Operational Resilience, Business Continuity, and the CISO: A White Paper ​

The Increasing Role of the CISO in Operational Resilience and Business Continuity

As supply chain attacks and disruptions are becoming more common, Interos sees the increased need for the Chief Information Security Officer (CISO) to become more proactive in dealing with business continuity and risk management to achieve operational resilience. This need is discussed in detail in Michael Rasmussen’s paper from GRC 20/20 Research.

Michael is a well-known figure in the cybersecurity and governance, risk management, and compliance (GRC) community. He was for many years a top Forrester Research analyst, and now runs GRC 20/20. In this paper, the need for the CISO to look at operational resilience as an achievable task is well laid out both in approach and goals.

CISOs Must Consider Business Continuity and Risk Management

Operational resilience is the ability of an organization to plan for supply chain disruption, be able to execute correctly, and take advantage of new situations. Many organizations lack the agility to deal with supply chain disruption because they fail to see it as a regular part of business continuity & risk management planning. Recent events have shown how some organizations have been caught entirely off-guard by disruption, but others have pivoted and thrived. 

The CISO’s role is one of protecting the organization. This is now increasing to include active threats, including supply chain cyber disruptions and risks. A cyber-attack can disrupt a supply chain because a supplier was found to be using counterfeit goods or subject to sanctions. The recent Log4J event highlighted this problem. Most vendors provided a patch, which was the most straightforward approach. For instance, some vendors’ solutions had to be repositioned within the network behind a Web Application Firewall (WAF). Still, others that could not be mitigated had to be removed and replaced, which was the most disruptive. 

Supplier issues are addressed in the same way. A supplier may have a cyber-breach, but most can address this with patches and taking a positive approach to resolving the problem. Suppliers found to be using counterfeit goods may have some products discarded or re-worked with new material, fixing the problem. But a vendor who cannot come into compliance or has fundamental issues like bankruptcy must be replaced, which has the most negative effect on the organization. The CISO must look at more risk factors than cyber to address this proactively. They must coordinate with the other teams within their organization to discuss business continuity & risk management concerns, and ultimately guide executive leadership on the best way to achieve operational resilience and prepare for supply chain issues.

The GRC 20/20 paper addresses this subject in detail. Interos suggests you review it and learn from Rasmussen’s vast experience the best approaches for a CISO to become a master of operational resilance. To learn more about the Interos platform, and how it can help CISOs with challenges tied to business continuity and risk management, visit interos.ai.

Download report.

Russian Invasion of Ukraine: More Global Supply Chain Ripple Effects

By: Margaret D’Annunzio, Trevor Howe & Michael Eddi

Russia’s invasion of Ukraine has created a humanitarian crisis and is the most profound conflict in Europe since the Second World War and countless supply chain ripple effects. Amid the suffering and chaos, companies and governments are both acting and reacting to the challenges presented, creating a cascading and unpredictable sequence of events.  

Global supply chains that were already stretched by COVID-19 have been significantly and, in some cases, permanently altered. While it is relatively easy to discern what key materials have been immediately impacted by physical and political blockages of goods, the medium- to long-term impact of the invasion is complex and will require ongoing analysis at both the policy and logistics level.  

It is all but certain that second-order and unintended disruptions will occur. Some of the key elements include: 

  • Logistics routes changes and higher costs 
  • Energy sourcing strategy changes and price volatility
  • Realignment of the geopolitical landscape 

Logistical changes: reduced shipping in the Black Sea, altered air and costlier routes 

Ukrainian exports account for a significant part of several commodities’ global trade: Ukraine exports 13% of global corn and 12% of global wheat, and is the fifth largest exporter of iron ore in the world.   

Shipping routes through waters on Black Sea are likely permanently altered. Trade will be affected as enterprises classify the area as an increasingly risky area in which to operate. Even prior to Russia’s invasion, London’s marine insurance market had already added the Ukrainian and Russian waters around the Black Sea to its list of areas deemed high risk.

Since the start of Russia’s invasion, insurers have raised the cost of providing cover for merchant ships through the Black Sea driving up the overall cost of transporting goods through the region which has already experienced upward pressure from elevated fuel costs. 

European airspace closures and global Russian aircraft bans are also expected to create protracted international shipping timelines and increased air-freight costs. These after-effects will manifest as a byproduct of longer contingency routes around restricted airspace, creating longer journeys that, in turn, require greater amounts of fuel to move cargo.  

It is estimated that fuel represents a quarter or more of a given airline or airfreight organization’s cost base.

Energy supplies and the impact of sanctions 

Sanctions against the Russian energy sector were initially avoided, largely due to concerns over the resulting price increases. But as President Putin has relentlessly continued his assault on Ukraine, policymakers in the U.S., U.K. and E.U. announced plans to curb the import of Russian energy in coordinated moves, driving prices even higher. 

President Biden signed an Executive Order to ban U.S. imports of Russian oil, liquefied natural gas, and coal, as well as the prohibition of direct or indirect U.S. investment in Russia’s energy sector.

The British Government announced it will phase out Russian oil and oil products by the end of 2022.  Although many countries have not directly banned oil imports from Russia, sanctions in the Russian finance, banking, insurance and freight industries have targeted their relationships and effectively caused disruptions in the logistics of the oil market, along with elevated costs and market price volatility.  

