
Supply Chain Risk Management: Best Practices

Supply chain risk management is necessary to help companies build resilience and trust in an interconnected world. Here’s how to start your SCRM program.

2020 forced everyone to learn what a supply chain is and why it matters. When the COVID pandemic caused interruptions to global shipping operations and logistics, businesses faced shortages of goods and materials ranging from steel and lumber to computer chips and semiconductors. 

The pandemic was an outlier event, but the fragility it uncovered in our global supply chains remains. Doing business in an interconnected world means accepting the risk that international events might affect your business. 

A supply chain risk management program helps increase your company’s resilience against the unexpected. Pandemics aren’t the only disruptive events; extreme weather, geopolitical strife, and malicious system incursions can snarl supply lines in a similar manner. The one thing these events have in common is how hard they are to predict. The only thing you can do is be prepared to adapt. 

A trust management platform helps you centralize and automate your supply chain risk management efforts. Here’s what you need to know to get started.

What Is Supply Chain Risk Management?

Supply chain risk management (SCRM) is the process of identifying and mitigating vulnerabilities and threats throughout your supply chain ecosystem. This includes being prepared to respond to threats across several different domains. 

Here is a quick look at the kinds of risks involved in SCRM:

Cybersecurity and IT Risks

Everything from employee timetables to logistics to vendor records is handled digitally. Ransomware, malware, hacks, and other cybersecurity threats can easily disrupt these essential processes, as seen in the cyberattack that caused Jaguar Land Rover to pause production for over a month. 

Operational and Logistics Risks

Some threats come from an organization’s own practices or policies. This is perhaps the widest risk category, because internal or worker errors can cause issues ranging from product deficiencies to delivery delays to payment processing issues. 

Consider Boeing, which has repeatedly seen safety concerns regarding its 737 Max plane due to increased outsourcing and now has a backlog of over 5,000 unfilled orders.

Financial and Supplier Stability Risks

Price fluctuations, currency depreciation, and instability or insolvency at partner companies or third-party vendors can cause supply chain disruptions. When a necessary component doubles in price overnight or a big industry supplier folds, companies without backup plans or redundancies often flounder. 

For instance, pharmaceutical and medical technology companies almost unanimously (87%) believe the costs of materials will “increase significantly in the next 12 months,” according to PwC. Those who don’t diversify or make contingency plans in time could take a big financial hit.

Compliance and ESG Risks 

To stay competitive in global industry, it’s important to maintain your reputation and trust management. Companies must prove compliance with laws and ethical guidelines. Environmental, social, and governance (ESG) reporting asks companies to publicly affirm and take responsibility for their efforts toward sustainability, support of human rights, and controls on unethical behaviors. 

When the companies you contract with fail to comply with regulations or engage in unethical activity, that affects your reputation—and can necessitate a quick change in suppliers. Recently, Nestlé and Starbucks have been accused of buying coffee from Chinese farms that employ child labor, which has hurt their public image.

Geopolitical and Natural Risks 

Sometimes, the risks to a supply chain lie outside of an industry’s sphere of influence. Wars and other conflicts shift a country’s focus away from “business as usual,” affecting companies that rely on partners in affected regions. 

Natural disasters like flooding, fires, and other extreme weather can interrupt trade or even destroy critical infrastructure. For instance, the Red Sea shipping crisis, caused by Houthi attacks on cargo ships, has increased transit times by 30% and caused costs to double or triple.

Why Supply Chain Risk Management Matters

The more work your company does to prepare for the unexpected, the better you’ll be able to weather the fallout. Supply chain disruptions can impact your business continuity and lead to big losses if you’re not prepared. However, Deloitte found that proactively managing supply chain threats means you’ll spend 50% less to navigate a disruption.  

Being aware of potential threats allows you to build supply chain resilience. Instead of relying on a single company or sourcing exports from a specific region, your company can start to diversify its supply chain. Then, if financial, natural, or geopolitical risks hit one of your partners, you’ll have somewhere else to turn to alleviate the resulting shortage of goods. 

