service, Katrina Lake started the company out of her Cambridge apartment while she worked on her MBA at Harvard. Buoyed by her experience consulting for the retail industry, and having watched her sister’s work as a buyer, Lake set out to create a data-driven styling solution that would make a tailored, personalized shopping experience available across America. At 34 she became the youngest female founder ever to lead an IPO. Stitch Fix’s success began with just 29 clients and the venture backing of Steve Anderson (Baseline Ventures) in 2011.

Beating the Odds

All of these women had to fight incredibly difficult battles against the odds, and the system itself, to bring their vision to the world. But they couldn’t do it alone. At critical junctures in each of their careers, they found support from someone else. It’s my hope that these stories of success resonate with each one of you, to inspire you to pursue your dream or to be that one person who helps someone else achieve theirs.

And remember, it just takes one person to believe…

RSA 2021 Recap – Supply Chain Resilience & Techtonic Geopolitical Shifts

2020 was a global inflection point for supply chains – and so much more. Economic nationalism, a splintering internet, and geopolitical tensions were simmering long before 2020, but were accelerated by the pandemic. The global shock also deepened the growing global divide between authoritarian and democratic ideologies around technology, expediting the emergence of distinct technospheres of influence. Driven by geopolitical shifts and the rapid evolution of emerging technologies, these techtonic shifts are already reshaping and redefining global supply chains. At last week’s RSA, I had the opportunity to discuss these global shifts and what forward-leaning companies should consider when seeking “Supply Chain Resilience in a Time to Techtonic Geopolitical Shifts”.

In addition to the horrific human toll, the COVID-19 pandemic punctuated the global order between Before Times and the post-pandemic era.

A Tale of Two Techno-Ideologies

The Chinese model of digital authoritarianism has spread aggressively. The model leverages technology to surveil, repress, and manipulate domestic and foreign populations. The tools and tactics inherent in this techno-ideology increasingly wreak havoc on both citizens and supply chains. With the steady beat of digital supply chain attacks, internet shutdowns, digital sovereignty stifling cross-border data flows, and government surveillance and mandates to access data, the digital authoritarian model is taking root across the globe.

A counter-weight is starting to emerge based on the aspirational visions of a secure, open, trusted, and free Internet. This nascent digital democracy model is beginning to address security and privacy through a multi-stakeholder lens and prioritizes collaboration and cooperation as well as individual data rights and protections.

Just as these distinct approaches continue to accelerate the splintering of the Internet, they are now leading to a splintering of supply chains and the technologies that undergird them. Government and private sector entities alike are increasingly reimagining supply chains based on trustworthy networks – with a specific focus on trusted suppliers and products.

Techno-spheres of Influence

How are these divergent ideologies impacting global supply chains? There are (at least) three core areas: trade wars, regulatory shifts, and global hot spots. In each of these, geopolitics and diverging approaches to technology are changing the risk calculus and cost of doing business at home and abroad.

  • Global Trade Wars: Just as the weaponization of cyber has shifted power structures across the globe, so too is the weaponization of trade. Governments are increasingly seeking to leverage industrial policy for national interests. Weaponized cyber programs are being paired with specific industrial policies to threaten supply chains. As the IMF recently summarized, “Technology wars are becoming the new trade wars.” And these technology wars are further exacerbated by opposing perspectives on the rules and norms surrounding the use of technology.

These disputes continue to influence corporate decisions regarding reshoring, onshoring, as well as alternative suppliers especially when geographic concentration risks are considered. In recent surveys, almost a quarter of companies plan to relocate supply chains and three-quarters have enhanced their scope of existing reshoring. Tariffs and market pressures have driven many of these changes, but a shifting regulatory landscape provides additional fodder for reassessing supply chain resilience.

  • Regulatory Shifts: To offset the risks posed by digital authoritarians, democracies across the globe have begun to prohibit or restrict foreign technologies. The U.S. Departments of Commerce, Treasury, State, Homeland Security, and Defense have all produced an uptick in export, re-export and capital flows restrictions. As the chart below highlights, the Bureau of Industry and Security at the Department of Commerce alone has added over 350 different Chinese entities to restricted lists since 2019.

Many countries are also leveraging industrial policy, such as the patchwork of 5G restrictions within Europe as well as India and Australia. China has also implemented its own unreliable entity list which could further pose challenges for global brands. Finally, the data protection and privacy landscape provides one more layer of complexity. Many countries are crafting similar laws to the GDPR. On the other hand, some nations are creating regulations in the mold of Cambodia’s internet autarky, Kazakhstan’s digital certs, and Ecuador’s all-seeing eye. All of these policy approaches introduce localized data risks.

  • Global Hot Spots: While major power competition dominates national security discourse, global supply chains are also impacted by a rise in instability. Cyber and emerging technologies have introduced asymmetric power, wherein small countries can have an oversized impact due to the minimal resources and diminished price required to harness offensive cyber or emerging technologies. North Korea, Russia, and Iran are the usual suspects when considering the asymmetric nature of power, especially when considering the reach of campaigns such as SolarWinds or Iranian and North Korean campaigns against the financial industry.

Similar capabilities are now available across the globe and further exacerbate instability and unrest. For instance, Vietnam and Lebanon both have advanced persistent threat groups (APTs) linked to global campaigns. Meanwhile, localized conflicts between Armenia and Azerbaijan, Western Sahara and Morocco as well as the Tigray region have integrated foreign-made drones and disrupted energy markets, trade routes, and manufacturing supply chains, respectively.

Building Resilience Amidst Techtonic Shifts

What can be done to build resilience under these dynamic conditions? First, a collective security approach is essential. As a Wall Street Journal logistics report noted, “A substantial investment in securing customer data at one company can easily be undermined by a supplier with weak financial incentives for safeguards.” Second, in preparing for the ‘new normal,’ avoid the inherent inclination to prepare for yesterday’s risks and disruptions. This is not simply a new Cold War or the end of globalization, but rather a new order that includes risks new and old. Finally, gaining visibility across your entire supply chain ecosystem – as well as the data that flows through it – is paramount. Data and privacy risks are increasingly localized, and borders do exist on the internet.

Of course, these ongoing global shifts introduce a range of challenges. Decoupling and reshoring are expensive, but it is important to keep in mind that this is not an all-or-nothing approach: we must prioritize based on criticality and dependencies. Keeping up with the regulatory shifts is also increasingly difficult, especially since some of these changes may occur below the radar if you don’t have a way to track them. And of course, mental models are hard to shift. It’s easier to assume the new normal will look like it did in Before Times, but that could leave organizations ill-prepared for tomorrow’s disruptions.

Despite these challenges, there are also significant opportunities. Resilience can be a competitive advantage. Preparations now for the range of disruptions will pay off down the road. Collective security and collaboration can further strengthen resilience and help lead to more trustworthy and reliable networks. Finally, technology can help overcome blind spots and provide greater visibility and insights into the range of current and potential future disruptions.

Now is the time to either shape the future or be shaped by it. Based on the fascinating interactive Q&A session at RSA, there seems to be growing interest in these shifts and desire to do the hard work of building more resilient supply chains. Now it is on us to avoid a collective failure of imagination and reimagine supply chain resilience on par with these techtonic shifts.