Executive Briefings

Knowledge Management Key to Managing Supply Chain Risks

Analyst Insight: Top leadership involvement in governing IT risk strategies and identifying the right practices to manage those risks is a requirement for any organization looking to have effective supply chain security. Today's IT landscape requires an accelerated level of knowledge sharing of IT risk practices and solutions, both with suppliers and within the enterprise. Leaders have to change how information is communicated and shared throughout the organization. - Andrea Stroud, research program manager, APQC

IT risk in the supply chain has become a growing concern for supply chain professionals in recent years. A majority of organizations have faced technology changes, unplanned IT and telecommunications outages, counterfeiting, cyber attacks and other disruptions. The risk presented by IT disruptions is of great significance given the technology necessary to support complex global supply chains. The only way organizations will be able to effectively manage IT risk is for leadership to ensure that the right risk management practices are in place, that risks are evaluated regularly, and that mitigation strategies are documented and shared enterprise-wide.

APQC’s study, The State of IT Risk Management in the Supply Chain, was conducted to learn more about how organizations are putting IT security measures into practice. A survey administered as part of the project indicated that many organizations have been affected by IT disruptions and that leaders are concerned about IT risk. However, survey respondents reported that their organizations only occasionally use IT risk management practices and that they do not find these practices to be completely effective.

A standardized process for prequalifying suppliers is the most frequently used practice to help manage IT risk. The practice least frequently used is the adoption of a C-suite board to help govern risk. These results suggest that organizations are addressing IT risks at the tactical, instead of strategic, level. Organizations use supplier evaluations as the primary way of managing IT risk, rather than relying on leadership to help govern risk. Organizations also rely on other practices, such as adopting an enhanced perimeter defense system to identify IT intrusions, rather than the loftier goal of creating a formal registry of IT risk data that can then be shared within the enterprise.

Organizations have limited the sharing of IT risk information within the enterprise and externally with suppliers due to fear of creating additional risks; however, knowledge management (KM) must be part of an organization’s risk management program. APQC defines KM as a systematic process designed to connect people to one another and to the knowledge and information they need to achieve results. Executives can lend credibility to knowledge-sharing approaches and convey their importance to the organization, which in turn promotes workforce buy-in.

If leaders actively promote and reward the sharing of IT risk knowledge, then employees are more likely to talk about risks in cross-functional communities and forums, capture them in lessons-learned repositories, and take additional steps to communicate so that others can avoid repeating the same mistakes. Without such encouragement, teams may let fears of revealing past errors or concerns that the information will be misused prevent them from sharing critical risk information and mitigation solutions.

The Outlook

Organizations should create a repository of IT risk management solutions from past IT disruptions that allows employees across the enterprise to adapt pre-existing solutions to meet current needs. By pulling relevant information from the repository, employees can decrease the amount of time required to respond to an IT disruption.
