Third Party Risk Management
Supply chain risk is a popular subject of concern at the moment.
There have been a number of recent papers and studies undertaken surrounding supply chain complexity and risk assessments.
As one would expect, some of these are informative and worthwhile whilst others are fueled by fear, uncertainty and doubt. There are also a number of vendor papers which need to be taken with a pinch of salt and if you feel that your organisation may be "supply chain wounded" then salt is exactly what you don't need rubbing in.
I read a worthwhile paper produced by Deloitte entitled "The Ripple Effect" containing useful commentary and observations surrounding the complexity of supply chains, the effect of disaster on one supplier, and how that effect can be sometimes amplified and sometimes attenuated as it passes through the supply chain.
When it comes to supply chain risk though, I see lots of uncertainty in the analysis and commentary and often the complexities are talked up in order that services and products can be sold.
Examples of disaster effects are often limited to environmental catastrophe, something which I see as being a generally attenuated effect, where those affected rapidly adjust and find ways to adapt and reduce the resultant impact at each step of the chain.
However, one noticeable trend is the rapidly increasing reliance on inter-operational use of information technology. Sometimes this can even be synchronous, where two parties in the supply chain are reliant on the integrity and availability (and sometimes even confidentiality) of information which they exchange through a symbiotic business relationship. As a result, risks become considerably more complicated and the potential impacts hard to quantify.
Something which, in my view, actually amplifies the effect is that supply chains are generally managed by procurement departments, and more often than not procurement professionals are very immature when it comes to understanding risk in general and information risk in particular.
I recommend that a good place to start is one which should appeal to procurement professionals, as it is one where they should get the most assurance "bang" for their buck. This approach also keeps assurance relatively simple and avoids spending too much time where one risks getting sucked into the complexity of the problem.
This solution is to use a certification process such as Cyber Essentials as a mandatory (or strongly suggested) requirement for an organisation's suppliers. Doing so will NOT address all risks. However, it will address a large and important chunk of cyber risk, namely that driven by threats from external hacking and malware, through the implementation of a reasonably inexpensive benchmark.
Less talk, more action is the order of the day when it comes to attaining a more acceptable level of supply chain risk.