Supply Chain Risk Management: Best Practices

Supply chain risk management (SCRM) involves identifying and addressing every type of risk that surrounds an organization’s sources of supply — including suppliers, third-party dependencies, physical locations, and more. Handled properly, supply chain risk management integrates with a company’s overall risk management strategy and provides another layer of oversight, ideally reducing the likelihood and/or severity of risk exposures.

Today, effective SCRM has a major impact on an organization’s risk and security posture as the supply chain becomes increasingly digitized and supply chain attacks become more common. At least 89% of companies have experienced some kind of supplier risk event in the last five years. On the flip side, building supply chain resilience can give organizations a competitive advantage in the market, enabling them to prevent the realization of supplier risks and respond to events quickly and decisively. In this article, we will outline today’s top risks to the supply chain and review how to strengthen your company’s supply chain risk management response plans. 

What Is Supply Chain Risk Management?

Supply chain risk management is the process by which an enterprise takes strategic steps to identify, assess, and mitigate all risks in its business’s end-to-end supply chain. Since a supply chain consists of all the raw materials and processes by which a product is made and distributed, a disruption anywhere in the supply chain can affect the bottom line. A supply chain risk management plan implements processes after evaluating both everyday and edge-case risks along the supply chain, with the ultimate goal of reducing company vulnerabilities and ensuring the continuity of business.

Due to the proliferation of cyber attacks on businesses’ supply chains, with attacks most likely under way as you read this, the importance of supply chain security has driven greater emphasis on cyber supply chain risk management. NIST, the U.S. National Institute of Standards and Technology, released updated guidance in May 2022 focusing on building cyber supply chain resilience (NIST Special Publication 800-161 Revision 1). This, plus organizations’ growing reliance on suppliers and third-party providers for information and communications technology (ICT), including critical infrastructure, means that a successful attack on a company’s cyber supply chain can be devastating for both revenue and reputation. Thus, cyber supply chain risk management forms a key piece of the overall SCRM picture and should be incorporated into an organization’s supplier risk management strategy. Incorporating cyber supply chain risk into an SCRM program involves taking into account the suppliers and providers in the cyber supply chain, whether that’s a Cloud Service Provider or a SaaS vendor, and addressing the risks associated with those third parties.

Why Is Supply Chain Risk Management Important? 

Proper supply chain management is good for business. After all, what is risk management in the supply chain about, if not finding efficiencies, cutting costs, and mitigating vulnerabilities? Done well, supply chain management implements the most streamlined and least expensive supply chain process for your business within your risk tolerance levels. A thorough risk assessment is mission critical, as the just-in-time nature of today’s business flows means that if any link in the supply chain breaks, the costs can be high in terms of both time and money.

Remember, the risk management discipline is all about anticipating “What could go wrong?” and applying the right level of risk mitigation to those potential scenarios. Prevention is the best medicine, and SCRM incorporates that philosophy, aiming to stop supply chain disruptions before they can happen. In the event that supply chains do get disrupted, organizations equipped with strong SCRM programs will ideally already have mitigation strategies in place to expedite decision-making.

Add to that the globalization of supply chains, which introduces national security considerations (the Department of Homeland Security plays a major role in the US supply chain) as well as regulatory and sustainability considerations, and SCRM goes from a nice-to-have to a must-have.

Supply Chain Risks and Challenges in 2023 

The extreme interconnectedness of today’s global marketplace means supply chain troubles can quickly snowball from one industry into the next. Supply chain risks include weather, resource shortages, and technology dependencies — like the chip shortage that has impacted industries ranging from video games to car sales. Shipping container chaos and cybersecurity threats are also on the list of supply chain risk factors to consider. The development of new and emerging technologies, like generative artificial intelligence (AI), poses another challenge and source of risk for organizations looking to leverage new information systems and technology in their supply chain.

1. Extreme Weather 

The physical logistics of the supply chain mean storms, icy roads, mudslides, and other extreme weather events can cause significant problems. Unexpected snow in Texas caused food supply chain gaps that impacted warehousing, storage, and food delivery to retailers. Another dramatic example is the unforgettable image of the Ever Given container ship stuck sideways in the Suez Canal in March 2021. High winds were blamed for knocking the ship askew and causing the jam. Despite tugboats and diggers working tirelessly to free the ship, it wasn’t pulled free until the seventh day — after a full moon caused a high tide. Once it was out, nearly 400 ships carrying a billion dollars’ worth of international commerce could finally continue their journey.

The effect of extreme weather on supply chains is amplified for companies that have global supply chains, with localized weather events potentially disrupting deliveries of raw materials and goods.

