Cybersecurity tops the list of risks that keep C-suite leaders and procurement practitioners up at night. Organizations face repeated and unprecedented threats to their data, operations, and brand reputation, and procurement plays a vital role in defending the company against cyber risk that enters through the supply chain.
“Everybody is asking about cyber risk: how do we monitor it and what does it mean to them?” asked Matthew Montgomery, Solution Management Director, Supplier Lifecycle & Third Party Risk Management at SAP in a recent AOP Live session.
Matt was joined in the conversation by his colleague Gordon Donovan, Global Market Research Director, Procurement and External Workforce at SAP. Both agree that, “the number one risk that CEOs think about is cyber.”
Unfortunately, determining the potential for cyber risk with suppliers is not an exact science.
“We know what an earthquake is. It’s a horrible thing. We know what flooding is. It’s a horrible thing,” said Gordon. “But cybersecurity? What does that even mean? How do I protect myself? I think a lot of people are very fearful of it, so it is in every conversation.”
To better assess the organization's exposure to cyber threats through its suppliers, Matt recommends asking each supplier questions like:
- Does the supplier have access to company systems, and if so, which ones?
- What does the supplier’s physical security consist of?
- What background checks do they do on their employees?
- What controls are in place to manage access to data and systems on their side, and how can procurement gate that access?
Procurement should also look beyond first-tier suppliers for risk, cyber or otherwise. As Gordon said, “Getting visibility into the nth tier of the supply chain is the silver bullet that makes procurement the hero because everything happens in the supply chain.” Procurement professionals need to understand what questions to ask suppliers at each stage in the lifecycle to ensure they are minimizing and mitigating risk.
Whether you’re looking for cost optimization opportunities, logistics risk, geopolitical risk, cyber threats, revenue impact, customer outages, or other threats to the business, proactive risk management requires procurement to monitor every tier of the supply chain and form close relationships with suppliers. Those relationships can be the linchpin when risk turns into a tangible threat to the operation.
“A contract is not going to save you when it all goes horribly wrong,” said Gordon. “It’s the relationship that’s going to save you.”