Supply Chain Risk Management: A Company’s Weak Link?

Stephen DeAngelis

March 17, 2014

The data breach involving the giant retailer Target has been all over the news for weeks. There was lots of speculation about how the massive breach occurred, but it was eventually confirmed that “the hackers first entered its network through a vendor, though [Target] hasn’t said which one.” [“Target Warned of Vulnerabilities Before Data Breach,” by Danny Yadron, Paul Ziobro, and Devlin Barrett, Wall Street Journal, 14 February 2014] The Journal reporters indicate that the offending vendor was a Pennsylvania refrigeration contractor named Fazio Mechanical Services. Fazio confirmed that it was breached. The reporters continue:

“Fazio said it had a data connection with Target for electronic billing, contract submission and project management, and that Target was its only customer for which it handled those matters on a remote basis. After entering through that connection, the hackers then moved laterally through Target’s system, eventually accessing the system that handled payments at the company’s cash registers.”

Many companies are finding that business risks are increasingly coming from cyber-attacks against vendors rather than direct attacks on the company itself. But cyber-attacks aren’t the only risks that make the supply chain a source of vulnerability. Allianz, a global insurer, reports, “Insurers are starting to pay much more attention to supply chain when underwriting industrial risks.” [“Supply Chain Heads List of Increasingly Connected Corporate Risks,” SupplyChainBrain, 14 February 2014] The article continues:

“Business interruption and supply chain risks remain atop a list of the major hazards drawing companies’ attention this year, according to the recently released Allianz Risk Barometer, a survey of some 400 of the firm’s corporate insurance experts from more than 30 countries. … Natural disasters like floods and earthquakes are next on the peril list, followed by fire or explosion and regulatory changes, all of which hold the same rankings they did in 2013, according to the January report. Allianz, however, sees a rise in ‘interconnected risks’ and calls on companies to bolster internal processes and take a holistic approach to fight potentially systemic effects from an ‘evolving risk landscape.’ Market stagnation or decline rose to fifth and loss of reputation or brand value climbed to sixth on the risk list, outpacing notable but declining concerns over intensified competition. Two new risks appear on the list — technology failures and cybercrimes and espionage at Number 8, and theft, fraud and corruption at Number 9 — while worries over product defects declined to 10th highest concern. This will be a critical year for companies in dealing with emerging risks, ‘with businesses around the world increasingly challenged by a combination of new technological, economic and regulatory related risks. These perils are also often interlinked, potentially creating a systemic threat for risk managers,’ the report says.”

Steve Durbin notes, “Supply chains are the backbone of today’s global economy. Their complexity and vital role have businesses increasingly concerned about managing major disruptions.” [“Risk management: is your supply chain a weak link?” Financial Times, 20 February 2014] James R. Hagerty adds, “Here’s the latest advice for supply-chain managers: Sweat the small stuff.” [“Factories Look for Supply-Chain Risks in All the Wrong Places,” Wall Street Journal, 18 December 2013] What Hagerty means is that it is not always your biggest supplier or most important vendor that creates the biggest problems. He reports that when MIT Professor David Simchi-Levi, an academic well known to supply chain professionals, analyzed Ford Motor Company’s supply chain, he found “that some of the lowest-cost items, from minor suppliers, can cause the biggest and costliest disruptions.” Surely Target didn’t think that a refrigeration contractor would be the source of major consumer and legal troubles. Hagerty continues:

“Once companies find the tiny suppliers that pose outsize risks, Dr. Simchi-Levi says, they may need to line up alternative suppliers, keep more inventory or redesign products to reduce the risk of disruption. In some cases, he says, the manufacturer may need to give a supplier more business so it can afford to build a second plant in another region, providing a backup plan in case of disaster.”

Or, as in the case of Target, they need to find a way to make connected activities more secure. Yadron, Ziobro, and Barrett report that Target “has since moved to isolate its different platforms and networks to make it harder for a hacker to move between them, a Target executive said.” When searching for potential supply chain risks, the net needs to be thrown wide. A report sponsored by the Zurich Insurance Group (Zurich) and conducted by the Business Continuity Institute (BCI) concluded that disruptions caused by outsourcers are on the rise. The report “highlights the lack of visibility businesses have of their supply chain and the potential disruption that could occur as a result.” [“Outsourcers as top three cause of supply chain disruption,” Zurich News Release, 6 November 2013] In the news release, Lyndon Bird, Technical Director at the BCI, commented: “This lack of visibility demonstrates just why it is important for businesses to start managing their supply chain more effectively. The supply chain can be complex and is only as strong as its weakest link so with more than four tenths of disruptions occurring below the tier one supplier, businesses must ensure that all those down the chain have systems in place to deal with disruptions. Business continuity plans should be used as an incentive for winning/awarding contracts.”
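The isolation step Target describes can be checked rather than assumed. What follows is an added example, not code from the original article or from Target: it models a zone-level firewall allow-list as a graph and asks whether a vendor’s entry point can chain permitted flows to reach the payment systems, which is exactly the lateral path the Journal reporters describe. The zone names, ports and rules are constructed for illustration and are not Target’s topology; the functions reachable_zones, lateral_path and check_isolation are this example’s own.

```python
"""
Zone-level reachability check for a default-deny firewall policy.

Each rule is (source_zone, destination_zone, tcp_port). Anything not
listed is denied. The check treats every allowed flow out of a zone as
a hop an attacker with a foothold there could use, so it ignores ports
and judges the policy on which zones can reach which.
"""
from collections import deque

# Constructed "flat" policy (assumption, not Target's real rules): the
# vendor extranet reaches a billing host on the corporate network, and
# the corporate network can administer the POS management zone.
FLAT_POLICY = [
    ("vendor_extranet", "corporate", 443),   # vendor billing portal
    ("corporate", "pos_mgmt", 445),          # file shares
    ("corporate", "pos_mgmt", 3389),         # remote desktop
    ("pos_mgmt", "pos_registers", 443),      # register software updates
]

# Constructed segmented policy: the vendor lands in a dedicated DMZ that
# can only reach the billing application; no rule lets the DMZ or the
# billing application reach any POS zone.
SEGMENTED_POLICY = [
    ("vendor_extranet", "vendor_dmz", 443),
    ("vendor_dmz", "billing_app", 443),
    ("corporate", "pos_mgmt", 3389),
    ("pos_mgmt", "pos_registers", 443),
]


def reachable_zones(policy, start):
    """Breadth-first search over allowed flows.

    Returns {zone: [start, ..., zone]} for every zone reachable from
    `start`, with the shortest hop list for each.
    """
    graph = {}
    for src, dst, _port in policy:
        graph.setdefault(src, set()).add(dst)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in sorted(graph.get(zone, ())):
            if nxt not in paths:
                paths[nxt] = paths[zone] + [nxt]
                queue.append(nxt)
    return paths


def lateral_path(policy, start, target):
    """Hop list from start to target, or None if the policy forbids it."""
    return reachable_zones(policy, start).get(target)


def check_isolation(policy, untrusted_zones, sensitive_zones):
    """Return (untrusted, sensitive, path) for every forbidden traversal.

    An empty list means no untrusted entry point can chain allowed flows
    to any sensitive zone.
    """
    violations = []
    for entry in untrusted_zones:
        paths = reachable_zones(policy, entry)
        for target in sensitive_zones:
            if target in paths:
                violations.append((entry, target, paths[target]))
    return violations


if __name__ == "__main__":
    crown_jewels = ["pos_mgmt", "pos_registers"]
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        findings = check_isolation(policy, ["vendor_extranet"], crown_jewels)
        print(f"{name}: {len(findings)} violation(s)")
        for entry, target, path in findings:
            print("  ", entry, "->", target, "via", " -> ".join(path))
```

The port is deliberately ignored in the traversal: once an attacker holds a foothold in a zone, the intended service behind an allowed flow is irrelevant, so the policy has to be judged on zone-to-zone reachability. Normalize an exported rule set to (source zone, destination zone, port) triples, run the check with every third-party entry point as untrusted and every cardholder or administrative zone as sensitive, and treat any returned path as a finding to close with a rule change or a new zone boundary.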

Durbin notes that some aspects of risk will always be outside of a company’s control. This is especially true when it comes to risks associated with the global supply chain. He writes, “It is one of the most collaborative environments in your organisation, thus it inherently poses greater risks to the confidentiality, integrity and availability of corporate information. Mapping the flow of information and keeping an eye on key access points in order to continuously manage information security risks is an essential part of building a more resilient business.” Concerning the kind of breach that affected Target, Durbin concludes:

“Do you know if your suppliers are protecting your company’s sensitive information as diligently as you would protect it yourself? This is one duty you can’t simply outsource – it’s your liability. By considering the nature of your supply chains, determining what information is shared, and assessing the probability and impact of potential breaches, you can balance information risk management efforts across your enterprise. Organisations of all sizes need to think about the consequences of a supplier providing accidental, but harmful, access to their corporate information. Information shared in the supply chain can include intellectual property, customer or employee data, commercial plans or negotiations, and logistics. Caution should not be confined to manufacturing or distribution partners. It should also embrace your professional services suppliers (e.g., lawyers and accountants) all of whom share access, often to your most valuable data assets. To address information risk in the supply chain, organisations should adopt robust, scalable and repeatable processes – obtaining assurance proportionate to the risk faced. Supply chain information risk management should be embedded within existing procurement and vendor management processes, so supply chain information risk management becomes part of regular business operations.”

An old adage states, “When the rain starts falling, it’s too late to build an ark.” Target learned that lesson the hard way. “Even the smallest supplier, or the slightest supply chain hiccup,” writes Durbin, “can have dangerous impacts on your business. Brand management and brand reputation are subject to the successful security of your supply chain and thus both are constantly at stake.”