The following is a modified excerpt from “The Resilience Operations Center: A New Framework for Supply Chain Risk Management.”
The success of an organization’s business resilience process depends on agile and informed teams, intelligent use of data, and fast adaptation to changing circumstances. The Resilience Operations Center (ROC) framework, which involves modernizing your supply chain risk management (SCRM) and third-party risk management (TPRM) approaches, helps deliver on those requirements. Whether you build a virtual or organizational ROC, it will be the foundation you rely on when facing adversity and will empower your organization to deliver for all stakeholders, no matter what challenges arise.
Laying the ROC Groundwork
Risks are everywhere in today’s landscape. The ability to identify ongoing and emerging threats and vulnerabilities and proactively adapt and respond to them through your business resilience process can help your business thrive. Nowhere is this more important than in your third-party risk methodology — specifically, your approach to managing operational risks arising from supplier outsourcing decisions.
Organizations need to focus on the operational resilience that is derived from building a joint business-supply chain ecosystem. The concept of a supply chain ecosystem is at the center of effective management of supplier risk in our complex, constantly evolving world. Resilience is the ability to mitigate the consequences of unplanned events, manage adversity, and navigate manmade as well as natural disasters. Resilience demands forecasting and planning for different scenarios while continuously evaluating key organizational risk factors. Connectedness—a willingness to understand your suppliers’ interests, build trust, and act together with them for the strategic good of all—contributes to resilience and should be a key component of your third-party risk methodology.
Aligning SCRM/TPRM with Your Business Resilience Process
Aligning your SCRM or TPRM program with strategic business objectives can help you bolster your business resilience process planning. As a risk management practitioner, you must understand which assets are critical to your business. To begin identifying them, ask the following questions:
- What are your industry’s critical assets?
- How are they used?
- How are they derived, manufactured, and transported?
- Where are information assets stored, sent, and shared?
- Who has access to your assets at each step throughout the supply chain process?
Critical assets vary across industries, and could include the following:
- Financial services: Banking customer Personally Identifiable Information (PII), including name, address, and account number
- Healthcare: Patient Protected Health Information (PHI), including name, date of birth, and Social Security number
- Retail: Customer payment card industry data, including card number, expiration date, and Card Verification Value
- Pharmaceuticals: Proprietary drug formulations
- Manufacturing: Process patents and other proprietary information
This knowledge, combined with risk appetite (the amount of risk a business is willing to assume to achieve its strategic goals), allows you to implement effective, efficient, and resilient business operational strategies and third-party risk methodology. This provides the ability to prevent disruptions in service or product delivery. It also enables organizations to minimize the impact of and recover quickly from unforeseen events, including unlikely black swan events.
Identifying Key Business Operational Risks and Improving Your Third-Party Risk Methodology
Which operational risks are greatest for your organization? Not all risks are created equal, and every industry has a different business resilience process. Once you have identified the risks, you need to understand how the organization is monitoring and responding to them. These risks could include the following:
- Financial: Trending, growth, solvency, soundness
- Operations: Bankruptcy resiliency, counterfeiting, business cost trends
- Governance: Compliance practices, including U.S. and international regulations, country-specific risks, management turnover
- Geographic: Pandemic impact, corruption and political violence concerns, infrastructure stats
- Cyber: Data breaches, emerging cyber risks
To achieve resilient operations, you need to expand your third-party risk methodology to include the operating environments within your extended supply chains, including all tiers and their risk factors. This process should be ongoing so you can spot and address current and emerging risks before they affect the business.
Beyond the obvious cybersecurity and disaster recovery/business continuity risks affecting the supply chain, you should consider geographic and concentration risks, financial disruptions, operations process risks, geopolitical instability, regulatory changes, and gaps in SCRM programs. Environmental, social, and governance (ESG) risks also need to be addressed. This requires working with suppliers to proactively communicate and exchange information to create a strategic advantage and safe operating environments for all participants. The end goal is creating a business resilience process that can leverage modern technology to identify emerging threats and respond quickly to protect the business and its customers.
More Disruptions are Coming—Get the ROC Book
The Resilience Operations Center book goes into more detail on these and other topics, including identifying stakeholders, telling your SCRM story, and creating business value through supply chain relationships.