How do we actually address Supply Chain Concentration and Resilience Risk? Disaster has a way of bringing ‘supply chain’ into the common lexicon. In the aftermath of the 2011 Tohoku earthquake, major companies including Apple and Toyota experienced shortages of components manufactured in Japan. At the beginning of the COVID-19 pandemic, we all experienced scarcity as demand for paper goods and pasta surged beyond store inventory. When household names and handheld objects are in short supply, global production becomes a pop culture preoccupation.
In Third Party Risk Management culture, awareness around the systems of organizations, people, activities, information and resources that drive our organizations is always in fashion. But the supply chain is an especially prominent concern in the field of risk with the underlying fragilities revealed by COVID-19. Accordingly, Shared Assessments’ Tom Garruba, CISO, met with supply chain risk expert Dr. Andrea Little Limbago, VP, Research & Analysis, Interos, and third party risk management leader John Beattie, Principal, Sungard Availability Services, to investigate the two key factors impacting the vulnerability of extended supply chains: Concentration Risk and Resilience Risk.
Concentration Risk speaks to risk arising from reliance on a single provider, sector or location. This includes relying on a single vendor to provide a certain product or service and it includes relying on multiple vendors in the same geographic location. Cloud services emanating from one availability zone or region also contribute to concentration risk. To address Concentration Risk, familiarizing ourselves with strategies developed during previous bouts of supply chain pressure is helpful. Before COVID-19, the Tohoku quake drove Toyota to evolve a sophisticated supply chain management system. This solution includes a meticulous parts tracking process based on surveys to suppliers in 650,000 sites. Additionally, Toyota’s approach invites collaboration with competitors who can manufacture redundant components when needed.
During COVID-19, Concentration Risk has been brought to the forefront by China. As the progenitor of the virus itself, China has seen a 14% reduction in manufacturing. Because of China’s deep integration in US supply chains, the drop in production is widely experienced and especially evidenced by US dependency on rare earth materials. 90% of rare earth minerals – critical to semiconductor/electronics manufacturing and the defense industry – are mined and processed in China. As tensions between nations rise, there is a scramble to repatriate supply chains to alleviate rare-earth concentration risk before the next natural or political disaster.
Resilience Risk is impacted by how organizations work through challenges with respect to Concentration Risk. Resilience Risk is a measure of how well an organization can bounce back and persist in light of disruptions. As the pandemic persists, can the vast business network itself survive? Can your organization respond and persist through disruptions? Fundamental forms of Resilience include:
- Cyber Resilience: An organization’s ability to continuously deliver end product/service despite adverse cyber events. What does your organization have in place from a security perspective so you will not have to enact continuity or recovery plan to get your systems back online?
- Data Resilience: The ability for organization to safeguard data and recover clean data after it has been compromised by cyberattack. Impacted by the growing threat of ransomware, where we see only 25-50% of organizations successfully negotiating to retrieve data back.
- Business Resilience: Ability an organization has to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets and overall brand equity.
To understand Business Resilience fully, a conceptual overview of the organizations resources, activities, products/services and mission is necessary. What happens if any one of these things or parts of these things is taken away? How does the organization respond? Business Resilience is a consideration of the unavailability of resources and the capabilities in place for you and your vendors to overcome unavailability. Business Resilience hinges on developing business continuity plans around the activities and resources detailed in this schematic:
Concentration and Resilience Risk permeate all aspects of an organization, internally and externally. In a recent survey by The Atlantic Council, 44-53% of respondents cited inadequate planning for near an long-term disruptions as a vulnerability in their supply chains. 2/3 of respondents anticipate moderate or significant adjustments to their supply chain in the long-term. 60% anticipate these changes to include prioritization fo contingency planning and crisis modeling.
By adopting a “resilience by design” mindset, your organization will navigate current and future supply chain disruptions. The supply chain fragility we have experienced during COVID-19 points to the essential need for preparation. Identify your critical operations and third parties and vendors. This means asking specific questions regarding your vendor’s Business Resilience Controls that extend to details about their supply chain. This means prioritizing critical business services to recover, establishing impact tolerances and determining what metrics should be monitored – a few key metrics are appended in the table below.
