As linguists and lexicographers ponder “Word of the Year” candidates, it’s a safe bet that “complexity” is in the running. Risk managers and supply chain leaders would no doubt argue the term’s merits over “vaccine,” “variant,” “ransomware” and other words competing for the honor.
Complex supply chains are not unique to 2021, but supply chains were exceedingly complex during the past 12 months given the numerous disruptions (including ransomware and COVID-19 variants among others) affecting partners and nth parties during the past 12 months.
“The supply chain was getting more complex prior to the pandemic because the number of links in the chain was increasing,” notes Shared Assessments’ Senior Advisor, Bob Jones. “During the pandemic, many of those links have broken, including links that outsourcers didn’t even know existed.”
The Shared Assessments Best Practices Awareness Group, whose work Jones facilitates, invested significant time and effort in the past year examining the implications of the complex supply chain (see the links that follow), and Jones expects supply chain complexity to remain a top third party risk management issue in 2022. That’s why risk managers are wishing for – and working toward — the following improvements:
- Greater Resilience: “Resilience was a big element of 2021,” Jones notes. “In response to the complex supply chain, organizations worked to develop greater resilience.” He stresses that resilience centers on being able to respond effectively to unexpected events and disruptions. “Resilience requires a complete understanding of the interdependencies with other organizations, whether they be third parties or competitors,” Jones and three co-authors write in a Shared Assessments article that examines strategies for building resilience. “Robust risk management anticipates where problems are most likely to occur and develops approaches to minimize disruptions. Organizations need to design and exercise a repeatable process to guide the review of their own and their vendors’ business operational procedures, controls, and continuity recovery plans. Mapping business processes end-to-end is critical.”
- Sharper Nth Party Visibility: As Jones, notes, COVID-19 disruptions shed a harsh light on nth party risks. Gaining a higher degree of visibility into nth party suppliers requires a comprehensive effort – one that involves mapping the entire supply chain so that sufficient due diligence can be collected on the parties. “To identify critical dependencies, the complete supply chain needs to be mapped,” writes TPRM experts Kaelyn Lewis, Brenda Ferrraro, and Angela Dogan. “To conduct a complete risk analysis across your supply chain requires a targeted information management effort that covers both inbound (supplying the outsourcer’s product) and outbound (to the customer) supply chains. Completing this process allows your organization to adopt a proactive stance in which resilience planning can be taken before a disruption occurs.” The authors also stress that mapping is not a one-size-fits-all process, and their article also identifies challenges that require attention and more than a half-dozen approaches to developing a more proactive nth-party risk management capability.
- More Risk Operations Centers: Jones describes a Risk Operations Center as a key element of a mature risk management program and one that manages and produces “real-time, automated, curated data” that equips third party risk management teams with valuable insights on nth parties and other third party risks (e.g., cybersecurity risks, the financial viability of vendors, environmental, social and governance (ESG) issues and more). “Its goal is to gain significantly greater insight into the issues that you face on an ongoing basis,” Jones and his co-authors write in an article that examines how these mechanisms also facilitate predictive analytics and horizon scanning. “A Center provides an established pathway to receive data, validate and synthesize the information, and report to the necessary functions across the organization to manage the risk. It also provides a path for risk managers to use information more collaboratively and effectively than a decentralized process.”
Other enablers and mechanisms (e.g., greater C-suite involvement) also help risk managers contend with complex supply chains. All of those approaches will be important to consider adopting and refining in 2022 as supply chain complexity intensifies.