Geopolitical landscape changes and strengthening alliances 

Russia’s invasion of Ukraine has already had significant ripple effects for countries not actively engaged in the war. Germany has announced several major policy decisions contrary to previously stated positions, leading to an allocation of €100 billion euros in its 2022 budget, one of the largest injections of capital recently seen into the European defense sector.  

The potential spread of the conflict to neighboring countries in the area such as Moldova could further complicate the situation and undermine significant supply chain nodes in the automotive industry. And geopolitical shifts could occur regarding NATO membership for Finland and Sweden, exacerbating tensions between Russia and Northern Europe, as well as potentially more energy price shocks.  

For the first time, there appears to be a majority of the population in Finland and Sweden in favor of NATO membership. 

The war also seems to have driven China and Russia closer together, strengthening an already dangerous alliance. While most of the world is sanctioning Russia, China has signaled its intent to continue to trade with its strategic partner, and in some instances such as for wheat, to step up trade 

With Russia and Ukraine making up 30% of global exports of wheat, food costs have risen. Food shortages and rising energy prices create an even more dangerous environment in some regions of the world, and in a more deglobalized, fragmented economy, growth and demand will stall.  

Changes to the global economic order are already foreshadowed and, with it, ultimately comes possibly profound and fundamental shifts in most supply chains as payment networks are restructured, reserve currency dependencies reconsidered, and energy trade transformed. 

To read our full report, Russian Invasion of Ukraine: Second-Order Developments, click here. To see all of Interos’ analysis and reports related to the war in Ukraine, click here.

Why Taiwan Could Be the Next Source of Global Supply Chain Disruption

When supply chain executives are asked about the risks that most concern them, geopolitical issues such as wars, social unrest, and major terrorist attacks are typically low on the list. Or at least they used to be. Soon, the supply chain impact of a Chinese invasion of Taiwan may top that list. 

We’ve already seen how war can shift perceived supply chain risks. Just prior to Russia’s invasion of Ukraine, for example, an Interos survey of 1,500 procurement and IT security professionals found that geopolitical considerations were by far the lowest ranked risk factor when evaluating suppliers. Less than a quarter placed it in their top 3 risks.

Asked the same question a few weeks into the war, however, and that figure had more than doubled to over half of the sample.

The events in Russia and Ukraine demonstrate how military conflict can quickly disrupt global supply chains that are heavily dependent on a particular region or country. This is often referred to as concentration risk. 

In this case, the impact is largely around the availability and cost of key commodities and raw materials — oil and gas, metals such as titanium and palladium, and agricultural crops such as wheat and corn. 

The supply chain impact of a Chinese invasion of Taiwan would be rather different — and, in all likelihood, much greater.

The Impact of China Invading Taiwan

Russia’s action has reignited fears about China’s intentions towards Taiwan, an island of almost 24 million people situated 100 miles off the Chinese mainland.

Since Taiwan’s declaration of independence in 1949,  China has claimed sovereignty over Taiwan and regards it as a rebel region that must be reunited with the mainland, by force if necessary.

Taiwan is a vitally important hub in global electronics supply chains, with 53% of its exports by value in 2021 being electronic components and technology products, according to official data.

While China is Taiwan’s main trading partner, accounting for 28% of these exports, the U.S. (15%), Europe (9%), Japan (7%), and Singapore (6%) are also significant importers.

Analysis of Interos’ global relationship mapping platform reveals that:

  • More than 23,100 U.S. companies buy directly from Taiwanese suppliers at tier-1, while more than 112,500 buy indirectly at tier-2, and over 237,500 at tier-3.
  • More than 3,600 European firms buy directly from Taiwanese suppliers at tier-1, while over 68,000 buy indirectly at tier-2, and over 184,000 at tier-3.
  • More than 1,200 companies in Japan and Singapore, along with Australia, buy directly from Taiwanese suppliers at tier-1, while over 11,300 buy indirectly at tier-2, and over 26,000 at tier-3.
  • Electronic equipment and components, semiconductors, machinery, household durables, software, and chemicals are among the main industry segments represented in these trading relationships.

The impact of China invading Taiwan: disruption of vital electronics supply chains

In both geopolitical and supply chain terms, Taiwan’s importance to the world economy is heavily skewed towards semiconductor manufacturing.

In 2020, Taiwan had a 63% market share of global chip production and integrated circuits (ICs), and micro assemblies accounted for 35.6% of the country’s exports by value — 10 times more than the next highest category (see table below).

Taiwan’s Exports by Value
US$, 2020

"Taiwan's Exports by Value." Integrated circuits and micro assemblies top the list at over 122 billion USD in 2020.

Source: World’s Top Exports

Of particular strategic importance, Taiwan dominates the manufacturing of cutting-edge chips used in advanced commercial and military technologies, producing over 90% of global output featuring transistors smaller than 10 nanometers.

Interos data analysis suggests that while TSMC, as a contract manufacturer to the semiconductor industry, has a relatively small number of direct customers in the U.S. and Europe, its importance at tiers 2 and 3 is enormous.

  • Of U.S. companies being supplied by Taiwan-based semiconductor manufacturers, 12% are supplied by TSMC at the tier-1 level, but at tiers 2 and 3 the equivalent figures are 70% and 86% respectively.
  • Of European firms being supplied by Taiwan-based semiconductor manufacturers, 4% are supplied by TSMC at the tier-1 level, but at tiers 2 and 3 the equivalent figures are 65% and 85%

The COVID-19 pandemic has created a severe shortage of chips for automobiles, computers, games consoles, medical devices, and other electronic equipment.

