Improving the Efficiency of Supplier Assurance

Suppliers are now one of the most likely causes of significant business problems. Whether it's your web provider allowing a credit card-skimming plug-in onto your e-commerce site, or a supplier using child labour to make fashionable clothing and accessories, your supply chain is a massive source of risk. However, outside of a couple of highly risk-averse sectors (such as nuclear or weapons), most organisations simply do not do as much supplier assurance as they would like to.

Current standard practice is broadly as follows:

  • Suppliers are risk-assessed at the point of onboarding, and only a few are re-assessed as circumstances change

  • Supplier impact assessment (evaluating how critical a supplier is to the customer, and therefore what assurance approach it should receive) is done on the basis of spend, not on the potential for causing a data breach or corporate embarrassment

  • Where easy-to-look-up, pre-verified data exists (as it does for financial data from Creditsafe or D&B) it is used, and often forms the only material basis of the evaluation, which is at odds with the areas of risk actually likely to cause an issue

  • Questionnaires are sent out by email, which makes them hard for suppliers to complete and hard for the buyer to assess and review once the responses come back

  • Questionnaire responses tend to be kept in their respective silos (the IT team looks at cyber, the DPO at GDPR, etc.) with no one pulling together a 360-degree view of all risks

Overall it is a very manual, ad hoc process with little automation and never quite enough standardisation.

The reason, of course, is cost. It is expensive to risk-assess the entire supplier base regularly, particularly if everything is done manually. Even where the risk is triaged and resources concentrated on the most critical suppliers, most organisations cannot tell their risk committees, regulators or shareholders a particularly convincing story when it all goes wrong.

Improving both the effectiveness and the efficiency of supplier assurance requires new thinking, some automation and clarity around roles and responsibilities.

The first bit of new thinking around supplier assurance is about professionalising what is often an ad hoc, disjointed process with little exposure at Board level.

  • Define what supplier risk means to your business. What are its dimensions? e.g. credit risk, modern slavery, ABC (anti-bribery and corruption), cyber security, product quality, materials delivery, etc.

  • Supplier risk can kill a business, so the Board needs visibility of the current risk status of each supplier

  • Have Supplier Assurance objectives and KPIs that you report on

  • Have an agreed, fully implemented supplier impact triage process in place, so that you know which suppliers are the worst case (we like five levels, from Very Low to Very High)

  • Agree a fixed, non-negotiable Assurance approach for each level of Impact

Secondly, invest a little in automation and an online portal. Sending out long "fire-and-forget" questionnaires in Word or Excel may be "the way we do things", but it doesn't let you know which suppliers have started, which are ignoring you, and what the scores are in real time. Create a supplier assurance portal, for example using Rizikon Assurance, that:

  • Allows complete standardisation of questions and gives you one place to update questionnaires with new standards and regulations

  • Has automated reporting, scoring and supplier chasing

  • Supports re-assessment on a regular period (the supplier just updates what's changed)

  • Allows suppliers to share questions internally (no one person ever knows everything)

  • Has 'smart' assessments that ask the minimum number of questions, not "War and Peace"

  • Pulls in data from places like Companies House and Credit-scoring platforms like Creditsafe

  • Displays all Risks in a single view for the Board to understand

Improving Supplier Assurance productivity doesn't need to cost the earth. Check out Rizikon Assurance for some new thinking and take control of Third-party Risk.


Three Third-party Cyber Security Audit Mistakes to Avoid

Most organisations have some sort of programme for assuring themselves about the cyber security defences of their Third parties - typically Suppliers, Vendors or Partners.

As a cyber security vendor and provider of third-party risk management tools and services, we have seen a number of these programmes in action. These are some of the mistakes we see repeated, and some suggestions on what to do about them.

Mistake #1 - making up your own cyber security checklist

The International Organization for Standardization (ISO) and the UK's National Cyber Security Centre, to name just two bodies, have spent a lot of time and money devising perfectly decent standards, which are readily tested and assured against by a whole ecosystem of third parties. So why do so many organisations make up their own checklists for cyber security?

Even if there is a special emphasis to be placed on one particular control, it makes sense to adopt a commonly available standard as your starting point. There are many benefits:

  • The checklist will be kept up to date at someone else's expense

  • The checklist has several guides, books and training courses about it

  • There are many specialists to help the third parties if they need it

  • You can get other people to independently assess the third party

  • And the third party will probably pay them to be assessed

  • You can check if they already have a certificate with a single question and save a LOT of effort

  • And, last but by no means least, the third party actually receives something of value if they complete it (the standard or certificate)

Our advice is to base your third-party assurance around commonly used standards and supplement with further questions only if you absolutely have to. In the UK we would suggest Cyber Essentials, IASME Governance and ISO 27001.

