Supplier assurance is a vital component of your organisation’s wider cyber security posture: it ensures that the risks posed by third-party suppliers are understood and mitigated. Most organisations today rely on at least a few suppliers for their operations, and many rely on hundreds, so supplier assurance is essential to ensuring that those suppliers do not disrupt or damage your operations.
In this blog, I’ll look at how you should approach supplier assurance as well as some of the benefits and challenges associated with it. I’ll also share how we have helped one of our clients enhance their supplier assurance process.
How Can Supplier Assurance Benefit a Business?
A robust supplier assurance process benefits your business by:
Ensuring Quality and Consistency
Proactively assuring your third-party suppliers lets you detect low-quality business partners before they have a chance to embed themselves in your ecosystem.
Reducing Costs and Increasing Efficiency
By moving security “left” into supplier selection, you reduce technical debt and the likelihood of future security incidents. That means less time, fewer resources and less money spent on preventable problems.
Mitigating Risks and Protecting Reputation
Supplier assurance ensures that any risks are identified and mitigated before they can cause financial, operational or reputational damage to your organisation.
Promoting Collaboration and Innovation
Applying structured, well-tooled approaches to managing complex supplier relationships has a positive knock-on effect for your wider business and for how you work with your suppliers.
What Are the Challenges of Implementing Supplier Assurance?
Common challenges that you may face when implementing a supplier assurance process are:
Identifying and Evaluating Suppliers
Suppliers may be reluctant to share information with you, especially if they have something to hide, and much of what they do share is self-reported.
Maintaining Supplier Compliance
Staying on top of suppliers’ policies, procedures, technology and so on is an ongoing process, not a one-off checkbox.
Managing Data and Information
Modern supply chains can include hundreds of suppliers, which leaves you with vast amounts of data and information to monitor, regulate, and protect.
Balancing Supplier Relationships and Business Goals
Achieving the level of transparency that effective assurance requires may conflict with the business priority of protecting proprietary information, yours and the supplier’s.
What are the Key Components of Successful Supplier Assurance?
The key components of supplier assurance are:
- Establishing a prioritisation process for assessing suppliers based upon their inherent risk levels.
- Building a supplier reporting template that incorporates an automated assessment platform.
- Building in a risk escalation process that properly structures post-assessment actions.
- Creating security “touchpoints” within the procurement process to ensure security by design.
Supplier Assurance Case Study
To demonstrate these components in action, let’s refer to an ongoing supplier assurance project we are working on to support one of our clients. Our team were tasked with spearheading the supplier assurance function for the entire organisation. Needless to say, this was a daunting task.
There were hundreds of new procurements every year, coupled with a massive backlog of 600+ suppliers that had already been procured but never properly assured during the chaotic period of Covid. This was crippling the organisation’s ability to keep up with its workload.
Where should we even begin? How do we make sure that we can not only tackle the suppliers already on the books but also fundamentally improve the process from first principles? Here’s the approach we took.
Establish a Prioritisation Process
To begin with, our client wasn’t certain which suppliers to tackle first and which to defer or decline outright. To make this more manageable, we assessed every incoming supplier assurance request against four key criteria:
Data Sensitivity and Access
How much and how sensitive is the data that the supplier can access?
Criticality to Operations
How much does the supplier directly affect wider day to day operations?
Dependency
How quickly can we swap out a supplier with another if required?
Integration Level
How tangled up are the supplier’s services with already-existing services?
We established a form template that every business owner had to complete with the relevant details about the supplier they were responsible for. This simplified the process and avoided complex email chains and lots of chasing.
The information provided in these forms was fed automatically, in real time, into a comprehensive supplier tracker which rated every supplier against the four criteria and assigned each one a risk tier based on the resulting score.
All of a sudden, the client had a way to quickly analyse, process and prioritise suppliers within one coherent, logical workflow. This was vital in preventing the “paralysis by analysis” that had often struck before the new system was in place.
Build a Supplier Report Template
Now that we had improved the early stages of supplier assurance, we could move on to the reporting process itself. Instead of relatively free-form analysis, we built a report template with specific asks and focuses so that every report could be analysed and referenced at a glance. We also used an online platform to which we could invite prospective suppliers, so that they could answer the assurance questions and store their answers in one accessible yet secure location.
These assurance questions were modelled on ISO 27001 and were segmented according to the inherent risk tier identified earlier: higher-risk suppliers faced more stringent evidence requirements (evidence of the control operating, not just a self-attested answer) as well as more frequent re-assessments. This ensured we were using our limited time and resources effectively while keeping risks in check.
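To make the prioritisation and the tier-driven assessment depth concrete, here is an added Python example (not the client’s tracker or any code from this post) that scores a constructed backlog of suppliers against the four criteria above, assigns each a tier, derives the re-assessment cadence and evidence depth for that tier, and orders the backlog so that due, overdue and highest-scoring suppliers come first. The 1 to 4 scoring scale, the tier thresholds, the cadences, the evidence levels and the sample suppliers are all assumptions for illustration. One design choice worth copying: a blank answer from a business owner is scored as the worst case and flagged, so an incomplete form cannot quietly land a supplier in a low tier.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# The four criteria from the post. The 1 (low) to 4 (high) scale is an assumption.
CRITERIA = ("data_sensitivity", "operational_criticality", "dependency", "integration_level")
MAX_SCORE = 4

# Assumed tier bands (total score out of 16), re-assessment cadence in months and
# the depth of evidence demanded at each tier. Ordered from highest to lowest.
TIERS = (
    (13, "critical", 6, "certificate, audit report and sampled control evidence"),
    (10, "high", 12, "certificate and sampled control evidence"),
    (7, "medium", 24, "questionnaire with supporting evidence"),
    (0, "low", 36, "self-attested questionnaire"),
)


@dataclass
class Supplier:
    name: str
    answers: dict                          # criterion -> score 1..4; absent or None if left blank
    last_assessed: Optional[date] = None   # None: on the books but never assured


@dataclass
class Triage:
    name: str
    total: int
    tier: str
    evidence: str
    reassess_by: date
    unanswered: list


def score(answers: dict) -> tuple[int, list]:
    """Sum the four criteria. A blank or out-of-range answer is scored as the
    worst case (MAX_SCORE) and reported, so gaps in the form raise risk
    rather than hide it."""
    total, unanswered = 0, []
    for criterion in CRITERIA:
        value = answers.get(criterion)
        if not isinstance(value, int) or not 1 <= value <= MAX_SCORE:
            unanswered.append(criterion)
            value = MAX_SCORE
        total += value
    return total, unanswered


def tier_for(total: int) -> tuple[str, int, str]:
    """Map a total score to (tier, re-assessment months, evidence required)."""
    for threshold, name, months, evidence in TIERS:
        if total >= threshold:
            return name, months, evidence
    raise ValueError(f"score {total} is below every tier threshold")


def triage(supplier: Supplier, today: date) -> Triage:
    total, unanswered = score(supplier.answers)
    tier, months, evidence = tier_for(total)
    if supplier.last_assessed is None:
        reassess_by = today                      # never assured: due now
    else:
        # Approximate month arithmetic is good enough for a due date.
        reassess_by = supplier.last_assessed + timedelta(days=30 * months)
    return Triage(supplier.name, total, tier, evidence, reassess_by, unanswered)


def build_queue(suppliers: list, today: date) -> list:
    """Order the backlog: anything due or overdue first, then by score descending."""
    rows = [triage(s, today) for s in suppliers]
    rows.sort(key=lambda t: (t.reassess_by > today, -t.total, t.name))
    return rows


# Constructed sample backlog (not real suppliers) and a fixed "today" so the
# output is reproducible.
TODAY = date(2025, 6, 1)
SAMPLE_BACKLOG = [
    Supplier("Payroll SaaS",
             {"data_sensitivity": 4, "operational_criticality": 4,
              "dependency": 3, "integration_level": 3}),
    Supplier("Office Plants Ltd",
             {"data_sensitivity": 1, "operational_criticality": 1,
              "dependency": 1, "integration_level": 1},
             last_assessed=date(2023, 1, 10)),
    Supplier("Ticketing vendor",             # owner left "dependency" blank
             {"data_sensitivity": 3, "operational_criticality": 2,
              "integration_level": 2},
             last_assessed=date(2024, 1, 15)),
]


def demo_queue() -> list:
    return build_queue(SAMPLE_BACKLOG, TODAY)


if __name__ == "__main__":
    for t in demo_queue():
        flag = f" (unanswered: {', '.join(t.unanswered)})" if t.unanswered else ""
        print(f"{t.name:18} score={t.total:2} tier={t.tier:8} "
              f"due={t.reassess_by} evidence={t.evidence}{flag}")
```

Run as-is, the never-assured payroll supplier lands at the top of the queue as critical and due today, the ticketing vendor with a blank answer is pulled up into the high tier and flagged for the owner to complete, and the low-risk supplier drops to the bottom with a due date years out. Swapping the thresholds and cadences for your own is the only change needed to reuse it.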
Establish a Formal Risk Escalation Process
While the initial assurance workflow itself was now in a great place, the actual means of communicating our findings and following up on any problems identified still had several legacy issues.
A risk register was a must, and we put one in place as a priority. A clear one-stop shop for all identified risks, each rated on a 5x5 impact-likelihood grid per supplier, gave us the visibility we needed both internally and for other teams across the organisation’s risk function.
This provided a single source of truth that could be referred to when making procurement decisions, reducing the need for yet more complex email chains. Armed with the risk register, we then made a conscious effort to “link in” with other teams, especially the Cyber Security Architects and the Business Risk teams. We copied them into all post-assessment correspondence with the business owners of assessed suppliers. We also made it clear who within each team was responsible for signing off decisions and handling escalations in the case of high-risk reports.
All of these moves together ensured we were all on the same page and had a clear paper trail justifying supplier assurance decisions.
Creating Security Touchpoints Within the Procurement Process
Now that our processes were in place, we had the opportunity to take a wider look at how the assurance team fitted into the overall procurement process. While we obviously had an important role, it wasn’t clear whether security considerations played a significant part in selecting suppliers in the first place.
We were determined to get this right, as shifting security “left” is a clear way to build security by design into procurement itself. We set up regular meetings with the commercial and privacy teams to create “touchpoints” where we could discuss the security appropriateness of any supplier products or services proposed by business owners. This had a “halo effect”: it improved the supplier selection process and rejected obvious “bad eggs” early, before they reached the more time-consuming assessment stage.
Through these combined changes, we helped our client fix inefficient resource allocation, scattered risk management, slow manual reporting, inconsistent and delayed escalations, security gaps in procurement and non-compliance with security standards. As a result, our client’s supplier assurance function is now a slick, purposeful instrument of the wider organisation’s strategic goals, and we’re proud of the part we’ve played in getting there.
For support in improving your supplier assurance process, please get in touch with our team.