This crisis, and growing awareness of just how concentrated semiconductor manufacturing is in Asia (South Korea and China being the two other main producers after Taiwan), has prompted the U.S. and European governments to call for geographic diversification of capacity.

TSMC is currently building its first U.S.-based fab in Arizona, due to open in 2024, while Intel and Samsung — two other industry heavyweights — are investing tens of billions of dollars in advanced chip-making plants in Germany, Ireland, and Texas.

However, it will be several years before this new capacity comes online. In the meantime, the possibility of a Chinese invasion of Taiwan remains a critical threat to global supply chains that depend on semiconductors and other vital electronic components.

Caught in the crossfire between the U.S. and China

Taiwan is at the center of the superpower battle between the U.S. and China — a geopolitical and economic struggle for supremacy that was ratcheted up beginning in early 2018 with the trade war and tightening controls on the sale and usage of key American and Chinese technologies.

Sino-American friction over Taiwan has increased during the past year, with both nations stepping up air- and sea-based military drills in the area around the island.

This situation is of particular concern to neighboring Japan. In late February, an opinion poll found that 77% of Japanese people were worried that Russia’s invasion of Ukraine could increase the likelihood of Chinese aggression.

Whether China attempts to take Taiwan by force or not — and there are plenty of good reasons commentators think it won’t (see below) — the supply chain impact of a Chinese invasion on global semiconductor and electronics supply chains is concerning.

Will China invade Taiwan? Exploring why or why not

"Will China Invade Taiwan?" Two columns list reasons China would or wouldn’t invade, and are roughly equal in length.

Aside from the obvious geopolitical threat, Taiwan is also at risk from natural disasters. The island is situated on the Pacific Ring of Fire, a 25,000 mile (40,000 km) zone that experiences a majority of the world’s most powerful earthquakes and around three-quarters of its volcanic activity.

Any catastrophic event in Taiwan, whether caused by human or environmental factors, would have a rapid and financially damaging impact on global supply chains that could significantly outstrip that experienced during Russia’s war on Ukraine.

Time to re-assess risk exposure and rethink supply chain risk management

The message to global supply chain leaders with respect to Taiwan is fivefold:

  1. Assess your dependence on, and risk exposure to, Taiwan by understanding the direct, tier-1 relationships you have with Taiwanese suppliers and the components, parts, raw materials, and products you buy from them.
  2. Build transparency of your indirect connections to Taiwan by getting visibility of your extended supply chain in the country at tiers 2 and 3.
  3. Evaluate the extent to which key semiconductors, electronic components, and other items you depend on from Taiwan-linked supply chains are single- or sole-sourced — and where you have viable alternative options already in place.
  4. Where your dependence on Taiwan is deemed unacceptably high, according to your organization’s risk appetite, develop a strategy aimed at diversifying your supply base footprint to other geographies — either by sourcing from new suppliers and/or by working with existing partners to utilize alternate capacity.
  5. Ensure that you continuously monitor your Taiwan-dependent supply chains for both geopolitical and operational risk events, alongside those of a financial, cyber-security, and ESG nature.

If the above steps seem impossible within your current supply chain or procurement programs, it may be time to stop relying on the often-manual, reactive capabilities of supply chain risk management and time to start leveraging technology-driven solutions within an operational resilience framework.

Fill out the form below to download Interos’ full report on Taiwan and the semiconductor supply chain or, to learn more about the Interos platform, visit interos.ai.

Updated: China’s Zero-COVID Policy Exacerbates Supply Chain Disruptions

The Chinese government has escalated its response to a Covid-19 outbreak in Shanghai, sending in more than 10,000 health workers and 2,000 military personnel to conduct mass testing of every city resident.

The testing comes as the latest step in what started as a two-phase lock-down to reduce virus transmission and has a major impact on supply chains, the global economy, and companies such as Tesla and Volkeswagen who have major factories in that region. These factories have been forced to temporarily shut down during the initial phase of the most recent lock-down.

The aggressive testing approach comes as part of China’s zero-Covid strategy, which in recent weeks has led to rapid shutdowns of major economic and manufacturing regions to contain the spread of the virus. Shanghai, home to more than 26 million people, reported more than 9,000 new cases early Monday.

Although Chinese officials claim the port remains open, port workers, factory workers and truck drivers are not permitted to travel to work. This will limit the ability factories to deliver containers to the ports during this time.

Aside from Shanghai, over the past few weeks the Chinese government has also locked down the key business city of Shenzhen, and ten other areas due to new cases of domestic COVID infections. In the northeast of the country, Changchun and other cities in Jilin Province have shut and smaller cities such as Suifenhe and Manzhouli (on China’s border with Russia) have temporarily closed as well.

Many of these areas within China are critical international hubs for manufacturing and technology. The extreme and now-frequent shutdowns have further taxed already-stressed global supply chains.

The Global Impact of China’s Zero-COVID Policy on the Supply Chain

Data analysis from the Interos global relationship mapping platform illustrates the importance of Shanghai to US-based companies, for example:

  • 20,000+ US entities have direct relationships with tier-1 suppliers in the Shanghai region
  • This number grows to over 95,000+ entities when indirect suppliers at Tier 2 are included
  • At the Tier 3 level, 203,500+ US companies have indirect supplier dependencies in Shanghai
  • Software, machinery, textiles/apparel, specialty retail, commercial services and electronic equipment/components are among the main industry sectors covered by these buyer-supplier relationships

When including Shenzhen and Jilin to the Shanghai disruption, we find the following:

  • More than 25,000 US entities buy directly from suppliers in the Shenzhen, Shanghai and/or Jilin regions
  • This number grows to over 103,900 entities when indirect suppliers at Tier 2 are included
  • At the Tier 3 level, 206,700 US companies have supplier dependencies in Shenzhen, Shanghai and/or Jilin

China has been indiscriminate in its closures. The one-week shutdown of Shenzhen, included Yantian, home to another of the country’s busiest container ports. Other highly populated districts of the city, including the commerce hub of Futian and technology-based Nanshan, were also closed. These closures prevented millions of office and factory staff from getting to work.

Desperate Times Call for Creative Measures

Because most Chinese factories do not disclose inventory details, it is difficult to predict the immediate impact of these closures. Existing stocks and spare capacity at alternative plants outside the locked-down areas can absorb orders for a short time.

Some manufacturers resort to creative measures. For example, Apple contract manufacturer Foxconn was able to restart some production at its Shenzhen factory using a “closed-loop” system where workers living on-site must remain on the company’s campus. GM and Volkswagen have also been able to keep their Shanghai plants open. But even creative solutions like this don’t work for all companies: Tesla attempted to use the closed-loop system when Shanghai was closed, but ultimately could not due to lack of provisions.

Because of the global reliance of US, British and other companies on suppliers in these affected areas in China, delays to finished products, parts and components from the region are likely. As a point of reference, last year’s one-month disruption at Yantian port, the world’s fourth-largest, held up thousands of shipping containers. The ensuing backups caused a massive ripple effect on global supply chains.

Any extended lockdown would likely affect semiconductors and electronics used by multiple sectors, including the automotive industry, extending long lead times for these products further.

Click the video to learn how to use the Interos platform to monitor Shanghai supply chain risk exposure.

Understanding the Inflationary  Impact

China’s zero-COVID policy may also increase pressure on the global economy by intensifying the impact of inflation. Supply chain bottlenecks were expected to “materially ease in the early months of this year,” with downward pressure on producer and input prices and shorter lead times, according to Katrina Ell, a senior economist for Asia-Pacific at Moody’s Analytics. “But given China’s zero-COVID policy and how they tend to shut down important ports and factories — that really increases disruption.”

The US Federal Reserve and the International Monetary Fund have both issued similar warnings. The IMF also revised up its near-term projection for inflation “in response to the anticipated slower resolution of supply issues”.

This post has been updated from its original version to include new information.

The Impacts of Removing Russia from the Supply Chain

Pressure on U.S., European and other companies to cut ties with Russia has been building over the past month since Vladimir Putin’s invasion of Ukraine.

Most of the public debate and media attention has been on companies that have closed their shops, offices, and factories and stopped selling to Russian customers. This growing list includes the likes of McDonald’s, Coca-Cola, Starbucks, Apple, H&M, IKEA, and Ford.

This is both a sales revenue and inbound supply chain story. It is a sales revenue issue because these companies will be foregoing income from Russian customers due to their decision to stop operating in the country. It is an inbound supply chain issue because, in many cases, they will either have to cease shipments of ingredients, raw materials, parts, and finished goods imported into Russia and/or cancel planned orders from suppliers manufacturing there.

However, the mass exodus from Russia is also an outbound supply chain story – and this arguably has more severe implications for Western companies.

Russia’s supply chain a major source of raw materials

Russia remains a relatively small economy by international standards. For example, it is slightly bigger than Australia in GDP despite having more than five times the population. The sales losses from shutting down operations there are something that most foreign firms will be able to absorb.

But Russia is also a significant exporter of essential commodities such as energy, metals, and crops that aerospace, automotive, industrial, food, and other manufacturing companies operating outside the country depend.

Russia is:

  • The world’s second-biggest exporter of crude oil and the largest source of natural gas
  • A significant producer of nickel, platinum, titanium, steel, aluminum, palladium, copper, and uranium
  • The world’s top wheat exporter, selling over 38 million tons globally

Additionally, Ukraine is a major exporter of corn, barley, and rye and produces more than half of the world’s supply of semiconductor-grade neon.

While most of these commodities are currently not the subject of Western government sanctions, supply availability and shipping delays are growing concerns, and prices have skyrocketed as markets exhibit significant volatility.

Given this situation, and amid uncertainty about how long the war will continue and how far-reaching its impact could be, many organizations have to rethink their sourcing strategies concerning Russia and Ukraine.

A case in point: on March 7, Boeing announced it was suspending its purchases of titanium from Russia, which accounts for around one-third of its total supply needs.

Getting visibility of Russian suppliers

Many U.S., European and Asian companies don’t want to be seen as supporting the Russian economy, let alone helping to fund its war machine. They are, consequently, reconfiguring their supply chains and sourcing strategies for both operational and reputational reasons.

To avoid doing business with Russia from outside the country, companies first need to understand who directly buys vital materials, components, and products. They also need to get visibility of other Russian-based entities they are indirectly connected to further upstream in their extended supply chains.

This is far easier said than done.

