Every company — no matter what they produce — is a part of a supply chain. Your suppliers provide the tools, materials, and services your organization needs to do business.
For companies that create a physical product, the supply chain includes everything from the companies that produce raw materials or components, the businesses that make machines, and the trucking companies that transport goods and materials. For companies that work in tech, suppliers can include providers who provide physical goods (such as the companies that produce devices) but more often, suppliers are part of a digital supply chain: cloud hosting providers, point of service payment vendors, Software As a Service (SAAS) providers, and every other supplier that helps your organization make, sell, or distribute your product or service.
While your suppliers are necessary for your business — they make it easier for you to do business by lowering costs and allowing you to work more efficiently, they also come along with their fair share of risk. According to the Ponemon Institute’s latest Cost of a Data Breach report, data breaches caused by third-parties increase the cost of a data breach by an average of $207,411, and data breaches aren’t the only problems suppliers can cause for a company.
What is supplier risk management and why do you need it?
Supplier risk management, or supply chain risk management (SCRM) is the process of vetting your suppliers so that you can understand the risks they may pose to your organization and the supply chain itself. Organizations with strong supplier risk management programs systematically identify, assess, and mitigate threats to their assets and data that might be caused by the organization’s supply chain.
This is critical because although suppliers are essential to business, they can also do quite a bit of damage if their security controls have not been adequately vetted. According to the National Institute of Information Technology (NIST), the very factors that make working with suppliers attractive: lower costs, interoperability, the ability to rapidly innovate, and product features, also open you up to risk.
While data breaches are a threat made possible by your supply chain, such risks can also include anything from physical threats (like theft or unauthorized production) to digital ones (like a breach of your cloud hosting provider’s servers). The damage from such breaches can result in business disruption, financial loss, and harm to your brand.
A word on vendors, suppliers, and other third parties
It’s easy to lump suppliers in with the rest of your organization’s third parties, but not all third parties are the same. Although the words “vendor,” “supplier” and “third party” are often used interchangeably, there is a difference between these different groups and the risks they pose to your organization.
Supplier risk management, as we stated earlier, is the process of vetting suppliers — any organization that helps you make, distribute and sell your product.
Vendor Risk Management, or VRM, is a bit broader. VRM is the process of vetting your vendors, suppliers, and service providers, to ensure that they do not pose a risk to your organization. Vendor risk management is specific to the third parties you buy from — your vendors and suppliers. Vendors can include any third party you regularly purchase from, from the companies who provide parts to a manufacturer to cloud storage providers or other Software as a Service (SaaS) providers.
Third-Party Risk Management (TPRM) is broader still. TPRM is the process of vetting all your third parties. While some third parties are certainly vendors and suppliers, there are many other kinds of third parties a company can have relationships with including partners, contractors, and consultants. Therefore, TPRM is an umbrella that covers VRM and SCRM.
Strategies for supply chain risk management
Best practices for SCRM and supplier risk management revolve around being aware of your suppliers, knowing the threat landscape, and being able to classify vendors by their level of risk.
1. Understand who your suppliers are
Listing your organization’s third parties can be daunting for any organization. Some departments may own one or two contractors or may have purchased software without talking to IT first, for example. Understanding those suppliers will help you know your risk. Do a thorough audit and create a list of all suppliers.
2. Know the cyber risks
Once your organization has inventoried its suppliers, you can then identify and qualify your risks. McKinsey recommends this four-step process:
- Create an inventory of risks, and map them against a standardized risk taxonomy.
- Estimate the likelihood and severity of each risk, and consider potential correlations among them.
- Aggregate the risks, and rank them in order of priority.
- Manage the risks by linking them to regular business processes, such as strategic and financial planning, enterprise risk management, and controls.
3. Calculate your risk
Not all cyber risks are the same. Perform a risk analysis for each supplier using the following formula (or whichever formula you use for your organization’s risk management):
Risk = Likelihood of a Data Breach X Impact of a Data Breach/Cost
4. Assign a risk rating
Once you analyze the risk a supplier poses to your organization, set a risk rating of high, medium, or low. This rating will let you prioritize your vendor risk monitoring strategies.
The third parties who handle the most critical operations or the most sensitive data will likely be rated medium or high. Suppliers who do not interact with critical systems, networks, and data will be rated “low risk.”
5. Set up a system for oversight and monitoring
Once you’ve determined your organization’s appetite for risk, it’s time to set up a system of controls for your vendors, as well as a system of oversight. Continuous monitoring is also important when it comes to third-party risk. Suppliers may fall out of compliance, and it’s critical that you know exactly when that happens.
How SecurityScorecard can help
SCRM can be a time-consuming process. To reduce the amount of administrative time and effort spent managing relationships with suppliers, consider a smart tool that automates parts of the supply chain risk management process.
SecurityScorecard’s Atlas is a tool that streamlines your vendor risk assessment process. Using our platform, your organization can upload vendor responses to questionnaires. Atlas’s machine learning compares their answers to previous questionnaires and the platform’s analytics, verifying responses almost immediately and alerting you to any issues immediately so you can take action and secure your cyber assets.