2. Technology Dependencies

A microchip shortage started at the beginning of 2020, as consumers created a surge in demand for home electronics — likely due to the requirements of remote schooling and the need for work-from-home capabilities. The ripple effect caused GM, Ford, Honda, Chrysler, and others to blame 2021’s slowed vehicle production on the chip shortage. Similarly, Sony said the lack of chip availability was the reason it was still hard to buy a PlayStation 5 more than a year after the console’s November 2020 launch. It is only now, in 2023, that car makers and electronics companies are recovering from the chip shortage and ramping up production once more.

Microchip shortages are just one example of how supply chains can be disrupted by technology dependencies. Other examples include dependencies on Cloud Service Providers or SaaS providers. An outage on the supplier’s side can take out an entire business by shutting down its websites, e-commerce sites, and even potentially its intranet. Outages and technological disruptions often lead to outcry on social media, affecting the reputational standing of a company.

3. Shipping Container Upheavals

With supply chains disrupted and trade routes altered, the flow of shipping containers was drastically changed. Shipping companies found it more profitable to send empty containers straight back across the ocean for refilling, rather than waiting for them to be refilled in the United States before the return trip overseas. This disruption to the usual back-and-forth impacted trade and caused massive delivery issues and price increases. A recent study reported that due to changes in the typical container cycle — plus the added issues of congested ports and delayed unloading — a typical container now spends 20% longer in transit than before the pandemic. In addition, shipping prices on major East-West trade routes jumped by 80% year-over-year — and that still held true in January 2022.

Geopolitical issues have contributed to major disruptions in the global supply chain, from the microchip shortage mentioned earlier to exports of grain from Ukraine.

4. Cybersecurity Threats

Data leaks, operational disruptions, and malware attacks are the most common cyber risks associated with the supply chain. Attacks can come from anywhere, and it’s mission-critical that every organization stay current on its information security protocols.

With many organizations now leveraging powerful cloud services or SaaS solutions, cybersecurity attacks via third parties and suppliers are an attractive option for hackers and threat actors. Sometimes these third parties are in the private sector and not subject to the same regulatory and security requirements as the purchaser, or they may simply be smaller companies that do not have the personnel for a fully fledged information security program. These matters should be accounted for during due diligence and prior to procurement.

What Are Best Practices for Managing Supply Chain Risk?

The best way to prepare for the many risks and challenges to the supply chain is to have a solid supply chain risk management framework. Using multiple suppliers, finding closer sources, knowing your risk tolerance, and modeling dire scenarios are all tactics and methodologies for building a solid risk management plan.

1. Source Multiple Suppliers

The fallout of the pandemic exposed significant gaps in global retail and manufacturing supply chains. When output delays first started, some retailers shifted to multi-source modeling, which creates a system of backup suppliers if a single supplier loses access to a product. Keeping a supply chain risk management plan top of mind, an important consideration when sourcing suppliers is to look for one that produces out of multiple locations — that way, they aren’t subject to a single point of failure in the case of an environmental event. Both small businesses and large enterprises benefit from sourcing from multiple suppliers, and I’ve seen key activities like new employee onboarding or even system implementations stalled by a single supplier failing to provide the right equipment or the right amount of equipment.

Maintaining a good relationship with suppliers and establishing a baseline of supply chain metrics can help organizations forecast future needs and ensure that they have the right suppliers in place to meet demand.

2. Establish Nearshore Sources

How does an organization manage risks that are out of its control, like force majeure events or natural disasters? Unfortunately, none of us has superhuman control over the weather — which is a major factor in supply chain logistics. Instead, businesses can benefit from finding suppliers and distributors close to their center of operations. This reduces the possibility of weather-related delay, since products and components travel shorter distances. Many businesses are making this shift; in 2021 it was reported that Stanley Black & Decker was accelerating plans for two new factories in Mexico and one in Texas. After ports closed and freight costs grew seven-fold, having closer points of supply became important to the toolmaker’s business. Regional suppliers may be more expensive, but reduced travel time and lowered exposure to risk offset those costs.

No one says you have to only source from onshore or domestic providers. Keeping a good mix of providers and performing appropriate due diligence each year protects an organization from one-supplier dependencies. 

3. Maintain Inventory Buffers

The just-in-time (JIT) supply chain creates cost savings by reducing warehousing costs. However, some industry analysts hypothesize businesses have cut too deep into this space and now need to build back stock. The added expense of adopting a “just in case” approach may be worthwhile, as companies are better positioned to maintain product flow and business continuity during unexpected weather events or other rare occurrences thanks to the backup stockpiles. 