Analysis of Interos’ global relationship mapping platform highlights the following in respect of two major Russian-owned metals suppliers, for example:

  • VSMPO-AVISMA, a subsidiary of Russia’s state-owned arms manufacturer Rostec, is the world’s largest titanium producer, with over 30% global market share. According to our data, it is a Tier 1 supplier to 42 international companies, including Boeing and Airbus. One-third of these are U.S.-based and more than half (56%) are in the aerospace & defense (A&D) industry.
    • VSMPO-AVISMA and its subsidiaries are tier-2 suppliers to almost 3,000 companies outside Russia, including airlines and A&D firms. This group is also a tier-3 supplier to more than 112,000 firms worldwide, making industrial machinery, electronic equipment and other products.
  • Norilsk Nickel (Nornickel) mines 40% of the world’s palladium – used in semiconductor manufacturing and catalytic converters to reduce vehicle emissions – and is a leading nickel producer used to make stainless steel and electric vehicle batteries.
    • While Nornickel shows up in our platform as a direct supplier to only 11 foreign companies, it forms part of almost 56,000 supply chains at tier 2 and over 323,000 at tier 3. U.S.-based firms represent 52% of these connections at tier 2 and 41% at tier 3, with the UK accounting for a further 6-8% and India 5%.

Understanding foreign company dependencies

As well as understanding the domestic Russian producers they do business with, directly or indirectly, international customers also need to be aware of foreign-owned companies operating within the country.

To get a sense of these connections, the Interos Resilience Lab reviewed the list of over 400 major U.S., European, Japanese and other brands compiled by Professor Jeffrey Sonnenfeld and his colleagues at Yale University that have announced plans to leave, scale back, pause or stay in Russia.

Of the 50 companies we looked at with manufacturing-based supply chains, many operate within Russia to supply customers serving the domestic market. They include glass producers, industrial gases, bulk packaging, and tires – items typically made at a national or regional, rather than global, supply chain level. However, some of these companies also use the Russia supply chain as an export base.

Three illustrative examples:

  • A sizeable U.S.-based conglomerate has more than 60 European or UK customers that it supplies directly from Russia. It also supports over 17,500 customers as a tier-2 supplier and 86,800 as a tier-3 supplier. The equivalent numbers of U.S. customers are significantly higher at all levels.
  • An American metals producer with manufacturing operations in Russia supplies over 25,000 firms in the UK and Europe at Tiers 1-3, and over 57,000 in the U.S.
  • A multi-billion industrial products manufacturer with a key subsidiary in Russia serves more than 175,000 customers at Tiers 1-3 in the U.S., and 95,000 in the UK and Europe.

Procurement and supply chain leaders need to understand these connections and dependencies, whether because these sources may be subjected to disruption over the coming weeks or because they wish to avoid purchasing from Russia.

For continued updates on the supply chain impacts of the war in Ukraine, please see our Ukraine Crisis Resource Center.

SEC’s Bold ESG Proposal Requires Bolder Actions

Fittingly, less than 24 hours after marking the Spring Solstice in North America, we’ve reached a true inflection point in the march to create smarter, healthier businesses and a better planet.

Today’s proposal by the Securities and Exchange Commission (SEC) to require businesses to begin measuring and disclosing greenhouse gas emissions in a standardized way is a huge milestone in the evolution of Environmental, Social and Governance (ESG) awareness here in the U.S. and around the world.

It’s also a momentous catalyst for ensuring greater visibility and resilience across your supply chain.

Per the proposed ruling, companies are obligated to disclose their direct (Scope 1) and indirect (Scope 2) greenhouse gas emissions and, crucially, emissions generated by their suppliers, called Scope 3 emissions. While the requirement for Scope 3 emissions will only be limited to companies above a certain size, their inclusion reflects a greater concern than ever before on the effect of extended supply chains on the global climate.

The ruling will be available for public comment for 60 days before a final ruling is handed down.

Strong Message Needs Strong Response

Regardless of outcomes, the announcement marks the most significant intention to overhaul corporate disclosure rules in decades and sends a strong message to businesses everywhere that climate change action is now among the most pressing concerns and priorities for Wall Street’s top regulator and investors.  Despite its reputation for lagging behind Europe on ESG matters, this announcement indicates that the U.S. is taking these issues just as seriously.

Today’s news certainly doesn’t come as a shock. According to POLITICO, thousands of companies already voluntarily provide emissions data to CDP, a nonprofit repository of corporate climate reporting. And in the U.S., nearly 32 percent of companies even disclose their supply chain emissions to CDP.

Over the past several months, I’ve participated in several climate, ESG and investor-related conferences, including Blackstone’s CEO Council last week. This issue – and the need for greater supply chain visibility – is right up there with Russia’s invasion of Ukraine as the most important conversations taking place among leaders across business, government and civil society.

It also follows a host of societal and business trends we’ve been following for the past few years as activist consumers and investors push for greater action and transparency on climate, social justice and economic equity issues.

And they’re putting their money where their mouth is. Sustainable investing is on the rise globally, with assets under management having surged from $30.7 trillion in 2018 to $35.3 trillion in 2020, according to the Global Sustainable Investment Alliance.

To put that into context, that $35.3 trillion is equal to the combined GDPs of the world’s two largest economies – the U.S. and China. And its rate of growth surpasses both.

With today’s announcement, the race is on for diligent, transparent, consistent and accountable ESG reporting.

From Compliance to Competitive Advantage

And let’s be clear: This is not just about compliance anymore. Rather this is all about competitive advantage. Companies that embed and integrate ESG into their operating and business models to enhance operational resilience, drive efficiencies, satisfy consumer demands and reinforce their values to employees will gain significant competitive advantage. And those that back these actions with clear visibility into their suppliers’ actions across their extended supply chain will be the undisputed market leaders of the next decade and beyond.

