Supply chain cybersecurity: better protection and policy alignment

According to a recent study conducted by the World Economic Forum, 39% of surveyed organizations in 2022 had been affected by a third-party cyber incident. In other words, they were “collateral damage” of a cyberattack on companies via their supply chain. Increasingly, threat actors are targeting small and medium-sized suppliers that may use less robust cybersecurity practices, with the aim of then surreptitiously accessing the systems of an intended target among their clientele. By breaking into the provider’s system, an attacker could potentially compromise any organizations which use the product or service – including larger companies, government agencies, and even critical infrastructure or essential services.

These incidents show the interdependence of companies, and the increasing need to address the security of the ICT supply chain as a whole by identifying and strengthening the weakest links. There is also a growing regulatory concern about supply chain security that is being translated into proposals ranging from reporting, or vulnerability disclosure, to restrictions or obligations on providers under various regulatory standards and frameworks.

How can companies better protect their supply chain to reduce risk and enable a more agile response?

Traditional approaches to supply chain risk management can present limitations: they don’t increase cyber protection, are not generalized in their approach to diversifying and securing the supply chain, waste time and money, and lack cyber risk context. Importantly, small and medium-sized enterprises in the supply chain may struggle with responsible cybersecurity practices, including compliance with recognized standards. Below is a selection of supply chain security best practices, some of which have been taken from the RSAC ESAF Report “How Top CISOs are Transforming Third-Party Risk Management”, based on interviews with Chief Information Security Officers (CISOs), and from Telefónica’s own experience.

It is also necessary to standardise the approach to risk management in a joint procurement and security strategy, based on a principle of co-responsibility of employees and suppliers for meeting pre-established cybersecurity requirements, including requirements on diversification. Management indicators that are checked periodically (including through audits) are needed to monitor progress and identify points for improvement throughout the whole supplier lifecycle, including termination. Key elements of such a strategy include the following:

  1. Focus on a short list of priority security requirements based on a risk assessment, rather than overloading the supplier, and ensure monitoring, oversight, and compliance.
  2. Reduce the impact of third-party incidents via discrete actions like diversifying the supply chain, applying zero trust policies, developing incident response plans, conducting tests, and demanding early reporting of incidents by suppliers.
  3. Actively partner with suppliers to help them improve their security programs, offering service mechanisms and trainings to protect against or respond to incidents as they occur. Third-party incidents will happen, so preparing to manage the impact on the enterprise must be a core priority.
  4. Consider leveraging emerging technologies such as blockchain for information sharing and asset management to minimize the consequences of third-party cyber-incidents, as well as artificial intelligence and advanced analytics to scale incident detection and response capabilities.
  5. Add incentives and enforcements to contracts, setting requirements for suppliers based on international standards (e.g. ISO 27001 Information Security, ISO 27701 Privacy, ISO 22301 Security and resilience).
  6. Establish processes to increase business leaders’ involvement in managing third-party cyber-risks. Doing so needs to be a priority at the most senior levels.

Read more at Supply chain cybersecurity: better protection and policy alignment

The growing importance of supply chain risk management

Against the backdrop of a highly disruptive and volatile market environment, supply chain risk management has risen to the top echelons of boardroom agendas. Vivianne Courte-Rathwell, a Consultant at Sourcing Champions, explains why the concept is gaining importance – and outlines some of its main benefits.

A review of the historic supply chain disruptions of the past few years would hardly be news to anyone. In an unprecedented ‘risky’ period, with a pandemic, climate change, a Russia-Ukraine war, geopolitical pressures, and much more, it is no surprise that global supply chains have recently been dealing with heightened risks.

However, it is key to keep in mind that such disruptions do not only occur in unfortunate periods of history. Risks are by nature ubiquitous and unpredictable, and that means that leaders need to embrace an approach that helps them mitigate, adapt and learn.

In 2012, there was a disastrous tsunami in Japan which impacted the automotive industry worldwide. In 2015, an immense explosion at one of the largest ports in the world, the Port of Tianjin, caused significant costs and losses. In 2018 the US – China trade war negatively impacted profit margins and created tense times of uncertainty.

It is impossible to avoid all risks. Instead, the key is to mitigate significant damage through foresight in strategic management.

After the tsunami of 2012, automotive organizations had nowhere to turn as many realized that their single source of materials was Japan. Even OEMs with a multi-sourcing strategy encountered issues because many tier-1 suppliers procured materials from the same tier-2 supplier. As a result, the challenges of tier-2 suppliers became a direct concern as well.

Had there at the time been a multi-layer supply chain risk management (SCRM) program in place, these issues could have been (easily?) avoided and impact to the business would have been minimized. SCRM tools and processes act as guardrails and shields protecting the business from potential perils, hence providing a competitive advantage.

Read more at The growing importance of supply chain risk management

The future of supply chain risk management

The COVID crisis has prompted a period of introspection as organisations question how best to structure their supply chains and manage their risk.

Trends towards global sourcing, mobile warehousing, just-in-time production and lean manufacturing have created supply chains that are highly optimised, but also increasingly complex. When things are going well, this means cost-effective operations, less waste and companies can react flexibly and in an agile way to customer demands.

However, these trends also expose the supply chain to new, sometimes hard to recognise risks. And when there is interruption, the complexity of these supplier systems and the immediate nature of production can mean businesses are suddenly facing significant disruption with immediate impact to bottom lines, or even market share and reputation.

For instance, when governments imposed lockdowns to curb the spread of coronavirus, many firms found that manufacturing ground to a halt as the transportation of goods was interrupted. Where once a business was likely to have spares and back-ups in warehouses, just-in-time practices mean that many businesses are now left without access to the services or parts they need to operate.

Shifting sands

The uniquely volatile business environment of the past year has brought to the forefront of the business agenda the supply chain vulnerabilities they face. For some, this could signal a change in practices in the future to increase supply chain resilience – whether that’s looking at near shoring and onshoring, reintroducing back-up stock in warehouses or installing alternative production sites.

Kocher said: “What’s changing is how risk managers, management and insurers alike recognise and factor supply chain risk into their decision-making. With more and more severe supply chain interruptions materialising, businesses have started to reconsider certain aspects, such as having suppliers nearby to eliminate certain risk factors from their business activities.”

The role of risk engineering

As organisations continue down the path of introspection and question how to best structure their supply chains and manage their risk, it becomes ever-more crucial that risk managers understand the full extent of the vulnerabilities in their own production process. Kocher believes that risk engineering plays an increasingly key role in this process.

“One of the key value drivers is to understand your supply chain and the assumptions you are making about it in case of disruption. This may sound trivial, but it is a fundamental condition to be in place before conducting impact assessment, quantification, deciding on the mitigation strategy and implementing mitigation measures. A structured approach to ensure adequate understanding in sufficient depth is critical.”

Empowering better decisions

Often, when a company considers key or critical suppliers, it is examining its supply chain with a financial lens, or with a strong focus on individual business sections. A realistic company-wide, impact-oriented view, underpinned with decades of actual loss experience, supports the identification of key exposures which may otherwise go unnoticed.

Kocher concludes: “There is no one perfect way of managing supply chain risk. The risk engineer brings to the table a wealth of experience of what the process could look like, and is able to pick up the individual client where they stand in their supply chain risk management journey, with the goal of bringing them further towards a comprehensive supply chain risk management adapted to their specific needs.”

Read more at The future of supply chain risk management

How to analyse third-party risks in the supply chain

What are the cybersecurity, financial and other risks posed by third parties in the supply chain? Sri Rangachary, a Senior Director with ISG, asks.

Do you truly know your exposure to risk? With every third-party supplier an organisation uses, there is increased risk of being exposed to a security breach, a damaging reputational issue, or a human rights or environmental issue that could be buried within the supply chain.

We tend to think of disruptive events as happening once in a lifetime, but in reality, we should plan for them to be a regular feature of supply chains and manage them accordingly. Proper governance and rigorous supply chain review are critical.

What are the risks posed by third parties in the supply chain? The most obvious risks are cyber security or financial. Imagine if one of your supplier’s suppliers has a ransomware attack that spreads up the chain. Your security is only as strong as the weakest link in the supply chain. An event like this could severely disrupt your ability to do business.

But there are less obvious, newer risks from suppliers. Increasingly we’re seeing emerging threats from areas like environment, social and governance (ESG), and human rights.

Perhaps there are modern day slavery practices that you haven’t spotted, deeply embedded in the supply chain, or a supplier has been found guilty of corruption, or other unethical behaviour. It’s not enough anymore to claim ignorance, and you could lose your hard-won reputation by association with such practices.

You need the right processes in place to catch and head off these kinds of issues, early on.

Managing supplier relationships

The key to good supplier management is good information. What information do you need to mitigate your risk? I’m often asked: “How do I assess the risks from my supply chain?” The answer is in the information you get from that chain.

Look first at the information you have internally available. What is the acceptable risk level in your own business? Every organisation will have a different appetite for risk. A risk heat map is a great way to visualise the impact and likelihood of different risk categories, so you can develop the appropriate response.

The role of technology

It’s simply not possible for a person – or even a full team – to monitor every change and movement that could pose risk within the supply chain. This is where technology can help.

A good third-party risk management system can give you the information you need to monitor and mitigate risk, as well as keep on top of contractual commitments and the performance of your suppliers (including their ability to meet those commitments).

Read more at How to analyse third-party risks in the supply chain

Autoliv’s Supply Chain Risk Management Journey

In February, Klaus Niebur, the director of global supply chain risk management at Autoliv, and Jan Thiessen, the managing director at targetP!, spoke about best practices in supply chain risk management at ARC Advisory Group’s Digital Transformation in Industry conference.

Autoliv is the world’s largest safety system supplier in the automotive industry. This global, Tier 1 manufacturer is headquartered in Stockholm and had revenues of over $8 billion last year. It supplies airbags, seatbelts, and steering wheels to most of the automotive OEMs – companies like Renault/Nissan, Volkswagen, etc. targetP!, in turn, is a boutique procurement consultancy.

Autoliv’s Continuing Journey in Supply Chain Risk Management

Mr. Niebur’s and Thiessen’s presentation was taped in November of 2021 and then played online in February. At the time we spoke, Mr. Niebur spoke of risk management as a continuous improvement journey that would never end. There were several things they were looking to accomplish in the near term. I wanted to circle back to Klaus and Jan and get caught up on their journey.

Steve: Klaus, when we talked, you mentioned Autoliv was already doing digital supplier management, had digital sourcing solutions, and was looking at real-time transportation visibility solutions to provide better predicted times of arrival for inbound and outbound shipments. In short, this risk management solution needed to integrate into your IT ecosystem. Your future vision was for risk management to be seamlessly integrated into an advanced control tower. Can you talk about how this journey is going?

Klaus: This is correct and it is still our goal to create this Control Tower. It will link all initiatives within the supply chain function and be enabled by our digital solutions and all data sources. And we are making progress.

Read more at Autoliv’s Supply Chain Risk Management Journey

A Methodology to Quantify the Cost of Supply Chain Risk Management Strategies

The importance of supply chain risk management has grown exponentially since the onset of COVID-19.

You are the manager of a firm’s large global supply chain. The philosophy that guides your network planning decision-making is to minimize total landed costs subject to meeting defined customer service goals. In recent years, especially since the onset of COVID-19 and the supply chain vulnerabilities exposed and unleashed by this pandemic, you have struggled to find the right balance between minimizing costs and minimizing risks. In particular, how do you quantify the costs of different risk mitigation strategies such as using additional suppliers in disparate geographies, maintaining extra plants and/or capacity, and other similar strategies? How can you view these decisions from a holistic perspective?

In this article, we offer an illustration of a technique to develop a quantitative perspective on the cost of risk management strategies. This quantitative approach can be coupled with other more qualitative factors to facilitate the development of a well-informed supply chain risk management decision-making process and strategy.

We begin with a brief review of the types of risk that firms must assess in creating their risk management strategy. This review provides background context for the methodology we will introduce. Further, recognizing that we cannot explore in detail the topic of risk management strategies in this short article, we also provide additional references at the end of this article for readers interested in exploring this topic in depth. After our brief review of risk types and strategies, we then present our risk management quantitative methodology using a manufacturing network design strategy example for illustrative purposes.

Risks in Developing a Supply Chain Risk Management Strategy

When constructing a supply chain risk management strategy, a firm can ensure that it takes a holistic view of all potential threats by first evaluating general categories of risk, and then considering specific individual risks. Why take this two-step approach? The danger of immediately focusing on a few specific known risks, before first performing a broad review across all risk types, is that some less obvious but important risks may be overlooked. Hence the need for a two-step approach.

Quantitative Methodology for Supply Chain Risk Management Assessment

To illustrate our methodology for quantifying the cost of a supply chain risk management strategy, let’s assume that a firm is developing its global manufacturing and distribution network strategy for the next three to five years. In this example, we will focus on plant locations and capacity plans, and note that a similar process would occur for distribution network locations. For illustrative purposes, we narrow our example to evaluations of supply, operational and natural risks only.

Conclusion

The relative importance of supply chain risk management was increasing rapidly in practice prior to the coronavirus pandemic, and it has grown exponentially since the onset of COVID-19. Making well-informed decisions on the appropriate level of risk mitigation actions to invest in represents a difficult challenge for a firm and its supply chain professionals. Good decision-making requires a careful balancing of both qualitative and quantitative factors.

Read more at A Methodology to Quantify the Cost of Supply Chain Risk Management Strategies

Rethinking Risk Management

Anticipating emerging risks means reshaping the board.

Risk management is often cited among the top two or three items on board agendas, yet many companies have found themselves unprepared for a variety of recent shocks, including the COVID-19 pandemic, the Great Resignation, cybersecurity events, labor shortages and supply chain disruptions.

The breadth of risk for public and large private companies has grown exponentially in recent years, but few organizations have gone far enough in evolving and expanding their risk management approach to keep up with the pace of change. This is one reason regulators have stepped up enforcement of board requirements around fiduciary duties.

In some cases, boards may need to update their views about the world’s ability to deal with risks. These views may include the expectation that supply chains are infinite, labor is unlimited and the United States is always able to innovate its way out of problems.

That’s not the world today’s companies operate in. World Economic Forum, the Control Risks global risk survey, McKinsey and others have identified several of the most significant areas of current and emerging corporate risk. The top risk areas include:

  1. Proper understanding and articulation of company risk appetite, risk review objectives, and existential and emergent risks.
  2. People and talent.
  3. Mergers and acquisitions.
  4. Digital transformation.
  5. Cybersecurity.
  6. Climate risks and action.
  7. Future pandemics or similar situations.
  8. Supply chain vulnerabilities.
  9. Regulatory risks.
  10. Political risks.

These risks present challenges on many levels. Boards must identify, assess and manage risks intelligently, while simultaneously focusing on business opportunities that may arise from the very same issues. They must communicate risks not just to shareholders, but also to other stakeholders.

Today’s boards need to consider whether they have the right people, expertise, committees and processes to address today’s higher-risk business environment. Crises are likely to come faster and hit harder. However, boards that make changes to better address risk can succeed in making their companies more resilient.

The following are changes boards should consider to enhance their risk management approach and better help their companies navigate and mitigate emerging risks.

Read more at Rethinking Risk Management

10 Supply Chain Risk Management Strategies

The supply chain is the gas that makes the motor run for manufacturing and retail. Without it, you have no product to sell, no inventory to stock, and no revenue to earn. Unfortunately, there will always be disruptions to the supply chain that throw everything out of whack and force both retailers and manufacturers to scramble to pick up the pieces. In a Gartner survey, only 21% of respondents stated they had a highly resilient network, though more than half expected to be “highly resilient” within a few years. That’s a positive sign, but what exactly can be done to get ahead of those supply chain risk factors?

Proper supply chain risk management enables businesses of all shapes and sizes to take advantage of tried-and-true strategies that mitigate risk and set them up for success. In order to develop your own risk management strategy, it helps to first understand what supply chain risks you might face.

What Are Some Supply Chain Risks?

Supply chain risk management refers to the process by which businesses take strategic steps to identify, assess, and mitigate risks within their end-to-end supply chain. There are both internal and external risks that can disrupt your supply chain, so it’s helpful to understand the difference between the two.

External Supply Chain Risks

As the name implies, these global supply chain risks come from outside of your organization. Unfortunately, that means that they are harder to predict and typically require more resources to overcome. Some of the top external supply chain risks include:

  1. Demand Risks: Demand risks occur when you miscalculate product demand and are often the product of a lack of insight into year-over-year purchasing trends or unpredictable demand.
  2. Supply Risks: Supply risks occur when the raw materials your business relies on aren’t delivered on time or at all, thereby causing disruption to the flow of product, material, and/or parts.
  3. Environmental Risks: Environmental risk in the supply chain is the direct result of socio-economic, political, governmental, or environmental issues that affect the timing of any aspect of the supply chain.
  4. Business Risks: Business risks occur whenever unexpected changes take place with one of the entities you depend on to keep your supply chain running smoothly — for example, the purchase or sale of a supplier company.

Internal Supply Chain Risks

This refers to any supply chain risk factors that are within your control, and that can be identified and monitored using supply chain risk assessment software, robust analytics programs, IoT capabilities, and more. Although internal supply chain risks are more manageable than external ones, they’re still — to some degree — unavoidable. Here’s what to look for:

  1. Manufacturing Risks: Manufacturing risks refer to the possibility that a key component or step of your workflow could be disrupted, causing operations to go off schedule.
  2. Business Risks: Business risks are a product of disruptions to standard personnel, management, reporting, and other essential business processes.
  3. Planning and Control Risks: Planning and control risks are caused by inaccurate forecasting and assessments and poorly planned production and management.
  4. Mitigation and Contingency Risks: Mitigation and contingency risks can occur if your business doesn’t have a contingency plan for supply chain disruptions.

Read more at 10 Supply Chain Risk Management Strategies

A blueprint for cyber supply chain risk management

One challenge for supply chain security practitioners is choosing which of the multitude of guidance documents and best practice frameworks to use when building a cyber supply chain risk management (C-SCRM) program. There is no touchstone in this arena; instead, we have shades and gradations of goodness and a plurality of approaches.

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST), SAFECode, The East-West Institute, Critical Infrastructure Coordinating Councils, and many others have published guidance on methods to address cyber supply chain risks. But to date, there is little evidence that C-SCRM practices are effective in stopping or reducing cyberattacks.

This lack of objective evidence of efficacy makes it difficult for practitioners to choose which guidance, practices or framework to use in their own operations.

When faced with this problem several years ago, at the outset of developing a C-SCRM function for a large enterprise, I created a compilation of different practices from various publications. This article is based on the compilation and provides a short narrative about why certain practices are included.

The compilation is primarily derived from practices described in NIST Special Publication 800-161, Cyber Supply Chain Risk Management Practices for Systems and Organizations, the results of a NIST-GSA-University of Maryland study (Sandor Boyson, Technovation), SAFECode supply chain guidance, the Build Security In Maturity Model (BSIMM), and a variety of other articles, blog posts, and documents in the public domain.

Much like the publications it is derived from, the compilation is intended to be used as a catalog of practices that is tailored by the user based on the particular circumstances of the supply chain that is being managed and which phase of the procurement lifecycle the practices are being used in.

The starting point is to identify which of the various practices in the document are best suited to your supply chain. For example, if you’re purchasing hardware, chain of custody and traceability practices are probably more important than they would be for a software purchase, and for software, secure development life cycle practices are probably more important than traceability practices.

The next steps are to incorporate the selected practices into your supply chain management processes, from onboarding to performance to closeout.

Read more at A blueprint for cyber supply chain risk management

5 WAYS TO KEEP VACCINE ‘COLD CHAIN’ SAFE FROM HACKERS

Rocky Mountain Regional VA Medical Center associate chief of pharmacy operations Terrence Wong opens a box containing a shipment of the Pfizer-BioNTech COVID-19 vaccine before storing it in a freezer on December 15, 2020 in Aurora, Colorado.

A major health system commissioned the study, which finds that an attacker located near equipment like freezers and coolers could use electromagnetic interference generated by simple devices like walkie-talkies to fool temperature sensors into giving false readings.

The interference could cause a cooler’s temperature monitor to falsely indicate that the vaccine inside has become too warm to use, or it could cause a freezer to malfunction and spoil its contents.

The good news is there are simple steps that hospitals and health systems can take to protect themselves. Kevin Fu, then associate professor of electrical engineering and computer science at the University of Michigan, led the study. Fu later joined the FDA as acting director of medical device cybersecurity. He recommends the following five steps:

1. Restrict access to data like temperature displays

A potential attacker might try to devise a hack using trial and error—trying several different types of electromagnetic interference (EMI), such as radio waves from walkie-talkies, while watching temperature displays or other data to see which type of interference is effective.

Health systems can protect against this kind of attacker by making data points like temperature readouts less visible. This could be done by:

  1. Installing blinders on temperature displays, similar to those on ATMs and voting machines.
  2. Eliminating real-time temperature displays when possible.
  3. Moving displays to make them less visible—for example, turning a display so it can’t be seen through a room’s doorway.
  4. Restricting access to areas where temperature displays are located.

2. Keep the details about your sensors confidential

If a prospective attacker knows which sensors you use, they could buy an identical model, then work out the details of an attack off-site. Health systems can reduce the likelihood of this by keeping model numbers and other details about the temperature sensors in equipment like coolers and freezers confidential.

3. Keep the locations of your sensors confidential, and move them frequently

To successfully carry out an attack, a hacker must put an EMI device within a certain distance of the targeted equipment. There are a number of ways that health systems can make that more difficult. They include:

  1. Keeping the locations of cold chain equipment confidential.
  2. Frequently moving equipment to different locations.
  3. Moving equipment toward the center of the rooms where it is stored. This makes it more difficult to carry out an attack from an adjoining room.

4. Select the lowest possible sensor sampling rate

Temperature sensors take measurements at pre-set sampling rates—for example, once every five minutes. And a sensor with a lower sampling rate provides less data that a hacker could use to carry out an attack.

5. Use a sensor that’s less susceptible to electromagnetic energy

Depending on the specific application, it may be possible to use a sensor that’s less susceptible to interference than a traditional thermocouple, such as an on-chip integrated temperature sensor or a chemical-based temperature indicator.
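The study’s concern is a sensor reporting a false temperature rather than the chamber actually warming. As an added example (not code from the study or the article), the plausibility checks below assume a freezer whose contents cannot physically change temperature faster than a fixed rate and a second, independently wired sensor; both the rate limit and the readings are constructed sample values.

```python
"""Plausibility checks for cold-chain temperature telemetry.

Added defensive example, not code from the study or the article. It assumes
a loaded freezer whose chamber cannot warm or cool faster than
MAX_RATE_C_PER_MIN, a fixed sampling interval, and a second sensor wired
independently of the first. All readings below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Reading:
    t_s: int          # seconds since the start of the log
    celsius: float    # temperature reported by the sensor


# Assumed physical limit (constructed value): a change between two samples
# larger than this rate points to a sensor or signal problem, not a real excursion.
MAX_RATE_C_PER_MIN = 0.5


def implausible_jumps(readings: List[Reading],
                      max_rate: float = MAX_RATE_C_PER_MIN) -> List[int]:
    """Return timestamps whose change since the previous sample exceeds the
    physically possible rate for the elapsed interval."""
    flagged = []
    for prev, cur in zip(readings, readings[1:]):
        dt_min = (cur.t_s - prev.t_s) / 60.0
        if dt_min <= 0:
            continue  # duplicate or out-of-order sample; not a rate question
        if abs(cur.celsius - prev.celsius) / dt_min > max_rate:
            flagged.append(cur.t_s)
    return flagged


def sensor_disagreement(primary: List[Reading], secondary: List[Reading],
                        tolerance_c: float = 2.0) -> List[int]:
    """Cross-check two independent sensors sampled at the same instants.
    A single disturbed sensor diverges from its partner; a real excursion
    (a door left open) moves both readings together."""
    by_time = {r.t_s: r.celsius for r in secondary}
    return [r.t_s for r in primary
            if r.t_s in by_time and abs(r.celsius - by_time[r.t_s]) > tolerance_c]


def assess(primary: List[Reading], secondary: List[Reading],
           max_rate: float = MAX_RATE_C_PER_MIN,
           tolerance_c: float = 2.0) -> Dict[str, List[int]]:
    """Combine both checks. A flagged sample should trigger a manual check of
    the unit, not automatic disposal of its contents on a single reading."""
    jumps = set(implausible_jumps(primary, max_rate))
    disagree = set(sensor_disagreement(primary, secondary, tolerance_c))
    return {
        "suspect": sorted(jumps | disagree),       # flagged by either check
        "both_checks": sorted(jumps & disagree),   # flagged by both checks
    }


# Constructed sample: 5-minute sampling, freezer held near -70 C. At t=900 s
# the primary sensor alone reports -40 C (a 30 C change in one interval) and
# returns to normal at t=1200 s; the second sensor never moves.
SAMPLE_PRIMARY = [Reading(0, -70.1), Reading(300, -70.0), Reading(600, -70.2),
                  Reading(900, -40.0), Reading(1200, -70.1), Reading(1500, -70.0)]
SAMPLE_SECONDARY = [Reading(0, -70.0), Reading(300, -70.1), Reading(600, -70.1),
                    Reading(900, -70.0), Reading(1200, -70.2), Reading(1500, -70.1)]

if __name__ == "__main__":
    print(assess(SAMPLE_PRIMARY, SAMPLE_SECONDARY))
```

A genuine warm-up would show a gradual rise on both sensors and pass both checks, which is what separates a real excursion from a single fooled sensor.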

Read more at 5 WAYS TO KEEP VACCINE ‘COLD CHAIN’ SAFE FROM HACKERS