How Third-Party Risk Management Can Ensure Supply Chain Resiliency in Times of Crisis

As you watch events unfold around the world as governments seek to diagnose and contain the coronavirus, you probably are also considering how prepared you are in case it becomes a true pandemic. As the virus appears to have originated in China, and with many global organizations sourcing a portion of their supply chains from there, it’s natural to also begin considering how concentration risk plays into your broader risk management and incident response plan. In this blog I will define concentration risk and discuss a proactive incident response awareness process meant to ensure stability and resiliency during periods of interruption.

What is concentration risk in the context of third parties?

Originating in the banking industry and adapted for use across multiple sectors, concentration risk describes the level of risk in an organization’s supply chain due to concentration in a single industry, geography or partner. The risk comes from a lack of diversification in the vendor portfolio.

What is an incident response plan?

An incident response plan consists of a pre-made list of actions to take, tasks to be completed and individuals to contact in sequence when there is a potentially business-impacting incident or event (for example a natural disaster that impacts a data center, or a DDoS attack cripples a website). There are myriad examples of incident response plans available via a simple Google search; I recommend you examine your existing incident response plan and compare it to other industry examples and best practices and conduct third-party related incident response scenario tests.

What is resiliency?

Resiliency is defined as “the capacity to recover quickly from difficulties.” Emphasis on quickly. With regard to your supply chain, resiliency is the ability for your organization to rapidly adjust to circumstances with limited negative, downstream effects (for example, shifting production to back-up or secondary data centers or facilities). Resiliency should be a driver behind your incident response plan.

What a proactive and mature incident response plan looks like

Specific to risks from third-parties, a proactive incident response plan includes five (5) steps:

1. Vulnerability notification – identifying a vulnerability or incident and notifying a pre-programmed list of interested parties
2. Incident response – developing a standard set of tasks and timeliness to assess the impact of an incident and develop a timeline for response and remediation
3. Identify third party impact – investigating the source of the incident among suppliers, partners, vendors or other third parties
4. Periodic executive reporting – standardized reporting showing before-and-after values and progress toward the desired end state with measurable metrics
5. Risk managed to closure – returning to an acceptable state (or new normal)

Incident response plan maturity can be categorized in one of the following three levels:

Level 1 – Manual

In a level 1 mature incident response plan:

• Emails are sent to third parties when incidents are discovered
• The third party responds via email reflecting the risk impact and mitigation timeline
• Information is manually tracked using spreadsheets
• Reports are manually generated for executive visibility

With so much manual work you can quickly see the gaps in such a process; we know that with manual work comes errors, and with errors come risks – risks of missing important elements that can help diagnose and resolve an incident.

Level 2 – Automation with human interaction

In a level 2 mature incident response plan:

• Risk-based classification is embedded in a third-party repository
• Portal-based incident notification and risk response request is delivered to appropriate third parties
• Portal-based risk responses are directly updated by third parties
• Portal-based tracking and reporting is used for updating executives

A level 2 mature incident response plan begins to address the manual work inherent in a level 1 plan through centralization into a specific system bounded by some processes.

Level 3 – Data-driven model

A level 3 mature incident response plan contains the following characteristics:

• At time of incident a monitoring tool proactively generates a risk awareness notification to the enterprise containing both impact and scoring
• Third parties have access to the system so there is universal visibility on awareness and risk mitigation tracking with real-time updates
• All parties are automatically notified via a defined workflow process every time a change in status occurs (even on their mobile devices)
• Reporting for executives is automated

How a third-party risk management solution can help

Prevalent can help organizations measure their third parties’ incident response program effectiveness through assessments geared toward revealing their maturity level, as well as reviewing the internal compensating controls in place – through standard assessments – to prevent incidents from quickly getting out of control. This level of visibility is universally shared between you and your third parties for complete transparency. Augmenting these assessments is a cyber and business monitoring service that combines technology, data analytics, and analyst insights to evaluate business risk such as news events and the public relations response to incidents.

As well, the Prevalent platform features an industry-unique relationship mapping capability that identifies relationships between your organization and third parties to discover dependencies and visualize information paths so you can audit the failover and resilience plans of your organization, thereby limiting the effects of concentration risk.

Taken together, these solutions provide a solid foundation for understanding the scope of your concentration risk, and you and your vendors’ incident response plans so that you can ensure resilience and agility.

Ready to take the next step?

Contact Prevalent today for a free, one-hour maturity assessment where we will determine areas where your current practices could improve to reduce risk.