1 Introduction
Managing business supply chains has never been a simple task. Many businesses deal with complex, multi-tier supplier landscapes. The level of vertical integration in manufacturing has decreased massively over the past decades, and in the age of Digital Transformation the complexity of supply chains increases further. Today’s supply chains involve not only traditional manufacturing and physical goods, but also the software and services that form the final product or service. Many supplier components are either pure software or contain software that must interoperate smoothly with other components.
On the other hand, the pressure from laws and regulations is growing, in areas such as product liability and quality assurance, but also data privacy and information protection. In fact, a variety of risk categories affect the supply chains of businesses:
- Financial risks, e.g. a supplier going out of business
- Geopolitical risks, e.g. deliveries restricted by changing export regulations or disrupted physical delivery
- Environmental risks, e.g. violations of specific labor or materials regulations, or increased costs due to penalties
- Regulatory risks, e.g. fines or disqualifications
- Cybersecurity risks, e.g. compromise of the security and safety of the produced goods and services, potentially causing severe global security incidents
- Privacy risks, e.g. violations of privacy regulations that result in fines
The biggest challenge arising from these risks is disruption of the supply chain, leading to stops in the manufacturing process and delays in the delivery of goods and services, or worse. Third-party risk is one of the greatest threats to business continuity and a major source of lost revenue, lost profit, reputational damage, and physical and property damage.
In complex supply chains, managing this risk becomes a major challenge. Some of the difficulties include:
- Multi-tier relationships across the supply chain in which not all levels of suppliers are known to the manufacturer, resulting in a loss of control
- The varying ability of suppliers to limit their own risks and the risk they pose to their partners along the supply chain: small businesses may be less capable of managing such risks, while large suppliers may manage them better but, due to their size and relevance to the supply chain, can cause more significant damage if a major issue occurs
- Even small suppliers can halt manufacturing if they deliver essential components and are hard to replace
- Software-based risks, including cyber risks, are even harder to track in quality assurance processes than risks from physical goods
Cyber risks have become one of the major concerns among supply chain risks, as they present a major opportunity for attackers to collect intelligence, steal IP, and run other types of attacks, including blackmail and causing physical damage to produced goods and their users.
Having a clear view of the suppliers along the supply chain, their qualifications, certifications, and compliance risks, and their ability (and practice) to execute risk-mitigating procedures is essential for today’s businesses. The challenges in this area include:
- Unclear risk status caused by missing or disjointed compliance processes
- Missing, slow, conflicting, or incomplete supplier qualification and certification processes
- No coherent view of supplier data across multiple data stores
- No consistent enforcement of up-to-date supplier certifications, and the resulting risk of expired certifications
- Manual and repetitive certification processes for suppliers, which must run similar or related processes for each of their customers
There is a need for Supplier Risk Management, which is not covered well by today’s common applications. As of today, businesses still mostly rely on home-grown solutions, frequently covering only a subset of the supply chain. Enterprise-level Supplier Management solutions focus less on the risk along the supply chain and more on the formal management and onboarding of suppliers. IT GRC (Governance, Risk, and Compliance) solutions, on the other hand, frequently serve more as generic tools than as solutions specific to the challenges of Supplier Risk Management, and they do not span the supply chain. In fact, none of today’s solutions enable efficient management of risks across an entire supply chain involving multiple manufacturers and suppliers.
Supplier Risk Management must deliver capabilities such as:
- Risk identification across a variety of risk factors and regulations for relevant suppliers
- Efficient implementation of self-assessment, assertion, and other forms of proof for suppliers, in a re-usable manner that allows suppliers to perform assessments once for multiple customers
- Validation of self-assessments and other attestations
- Segregation of information between various parties such as competitors and across multiple tiers of the supply chain
- Aggregation of third-party risk and threat information and linkage to suppliers
- Risk scoring and related services for supplier selection by buying agents
Exostar, a US-based company, started as a collaboration network for the Aerospace & Defense industry. As part of its secure business collaboration services along the supply chain, Exostar offers a Supplier Risk Management solution.