How should you approach supply chain risk management?
In our blog on risk management challenges for 2019, we referred to the perennial risk attached to suppliers, as third parties continue to be a major source of incidents. Linked to the Brexit issue, understanding the risks your suppliers face and the measures they are taking to mitigate those risks is vital. In this blog, we are stepping back to look at some of the key issues surrounding supply chain risk management and what approach you should be taking.
Every organisation uses third parties, to a lesser or greater degree, in order to support the delivery of key products and services. However, whenever we introduce a third party organisation, we introduce a number of risks that are not fully under our control or even outside of our control. Supplier risk management, or vendor risk management, is the discipline that tries to understand this risk by using a framework that:
- Identifies risks associated with those suppliers which support your critical activities
- Analyses and evaluates the level of risk that each supplier introduces
- Identifies appropriate risk treatment decisions to ensure that risks introduced by your third parties are effectively managed.
- Ensures that ongoing changes to suppliers and the services they provide to you are captured and the changing risks are understood.
Typical supply chain failures
Whilst there are the headline-grabbing incidents where supply chains are disrupted by environmental disasters (e.g. floods, storms, earthquakes) wars or cyber incidents, you could equally be disrupted by the loss of a key member of staff or a local IT issue in one of your suppliers. As such, it is essential for you to take a holistic approach when understanding and managing your supplier risks.
For example, if you have suppliers connected to your network then a breach in their network could lead to a compromise in yours. Or you could suffer a personal data breach due to information shared with a supplier where the necessary protections aren’t in place.
And don’t forget, we are talking supply chain, so it may be a supplier’s supplier where major risks lie.
How does URM suggest you approach supply chain risk management?
We suggest a 5-step approach to managing your suppliers:
- Ensure 100% coverage of all suppliers are included within the supply chain process (easier said than done!)
- Establish a level of criticality based on the information the third party has access to or the services they provide
- Categorise each supplier based on the services they provide to your organisation and the potential risk they pose
- Send a tailored questionnaire to each supplier to ensure that they only need to complete relevant questions (this is essential in terms of maximising supplier engagement)
- Clearly report the risks associated with each supplier based on your risk appetite, enabling you to make informed decisions and be in a position to discuss and track any risk treatment actions necessary for any specific supplier.