Procurement Risk Management: Supply Chains Under Attack

By Laura V. Garcia
Supply Chain Digital explores the state of risk management across global supply chain networks...

The truth is, procurement never really did have an easy go of it. It’s a tough gig. Those who procure build a tough skin, impenetrable to the daggers launched from all directions. Production, sales, quality control, management: the list of stakeholders procurement needs to appease is a long one. The challenges faced in ensuring you buy, and they deliver, the right item, at the right time, in the right quantity, and of course, at the best possible price, have always been great.

And yet, they’ve just gotten greater.

Adebayo Adeleke, a leader in the supply chain risk management and geopolitics arena, warns, “While the landscape of risk has never remained static, 2020 brought an onslaught of new threats, most notably at the intersection of geopolitics and cybersecurity. For those looking to remain viable, fortifying your defences by increasing visibility, unearthing threats, and responding with robust mitigation efforts and action plans is no longer an option.”

From “JIT” to “JIC”

For many, risk management is a task done intuitively—habits formed after we’ve been burned. We’ve learned to worry when the radio announces snowfall or the news speaks of a rail strike. We know what is likely to happen and how to dodge the effects of a hurricane or that ocean container that never, ever arrives when you think it will.

We revert to our “just in case” plans, buffer our commitment dates, beef up our safety stocks, and rely on the perhaps more pricey but also more dependable suppliers. But what happens when the world all of a sudden doesn’t look like it did? When that thing everyone always said you should fear, the one that sounded more like a Keanu Reeves movie than anything you actually had to worry about, rises up, looming threateningly over every link in your supply chain?

COVID-19 showed us all too well that today’s supply chains are multi-tiered, interconnected, global networks with highly combustible soft points. As store shelves ran empty and life-saving supplies ran low, the repercussions of poor visibility (most often opaque beyond tier 1 suppliers), just-in-time (JIT) inventory and low-cost country sourcing (LCCS) practices were highlighted on the news channels for the world to see.

The year everybody is sick of naming made it all too apparent that our values had quickly shifted. As procurement professionals well know, price is top of everyone’s mind, until availability becomes an issue. When your machines are left idling, risk management is suddenly the prevalent motivation. Although there is no arguing that risk management builds supply chain and organisational resilience, it requires valiant effort, time and resources most organisations simply don’t have.

Luckily, there’s help.

Contingent is a revolutionary platform that looks to help its clients build operational resiliency by leveraging AI to identify, map and monitor supply chain risk. In December the company announced it had raised approximately €1.7 million in seed funding led by Connect Ventures, which it will use, in part, to focus on data analytics that will help to measure supply chain resilience.

Tai Alegbe, CEO and co-founder of Contingent, said: “There’s never been a greater need to ensure our supply chains are robust and fit for purpose, and this fresh capital injection will ensure our customers have the tools they need to deliver operational resilience. To put it simply, traditional third-party risk management solutions have significant shortcomings, relying on static and reactive monitoring of suppliers which inevitably leads to inaccurate insights. That’s why we’ll be investing heavily in R&D and creating new enterprise partnerships, so more users have access to our proactive monitoring capabilities and deep insights and analytics.”

Supply Chains Under Attack

Cyberattacks are skyrocketing. Due to new “next-generation” stealthy tech, cybercrime has become highly profitable and is often politically motivated as well as government-sponsored.

Emboldened by their fine-tuning of tactics, eCrime criminals and crime groups upped their ransomware demands and initiated more attacks throughout 2020. These threat actors have begun weaponising the sensitive data they exfiltrate, monetising it by threatening to leak proprietary or just embarrassing, brand-harming information.

According to Cybercrime Magazine, global ransomware damage costs are estimated to reach US$20bn by 2021, 57 times more than they were in 2015.

According to Sonatype’s 2020 State of the Software Supply Chain report, “In the past 12 months, the number of next-generation cyber attacks aimed at actively infiltrating open-source increased 430%. The attacks are a uniquely efficient way for adversaries to gain leverage and scale by exploiting software supply chains.”

Looking Ahead

Operational technology and industrial control systems reliant on 5G, industrial internet of things (IIoT) and machine learning are also expected to become hot targets. For all their advantages, internet-based technologies widen the scope of opportunity for our allies and deepen the potential impact, making it all that much more attractive.

From Booz Allen’s 2021 Cyber Threat Trends Outlook report: “Booz Allen expects threat actor interest in targeting platform-as-a-service (PaaS) solutions—particularly cloud-based development environments—to rise as a potential vector for conducting supply chain attacks… Further refinement of tactics used by ransomware operators is likely to include threats against third-party data, suppliers, customers, and other relational targets.”

To put it succinctly, when it comes to risk management, cybersecurity throughout your value chain should be at the top of your list. However, the old menaces still exist, the risks of which we must continue to mitigate. The hurricanes don’t stop because e-crime is on the rise. Your volatile currency pairings are now likely even more volatile, bringing heftier financial risk. And as the world continues to change, we must remain vigilant on identifying where new threats may arise.

As Avetta, a leader in cloud-based risk management, says, “Organisations are always at risk for losses through cost volatility, supply disruption, non-compliance fines, and safety incidents that cause damage to their brand and reputation. Knowing what’s at stake is the first step to understanding, measuring, and managing risk in your supply chain.”

Risk management is still, in large part, a daily task, a culture ingrained in those who have learned better. But this we ask you to remember — although acting on instinct is good, a sound, robust risk mitigation plan that follows the fundamental principles of risk management is even better. For managers who are under pressure to increase sales and profits or to shave days off of “time to market”, risk management must not be allowed to be a fleeting or reactive thought.

As management teams select their control mechanisms, allocate resources, build their risk mitigation strategies, and design processes, they must do so with today’s realities at the forefront of their minds.

