SCM & Risk Management: A Guide to Securing your Supply Chain
The UK’s National Cyber Security Centre (NCSC) has published guidance on Supply Chain Mapping (SCM).
NCSC defines SCM as the process of recording, storing, and using information gathered from suppliers involved in a company’s supply chain. The goal is to have an up-to-date understanding of the network of suppliers to manage cyber risks effectively and perform due diligence.
NCSC notes that “SCM follows the principles of all good risk management. Organizations need to understand the risks inherent in their supply chain and then introduce security measures that are in proportion to the likelihood (and impact) of those risks materializing.”
What is Supply Chain Mapping (SCM) and why is it important?
If you’ve read the word ‘mapping’ and imagined some fancy graphical visualization of supply chains, you may have jumped to thinking about technology solutions before business requirements. Instead, the guidance addresses the need for a repository of data that informs organizations about the risks in their supply chain.
For example, the repository should include information such as who the suppliers are, how they are connected, the products and services provided by the suppliers, the value of the information flow, assurance contracts, details of recent assessments and outstanding activities, due dates for next assessments, proof of ISO certifications, and so on.
Different organizations will have their specific requirements to collect and link data, but the starting point should be clear objectives for an overarching Supply Chain Risk Management (SCRM) program.
The role of SCM in Supply Chain Risk Management (SCRM)
For example, an SCRM program might aim to keep supply chain risks that could cause a material adverse impact on business objectives within tolerance. This triggers an immediate set of questions, such as what are the business objectives and what would be considered a material adverse impact, what supply chain risks involving which supplier(s) could potentially cause these material impacts, what is the current assessment of these risks, and are they tolerable. If not, what actions are needed to bring these risks within tolerance?
Risk is, by definition, uncertain, and we can’t avoid data breaches, disruptions, and other events across the supply chain. But we can focus our attention on those that could cause serious harm. There won’t be too many material, intolerable risks—if there were, we would already be out of business! The SCRM objectives will then drive the SCRM strategy, processes, data, and technology.
Getting our thinking straight: Objectives, strategy, and process
A valid strategy might focus on the ‘material and intolerable’ risks and ensure that ‘inconvenient, but tolerable’ risks are addressed through contract, such as the regulations and standards that we require compliance with, incident notification and response procedures, and so on.
It’s important to get our thinking straight and in the right order because certain SCRM processes and technologies won’t help you achieve your SCRM objectives on their own. For example:
- Onboarding questionnaires focused on suppliers’ general security policies, processes, and controls won’t help you unless they are specific to identified material risks.
- Security ratings platforms identify vulnerabilities at suppliers visible from the outside. This is part of the picture, but vulnerability does not equal risk, and not all risks are external.
- Supply chain data sources, such as credit ratings and ESG ratings, similarly provide part of the picture.
Once we are clear about objectives, strategy, and process, we can identify the data from suppliers that we need to collect and map. This SCM data model can then be delivered by a technology platform that also provides the required process workflow, analytics, dashboarding, and reporting.
Figure 1: Top-down approach to SCRM
To deliver on objectives a robust SCRM programme requires a top-down approach – from strategy, through process and data model to technology solution.
The data model will hold the supply chain mapping and be implemented on a technology platform that also provides workflow, analytics, dashboarding and reporting.
Challenges in implementing SCM for large organisations
The NCSC guidance recognises that acquiring SCM information, especially for large organisations with complex supply chains, can be a massive undertaking. The information, in itself is an attractive target to attackers, so all SCM assets should be held in a secure repository with strong security architecture underpinning its design.
A further complication is the rate of change within organisations as they embrace the digital era. With business models, technology, the risk landscape, regulations and geo-politics all changing rapidly and the advice from analysts, regulators and consultants evolving continually, there is a real possibility that SCRM programmes could fail badly if they are unable to adjust to these changes.
Governance, Risk Management and Compliance (GRC) solutions based around document management and workflow have a terrible reputation for very long implementation projects and inflexibility to change.
Critical requirements of a SCRM technology platform
A new breed of GRC technology platform is emerging with ‘no code’ configurability which allows for rapid implementation and provides agility to react to changing strategy, processes and data models.
Critical requirements of such a platform are:
- A flexible and configurable data model that can adapt to change quickly
- Configurable web-forms and API’s to allow collection of data from questionnaires and external data sources
- Analytics to assess risks in relation to business objectives, usually in quantitative, financial terms
- Configurable process automation workflow with scheduling and alerting
- Real-time updating of risk status when risk-factors change, e.g. increased level of threat, emergence of critical vulnerabilities
- Flexible and configurable dashboarding and reporting for decision support.
The need for flexibility and agility in SCRM technology solutions
Flexibility and agility in risk management is now critical – if your technology platform can’t be deployed within a few weeks or adjusted to accommodate new strategies, processes or data models within a few days – if you need to rely on a vendor to make changes – you do not have an agile platform and will struggle to implement SCRM.
To discuss further, or see a demonstration of a flexible and agile SCRM technology platform please contact us.
Acuity whitepaper – Getting value from Third-Party Risk Management