A New Model for Monitoring Supply Chain Risk

The pandemic is far from the only reason companies need to reevaluate their approach to supply chain risk.

Sikov Adobe Stock Internet
Sikov - Adobe Stock

2020 will go down in history as a year of business uncertainty, especially as it relates to the global supply chain. Between COVID-19-related closures, increasing regulatory friction with China and continued cyberattacks on the supply chain, the interconnectedness that has fostered free trade and global prosperity has become a double-edged sword for many of the world’s largest companies and organizations. A new model for monitoring supply chain risk is needed.

But, how did we get here?

Ever since the Japanese model of just-in-time production (also known as lean distribution) proliferated across the globe in the 1980s, companies have become laser-focused on optimizing the speed and cost-effectiveness of their supply chains, driving outsourcing and third-party dependence to previously unseen levels. Despite the massive increase in interconnectivity, supply chain risk management has largely adhered to the same conventions. Suppliers are asked to fill out surveys on an annual basis and the results are manually logged in a spreadsheet.

While this method is fine for box-ticking, it fails to give organizations an accurate picture of risk in their supply chains. As a recent Gartner report noted, “traditional approaches fail because they can’t effectively deal with fast-moving and interconnected risks.”

The Coronavirus disease (COVID-19) has hammered this lesson home. When the outbreak emerged in Wuhan, automakers around the world were forced to halt production due to a parts scarcity. Next, when the virus migrated to the United States, as many as 25% of beef processing plants closed, leading to shortages in grocery stores.

Increasing regulatory scrutiny

The pandemic is far from the only reason companies need to reevaluate their approach to supply chain risk. Growing international friction with China has propagated a tidal wave of regulatory changes that will also force businesses to maintain greater supply chain visibility. Two of the largest changes are the implementations of the National Defense Authorization Act (NDAA) Section 889 and the Cybersecurity Maturity Model Certification (CMMC). Section 889 is a provision in the U.S.’s budget for the Department of Defense that will prohibit the use of telecom and security technology from five China-based companies in any business that also performs work for the U.S. government. CMMC is an impending certification that will be required of most contractors, and the suppliers they do business with. Tracking the certification status of their partners will require a massive change in supply chain monitoring for most businesses. Both regulations will introduce new approaches to engaging with partners across global supply chains, increasing organizational exposure to risk as new companies enter the fold.

What should the new model look like?

A new model for supply chain risk management will require:

●    Continuous monitoring. Businesses change ownership, leadership and financial solvency every day, as do the many other factors governing their risk profile. A new model for supply chain risk should place an emphasis on continuous supplier monitoring.

●     Sub-tier supplier awareness. Traditional supply chain risk management starts and stops at the third party, the companies directly contracted with. As countless events this year have proven, that level of awareness is no longer enough. Supply chain risk management must extend to fourth, fifth and sixth parties to provide accurate assessments of risk.

●     Multi-factor risk assessment. A new model for supply chain risk should incorporate a holistic, multifactor approach to risk assessment that looks beyond simple financial stability or legal status. To keep pace with the manifold kinds of risk facing modern businesses, companies will need to start incorporating geopolitical concerns, cybersecurity risk, operational practices and other risk elements to achieve true visibility.

Adopting these principles will require many organizations to radically revise their current culture and thinking, first and foremost. From there, the programs and increased adoption of technology solutions that can keep pace with such a rapid rate of change become easier to implement. Each business’ ability to scale to meet today’s resiliency requirements depends on it.