The Edge of Risk Menu Search
In Practice

How To Avoid a Third-Party Break in Your Supply Chain

Senior Director of Security Threat Services at Citrix

Your business is only as secure as the weakest link in your supply chain. A single lapse by a third-party can lead to an operational disruption, cyberattack, or compliance violation. How can you be certain that your vendors and partners are keeping up with the latest regulatory mandates, industry best practices, cybersecurity measures, and your own corporate standards?

Vendor Risk Management Should Be a Top Priority

In these days of high-profile data breaches and intensifying regulatory requirements, supply chain risk management has become a critical priority for every organization. Such programs typically encompass policies, standards, governance, and risk assessment. Vendor risk management falls under the last of these—and it’s the cornerstone of effective supply chain risk management.

As with every aspect of supply chain risk management, effective vendor risk management depends on both executive buy-in and the leadership of a team with the skills needed for continuous assessment and evaluation. It must also be tied into the organization’s broader enterprise risk management and procurement programs and receive the support needed to ensure that stakeholders at all levels recognize its critical importance.

Here’s how you can ensure that a third-party break in your supply chain won’t bring your business to a screeching halt.

Develop a Vendor Risk Policy with Teeth

Nothing gets the attention of a vendor like a withheld payment. To set the expectation that risk policy compliance is a requirement, not an option, let vendors know that no money will be released until the right boxes have been checked.

These checkboxes should reflect your core minimum standards for each category of procurement in areas such as hardware, labor, software engineering, HR, and so on—and the more specific, the better. This information will help you develop a risk assessment matrix to rate the risk posed by each vendor.

Document and Track

A supply chain risk register is essential to keep track of your vendors and their risk. Your database should provide a single source of information on which vendors have been approved and when, as well as their current risk assessment rating.

This rating should be based on a list of their risks by type and level. Risk should be assessed annually for each vendor; track the date of each assessment to make sure this requirement is met.

Even the most secure organizations can encounter challenges, and the best-run programs can break down—assume nothing, check everything.

Stay Engaged During Procurement

Don’t wait until the final review of a master services agreement (MSA) to get involved. Build a strong collaborative relationship with the procurement team so you can be notified promptly when a business function submits a procurement request, and stay engaged during vendor sourcing. By getting in front of the process, you can avoid being labeled as a roadblock or deal-breaker.

Make sure all security requirements are fully baked into MSAs and statements of work, and be prepared to visit the vendor’s facility and inspect their production floors to show that you’re serious. Don’t forget about subcontractors—vendors should spell out exactly what work they’ll further outsource and how they’ll ensure that their subs adhere to your requirements as well.

Maintain, Scale, and Repeat Your Program

Running an effective vendor risk management program and managing supply chain risk in general is all about scaling and repeating. To uphold your policy and standards, be diligent and strict about annual security assessment and verification, and perform site inspections as needed depending on the severity of risks posed by a given vendor.

Keep your risk/audit committee in the loop, and show them that you understand the nature and scope of the greatest risks to the business. This will help validate the strategic importance of the program to ensure ongoing buy-in and support.

‘Trust But Verify’

From the earliest stages of the procurement process through onboarding, service provision, and offboarding, expectation-setting and verification should be woven through each vendor relationship. Even the most secure organizations can encounter challenges, and the best-run programs can break down—assume nothing, check everything.

At the same time, not every vendor needs to be Fort Knox. To manage the expense of your program, use a industry standard risk assessment methodology to evaluate your own risk and determine the appropriate level of precaution to take across your supply chain.

With a comprehensive and well-documented approach to vendor risk management, you can protect your business against weak third-party links in your supply chain—and keep your logistical activities running smoothly.

Mike Orosz

Senior Director of Security Threat Services at Citrix

Mike Orosz, is the senior director of security threat services at Citrix. Prior to Citrix, Orosz was a vice president within Citi Group’s Global Investigations Unit. Before Citi, he served for more than eighteen years as an intelligence officer with the Defense Intelligence Agency and the U.S. Army. He routinely participated in the U.S. Joint Chiefs of Staff daily briefings and regularly contributed to the U.S. Presidential Daily Intelligence Brief.

For optimal delivery, please select your region:
Please enter a valid email address.
Success! Thank you for signing up.