The Importance of Managing Supply Chain Risk

29 June 2021

As the Digital Revolution accelerates, companies are waking up to the fact that the new services and suppliers they rely on are intrinsic to, and ubiquitous in, the services they provide to their own customers. The risks in the supply chain therefore need to be evaluated and mapped, so that it is understood where interconnections could impact those services in the event of a failure. That evaluation should feed the mitigations in the organisation's own Supply Chain Risk and Incident Triage plans.

Fastly, a global CDN provider serving 800+ major customers in media, payments and many other firms reliant on cloud services, recently hit the headlines for all the wrong reasons. It was at the centre of an event that severely impacted its own ability, and in turn its customers' ability, to deliver their business services. The disruption had a far-reaching domino effect throughout the supply chain.

Speculation of a cyber-attack circulated. In this case, fortunately, the root cause was a configuration error, which Fastly dealt with efficiently in 59 minutes.

Nonetheless, it was a big wake-up call for the businesses impacted. All organisations, whether or not they were affected by this specific event, should pay attention to it and immediately focus on managing Supply Chain Risk.

KA2's domain practitioners help organisations build and deliver a Supply Chain Resilience framework that meets the tolerance levels required to remain operational during a disruptive event, using the policies, procedures and accurate data management that underpin each business service.

We analyse critical areas of the supply chain and how data is collated, integrated and reported, ensuring decisions and actions can be taken quickly to minimise risk and impact.

The KA2 domain practitioners translate the specific security, risk and service management requirements into the design and build of an integrated operational resilience framework, and use ServiceNow workflows to automate and operate it: a complete end-to-end project lifecycle.

With the right technology and processes in place, organisations gain better oversight and a greater ability to react to future events and, importantly, to take proactive action that minimises their exposure to disruptive events.

KA2's Supply Chain Resilience Review focuses on:

  • Analysing the integrity of supplier data: a list with minimal information covering T&Cs, commercials and legal isn't enough. How can resilience be measured from a Cyber Security or Software Supply Chain perspective?
  • Reviewing the number of third-party services which rely on a single SaaS provider.
  • Leading a Technology Risk Management review of service providers' and suppliers' current assessment criteria, and issuing any addenda to existing vendor questionnaires.
  • Conducting an assessment of in-house resource capability, detailing the strengths and gaps in skills and knowledge, to ensure the organisation has, or is moving towards, the level of expertise required to advise stakeholders of supply chain risks and to take the necessary actions to reduce those risks.
  • Reviewing supplier security standards, such as ISO 27001 accreditation, and identifying good Information Security practice.
  • Identifying the minimum level of security accreditation required across the supply chain to perform the service.

The KA2 Smarter ServiceNow solution will support the business to:

  • Build the matrix of interconnected service providers across your ecosystem and enable the visualisation of service mapping such as supplier dependencies and hierarchies for online presence, websites and payment services.
  • Provide status pages with management dashboards and real-time information to identify emerging risks that support decision making, visualise outages, and automatically alert teams and raise tickets.
  • Build a Software Supply Chain Threat Model.
  • Automate the delivery pipeline, whether for software or physical delivery, and understand the impact if a "link" in the software supply chain breaks.
  • Record and present all the components used in a CI/CD pipeline.
  • Understand all the subscription-based services to allow quick evaluation of Supply Chain dependencies.
  • Integrate into ServiceNow GRC, Contract Management and Vendor Manager Workspace to enable a holistic view of risk, reduce siloed team activities and improve collaboration.
  • Integrate into broader internal business services, such as incident, change and release management, and leverage a single data source to support a resilient supply chain service.
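The supplier-dependency mapping and "what breaks if a link breaks" analysis described in the bullets above (and the concentration check of how many services rely on one SaaS provider) can be illustrated with a small dependency graph. The following is an added example, not KA2's or ServiceNow's code: the graph is constructed for illustration, with the Fastly → Shopify / Stripe edges taken from the article and every other node (storefront, api-gateway, backup-cdn, mobile-app, newsletter, mail-saas) hypothetical. It computes the transitive blast radius of a provider outage, respecting alternate providers where redundancy exists, and ranks single points of failure.

```python
"""Supplier dependency mapping and outage impact analysis.

Added example, not the article's or any vendor's code. The dependency graph is
constructed: only the Fastly -> Shopify / Stripe relationships come from the
article; all other service and supplier names are hypothetical.
"""

# Each service maps to a list of dependency groups. A group is a set of
# interchangeable suppliers: the service stays up as long as at least one
# member of every group is up. A single-member group is a hard dependency.
# Leaf suppliers (empty list) have no modelled dependencies of their own.
DEPENDENCIES = {
    "storefront":  [{"shopify"}, {"stripe"}],      # needs both
    "shopify":     [{"fastly"}],                    # from the article
    "stripe":      [{"fastly"}],                    # from the article
    "api-gateway": [{"fastly", "backup-cdn"}],      # hypothetical: either CDN will do
    "mobile-app":  [{"api-gateway"}],               # hypothetical
    "newsletter":  [{"mail-saas"}],                 # hypothetical
    "fastly":      [],
    "backup-cdn":  [],
    "mail-saas":   [],
}


def impacted_services(failed, deps=DEPENDENCIES):
    """Return the set of services knocked out transitively when `failed`
    suppliers go down (the failed suppliers themselves are excluded)."""
    down = set(failed)
    changed = True
    while changed:                      # iterate to a fixed point
        changed = False
        for service, groups in deps.items():
            if service in down:
                continue
            # A service fails when any one dependency group has lost all members.
            if any(group <= down for group in groups):
                down.add(service)
                changed = True
    return down - set(failed)


def providers(deps=DEPENDENCIES):
    """External suppliers: nodes with no modelled upstream dependencies."""
    return sorted(name for name, groups in deps.items() if not groups)


def blast_radius(deps=DEPENDENCIES):
    """How many services are lost if each provider fails on its own
    (the 'services relying on a single SaaS provider' concentration view)."""
    return {p: len(impacted_services({p}, deps)) for p in providers(deps)}


def single_points_of_failure(threshold=1, deps=DEPENDENCIES):
    """Providers whose lone outage takes out at least `threshold` services,
    ranked by blast radius (largest first, then by name)."""
    ranked = sorted(blast_radius(deps).items(), key=lambda kv: (-kv[1], kv[0]))
    return [p for p, n in ranked if n >= threshold]


def report(deps=DEPENDENCIES):
    """Print the concentration view and a per-provider impact list."""
    for p in single_points_of_failure(deps=deps):
        lost = sorted(impacted_services({p}, deps))
        print(f"{p}: {len(lost)} dependent service(s) lost -> {', '.join(lost)}")


if __name__ == "__main__":
    report()
    # Two-CDN scenario: the redundancy in api-gateway no longer helps.
    print("fastly + backup-cdn:", sorted(impacted_services({"fastly", "backup-cdn"})))
```

In the constructed graph a Fastly outage alone removes Shopify, Stripe and the storefront that needs both, while the API gateway survives on its alternate CDN; only when both CDNs fail does the outage reach the mobile app. Feeding the same model with real supplier records (the "interconnected service providers" matrix above) turns a static vendor list into the kind of impact view a status page or dashboard can show during an incident.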

Looking at Fastly again: it is a service provider to Shopify and Stripe, so access to services from these and the many other organisations affected by the disruptive event, large and small, would have been severely impacted. Apart from the apparent short-term direct costs of the outage, there is also the cost of the longer-term reputational damage caused by the disruption to services throughout the supply chain, which is more difficult to quantify and to fix. So it's essential to learn from the Fastly event and ensure that your organisation has a robust Supply Chain Resilience framework that provides a real-time risk overview.

To discuss how KA2 can help your organisation implement robust Supply Chain Management and improve your risk profile using the ServiceNow platform, contact us to arrange a chat.