Modern companies also must think about their digital supply chain—the software they rely on to power day-to-day operations. An attack or other incident that takes trusted software offline can result in heavy losses. The widespread Windows outages caused by a buggy 2024 CrowdStrike update cost U.S. Fortune 500 companies a combined $5.4 billion. 

Finally, a resilient supply chain helps you build and maintain trust. Your customers rely on you to provide your products and services; any disruption to your operations means they can’t do their jobs. A data breach in your supply chain can result in your customers’ sensitive information being leaked. If you’re less than reliable as a partner, customers will look elsewhere—it’s in your best interest to decrease the risk of such incidents.

Core Components of a Supply Chain Risk Management Program

There are six main elements in an effective supply chain risk management program. Here are the processes and practices your company should have in place. 

Governance and Policy Framework

Standardize and formalize your company’s approach to risk management with an SCRM governance and policy framework. Your framework should cover internal SCRM duties and responsibilities, guidance for vendor management and SCRM processes, and requirements for your vendors. 

The framework(s) you choose must address the complexities of your company structure and supply chain. Companies with a large software supply chain might use frameworks like the National Institute of Standards and Technology’s Cybersecurity Supply Chain Risk Management framework (NIST C-SCRM). 

A more traditional supply chain might only call for a simple internal framework that addresses industry requirements and your company’s long-term plans. If you rely on third parties for both digital services and physical goods, you may need to combine the two approaches to ensure your framework fully covers your needs.

Your governance and policy framework should:

  • Lay out the objectives of your SCRM program.
  • List requirements you hold vendors to—like regulatory compliance or security certifications.
  • Note which roles hold responsibility for supporting and executing SCRM activities.
  • Specify what individuals’ responsibilities are, both in terms of actions and outcomes.
  • Lay out goals and/or KPIs and establish processes for ensuring accountability. 

This framework will form the foundation for the specific processes individuals will complete as part of your SCRM program. 

If you already have a governance, risk management, and compliance (GRC) program, the requirements of SCRM will feel familiar. Like other risk management efforts, you can organize your programs using frameworks and controls (we’ll go into those later) designed to keep your supply chain strong against potential disruptions. 

Supplier Identification and Segmentation

Start developing your SCRM program by asking leadership to map out all third-party dependencies at your company. Finance may be well-equipped to provide a list of all vendors your company contracts with, but after this initial identification, bring in the individual who owns each relationship. This individual will be the stakeholder responsible for executing any SCRM actions relating to a vendor.

For instance, your head of IT may identify tools like your email and two-factor authentication providers that employees need every day to perform their work. Physical concerns like your servers and hardware suppliers would also be under their purview. A VP of sales may identify services necessary for signing contracts and sending invoices. Leaders in departments that deal with physical products should identify all suppliers and logistics providers.

Record any company or entity that’s part of your supply chain in a centralized location. This is the start of your risk register, which you’ll use to track threats to your supply chain and your company’s mitigation strategies.

Supply Chain Risk Assessment and Scoring

Risk management starts with knowing what your risks are and how serious their effects might be. Start your risk assessment process by asking stakeholders to think about what risks might be connected to the third parties your company relies on:

  • Outages might render essential software useless.
  • Hacks and data breaches may expose your or your customers’ sensitive data.
  • Audit failures or regulatory penalties can signal to your company that a third-party vendor is not capable of safeguarding your or your customers’ data.  
  • Extreme weather may delay shipments, cause offices of third-party vendors to temporarily close, or threaten the physical environment of servers.

It may help to provide stakeholders with a list of the types of risks we introduced earlier in this article as they consider each vendor under their purview.

Once you’ve finished with the risk identification, assess your risk exposure: Have stakeholders determine how likely a risk event is to occur, how it will affect your supply chain in the immediate and long term, and how serious the consequences would be. 

Though each risk should be evaluated by the stakeholder with the most in-depth knowledge of the domain, make sure everyone is using the same risk assessment methodology. If your team doesn’t assess risks in the same way, you can’t properly identify the urgent risks your mitigation efforts should prioritize.

