The New Riskonomy

Section 3: Risk openings in the supply network

Much of today’s exposure to tech risk is outside of the organisation’s direct control. Are businesses sufficiently protecting themselves, or are they underestimating and, consequently, under-preparing?

Dependencies on external partners, suppliers and vendors are a considerable source of risk, potentially impacting an organisation through service disruption, quality issues or security breaches. Although organisations have limited control over the individual links in their supply chain, there are still ways to manage associated risks effectively in order to protect stability and performance.

Riskonomy radar reading

Our Riskonomy Radar suggests that the business network is the area in which businesses are least exposed to risk. Four in five business leaders work in organisations that fall into the low risk range, indicating they can maintain and monitor their current risk management practices when it comes to internal processes.

4%

High
risk range

55%

Moderate
risk range

41%

Low
risk range

Supply chain risk formations

When considering their network, 91% of C-suite and GCs state that they assess the technology risk profile of their relevant suppliers, confirming that they recognise the potential for risk exposure.

However just 39% always assess the tech risk profile of relevant suppliers, while 53% only do sometimes.

Not pursuing proper due diligence checks means that businesses can open themselves up to potential liability – especially if they are unable to supply their customers with the services or goods that have been promised. Essentially, you are only as secure as your most vulnerable supplier.

Expert perspectives

There is a lot of tension in the supply chain at the moment, and the pressure is not going to die down. When you integrate suppliers into your process or service you need to have a true due diligence process, but when some organisations have thousands of suppliers, it isn’t easy.

With increasing and expanding regulation in this area, people are finding more innovative ways to conduct audits – especially without them having to be in-person. This is all good as long as it does not mean cutting corners as one may come to regret not having conducted proper human rights/environmental due diligence in light of the huge impact these issues might have on an organisation in the long run.

Christelle Coslin
Partner, Compliance & Litigation

Assessing the risk profile of suppliers is extremely important, especially from a regulatory perspective. We should be approaching all risks practically. Running cyber security assessments can help build up a strong defence in case of an incident. Suppliers also need to improve any measures they have in place in order to prevent incidents. Solutions can be put in place to create back-up systems in case of crisis. For example, in the retail sector, maintaining a backup e-commerce platform enables businesses to switch to the other one in case of an incident. Another example is – where possible and economically feasible – diversifying your supply chain in order to be able to pivot in a crisis.

Detlef Hass
Partner, Disputes

Although, that’s not to say that business leaders trust their supply chains to be watertight. Only sixty-eight percent believe that their supply chain partners can identify and mitigate potential data management vulnerabilities, and two-thirds (66%) are confident that their supply chain partners have adequate data management regulatory and compliance practices. Fewer (63%) trust that their supply chain partners are able to identify and mitigate potential cyber security vulnerabilities, and 61% believe that their suppliers/supply chain partners have adequate cyber security regulatory and compliance practices.

Overall

Our suppliers / supply chain partners can identify and mitigate potential data management vulnerabilities.

Our suppliers / supply chain partners can identify and mitigate potential cyber security vulnerabilities.

Our suppliers / supply chain partners have adequate data management regulatory and compliance practices.

Our suppliers / supply chain partners have adequate cyber security regulatory and compliance practices.

This leaves over a third of C-suite and GCs uncertain about whether their suppliers or partners can identify and mitigate cyber security and data management vulnerabilities, or adequately manage regulatory and compliance practices.

Building and maintaining this trust takes ongoing transparency, monitoring and communication, with suppliers upholding their commitments and actively addressing emerging tech risks or vulnerabilities. From a practical perspective, these assurances can be supported through due diligence, cybersecurity and data protection evaluations, and confirming compliance with industry standards and regulations.

Expert perspectives

At a time of crisis, the real-life relationships you have with your partners and suppliers will be invaluable. The most difficult situations to deal with are those that are a surprise. Suppliers are important to the network of any organisation – but they also come with risks. Having an open dialogue and not hiding issues from your network is the way you can have the biggest impact on building trust and ultimately a positive impact on your organisation.

James Atkin
General Counsel, Equifax

Many organisations are looking to develop their own technology as a key part of their strategy to get ahead in a competitive market. But larger organisations are more concerned about the scarcity of resources, and who and what they can utilise in their network, when considering their organisation’s tech aspirations.

Overall, just over half (54%) of C-suite and GCs believe that when considering their organisation’s technology aspirations, scarcity of resources (i.e. the limitation of financial, human and physical resources) is a growing concern. However, around half of smaller organisations believe this to be the case (50% and 53%) compared to 61% and 60% of larger organisations.

Expert perspectives

Scarcity of resources puts another layer of pressure on companies. But this should not lead companies to take shortcuts. One always needs to reflect on the depth required when investigating its supply chain in light of regulatory requirements, especially as it can take time to dig into the details around the environment and human rights.

Organisations do need to take the time to do a proper risk assessment to avoid increased litigation risks. They must ensure that processes are robust and in line with what can anticipate in terms of regulators’ expectation. The effort in the short term will only have a positive impact on your long-term growth.

Christelle Coslin
Partner, Compliance & Litigation

During, and after, the COVID-19 pandemic we have seen the direct effects of scarcity of resources on supply chain relationships. With such a large reliance on specific components, which contain semiconductors for instance, businesses are keen not to let themselves become victims of market uncertainty. As a result, many larger businesses are deciding to engage in direct sourcing of semiconductors instead of relying on component suppliers to secure their own supply with semiconductors – especially when these components are such a core part of product quality and value.

With this shift, there is a whole process change. With direct sourcing from manufacturers their indirect customers can now have greater influence on the design of semiconductor devices and ultimately components too, providing an opportunity for them to drive innovation.

Detlef Hass
Partner, Disputes

The frequency of assessing tech-related risk varies across different sectors, despite comparable concerns at a macro level, their internal processes, and their network. Currently, just 38% of business leaders in tech and telecoms claim to always assess the technology risk profile of their relevant suppliers, which contrasts with the sector’s above-average concerns surrounding cybersecurity – suggesting their approach to risk management may be too internally focused.

There is also significant variation in how seriously different sectors are approaching potential risks emerging from their internal teams. While 43% of respondents from tech and telecoms acknowledge that their internal processes present a risk, this compares with just 29% of financial institutions, 28% in consumer and 27% of those in life sciences.

This disparity may have to do with factors like growing compliance and regulatory expectations related to data, privacy and cybersecurity, where employees play an active role. Additionally, since many technology companies are responsible for deploying IT systems and technologies within other businesses, factors like human error and access to sensitive information have a significant impact on tech-related risk.

Sector spotlight

Tech and telecoms

Next chapter

Section 4: Macro risk

Read now

Chapters

Executive
summary

Read now

The Riskonomy Radar

Read now

Section 1:
Navigating the new risk economy

Read now

Section 2:
Organisational vulnerabilities

Read now

Section 3:
Risk openings in the supply network

Read now

Section 4:
Macro risk

Read now

Conclusion and recommendations

Read now

About this report

Read now