Again, establishing a baseline of supply chain metrics from prior years can help here, providing stakeholders with historical data that can be used to make predictions and estimates about future inventory needs.

4. Improve Vendor Visibility

Understanding all parts of your supply chain can help identify potential problems before they happen. It’s important to make sure you have good visibility into all of your third-party vendors, including their financial standing, and their potential outside dependencies. Review major credit rating agency reports on potential suppliers. Look for technology that provides product and shipment visibility to keep yourself and your customers current on expected delivery times. Lastly, you should always make sure to undertake a thorough supply chain risk assessment before signing any contracts. 

Consider developing a due diligence and procurement lifecycle for your SCRM programs. This involves setting up policies and procedures for how to perform initial due diligence, requirements for procurement, and a set frequency, like annually, for evaluating vendors and third parties based on their criticality to business operations. Periodic audits of suppliers can provide further transparency and insight into a provider’s operations, security, and governance.

5. Model Worst-Case Scenarios

A supply chain risk management framework must take into account what a company’s response will be when the worst happens. Thanks to big data, predictive analytics, and data modeling, companies should have enough information to simulate high-risk events and their impact. Using modeling to forecast nightmare scenarios allows businesses to develop contingency plans, fallbacks, and communication workflows for how to proceed in the event a disaster strikes. 

Performing tabletop exercises (TTX) for likely events or scenarios, in which personnel simulate an incident and the response to it in real time, prepares the organization for future response activities. These are especially effective for scenarios that require extensive coordination and immediate action.

6. Find Software Solutions

Supply chain risk management software enables companies to get ahead in risk management by improving visibility into a company’s entire supply chain ecosystem. With a better understanding of your supply chain, you’ll be able to quickly determine weak areas and also receive data-driven insights on potential improvements. Using streamlined software and technology for different areas of the business also creates improved flexibility in the event of supply chain disruptions. 

Implementing cloud-based software throughout your company’s entire network reduces inefficiencies and, thanks to redundancy and shared data, better positions your business for potential outages, though diversification of providers is also important. Another benefit of supply chain risk management software is that it provides complete visibility into a company’s supply chain, allowing business owners and managers to easily spot unusual activity. The upside is obvious in the case of a catastrophic event, but it’s also helpful in the day-to-day when business leads are looking for opportunities for improved efficiencies, cost savings, and increased profitability.

7. Perform Regular Supply Chain Risk Assessments

Regularly performed risk assessments serve as an important anchor in an SCRM program. By conducting a risk assessment of your SCRM strategy and activities, your organization can facilitate the risk identification, risk analysis, risk mitigation, and risk monitoring steps of the risk cycle; develop or update your risk register; and come up with action plans and mitigation strategies that work for your organization. Risk assessments can be performed by internal audit teams or by external auditors. Either approach is valid and productive, though organizations may want to consider seeking out third-party auditors every two to three years in order to garner opinions and recommendations from an independent party.

Organizations should also establish a cadence for reviewing existing suppliers and providers, at least annually. During this review, the business can adjust a vendor’s criticality rating, decide whether to continue retaining that supplier, and increase or decrease procurement volumes from that vendor.

With these seven steps, your organization can optimize its SCRM program and build a more efficient, effective supply chain.

Ready to Elevate Your Supply Chain Risk Management Program? 

Supply chain risk management is a hefty discipline and effort on its own. Managing due diligence, supplier assessments, vendor criticality ratings, SCRM risk assessments, vendor relationships, and periodic supplier reviews is daunting and difficult. Collaborating with company stakeholders and ensuring that assigned risk mitigation activities are taking place is the icing on the cake. All of this can be taken on with the help of a risk management software solution, centralizing your SCRM program, stakeholder communications, and key information. Don’t go it alone — leverage technology to optimize your supply chain risk management strategy.

Frequently Asked Questions About Supply Chain Risk Management

What is supply chain risk management?

Supply chain risk management is the process by which an enterprise takes strategic steps to identify, assess, and mitigate all risks in its business’s end-to-end supply chain, including the procurement of raw materials and the cyber supply chain.

Why is supply chain risk management important?

Supply chain risk management is important because it gives companies greater insight into their supply chains, enables the prevention of supply chain disruption, and provides mitigation and recovery strategies in the event of a supply chain disruption.

What are best practices for managing supply chain risk?

Using multiple suppliers, finding closer sources, knowing your risk tolerance, and modeling dire scenarios are all tactics and methodologies for building a solid risk management plan.


Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness. Connect with Vice on LinkedIn.