Finally, make sure stakeholders add their assessments and scores to your risk register. Keeping this information readily available in a centralized platform like Drata is necessary for accountability efforts and can inform your compliance efforts and reassure auditors.

Due Diligence and Onboarding

Supply chain risk management starts in the contracting process: Before you bring on a new vendor, you need to know that they take security and continuity concerns seriously. Relationships must begin with a clear communication of your company’s expectations of and requirements for vendors.

The due diligence process helps you select vendors who have strong risk management practices of their own and are therefore less likely to endanger your operations or reputation. It’s also a way for your company to gather information to help with risk assessment. 

Self-assessment questionnaires are an excellent due diligence tool; by asking companies to share details about their business policies, you can evaluate their resilience and security practices. They also make it easy to ask about past incidents that have disrupted their supply chain, like shortages or cybersecurity events. The existence of disruptions isn’t a red flag, but a company with a history of multiple similar incidents and/or a lack of policies that appropriately address their causes might not be a good partner.

For vendors that pass your due diligence process, your business agreement should lay out the level of continued security you expect. For instance, you may need software partners to comply with certain security frameworks or regulations. Or, you might require suppliers of physical goods to ensure they source products in an ethical and environmentally friendly manner. Take advantage of the onboarding period to establish regular reporting requirements and lines of communication so neither company is caught off guard when an incident occurs. 

Risk Mitigation and Incident Response Planning

No vendor relationship comes without risk—so think about how you’ll reduce risks and respond to adverse events before they happen. The solutions your company comes up with should directly address the risks you face. Refer to your risk register for guidance here. 

Where possible, diversifying suppliers of raw materials and goods decreases the likelihood that your operations will be interrupted. In other cases, you may be able to introduce backups or contingency plans in case of software outages. Managing your software supply chain may include steps like requiring certain certifications or security controls from all vendors. Regardless of the steps you take, the most severe threats should be mitigated first. 

Incident response planning must be paired with your risk mitigation efforts, unless you’re positive you’ve reduced the likelihood of a threat occurring to zero. Like your risk mitigation efforts, your incident response plans should be tailored to each specific risk in your risk register. Check out these incident response plan templates to walk you through the planning process. 

Continuous Monitoring and Evidence Collection

Finally, an effective risk management initiative requires ongoing, real-time awareness of how systems and operations are performing. When working with third parties, your visibility won’t be as robust, since you won’t have access to the same depth of information. That’s why it’s important to monitor vendors’ performance, security posture, and risks by regularly sending questionnaires or requesting updates on vendors’ risk mitigation practices. 

You can also gather data on situations that may impact your vendors—whether that’s extreme weather alerts that may disrupt physical supply chains or cybersecurity incidents that threaten software suppliers. Effective monitoring looks different for each company, so refer to your risk register to determine which threats are most important for your company to track.

Some third-party risks require active management efforts by your vendors. For instance, if your company requires regulatory compliance and undergoes frequent audits, you may need to prove that your vendors comply. If you identified a severe risk during due diligence and a vendor promised to manage the issue as a condition of your contract, you’ll need to see the evidence of their efforts. Gathering and logging this data is not only a good practice to protect against unwelcome surprises in your supply chain—it could also protect your company’s reputation if supply chain problems cause trouble for your customers. 

Companies can monitor vendors and gather evidence manually, but most modern businesses choose to invest in risk management software or a GRC solution like Drata. Risk management or GRC tools can help streamline most of the tasks in this article, and continuous monitoring and evidence collection in particular are tasks these tools can easily automate.

Supply Chain Risk Management Frameworks and Standards

A comprehensive supply chain risk management program is built on a system of controls and policies that address all potential threats. These four SCRM frameworks and standards will help your company make sure all its bases are covered when it comes to risks to your supply chain. 

NIST SP 800-161

The National Institute of Standards and Technology’s Special Publication 800-161, Revision 1 (NIST SP 800-161 Rev. 1) provides guidance on identifying and managing cybersecurity risks throughout your software supply chain. 

Cybersecurity risk management is one of the harder parts of SCRM because typical SaaS products incorporate components from many sources, and each one could have a vulnerability. SP 800-161 lays out guidance for roles, including:

  • Security and risk management
  • Engineers and developers
  • Project managers
  • Acquisition and procurement 
  • Auditors, inspectors general, and other oversight positions
  • Executives

The publication explains how to integrate your supply chain risk management program into wider risk management strategies. Following the guidance in SP 800-161 will help companies learn to manage risk and adapt to an evolving risk landscape.  

Its supply chain security practices align with the larger NIST Cybersecurity Framework (NIST CSF) and complement NIST SP 800-53, so companies already in compliance with those publications should find this an easy addition. 

ISO 28000 and ISO 27036

ISO 28000:2022 and ISO 27036-3:2023 together cover the information you’ll need to secure your software and hardware supply chains. 

ISO 28000 provides best practices for creating a security management system to protect your assets from supply chain-related risks. The framework lays out how to assess the security environment of your supply chain, determine what protective measures are already in place, identify new measures to be implemented, and align security processes and practices with larger organizational goals. It also offers guidance on how to ensure your supply chain is in compliance with any regulations or security frameworks your organization uses.

ISO 27036, formally designated ISO/IEC 27036, offers guidance to secure your software, hardware, and information technology supply chains against data breaches. This framework covers the complexities inherent in understanding and managing risks specific to information systems. ISO 27036 references many of the controls and concepts laid out in ISO 27001 and ISO 27002, so organizations in compliance with those frameworks will find many familiar concepts here. 

O-TTPS (ISO/IEC 20243)

The Open Trusted Technology Provider Standard, or O-TTPS, is a standard also published as ISO/IEC 20243-1:2023. It addresses how organizations can secure their software supply chain against counterfeit or other malicious products. 

We already mentioned how the multiple components in most SaaS or commercial software products can introduce vulnerabilities; O-TTPS was built in response to cybersecurity incidents that stemmed from bad actors creating components that got incorporated into commercial software products. Its goal is to help software developers prove the integrity of their products. The certification is open to software suppliers, providers, and integrators. Organizations that don’t fall into one of these categories should know about O-TTPS so they can require their software suppliers to be certified. 

O-TTPS maps to the NIST CSF and is referenced in NIST SP 800-161. If you’re also using one of those frameworks, adding this standard will likely complement your existing practices. 

How Frameworks Tie Into SOC 2, ISO 27001, HIPAA, and PCI

Compliance with respected supply chain risk management frameworks may strengthen your standing within other security frameworks. For instance, the actions you take under NIST SP 800-161 and ISO 27036 will complement any frameworks or regulations that require you to identify and mitigate risks within your supply chain. ISO 28000 works alongside any regulations that require compliance from third-party vendors. And O-TTPS certification complements any frameworks that focus on securing your system through policing your software supply chain. 

SOC 2

SOC 2 reports cover your vendor management practices: the way your organization assesses and monitors risks from third parties. SOC 2 requires you to have visibility into your vendor relationships, ensure third parties align with your security practices, be aware of third-party risks, and create incident response plans, among other requirements. 

ISO 27001

To comply with ISO 27001, your company must perform risk assessment, due diligence, and regular audits of third-party vendors to ensure they do not compromise your information security. Organizations are responsible for making sure vendors are in compliance with the standard and must ensure that any gaps found during vendor system assessments are promptly remediated. 

HIPAA

Any vendors who transmit, process, or store electronic protected health information (ePHI) are subject to HIPAA as a “business associate.” These vendors must comply with the HIPAA Security Rule and safeguard ePHI against unauthorized access. Organizations covered by HIPAA are responsible for assessing potential risks to ePHI, including those introduced by third-party vendors, and taking steps to mitigate those vulnerabilities. Their Business Associate Agreements (BAAs) with vendors must require HIPAA compliance.