In a comprehensive report issued by the University of Oxford, 88 percent of companies that embraced ESG reported higher operational performance, while over 90 percent experienced lower cost of capital and over 80 percent saw improvements in stock performance.

Driving optimal ESG business performance requires not only integrating sustainable practices and measures within your own operations but also working diligently with your suppliers which, in many cases, may bear most of your exposure. Scope 3 emissions are a great case in point. In most FMCG companies, for instance, including giants like Coca-Cola, more than 80 percent of carbon footprints resides within their supply chain.1

And for most of these businesses, it’s not so much a carbon-awareness problem as much as it is a data and visibility problem.

Interos Study Shows Deficits in Visibility and Data

Our own recent study on supplier sustainability at Interos shows that companies want sustainable supply chains but lack the data and visibility into their partners’ operations to truly meet their sustainability goals. The survey shows that 37 percent of responding businesses struggle to obtain the data to measure supplier sustainability accurately.

Additionally, 74 percent of businesses responding to the Interos study say they rely on manual methods and self-reporting. And perhaps most alarming, 41 percent of organizations report that ESG-related risk factors had caused detrimental impacts to their business in the past two years. ESG disruptions cost companies an average $35 million in lost revenue annually, and untold millions more in brand and reputation impacts.

With more than half of companies lacking supply chain visibility across their extended ecosystems, organizations face the possibility of both ESG reputational risks as well as regulatory risks as governments across the globe ban supply chain exposure to issues like human rights violations.

Whether it’s unethical child labor practices in China creating business concerns for H&M2 or environmental recklessness in the Amazon region creating problems for McDonald’s, Walmart, and Costco3, these days the C-Suite is working hard to gain real visibility into risks lurking deep in the supply chain that could cause serious negative repercussions back at headquarters.

In my own recent conversations with business and government leaders, it’s clear that more and more C-suites and boardrooms are focused on greater visibility and transparency. The power of transparency is that it turns doing the right thing into a massive business opportunity.

This goes beyond the investment world; this goes straight to the core of the corporate world and the myriad extended supply chains of finance, manufacturing, energy, aerospace and defense, pharma, automotive and beyond.

Done right, we can encourage the creation of a better, healthier, and safer global economy. We can help re-build trust in the global supply chain. We can reveal and reward the good, as well as see the bad and put a higher cost of doing business on pursuing environmentally unsound ways of operating.

The SEC has given us more reason to do just that.

  1. Coca-Cola’s GHG emissions worldwide 2020 | Statista
  2. H&M and Other Brands Face Backlash From Chinese Consumers – The New York Times (nytimes.com)
  3. https://www.onegreenplanet.org/environment/companies-linked-amazon-deforestation-mcdonalds-walmart/

The Supply Chain Implications of the Russian Energy Ban

The Biden Administration issued an executive order earlier this month that bans the import of Russian oil, liquefied natural gas, and coal to the United States and prohibits any United States citizen from initiating any new investment in the Russian energy sector, regardless of where that person is located. 

This is another punitive step as the United States ramps up its pressure on Russia for Vladimir Putin’s attack on Ukraine.  

The Downstream Impacts of the Russian Energy Ban 

Record high gas prices have fueled already high inflation and will have significant implications on policy, earnings, and many supply chains for the foreseeable future. According to the International Energy Agency, U.S. imported approximately 700,000 barrels of oil per day from Russia in 2021.

The United Kingdom is gradually detaching itself from Russian energy, and the European Union is cutting gas imports from Russia by two-thirds this year. Although the economic impact from the loss of Russian energy is much more significant for Europe than for the U.S., other supply chain consequences exist. 

Understanding Russian Energy Buyers

Data analysis by Interos found over 120 distinct U.S. entities that directly buy from Russian firms in the oil, gas, and consumable fuels sector. Looking further into the supply chain, the number of relationships grows to over 33,000 U.S. entities for Tier 2 suppliers and 157,000 for those at Tier 3. 

Most of the direct buyers of Russian energy are in the same or similar industries, but, notably, some are in sectors as diverse as software, retail, and food products. 

The relatively high numbers of U.S. buyers connected to Russian energy suppliers beyond tier 1 are significant considering how little the country directly depends on Russian energy. 

Even for those companies in which a Tier 1 supplier is not specifically dependent on Russian energy or impacted by the import ban directly might experience disruption further down the line. 

This could result from indirect relationships and dependencies that they may not be aware of. It also underscores the complexity and interconnectedness of global supply chains and the importance of having tools to identify and evaluate a company’s broader risk exposure. 

Impacts Felt in the United States

Although the US does not import enough Russian energy to significantly impact the Russian oil industry on its own, the move is still impacting energy prices and further pressuring other countries.  Indeed, many energy companies are severing relationships beyond what the EO requires.  

Although Europe is indeed more dependent, oil is a global commodity. It is traded almost exclusively in US dollars and these changes will affect the entire supply chain, both in terms of prices paid and further delivery delays. This will have a far-reaching impact on the energy and marine sectors.  

Stakeholders with connections to the energy and shipping sector will be immediately impacted and are required to examine their operations, supply contracts and charter parties to determine if the EO applies to them 

We expect even more restrictions to be imposed as the invasion sadly continues. 

For more information on the supply chain impact on the crisis in Ukraine, please visit our Ukraine Crisis Resource Center. 

Expanded analysis on Europe – Ukraine supply chains shows hidden connections

A comment from a Volkswagen executive in the Wall Street Journal this week sums up the challenge facing many European and international companies when it comes to the crisis in Ukraine. “Ukraine is not central to our supply chain, but suddenly we discovered that when this part is missing, it is.”

