Poor supply chain risk management, or a total lack thereof, will hurt the long-term success of your organization. Supply chain risk management is not just for organizations in the manufacturing, defense, or pharmaceutical industries. The supply chain of any organization could impact the delivery of computers for newly hired personnel, other hardware or infrastructure required to support internal operations, telecommunication service levels, professional services, or even supplies that are necessary to support daily services provided to customers or clients.
COVID-19 and its aftermath highlighted the importance of supply chain risk management due to the global impact of the pandemic. Laptops were in short supply. Infrastructure devices were back-ordered. Professional services were impacted. To ensure your organization is protected to the greatest extent possible, supply chain controls should be defined and implemented. Safeguards should be used to protect against supply chain risks to systems, system components, or system services. This is necessary to limit the harm or consequences from risk events that may impact your supply chain.
Implement supply chain risk management processes to identify and manage risks in your complete end-to-end supply chain. This should include all risks, all tiers, and all supply objects for your critical systems and operations.
The supply chain risk management component of your overall risk management program should be implemented with appropriate control requirements. Processes should be defined to manage risks associated with systems’ development, maintenance, and disposal. Once documented, this information should be reviewed and updated regularly (e.g., at least annually).
Ensure your overall risk management and third-party risk management programs work in concert to facilitate the necessary processes for effective supply chain risk management. Suppliers and third-party partners that provide information systems, components, or services should be identified, prioritized, and assessed. Artifacts should be collected and maintained to serve as evidence of control effectiveness.
Contracts should be used to implement appropriate control measures to protect your organization’s supply chain. It is strongly recommended to conduct incident response and business continuity plan testing with critical suppliers and other critical third-party providers. This is often necessary to ensure that their products and services can be maintained during adverse scenarios. These testing activities may require extensive planning but will provide significant long-term benefits to your organization.