End of an Era: Legacy TPRM Solutions Do Not Create Operational Resilience (Part 4)

April 30, 2021
Jennifer Bisceglie

As discussed in “The Black Swan is Dead” blog, corporate boards and government agency heads are demanding visibility into their supply chain risk exposure and are starting to hold the organizations — and their leaders — personally responsible. They cannot wait days, weeks, or potentially months for answers. They want to know now, and they want to know what steps the company or agency is taking to prevent the next big COVID- or SolarWinds-like supply chain shock. In other words, they want to know executives have a plan for business continuity and Operational Resilience.

Even in this new world where “not knowing” is no longer an acceptable excuse, companies and agencies are still operating in silos. They are still using manual processes and point-in-time tools, such as Third Party Risk Management (TPRM), Supply Chain Risk Management (SCRM), spreadsheets, and surveys. These all fail to map, monitor, and model extended supply chains, capabilities without which you cannot reduce risk, avoid disruptions, and achieve dramatically superior resilience.

TPRM Is Too Limited in Scope for Modern Business Continuity and Operational Resilience

Building on existing vendor risk management and supplier risk management tools, TPRM attempts to broaden the focus beyond just vendors and suppliers to include all kinds of third parties. For TPRM vendors, this allows them to expand their market from manufacturing companies to all commercial entities. Most are point solutions, but the big Supplier Relationship Management (SRM) and Supply Chain Management (SCM) vendors have rolled out TPRM modules.

What TPRM solutions do:

  • Surveys
  • Single-risk focused

What they don’t do:

  • Visualize the extended supply chain
  • Provide ongoing monitoring
  • Look at the ripple effect of global events
  • Capture complex, multi-factor risks
  • Ensure comprehensive Operational Resilience and business continuity

Supply Chain Risk Management Attempts Operational Resilience Regulation

Through a series of Operational Resilience regulations and legislation enacted over the past decade, the US government has prompted organizations to leverage increasingly formalized approaches to SCRM, which is officially defined as:

“A systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout the supply chain and developing mitigation strategies to combat those threats whether presented by the supplier, the suppliers’ product and its subcomponents, or the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal).”

Unlike TPRM, SCRM enables a couple of critical elements needed for Operational Resilience:

  • SCRM clearly calls out that sub-tier suppliers need to be evaluated and tracked.
  • Cyber and financial stability risk are top priorities, but so are foreign ownership, location of facilities, counterfeit products, and other factors.

What is still missing with SCRM?

  • The process uses an Operational Resilience regulation and compliance approach. This means setting mandates for an unwieldy 300,000 defense companies and their extended supply chains. Companies see this as a compliance issue and the cost of doing business instead of a way to ensure Operational Resilience.
  • It still relies heavily on self-reported, annual surveys to collect information, which is inadequate for supply chain security and continuity.

Operational Resilience is the New Standard

To achieve Operational Resilience and business continuity, organizations require tools that can:

  • Instantly discover the Nth tiers in your supply chain.
  • Provide situational awareness based on automatic, broad, multi-factor risk assessment.
  • Evaluate “what if” scenarios and alternative suppliers.
  • Be updated on a continuous basis in near-real-time.

In addition to these tools, “risk and resilience leaders” must find a structured approach to implementing organizational change. The Resilience Operations Center (ROC), described in Part 2 of this series, more than fits the bill. The ROC represents a new approach to modern supply chain security and continuity, delivered through an enterprise-wide framework that ensures supply chain risk management (SCRM) objectives are tied to organizational goals. It brings previously siloed groups together to form agile and informed teams that are empowered to use data intelligently and to react quickly to changing circumstances.

We’ve seen it work in a variety of industries, and our customers are using ROCs to dramatically change business outcomes for the better.

To learn more about Operational Resilience and business continuity, the ROC, and the technology that can enable it, visit www.interos.ai.
