The new year has brought with it an increased effort by companies to assess, anticipate and react to global supply risk. In this conversation with SupplyChainBrain Editor-in-Chief Bob Bowman, Jim Wetekamp, CEO of Riskonnect, lays out the major issues and programs that managers are pursuing today, to shore up the security of their end-to-end supply chains.
SCB: What are the various aspects of supply-chain risk that you see emerging as big concerns in 2020, and how they are affecting companies, especially relating to the 2020 presidential election?
Wetekamp: They’re coming from a number of different areas, but the first is uncertainty. We’re seeing customers reconsidering any sort of budget carryover from last year, probably more so than in prior years. They’re putting a lot of things back up for reconsideration, even those that were previously part of the annual operating plan. You're seeing a lot of hesitancy, at least where there’s discretionary decision-making tied to how things will develop. There will be a lot of other impacts beyond the election in terms of regulatory change. And there are concerns about consumer confidence. But the primary one is just trying to measure the market, on the performance and sales sides.
SCB: Recently we heard of the signing of the new U.S.-China trade agreement. What additional risks are out there with regard to global trade trends and tensions?
Wetekamp: Customers are reacting to increased globalization and the overall global economy in a couple of areas. One is continuing to focus on internalizing operations around third parties. When you think about the extension of those trade relationships and digital acceleration, third-party risk now has a first-party impact. How are they taking a greater role in the verification and validation of security, data protection, and authenticity of products and goods throughout the multiple tiers of the supply chain?
A second type of response is around the diversification of sources of supply. Previously, companies might have been leveraging their suppliers based on cost considerations. You’re now seeing a bit more hedging, toward the development of near-shore or onshore manufacturing capacity. This also links up with climate risk.
SCB: What are the implications of companies adopting climate resiliency as a risk metric?
Wetekamp: The biggest change is in the design of supply chains. It's not something you can change overnight. Risk comes into the picture when you think about business-continuity management and resiliency planning, and related strategies. There’s only so much risk you can pass along relating to climate change. The second concern is in the resiliency of supply-chain design, and how you model that. You're seeing an increase in modeling and anticipating more drastic interruptions to supply-chain continuity. People are moderating a bit more between the cost of supply and the risk of climate impact, so that they’re able to continue operations in the event of extreme climate disruption. That’s especially the case for companies that are based in coastal regions.
SCB: What are some of the concerns relating to fraud and possible missteps with regulatory compliance?
Wetekamp: As we exited 2019, this was probably the most talked-about topic. It has pushed risk to the board level in an extremely material way. There used to be an audit committee responsible for reputational risk, corporate ethics, and commercial behaviors. There have been so many examples over the past year of those issues destroying shareholder value. There's a lot of discussion now about how long that lasts, and what the recovery period from those events looks like. In any case, enterprise risk management has been thrust to the forefront of the boards’ and shareholders’ minds. A lot of time is being spent on how to quantify operational risk, and how to react to it. I anticipate seeing this happen at a higher velocity in 2020.
SCB: What impact might cyber thieves have on networks in the age of the internet of things?
Wetekamp: The more connected we are, the more rapidly the bad guys can do bad things. We’re seeing increased sophistication and capabilities of the attackers, extending to third and fourth parties, and multiple tiers of the supply chain. Big companies don't have enough resources to cover all those gaps. They can't do what they used to do to protect the whole ecosystem. Yet their customers don't delineate between them and their suppliers. So when something happens to a supplier that puts the consumer’s data at risk, the company is harmed one way or another. As a result, companies are moving toward a continuous-monitoring mindset. They’re using automation to push the boundaries of coverage and broaden their scope of view. They're forcing standardization across their supply chains to get a better understanding of their coverage areas. And they're relying on third parties to help with monitoring.
Companies are asking, What is the likelihood of cyber attack? What do their frontline controls look like through unrequested testing? Are their credentials loose on the dark web? They’re using that information to assess supply networks without even necessarily asking the vendors, then making decisions about who they will or won't work with, which workflows they'll allow, and how deeply they'll let somebody integrate based on what that information is telling them.
SCB: Where does artificial intelligence come into the picture, as a means of addressing supply-chain risk?
Wetekamp: I don't know that anybody has an answer yet. You worry about bias or backdoors being introduced through automation in manufacturing lines, suppliers, retailers and all the way to online social media and marketplaces. How do you test AI components that may come from third parties? How do you look inside those code bases for leaks as they relate to personal information and consumer habits? A lot of effort is being spent on these questions, but I'm not sure the answers are that well-defined.
SCB: What should companies be doing to respond to the threat of cyber warfare?
Wetekamp: They're looking to add automation to the process to cover more territory. They’re using third-party clearinghouses for vendor data as it relates to their cyber and digital risk posture. They're automating their own workflows with new controls. And they're moving to more proactive and recurring monitoring and testing across pieces of their network, and their suppliers’. The additional resources and time being spent on identifying potential risk and how it affects business models, as well as who they integrate with, is probably the biggest change you're seeing right now.