U.S. Supply Chain Disruptions Task Force: 7 Steps to Improve Supplier Risk Management
On June 8, 2021, U.S. President Biden announced the Supply Chain Disruptions Task Force to Address Short-Term Supply Chain Discontinuities. The Task Force was announced alongside results from the President’s 100-day review of critical supply chains in the wake of widespread shortages, such as for semiconductors, as a result of the COVID-19 pandemic. The Task Force will identify and combat trade practices that undermine U.S. supply chains, onshore essential medicines production, and identify U.S. sites where critical minerals such as those for batteries can be produced.
7 Steps to Simplify Supplier Due Diligence
The findings from the 100-day review will likely result in manufacturers, transportation companies, construction firms, and pharmaceutical companies offboarding old offshore suppliers and onboarding new domestic ones as production of critical materials shifts back to the U.S. To simplify and accelerate the inevitable due diligence process and ensure that suppliers are securely offboarded, organizations should consider these 7 steps for supply chain risk management:
1. Implement a comprehensive supply chain partner pre-screening program
Ensure that procurement and sourcing teams have access to insights pertaining to all new supply chain partner security, operational, data privacy, and financial practices. Pre-contract due diligence should consider existing cybersecurity and privacy assessment results, reputational information, breach history, legal actions, sanctions and other intelligence to inform sourcing decisions – alongside any inherent risk data.
2. Include multiple internal teams when onboarding new suppliers
Typically, the procurement team is responsible for managing the supplier relationship lifecycle, but multiple departments that interact with suppliers (e.g., production teams) may have insights to contribute or specific requirements for supplier assessments. That’s why it’s important to knock down the silos that sometimes separate teams and open onboarding tasks to any party that interacts with the supplier. A simple intake form can accelerate the process.
3. Assess supply chain partners regularly – especially for business resilience and SLA performance
Antiquated spreadsheet-based risk assessment processes aren’t going to cut it anymore – especially if you are assessing a new supplier critical to the products you deliver and can’t afford the risk that comes with manual work. Instead, leverage an automated solution that hosts vendor assessment questionnaires, automatically raises risks if results don’t line up with expected risk tolerance levels, and offers specific remediation recommendations to close potential vulnerabilities. Regularly assessing suppliers on their SLA performance, business continuity, incident response and disaster recovery plans provides insight into how resilient they will be in the face of a disruption (e.g., another pandemic) and can better inform contract renewal discussions. An outsourced model will enable you to offload complex supplier assessments to risk management professionals so you can focus on risk remediation instead.
4. Fill gaps between assessments with continuous cyber, business and financial monitoring
Regular – usually annual – assessments are essential to documenting third-party supplier controls, policies and processes, but they are static in nature. Adding dynamic, real-time third-party monitoring across the following sources will help to catch potentially adverse supplier events before they impact your business.
- Cyber Intelligence: Criminal forums, onion pages, dark web special-access forums, threat feeds, paste sites for leaked credentials, security communities, code repositories, and vulnerability databases.
- Supplier Reputation: Public and private sources of reputational information, including regulatory and legal actions, M&A activity, sanctions, adverse media, politically exposed persons, and conflicts of interest.
- Financials and Investments: Financial performance, turnover, profit and loss, and shareholder funds transparency.
The challenge that many organizations face here is that it typically requires multiple tools to obtain these insights. When they do get this intelligence, it’s usually not aligned with the results of regular risk assessments – making validation a challenge. Look for solutions that unify periodic assessment results with continuous monitoring to make risk identification and mitigation faster and more complete.
5. Validate critical controls
Sometimes a supplier is so critical to the success of your company that standard risk assessments won’t suffice. For these truly critical suppliers, extend your risk analysis to include a review of assessment responses and documentation against established control testing protocols to validate supplier-indicated controls. Validation can be performed by third-party experts or auditors and is recommended for suppliers whose failure is not an option.
6. Know your Nth parties
Your suppliers rely on their own suppliers to deliver goods and services to you and other customers. And you need to respond quickly when an adverse event crops up in your extended supply chain. That’s why it’s important to identify and visualize relationships between your organization and third, fourth and Nth parties to discover dependencies and risks and avoid disruptions.
7. Manage offboarding just as diligently as you manage onboarding
A recent study showed that 60% of companies do not actively assess supplier risks during offboarding. Risk doesn’t end when the business relationship ends; organizations must ensure that their supply chain partners follow data destruction parameters, eliminate access to their networks, and terminate financial agreements. Integrating offboarding and termination workflows with regular risk assessments ensures that vendor management teams have an end-to-end view of supplier relationships and can track risks to closure.
Next Steps for Supply Chain Risk Assessment
Your organization can be exposed to a tremendous amount of risk as it onboards and offboards critical suppliers. Having a prescriptive process in place that automates the required tasks ensures that important risks aren’t missed, while adding confidence and repeatability to your third-party risk management program. Get started assessing your own internal processes for third-party risk management with our free maturity assessment or contact us for a strategy session.
Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management company Prevalent. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance.