The gradual digitization of the enterprise and migration to the cloud have resulted in untold amounts of digital data being stored and shared across business partners. It’s for this reason that cybersecurity risks have climbed to the top of procurement professionals’ minds as they develop their supplier management strategies.
But third-party risk is complex and multifaceted, demanding a juggling act of coordination, collaboration and research.
“You have to know who your suppliers are and what risk they’re posing,” said Todd Boehler, vice president of product strategy at ProcessUnity. “That process of gathering data and having your expert personnel evaluate it to determine that risk is definitely the biggest challenge.”
Speaking with PYMNTS, Boehler explored how the pandemic has added an even greater level of complexity to the risk mitigation process, and why diversifying the supply chain can mean diversifying risk — if done properly.
Risk Focus In Flux
Pre-pandemic, cybersecurity risks among third-party partners like suppliers had been a top priority. With the high volumes of digital data being shared with vendors, organizations must understand and verify how those partners store and manage that information. With a growing number of regulations focused on data protection, the regulatory risk surrounding cybersecurity threats grows, too.
But when the coronavirus crisis began, the third-party risk management landscape changed dramatically.
“When the pandemic came around, there was a big shift immediately to focus on the financial resiliency of the supply chain,” explained Boehler. “Are they going to make it through this? Do we know how they’re doing financially? And when do they expect to have any impacts on their ability to deliver products and services, so we can plan appropriately as their customer?”
This didn’t mean that a focus on cyber risk went away, however. Indeed, said Boehler, as professionals began working from home, personnel were accessing sensitive data from a variety of remote locations, leading to — once again — a prioritization of cyber risk.
Organizations were “scrambling,” he said, to understand how to mitigate risk in a remote work environment while also ensuring that supply chains remained viable. It became a juggling act of cooperation between chief procurement officers managing suppliers, and chief information security officers protecting data integrity.
Diversifying The Vendor Base
Risk diversification is a key strategy in any setting, but became even more important for supply chains amid the pandemic.
Boehler offered up the example of five critical suppliers for one organization that all use the same data center. If that data center gets hit by a hurricane, “you’re going to get hit five times as hard,” he noted.
Similarly, if one critical supplier suddenly became insolvent, organizations had to act fast to find a replacement. Being proactive about resiliency planning means establishing backup suppliers and building in redundancy within the supply chain.
At the same time, however, this risk mitigation strategy can also add complexity, as organizations must onboard new and unfamiliar suppliers.
There’s another conundrum in risk mitigation today, too: According to Boehler, while the accelerated digitization of the enterprise, catalyzed by the pandemic, can make it easier than ever for businesses to aggregate and share data, it also creates greater risk because more sensitive information is floating around.
“On one aspect, you’ve now digitized all of your assets and they’re harder to keep track of,” he said. “That may be one piece where digitization is actually adding risk.”
Two key strategies can help alleviate this pain point.
One is to use third-party databases, with ProcessUnity able to integrate into a variety of data providers (most recently, the company struck a collaboration with Dun & Bradstreet). Though it’s an added fee for businesses, the use of these third-party platforms can not only add efficiency to the data collection process, but can also keep organizations abreast of any changes in their suppliers that may impact risk exposure. While this data alone can never provide the full picture (Boehler noted that organizations must do a deep dive into their vendors to gain a truly holistic view of the risk), it ensures that businesses are able to continually monitor their partners throughout the lifecycle of a contract.
The second is to think proactively. As organizations further their modernization journeys, Boehler advised that businesses need both to continually monitor their suppliers’ risk exposure and to predetermine that exposure at the time a contract is created. This is particularly important as organizations onboard new vendors.
“You have to put in the right level of inherent risk assessment to understand the nature of the risk you’re bringing into your business and put the right level of monitors on it,” he said. “You don’t only need to monitor them on an ongoing basis during the duration of the contract, but also how you’re going to build your contract correctly before you open the doors to them.”