The Harvard Business Review recently made a stark statement with regards to global supply chains: The vast majority of global companies have no idea of what their risk exposure is; that's because few, if any, have complete knowledge of all the companies that provide services or parts to their direct suppliers.
The unfolding coronavirus pandemic has thrown into sharp relief just how complex and interdependent today's international supply chains are — and how little visibility companies can have over those interdependencies. Organizations are being forced to adapt and plan for dramatic impacts up and down their supply chains, with some deploying all-new tools and solutions in order to facilitate last-minute remote working — often with very little understanding of how those new solutions might affect their own security and risk levels.
These issues go far beyond third parties alone. The chain of security and risk responsibility goes much further; a substantial proportion of supply-chain disruption is due to problems with fourth parties. Fourth parties are the suppliers of your third party who more often than not you do not have clear visibility and assurance over them.
Effective visibility over today’s global and fast-moving supply chains needs to strike a careful balance. Members of that supply chain need to be properly scrutinized — certain processes, tools and technologies need to be confirmed. Yet this scrutiny needs to be done in an efficient and agile way, without requiring organizations who may be several links away in the chain to undertake really onerous processes.
What’s the Solution?
The answer, then, is a lightweight assessment questionnaire focused on the most important aspects of managing business operations through adversity. This assessment must be able to be pushed out to any organization in your supply chain — whether they are third parties, qualified fourth parties or beyond — to rapidly gain a clear picture of their response to security and risk in the current climate. To provide additional business context, users of the application should be able to add their own questions to the assessment.
Organizations deploying such a solution need to combine documentation of their own key assets and processes with assessment of their critical suppliers’ management of security and risk. And all this intelligence needs to be reported in a clear and intuitive way, through flexible dashboards which can be tailored to the needs of different stakeholders within the organization.
Questions to Ask
Supply-chain assurance needs to take in a broad spectrum of information. It's not just about the obvious — what cybersecurity tools do they have in place, who is responsible for which process, what the contingency plans are — but also 'softer' information like where their offices are based and who their customers are. Supply-chain audit solutions need to be able to collect all this data as efficiently as possible, which means that cloud-based solutions are often most appropriate. Third and fourth parties and beyond can respond to digital questionnaires with the information collated and aggregated automatically. The result is a snapshot view of the health — or risk — of the supply chain at any time.
This approach gives businesses a time advantage as questionnaires can be sent directly to crucial suppliers in a matter of days or even hours, enabling a quicker understanding of affected products and/or services. This, in turn, helps measure the potential impacts posed by supplier risks and determine wider impacts on the supply chain.
There are broader impacts with a cloud-based solution too. With multiple organizations using the same tool, they can collectively build valuable global insight into the current state of the supply chain, which then supports other organizations with their resilience strategy.
If the results of such supply-chain audits are anonymised and aggregated, suppliers can use them to measure and report on global trends relating to the impact and readiness of supply chains. In turn, such analysis can be used to develop new guidance and create a dialogue to further improve supply-chain management. It’s about building an international, dynamic knowledge base.
Effective supply-chain management is particularly important in this time of global crisis. The effects of the coronavirus pandemic have transformed the way suppliers are managed and relied upon and created uncertainty for third party risk programmes. As with so many other areas of response to COVID-19, by working together, organizations can make a really powerful difference.
Richard Hibbert is cofounder and CEO of SureCloud.
Timely, incisive articles delivered directly to your inbox.