Driving resilience programs in times of heighten volatility
Penny Cagan, Former Managing Director, Americas Head of Operational Risk, UBS
Below is an insight into what can be expected from Penny’s session at Vendor & Third Party Risk USA.
The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.
-
Interconnected nature of third parties’ impact on supply chain
First, let me comment that most operational risks are interconnected, and more so than ever before. For example, third party, geopolitical, climate change, business continuity, pandemic, cyber and supply chain risks are all interconnected.
The reliance on third parties has become significantly more concentrated than when I first entered the operational risk discipline. In addition to concentration risk, there is a dependency risk on third parties. If they are an important supplier of goods and services, every operational risk manager worries about their control environment, and especially the controls associated with what they are managing on their behalf.
In addition, interconnected risks associated with activities that carry reputational risk for a third party can blow back on their customer.
-
Formulation of principles around supply chain at the global and jurisdictional
A basic principle to consider is diversification and sustainability.
Climate-change can lead to extreme weather events, which impact the supply chain. At a global and jurisdictional level, if we want to continue moving goods and services through transportation networks that rely heavily on shipping and freight, we need to continue getting serious about reducing carbon emissions.
At a business unit level, it is important to diversify suppliers and consider the impact of concentrated reliance on just a few or even one critical source.
At a global level, and at the risk of sounding naïve, world peace is critical for so many reasons, but it is imperative for managing a stable supply chain.
-
Understanding the impact geopolitical risk has on supply chains
Geopolitical and supply chain risks, along with climate (see below), have converged over the last few years. This includes risks related to China-US relations and the movement of goods through countries that are affected by geopolitical issues, including neighboring trade partners, as exemplified by the impact to the movement of grain from Ukraine to Africa and the restriction of sending certain technologies to China.
The Middle East conflict has intensified concerns for the supply chain, as evidenced by the Houthi attacks on shipping vessels and their disruption to traffic through the Suez Canal.
Social unrest and instability can also be a critical factor in supply chain risk, as operations can be disrupted, and risks created to employee safety. It should also be noted that if suppliers have bad business practices, such as the use of child labor or poor working conditions, reputational issues can carry through to their customers, as has been experienced when certain clothing brands were found to have engaged in poor labor practices.
-
Effectively managing cybersecurity risk across the supply chain
One of the greatest risks today in the supply chain is concentration risk. If a firm turns its entire cloud strategy over to one firm (and there are only a few to select from), it needs to ensure that the vendor has strong cyber controls in place. This would include critical controls related to access administration, data privacy, comprehensive inventories of hardware and software assets, patching, vulnerability management, and strong recovery capabilities. Another strong practice is to include cyber control language in service contracts.
-
Mitigating strategies to ensure operational resilience in your supply chain
First and foremost, it comes down to good risk management hygiene, such as knowing your supplier, knowing their risks, assessing their control environment, understanding internal (your own) and external (systemic) concentration risks, ensuring contracts are sufficient to provide insight into the supplier’s risk and control environment, monitoring performance and tracking metrics, and understanding your organization’s level of risk for each critical vendor.
Increasingly, firms have mitigated internal concentration risks that impact their supply chain by splitting off a portion of a critical contract to a competing vendor, so that there is a vendor in the wings who understands the organization and processes.
It is critical to have a strong collaborative relationship with your supplier. It often does not end well if an organization is at war with its critical vendors or squeezes them on profits so they cut corners in delivery. This was one of the lessons learned from Boeing’s relationship with Spirit Aerosystems, which was the vendor that supplied its fuselages. It has been reported that they were at odds with each other for years, and Boeing squeezed Aerospace hard on cost.
It should also be mentioned that going for a low-cost solution with an unproven vendor, or a vendor without specific relevant experience, often does not end well.
-
Importance of nearshoring to avoid supply chain risks
Reconsidering near-shoring is an interesting proposition. The first I started hearing about it re-emerging as a supply chain solution was during the dark days of COVID, when certain parts of the world were hit quite hard with illness, such as India, and there were challenges posed related to working from home conditions. At the time large corporations started considering pulling some services back onshore.
Today we have a host of challenges, including the possibility of another pandemic, in addition to geopolitical, and climate risks. I have been researching risks associated with movement of goods and services through shipping channels, which is an estimated 80% worldwide. Think about what that means at a time when we have geopolitical challenges at the Suez Canal resulting from Houthi attacks. The Panama Canal has also recently reduced traffic due to drought conditions. Besides this being a good example of how geopolitical, climate and supply chain issues converge, we are faced with extreme challenges when, together, the Panama and Suez canals are responsible for about 20% of total shipping activity. And while geopolitical and climate change are impacting two separate geographies, it does not take a leap of faith to consider a scenario where they converge on a single transport point. And it is not just shipping that is vulnerable to geopolitical and climate challenges. If you consider where our low-cost locations have traditionally resided, they are vulnerable to climate issues, such as typhoons and extreme storms, and geopolitical unrest.
When you consider the plethora of challenges in the world, and particularly in some lower cost locations that the industry has relied on, onshoring becomes an interesting option for managing risk. But having said that, all locations, no matter where they are in the world, are vulnerable to climate, geopolitical and pandemic risks – it is just a matter of how severe the inherent risk can be.