The war has already taken an extraordinary toll on individuals, families, and communities in Ukraine. Another added layer of anxiety comes from employees and businesses not knowing the full extent of their commercial ties and dependencies on Russia or Ukrainian supply chains in their extended supplier networks.

European reliance on Russia/Ukraine supply chains is greater than it seems

Bad intelligence derived from opaque supply chains can have perilous implications on businesses and individuals. For instance, data from Interos’ global relationship mapping platform shows that less than 250 German companies have direct tier-1 suppliers in either country. But, when the focus is expanded to include their suppliers’ suppliers the number of connections jumps massively.

Germany-based firms across all industry sectors have:

  • Tier-2 connections with more than 1,600 suppliers in Ukraine, and over 7,500 in Russia
  • Tier-3 connections with more than 12,200 suppliers in Ukraine, and over 18,200 in Russia

Broadening the focus to the European Union as a whole plus the UK, the number of tier-2 and tier-3 connections with Russian and Ukrainian suppliers is greater still:

  • More than 8,200 European firms have tier-2 suppliers in Ukraine, and over 38,000 have tier-2 suppliers in Russia
  • More than 109,000 European firms have tier-3 suppliers in Ukraine or Russia

A survey of German supply chain and procurement executives conducted by Gartner last year found that 80%  of companies thought they had good visibility of tier-1 suppliers (more than three-quarters of companies, parts and locations known). However, only 7% said the same about tier 2, and only 5% about tier 3.

Given these findings, the fact that a company like VW is unaware of its risk exposure to the war Ukraine until critical parts stop arriving at its car factories should come as no surprise.

In a lean and just-in-time industry like automotive, where every part is critical no matter how cheap or small, the impact of disruption is more immediate than in other sectors. Which is why VW stopped production at its plants in Zwickau, Dresden and elsewhere this week.

Visibility helps companies respond to crisis

European supply chain leaders – like their counterparts in the U.S., Asia and elsewhere – may not have all the data they need to optimize their scenario modelling and risk mitigation strategies, but they are working towards improving  these capabilities.

Gartner’s 2021 supply chain risk and resilience study found that “better supply chain visibility” was the biggest area for improvement. 70% of the sample ranked it in their top three. 40% said it was their number one priority.

  • Almost two-thirds of respondents (64%) said they were working on multi-tier mapping now, compared with only a fifth (19%) who said they had processes in place previously.
  • Almost three-quarters (73%) said they were looking at technologies to help them map their multi-tier supply chains and improve visibility – compared with just 11% who had already done so.
  • More than half (57%) said that having “better supply chain risk tools/technologies” was a top 3 priority for improving risk management in their businesses.

Many of these improvement efforts and investments will not come in time to enable European companies to avoid supply chain disruptions stemming from the war in Ukraine. It is also unlikely that most businesses have insulted themselves from the impact of sanctions imposed on Russian firms as a result of Putin’s invasion.

This horrific and unjustified conflict has already upended decades of conventional thinking about war and international business, as well as the supply chains that underpin them. The data on tier visibility shared above is crystal clear evidence that despite limited immediate connections, deeper analysis shows just how interconnected and interdependent our economies, businesses, and people are.

Greater awareness of the level and nature of that interdependence is essential to building a supply chain and business community that can withstand immense shocks and continue to provide essential services and information in times of crisis.

Continue to follow the Interos Crisis Resource Center and Blog as the crisis evolves in Russia and Ukraine. We will continue to post supply chain information and insights as they become available.

Russia/Ukraine: Aerospace & Defense Face Heightened Cyber Risk

Russia’s invasion of Ukraine and the imposition of sanctions by the U.S. and European countries has raised the cyber risk profile of aerospace and defense companies. Amid continued financial and economic fallout, there are concerns about an escalation in cyber-warfare that is fueling worries among western companies of a large-scale retaliatory cyber attack.  Several Ukrainian government websites have already been taken offline. Recent ransomware and other attacks against U.S. and European firms ranged from logistics (Expeditors International) to mobile communications (Vodafone Portugal) to fuel distribution (Marquard & Bahls) and food products (KP Snacks). All of these incidents caused severe services and supply chain disruption.

Authorities have attributed these attacks to cyber-criminals rather than nation states. Still, the Cybersecurity & Infrastructure Security Agency (CISA) recently posted a “Shields Up” warning to U.S. organizations. It urges them to take steps to protect critical assets against possible Russian government attacks. The UK’s National Cyber Security Centre also advised British companies to ensure their cyber defense measures are up to date.

Interos Insight on Cyber Risk

In addition to energy and critical infrastructure providers, companies in the aerospace and defense (A&D) industry are obvious targets for such attacks, both for denial of service and intellectual property theft. Their strategic importance to national security is one obvious reason, but another is high levels of concentration risk in the sector due to specialized products A&D firms rely on.

Concentration is a well-understood, but vitally important and often ignored risk in supply chain security. It refers to a cluster or a shared supplier within a supply chain. A cyber attack against Western companies could have disastrous effects.

If a shared prime A&D supplier were disrupted by a Russian cyber-attack, it could have a strong ripple effect across the entire sector – much as the shutdown of Taiwanese chip makers during Covid-19 ground U.S. automotive production lines to a halt.