PCI DSS 

The Payment Card Industry Data Security Standard (PCI DSS) released an entire supplement on ensuring vendors are in compliance. Any vendor that stores, processes, or transmits cardholder data, or is responsible for part of your cardholder data environment (CDE), must be in compliance with PCI DSS. The standard calls for organizations to vet third parties, include security requirements in a written service agreement, and monitor vendors’ compliance on an ongoing basis. 

Best Practices for Effective Supply Chain Risk Management

Any approach to supply chain risk management requires ingrained practices that support a larger culture of security. The following best practices may not be included in every risk management framework, but they’ll help you no matter which you choose.

Establish cross-functional governance so all departments and leaders who own third-party relationships have a part in your SCRM program. Stakeholders should feel empowered to help determine policies and procedures, perform due diligence, help with risk assessments, conduct incident response planning, and manage the security side of vendor relationships. Greater involvement will lead to a stronger program, as each individual has the most insight and expertise around vendors they work the most closely with.

Implement structured risk assessment and scoring models to ensure everyone is on the same page when creating your risk register. For risk mitigation and incident response planning, organizations need to prioritize the most severe risks. If people aren’t grading risks on the same scale, your risk management decision-making will be skewed.

Automate vendor due diligence and monitoring to save time and resources. GRC platforms can send out vendor security questionnaires and follow up on outstanding issues, gather evidence that auditors will use, and continuously track and test controls to alert your team when a potential issue arises. Manually performing all these tasks is a huge burden on teams and can lead to lower levels of compliance with your SCRM framework. 

Align with standards and regulatory expectations to prevent duplicate work for your team. Most regulations or security frameworks include some requirements around managing the risk from third-party vendors. Choose an SCRM framework that works alongside existing compliance efforts. For instance, if you’re already compliant with other ISO frameworks, ISO 28000 and ISO 27036 will use familiar approaches to SCRM. Or if you’re already working under other NIST standards, use SP 800-161 to complement your efforts. 

Maintain transparent proof of controls for customers and auditors. SCRM benefits your company even if no one knows about it, but it also ties into larger compliance efforts and trust-building. Keeping full records that are easy for auditors to access will help your audits go faster. And potential business partners and customers who want to build security and resilience into their own operations will appreciate seeing your SCRM efforts laid out in a Trust Center.

Automate Supply Chain Risk Management With Drata

Companies ready to take their supply chain risk management program to the next step should start with a GRC tool with the right features to support them. Drata connects your SCRM program with other compliance tools with features like built-in control libraries, cross-framework control mapping, and even the ability to create custom compliance frameworks. 

Drata automates your SCRM program by integrating with your tech stack and providing continuous control monitoring across all your software. Automated evidence collection linked to its Audit Hub streamlines the entire audit process. Plus, Drata offers a Trust Center so you can publicly share your compliance efforts and your security posture.

Ready to see how you can make supply chain risk management easier? Book a demo with our team today.

FAQs

What is the difference between supply chain risk management and vendor risk management?

Vendor risk management is a broad category that covers all the risks and vulnerabilities that could come from working with a specific third party. Supply chain risk management specifically focuses on risks to the integrity and continuity of your products and services. SCRM also goes deeper, requiring companies to know who their vendors partner with (fourth parties) and analyze how those relationships could affect business operations. Successful SCRM efforts cover the entire supply chain—the full network of organizations that contribute to business operations. 

Who is responsible for supply chain risk management in an organization?

A good supply chain risk management program should be cross-functional and championed by executive leadership. Support from the top is a must for building a culture that supports risk management efforts, because good SCRM takes time and resources. However, since many departments own vendor relationships, the individuals involved with choosing and maintaining these vendor ties are in the best position to handle risk management concerns. 

What tools help automate supply chain risk management?

Risk management software and governance, risk management, and compliance (GRC) tools can both help teams implement SCRM programs and automate many of the related tasks. An example of risk management software is SAP Ariba Supplier Risk. An example of a GRC platform that helps with SCRM is Drata.


FEBRUARY 13, 2026