The subject of supply-chain risk is high on the agenda of business executives today. Many companies bear scars of past disruptions, including a spate of natural disasters over the past decade. But they haven’t necessarily given the subject the full attention it deserves, especially in the age of COVID-19. In this conversation with SupplyChainBrain Editor-in-Chief Bob Bowman, Atul Vashistha, founder of Supply Wisdom, proposes a big step forward in corporate awareness, in the form of a risk operation center.
SCB: Do you see a general acknowledgment among companies today of the need for risk managers in their organizations?
Vashistha: Absolutely. What COVID-19 has done is enable risk leaders to shine. Because they became the key component in most organizations' response to COVID-19, companies definitely recognize the importance and the value of those roles.
SCB: Where is that individual in the organization today?
Vashistha: That's a really interesting question, because I think it depends on many factors. It depends on what vertical it is, and how that company thinks about risk in an organization. Let's take an example. In banking and financial services, the chief risk officer might be reporting directly into operations, so it’s kind of a COO or chief administrative officer position. In other cases, the risk function is under a chief procurement officer. In industries that aren’t as regulated or as strongly compliance-focused, you might see risk under supply chain, or some kind of a vendor-management organization. So it really differs across industries and companies.
SCB: Does the role tend to have visibility and influence in the C-suite?
Vashistha: I would say that with cyber threats, particularly, the influence of risk has increased. Some companies have created risk committees. The roles of the chief risk officer and chief information security officer have risen dramatically. But my observation is that in most organizations, risk is not yet a seriously elevated concern. COVID-19 is going to go a long way toward elevating key risk roles.
SCB: What is a risk operation center?
Vashistha: One of the things you'll notice in most companies is that they might have somebody who has risk either as a primary or secondary function, and when incidents happen, they or their teams respond to it. Sometimes that might simply be a vendor manager or risk manager. A risk operation center is about the creation of an ongoing capability that has a competency, not only to monitor risk, whether in the form of people, data or technology, but also to respond to it on an ongoing basis.
SCB: Does it involve any permanent staff, or does it draw from staff throughout the organization on an as-needed basis?
Vashistha: There are two kinds of risk operation centers. One is like you described, where, when an incident happens, it draws from different parts of the organization and you basically create a response team. It’s purely reactive, and by the time you put it together and respond to an incident, you're often running behind the ball. What I'm talking about is a risk operation center that’s an ongoing entity and has people assigned and dedicated to it. In the case of a significant incident, you might staff it up, but it does have an ongoing functionality and competency that's attached to it.
SCB: What’s its relationship to the rest of the organization? Does it communicate on a regular basis in the absence of any disruptive event? Does it educate or prepare individuals in various roles? What role does it play on a day-to-day basis?
Vashistha: In companies that leverage a risk operation center well, it has an ongoing function in monitoring risk and responding to it, but also one that I would call risk prevention. It might be doing a number of activities, depending on the investment a company is making. It could be education. It could be standard operating procedures. It could be simply keeping people updated, informing them.
As an example, one of the cascading impacts of COVID-19 has been an increase in cyber attacks. In fact, a few weeks ago, there was a significant ransomware attack that impacted a few companies. A good risk operation center would not only have notified people that there was a ransomware attack, but would have recommended certain actions for vendor managers and others to take, like check the cyber susceptibility of your other partners. Have they had changes? Did they do the last security update?
SCB: Does a risk operation center sometimes put the rest of the company through any kind of simulation or exercise that would create the scenario for a potential risk, thereby helping to prepare the organization for such events?
Vashistha: Many companies do that. They have some kind of a cycle, often annually, where someone might do a desktop scenario. Others might do actual scenario testing in the field, whether it's testing disaster recovery or business continuity. What COVID-19 has done is reveal the need for looking at scenarios beyond those we had looked at before. For example, many risk operation centers have run simulations with 20% or 40% employee absenteeism. Nobody ran one at 100% — total work from home. So, yes, there has been a learning that more exercises like these need to be done, so you can imagine what you would fundamentally change about your business, and what you would do differently with your third parties in the case of disruptions that are much bigger or longer than previously considered. A risk operation center would be responsible for not just conducting such exercises, but also sharing the lessons from them.
SCB: Is it also the job of a risk operation center and risk manager to reach beyond the walls of the organization, to communicate with suppliers upstream and customers downstream?
Vashistha: Yes. It’s important to focus on your partners, and inform them of a risk you might be seeing that they don’t. I'll give you an example. Recently we noticed that the cyber susceptibility of a supplier had been declining significantly. They were at 9.8 out of 10 just a few months ago. Now it's sitting at 7.1. A good risk manager and risk operation center would be working with that supplier, not just informing them but also understanding what they’re going to change, recommending certain actions to consider, then tracking their efforts to achieve closure. You definitely want to make sure you're not just focusing internally.
SCB: Do you depend on reporting by outside parties to assess the state of their own cybersecurity, or do you have other ways of assessing that without necessarily relying on direct input from them?
Vashistha: Of course you can be intrusive. But there are a tremendous number of tools that allow you to take a URL today, basically an IP address, and do that without requiring any permission. Patch management, e-mail security, compromised domains, compromised passwords — all that can be done through an external scan.
SCB: It’s still a new concept though, right? I imagine that not a large number of companies are embracing the notion of a risk operation center at this time.
Vashistha: I would say that a typical company historically has under-invested in risk. They have often considered events to be novel and not frequent. One of the things we've been noticing is that the number of disruptive risk events isn’t just rising in frequency, but also in severity. There have been four pandemics in the last 20 years. Or go back 10 years and see how often companies have been impacted by a significant event, whether it's weather or a protest that made it impossible for employees to go to work. I think risk prevention will become an ongoing capability that more and more companies will adopt, because I believe that risks will only accelerate, not decrease.