Looking Inside the Numbers

To gauge the extent of concentration risk in A&D, Interos took the 2021 top 100 list of defense contractors published by the industry publication Defense News and used our global relationship data graph of more than 350 million entities to map their extended supply chains.

We found that this group of top defense contractors have 1,755 suppliers in common. This included six of the top 20 suppliers to the industry. One of these six suppliers had 27 separate connections to the top defense contractors. And the list doesn’t only include component and material suppliers, but also banks and financial institutions. Indeed, 29 of the A&D companies use the same bank, according to our proprietary data. The over-reliance of many defense companies on a limited number of suppliers makes them vulnerable to disruption if those shared suppliers are compromised. That compromise could come in many forms: a cyber attack, operational failure, or other unforeseen event. Most of the top defense contractors’ shared suppliers had strong cyber and financial risk scores, based on the Interos i-Score model. However, those scores began to weaken further down the list.

This does not mean that these top defense contractors are currently impacted by a new cyber threat from Russia. But the existing level of concentration risk revealed in the data, which is not atypical, could magnify the damage of a large scale cyber attack.

Because CISA’s “Shields Up” warning was directed to US companies, suppliers based outside of Western Europe and the U.S./Canada may not be responding in the way that is necessary. Criminal hackers pose a significant threat to companies with inadequate cyber security measures. State-sponsored hackers can draw on vastly bigger resources. They are therefore likely to be more successful in disrupting critical supply chains.

During this time of war, companies should make taking care of any employees affected by the devastation their first priority. And regardless of how the potential cyber threat posed by the immediate crisis plays out, companies need to monitor their supply chains for cyber risk and other sources of supply chain risk. Software supply chain attacks grew by more than 300% in 2021 compared to 2020. We expect them to increase even further in the coming years. A careful and continuous assessment of a supplier’s security posture, and their overall risk profile, will be critical to helping insulate organizations and their stakeholders from supply chain cyber attack or other disruptions.

Continue to follow the Interos blog as the crisis evolves in Russia and Ukraine. We will continue to post supply chain information and insights as they become available.

Critical Questions for Business Leaders with Commercial Ties to Russia and Ukraine

Over the past few days, we’ve been in close contact with a range of customers and businesses who are trying to determine the best path forward as the conflict escalates in Ukraine and as more multinational companies decide to dissolve, cut back or suspend operations in Russia.

As we engage these leaders and provide technical and in-kind support to help vulnerable and displaced communities devastated by this invasion, I wanted to take a moment and share some of the challenges facing our commercial and government partners at the moment and the counsel we are providing. Our hope is that some of this is helpful as you think through your own considerations.

CEOs and other prominent business leaders are confronting tough questions about their commercial connections to Russia. These questions can be difficult to answer given the complex interdependencies of today’s global supply chains. Consumers and employees want to know whether business relationships with the Russian government or Russian companies will be discontinued. Many more want to better understand how the invasion has impacted companies or their suppliers.

Large companies quickly curtail Russian operations

CEOs must be prepared to to answer these questions and some already have taken action. BP is expecting to take a $25 billion hit after its decision to cut ties with the Russian state-owned energy firm, Rosneft. Twitter has ceased selling ads in Russia and has added special labeling to tweets sharing Russian state-produced media. YouTube blocked Russian channels from earning ad dollars. Several prominent law firms and lobbyists have dropped Russian clients. Meta has established a special operations center and is prohibiting Russian state media from running ads or monetizing on its platform anywhere in the world. And just within the last 24 hours we’ve seen Delta, DHL, UPS, FedEx, Dell, Maersk and Shell announce significant measures to curtail operations in Russia.

While not all companies can move swiftly, CEOs need to communicate their organizations’ status and intentions with all critical stakeholders. This includes identifying business partners in Russia and employees from Russia who perform work delivered abroad. It also requires a clear rationale for firms who are not immediately severing ties with Russian commercial connections.

According to a recent LumApps/CMS poll, 76% of employees surveyed said they want to work for companies with a strong social impact. Employees will be carefully watching the actions their companies and organizations take. Business leaders should over-communicate to employees all efforts in the name of transparency.

Key questions you need answers to:

As the war in Ukraine continues, business leaders should also answer the following questions to ensure operational resilience, and maintain trust with their employees and customers:

  • Do you have long-term plans to accommodate impacted employees in Russia and Ukraine?
  • Have you developed a plan to work with relief organizations in Ukraine?
  • Do you have visibility into your supply chains beyond first- and second-tier suppliers?
  • Have you evaluated required levels of inventory and labor in the short to medium term?
  • Are you actively discussing business continuity plans with key suppliers?
  • Do you have contingency plans in place to switch to, or qualify, alternative sources for essential products and services?
  • Are you prepared for cyber attacks?
  • Are you in close contact with your people and suppliers in other parts of Eastern Europe?
  • Are you tracking new sanctions and export controls from various markets?
  • Are you in contact with your elected officials in the U.S. and Europe as conditions continue to evolve?
  • Has your organization developed an integrated communication plan that includes timely updates to employees, customers, suppliers, investors, government officials and media?

With proper analysis, planning, and unyielding  compassion for every person and business caught up in this tragedy, it is possible to mitigate significant risk, ensure operational resilience, and avoid supply chain disruption.

Interos will continue to update our blog with updated supply chain data and insights as the events in Ukraine evolve. Please check back frequently and reach out to help provide visibility into your supply chain to ensure all business relationships meet company standards. Most important, keep the people of Ukraine in your thoughts. The world can and must help all nations find a path to peace.