What if your organisation was faced with a critical supplier incident?
Often organisations spend significant effort in sourcing and assessing whether a supplier is the right fit in terms of service delivery. The risk assessment at this point can include aspects such as information security, financial health, reputation, people management and service delivery.
Once onboarding of a supplier is completed, focus will then be mainly on performance and relationship management. However, all businesses will continue to evolve over time in response to internal and external factors. This may lead to client organisations not having a clear view of the key risks and controls (or lack thereof) within their suppliers. At worst, this may mean that an organisation’s performance and reputation could be impacted by a supplier making critical mistakes or poor, potentially unethical, decisions.
When considering responses to unexpected events that have a significant impact on a business, we can best look to techniques utilised within business continuity to evaluate whether an organisation is effectively prepared if critical issues occur within their supply chain. This article will provide an overview of two key techniques applied to supplier incident management.
The initial stage in evaluating how well your organisation could respond to a major and unexpected supplier-related incident is to undertake a desktop review of your supplier management framework.
From your review, document the items that need improvement and track the completion of the relevant uplift activities. Your business continuity policy, plans and processes are a good source of templates that can be repurposed for a supplier incident response framework (e.g. RACSI, communication protocols, etc.).
The next section provides five key areas to include as part of your desktop review.
Five Key Review Areas
- Is information regarding all your organisation’s suppliers, including the nature and frequency of services, easily accessible and up to date?
- Is there a central view of the criticality of the services provided by each supplier?
- Are roles and responsibilities clear for when supplier incidents are identified?
- Do you have visibility of the interested parties outside of your organisation that may need to be contacted? For regulated sectors, this may include engaging with the relevant regulator such as ASIC, APRA etc. Consider your contractual obligations to your customers as well – there are often disclosure requirements for major incidents.
- Is there a clear and documented plan for when a major supplier incident occurs? Consider items such as the criteria of a major incident, communication process plus how and when to initiate a supplier incident crisis meeting.
Following the Desktop Review and completion of the identified actions, the next step is to undertake Scenario Testing. The scenarios to be used depend on the nature of an organisation’s industry, how critical suppliers are to its operations, and how much of its operations have been outsourced and/or offshored. It is highly likely that most organisations will have a technology partner on which they are heavily reliant for their business continuity to be maintained.
Scenario Testing should involve stakeholders from the relevant business areas within your organisation. The stakeholders should be briefed on the purpose and nature of the exercise, which will require stepping through the theoretical step-by-step response to key incident types and providing their input in their designated role. In the following pages, we have provided suggested hypothetical scenarios that you can use to build from.
Similar to Desktop Review, learnings should be documented and actioned. Running Scenario Testing may also identify that:
- You may need to consider undertaking training and awareness activities within your organisation.
- You may need further information from some (or all) of your supply chain to understand their current work practices (e.g. how quickly they report a major incident to you).
Scenario #1: Major Data Breach
With the current rates of outsourced cloud services, a major data breach at a supplier is one of the most relevant scenarios for organisations to use in a Supplier Scenario Test. Whilst information security is usually strongly vetted as part of the sourcing process, you need to be able to respond effectively should a major data breach scenario become a reality. For some organisations, this may also involve reporting to the Office of the Australian Information Commissioner as a notifiable data breach.
Suggested hypothetical scenario
Where To Start: You learn from media reports that one of your critical SaaS suppliers has been the subject of a massive data breach in which confidential information has been made public. It is unclear whether this includes data from your organisation, but it is highly likely.
Midway Curveball: A customer of your organisation submits a formal complaint as their details have been used for fraudulent transactions and identity theft. Their personal information could have only come from data held by your organisation.
Scenario #2: Modern Slavery
The Commonwealth Modern Slavery Act 2018 has been in effect in Australia since 1 January 2019. Organisations with an annual consolidated revenue of at least $100 million are required to comply with the Reporting Requirement under the Act, which includes the NFP sector. All organisations should be aware of what to look for regarding modern slavery within their supply chains and how to act should they be made aware of a potential incident.
Unfamiliar with what to look for and how to respond in order to prevent and/or respond to modern slavery? Great resources for further reading are available at: https://www.homeaffairs.gov.au/criminal-justice/Pages/modern-slavery.aspx
Suggested hypothetical scenario
Where To Start: Your Provider Manager raises a concern that they suspect there may be a case of modern slavery within a technology service provider. They have received information indicating that some of the employees are being threatened with harm if they consider resigning.
Scenario #3: Misconduct
Whilst we would prefer never to face situations where our trust in suppliers is broken, we need to consider the potential scenario of supplier misconduct. This may include fraudulent, corrupt and/or unethical behaviour. The likelihood may be low with effective sourcing procedures, but should an incident of this nature occur, it could have a significant impact on your organisation.
Suggested hypothetical scenario
Where To Start: Discrepancies have been identified in invoices received from a long-term supplier who provides maintenance services for fleet vehicles. Consolidation of the invoice data into a central database has identified vehicles listed that do not appear in the asset registry. Further review identifies that the estimated total of the concerning charges is close to $250K across a 5-year period.
Midway Curveball: Independently of the actions your organisation is taking in response to this information, media reports about the supplier have been published, outlining the invoicing issue across several clients. Your organisation, along with others, is listed in the media reports as using the services of the supplier.
Supplier governance shouldn’t be limited to risk assessment at the time of selection and then performance management to KPIs. As supply chains have become more complex and layered with the adoption of cloud services, outsourcing and offshoring, there is a higher likelihood that business operations can be impacted by a critical supplier incident.
From the supplier management team to the Board, an organisation needs to be aware of how it will respond in the event that a critical supplier incident is identified. As with business continuity, this should be evaluated on a regular basis, with the frequency and depth informed by the supplier risk profile being managed. By taking an approach of continuous improvement, you can build a holistic supplier management practice that complements your business continuity management and corporate governance.
This regular evaluation could be the difference for your organisation being completely across the response versus failing to respond in line with community and regulator expectations.