Mistake #2 - making everyone complete the same assessment

Even more surprising than mistake #1 is the determination of some cyber security assessors to enforce a draconian, high-level cyber security checklist on every single third party or supplier regardless of context.

We have seen one-person businesses, with zero chance of causing a meaningful breach, sent 150+ question ISO 27001-based checklists without a word of explanation or help. ISO 27001 is aimed at organisations that need to run a full information security management system, not at people whose IT infrastructure consists of a laptop and a mobile phone.

Naturally enough, when the small supplier simply refuses to comply out of frustration, they're typically nodded through with no assessment at all - leaving the buying side in ignorance as well!

Our advice is to undertake a short but systematic third-party impact assessment before deciding which approach to take for each third party. Establish what the potential (inherent) risk is, and then assess accordingly. You can also gauge the potential for data privacy and GDPR issues by carrying out a simple data privacy assessment at the same time. Develop a simple table along these lines:

Impact > Assessment approach

  • Very Low (e.g. paper clip provider) > None

  • Low > Cyber Essentials

  • Medium > Cyber Essentials Plus

  • High > IASME Governance

  • Very High (e.g. vendor of HR system) > ISO 27001

But you can of course develop a table of your own. The main thing is to have one.

Mistake #3 - leaving it to your in-house cyber security team

In-house cyber security teams are busy protecting your organisation. They have a set of responsibilities that never ends: there is always more you can do to protect the organisation. So when you drop the name of a third party on them for an assessment, it will rarely be the most important thing on their plate. For this reason the cyber checks often take a long time to complete. What's more, the cyber security team does not have the time, and may not know how best, to communicate the findings (which are never binary) to either the internal stakeholders or to the third parties themselves.

Our advice is to get help, and also to take a risk-assessed approach. For example:

Impact > Assessment approach

  • Very Low > None

  • Low > Cyber Essentials - self-assessed approach, share the question set with the third party

  • Medium > Cyber Essentials Plus - insist on seeing the certificate number; direct them to an IASME/CE+ certification body if none is forthcoming

  • High > IASME Governance - insist on seeing the certificate number; direct them to an IASME/CE+ certification body if none is forthcoming

  • Very High > ISO 27001 - outsource the assessment to a specialist third-party cyber assessment provider

The overall approach should of course be agreed in advance with your cyber team, but set it up so as to keep their involvement to a minimum except where they absolutely have to be involved.

Crossword can help in many ways with third-party assurance, and especially in the area of cyber security. Our Rizikon Assurance tool is a platform for all types of third-party risk assurance.


Getting started with Modern Slavery Risk Management

Commercial organisations carrying on business in the UK with an annual turnover above £36M must publish a statement explaining how they assure against the risk of modern slavery in their supply chain (Modern Slavery Act 2015, section 54). However, it is no secret that many companies are falling a long way behind with respect to their legal obligations in this regard.

Some feel that it is too big a problem to make any start on. Others assume that they are immune. Many do not invest enough. It all adds up to a fairly unimpressive 2% of UK companies being deemed to fully meet their obligations.

Modern slavery risk assessment is a process, not a project. It should be part of business as usual. So start by doing something, and build on that. Here is a simple set of recommendations for making a start.

MAP YOUR MATERIALS AND SOURCE COUNTRIES

Mapping every supplier in an entire supply chain is daunting, so start with the core materials and components that make up your products and services, and document which countries they come from.

Where you procure assembled components, ready-made goods or outsourced services, document what you understand about their likely provenance.

USE OPEN SOURCES TO MAKE A FIRST PASS

Then you can start to flag potential risks. For example, if you buy a food product that contains palm oil, or machinery that contains manganese, then by looking up these materials in openly available databases you can start to understand whether high-risk source countries are supplying those products.

For example, ILAB (the US Department of Labor's Bureau of International Labor Affairs) maintains the List of Goods Produced by Child Labor or Forced Labor, which identifies high-risk goods by source country. The latest version is published on the ILAB website.

ASK MAIN SUPPLIERS ABOUT WORKING PRACTICES & CODES OF CONDUCT

There are a number of excellent international standards and codes of conduct on modern slavery practices. Adopt one and ask your key suppliers whether or not they comply. Most of them should have a modern slavery checklist of some sort.

Better still, investigate practices that directly relate to the goods you procure and ask if these are specifically checked for and how.

However and wherever you start, it is important to make a start. Modern slavery covers a host of practices that would be abhorrent to your customers, shareholders and staff, and which have no place in a modern business.

Rizikon Assurance is a platform for sending out Modern Slavery assessments, GDPR data processor assessments, Cyber Security assessments and in fact assessments of any type, including those specific to your organisation. You might be interested in having a demo of our Modern Slavery assessment.
