Enhancing resilience and efficiency through effective supplier risk management

Dan Spreckley, Senior Manager, Consulting
04/02/2025

As business risks and challenges gather around company supply chains, a holistic approach can improve effectiveness, build resilience, and increase efficiency.

Organisations today are increasingly reliant on a complex web of suppliers and outsource providers to help them run their business, and many have third parties numbering in the high hundreds or thousands. A growing number of incidents in company supply chains, borne out by recent high-profile outages causing widespread disruption, have caught the attention of senior management, and regulators are also increasingly focusing on this area.

For some organisations, supplier risk management remains an area that hasn’t always kept pace with other developments. At the same time, organisations’ work on operational resilience, management of supplier-related technology and cyber risks, and their focus on managing sustainability-related risks and objectives through their supply chain, mean procurement teams require an increasingly broad focus. This could be seen as a necessary change driven by downside risk. But with the right approach, organisations can enhance resilience, improve efficiency, access capacity and capability - and support the business to accelerate growth, meet its objectives and deliver on its strategy.

Below, we outline key areas that organisations should consider for effective supplier risk management, and what best practices look like.

What good looks like

Supplier risk management

With so many third parties to consider, it’s not practical to apply the same level of oversight and assessment rigour to all suppliers, irrespective of their impact on cost, risk and resilience and their strategic importance. Resource constraints, information overload and variable supplier responsiveness compound these challenges.

Firms with effective supplier risk management frameworks adopt a proportionate and risk-based approach. They maintain a clear view of all their suppliers, key opportunities, risk and resilience drivers, and each supplier’s relative criticality to the organisation. These definitions of criticality support an assessment of the downside risks and upside potential of any given relationship, and map to clear requirements for due diligence, wider pre-onboarding activity, and ongoing monitoring.

When this works well, there is a joined-up approach across procurement, technology, risk, and operations teams, and clear ownership and responsibilities to support embedding. Good management information (MI) helps maintain focus on the performance of the most material suppliers, risks, and actions, and in turn monitors the delivery of meaningful business outcomes. However, without a robust framework, firms may lack the necessary oversight and control, leading to increased risks and inefficiencies. 

For increasing numbers of organisations, leveraging Governance, Risk, and Compliance (GRC) or supplier management systems helps reduce some of the administrative and operational burden of supplier management.

Operational resilience

Over the last three years, organisations have been using the regulatory transition period to build resilience in line with regulatory objectives on operational resilience. This has required firms to set impact tolerances for their most important business services (IBS) – those that if disrupted could cause intolerable harm to customers, financial stability of the organisation, or threaten the integrity of the market. Organisations have been required to take steps to ensure they are able to continue to deliver their IBS within impact tolerances, including in the event of severe but plausible operational disruption.

Firms doing this well have built on strong foundations in resource mapping and testing, with a clear line of sight through mapping, vulnerability assessment, scenario development, testing of technical recovery capabilities and operational preparedness, and remediation as required. However, without a robust framework, firms may struggle to maintain resilience, leading to increased risks and potential disruptions.

Organisations are increasingly focusing on understanding the third parties that enable delivery of their IBSs, and on how, through testing, business continuity and exit strategies, they can continue to operate within impact tolerances in the event of disruption. The most effective approaches are joined-up across business functions and related areas of testing, and engage suppliers throughout the process. This enhances dialogue and understanding, enabling organisations to build trust and confidence in their partners, and alignment in culture as well as process.

Cyber security

Cyber supplier risk management is crucial in today’s interconnected digital world. This has been evidenced by numerous high-profile supply chain cyber-attacks and related incidents that have crippled organisations, causing significant financial and reputational damage. These events highlight the critical need for a robust and resilient supply chain capable of responding effectively to incidents. No organisation is immune to a cyber-attack, but it can be more resilient and better prepared to respond.

It’s essential that suppliers adhere to minimum standards to protect data and maintain business continuity, and that organisations can assess whether suppliers are maintaining those minimum standards. This is not a simple task, and organisations that do this well are able to identify the cyber risk profile of each supplier in their ecosystem. These organisations are classifying suppliers beyond the usual tiers one to three, with some extending this to tiers four and five and to sub-contractors. Once the risk is quantified, appropriate and comprehensive work can be delivered to maintain baseline standards for a range of suppliers with different risk profiles. An important and often overlooked aspect of supplier management is the internal ‘supplier’, or intra-group relationship, which should be treated in the same way as an external one.

Nevertheless, a challenge for many procurement teams is interpreting what can at times be highly complex technical policies, controls and processes deployed by suppliers. Expert analysis is critical in delivering a robust and comprehensive assessment. The use of well-defined and tested cyber frameworks, such as the UK National Cyber Security Centre’s Cyber Assessment Framework or the US National Institute of Standards and Technology’s Cybersecurity Framework, can help establish key domains to assess and set minimum standards. These frameworks focus on technical controls and security, but also emphasise key governance arrangements, employee awareness and, importantly, how prepared the business is to respond to and recover from attacks. This comprehensive approach ensures that organisations are better equipped to handle cyber threats and maintain operational continuity.

Moving from a mere box-ticking exercise to expert analysis of key technical controls is essential, especially for high-risk suppliers. A superficial compliance check may overlook critical vulnerabilities, whereas a thorough analysis can identify and mitigate emerging threats. Well-developed organisations deliver this alongside proactive, ongoing external testing of key suppliers to evaluate how effectively these controls and processes are being deployed. They then analyse this information, complemented by active threat intelligence from wider data sources, such as the dark web. This could be the difference between identifying a significant risk and mitigating it, or falling victim to another significant business interruption with potentially catastrophic implications.

Technology: Supply chain risks in the cloud

The cloud supply chain is a complex network of numerous organisations and processes involved in delivering agile technology solutions. It’s not just the major cloud service providers (CSPs) like AWS, Azure, and Google Cloud that supply compute resources and capabilities; it’s an entire ecosystem of technology providers working to optimise technology architecture through code.

Cloud technology leverages software capabilities for agility, which differs from traditional data centre resource provisioning. Cloud services, particularly Software as a Service (SaaS) applications, consist of loosely coupled services often developed by a diverse group of global developers.

  1. Software-based supply chain risk
    Cloud environments often include various forms of third-party software, such as agents running on virtual machines, container images, and infrastructure provisioned through code. The diversity of these software forms makes it challenging to monitor and track all deployed components within the cloud estate.
  2. Identity-based supply chain risk
    The identity risk arises not from granting permissions per se but from granting excessive permissions. Organisations often lack visibility of their group access structures, which leads to excessive access being granted to third parties through group membership.

To mitigate cloud supply chain risks, organisations should implement processes for detecting third-party risks, including asset inventory and visibility into effective permissions. Compliance and assurance mechanisms should ensure that third-party technology vendors adhere to the same internal security standards as the organisation. Cloud security compliance requirements should be embedded within the supplier onboarding process (e.g., procurement), periodic vulnerability scans, secure configuration of SaaS solutions, and regular supplier audits to identify vulnerabilities.
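The identity-based risk and the "visibility into effective permissions" control described above can be illustrated with a small review script. The following is an added example written for this page, not code from Crowe or from any cloud provider; it uses a constructed inventory of principals, groups and policies in a simplified allow/deny action model (loosely modelled on cloud IAM, with explicit deny taking precedence), and all names, groups, policies and the per-supplier "approved" baselines are hypothetical. It computes the permissions each third-party identity actually holds once group membership is resolved, compares them with what the supplier was approved for, and reports which group granted each excess permission, which is the information a procurement or cloud security team needs to fix the group structure rather than the symptom.

```python
"""Effective-permission review for third-party identities (added example, constructed data)."""
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

# --- Constructed inventory: hypothetical names, not real systems or suppliers ---
# A group carries policies and members; a principal inherits every policy of every
# group it belongs to. This is the "group access structure" where excess creeps in.
GROUPS: Dict[str, Dict[str, List[str]]] = {
    "g-ops-readonly": {
        "policies": ["p-read-all"],
        "members": ["acme-monitoring-agent", "vendor-backup-bot"],
    },
    "g-platform-admins": {
        "policies": ["p-admin"],
        "members": ["vendor-backup-bot", "alice"],  # a vendor bot added to an admin group
    },
    "g-vendor-storage": {
        "policies": ["p-storage-write", "p-deny-delete"],
        "members": ["vendor-backup-bot"],
    },
}

# Policies are ordered lists of (effect, action pattern); patterns use shell-style wildcards.
POLICIES: Dict[str, List[Tuple[str, str]]] = {
    "p-read-all": [("allow", "*:Get*"), ("allow", "*:List*"), ("allow", "*:Describe*")],
    "p-admin": [("allow", "*")],
    "p-storage-write": [("allow", "storage:Put*")],
    "p-deny-delete": [("deny", "storage:Delete*")],
}

# Each third-party principal records the supplier and the action patterns that were
# approved during onboarding (the contractual baseline to compare against).
PRINCIPALS: Dict[str, dict] = {
    "alice": {"third_party": False},
    "acme-monitoring-agent": {
        "third_party": True, "supplier": "Acme Monitoring (hypothetical)",
        "approved": ["*:Get*", "*:List*", "*:Describe*"],
    },
    "vendor-backup-bot": {
        "third_party": True, "supplier": "BackupCo (hypothetical)",
        "approved": ["storage:Put*", "storage:Get*"],
    },
}

# The catalogue of concrete actions we evaluate effective access against.
ACTION_CATALOGUE = [
    "storage:GetObject", "storage:ListBuckets", "storage:PutObject", "storage:DeleteObject",
    "compute:DescribeInstances", "compute:RunInstances",
    "iam:CreateRole", "iam:AttachRolePolicy",
]


def groups_of(principal: str) -> List[str]:
    """Every group the principal is a member of."""
    return [g for g, spec in GROUPS.items() if principal in spec["members"]]


def statements_for(principal: str) -> List[Tuple[str, str, str]]:
    """All (group, effect, pattern) statements the principal inherits via its groups."""
    out = []
    for g in groups_of(principal):
        for policy in GROUPS[g]["policies"]:
            for effect, pattern in POLICIES[policy]:
                out.append((g, effect, pattern))
    return out


def is_allowed(principal: str, action: str) -> bool:
    """Explicit deny anywhere wins; otherwise any matching allow grants the action."""
    stmts = statements_for(principal)
    if any(eff == "deny" and fnmatchcase(action, pat) for _, eff, pat in stmts):
        return False
    return any(eff == "allow" and fnmatchcase(action, pat) for _, eff, pat in stmts)


def granting_groups(principal: str, action: str) -> List[str]:
    """Which groups contribute an allow statement matching this action."""
    return sorted({g for g, eff, pat in statements_for(principal)
                   if eff == "allow" and fnmatchcase(action, pat)})


def review_third_parties() -> Dict[str, dict]:
    """Effective permissions per third-party principal, with excess traced to groups."""
    findings: Dict[str, dict] = {}
    for name, meta in PRINCIPALS.items():
        if not meta["third_party"]:
            continue
        effective = sorted(a for a in ACTION_CATALOGUE if is_allowed(name, a))
        excess = [a for a in effective
                  if not any(fnmatchcase(a, p) for p in meta["approved"])]
        findings[name] = {
            "supplier": meta["supplier"],
            "effective": effective,
            "excess": {a: granting_groups(name, a) for a in excess},
        }
    return findings


if __name__ == "__main__":
    for name, f in review_third_parties().items():
        print(f"{name} ({f['supplier']}): {len(f['effective'])} effective actions, "
              f"{len(f['excess'])} beyond approved baseline")
        for action, via in f["excess"].items():
            print(f"  excess {action} granted via {', '.join(via)}")
```

In the constructed data the monitoring agent ends up with exactly its approved read-only access, while the backup bot, added to an admin group at some point, holds IAM and compute rights it was never approved for even though a deny statement still blocks deletes. Reporting the granting group for each excess action is what turns the finding into a remediation: remove the membership, rather than adding more deny statements. Against a real estate the inventory would come from the provider's IAM export and the approved baseline from the supplier onboarding record.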

By addressing these risks proactively, organisations can better secure their cloud environments and maintain the integrity of their supply chains.

Change and transformation

SS2/21 (the PRA’s supervisory statement on outsourcing and third-party risk management) is more than a compliance or tick-box exercise; it requires changes both to how organisations manage outsourcing and to their broader operating models. Organisations need to make changes in five key areas of their operating model to embed resilience.

  1. Governance
    Many organisations will find their existing structures are not equipped to handle the level of oversight SS2/21 demands. This is not just about creating new policies; it is about embedding supplier risk management and operational resilience into the organisation’s DNA. Boards and senior leadership must actively engage in the governance of outsourcing, ensuring accountability is clear and decisions are made with full awareness of the risks involved. This may require redesigning committee structures or assigning specific responsibility for resilience oversight to senior managers, creating a culture where resilience is prioritised at every level.
  2. Pre-outsourcing analysis and ongoing monitoring
    Outsourcing must become a fully integrated element of the operating model, with formalised decision-making processes, consistent due diligence, and risk assessments. For many organisations, this will involve redesigning procurement processes, creating standardised frameworks, and investing in tools to automate resilience testing and monitoring. These changes will support compliance and increase transparency and control over outsourced arrangements.
  3. Operational resilience
    Organisations need to embed the capability to withstand disruption into every aspect of the operating model, including holistic thinking, mapping critical services, testing disruption scenarios, and ensuring effective exit planning.
  4. Supplier relationships
    SS2/21 pushes firms towards a more collaborative model, where vendors are seen as strategic partners rather than simple service providers. This means investing time and resources in building stronger partnerships, aligning on resilience goals, and ensuring mutual accountability. Such a shift may require cultural change within organisations, particularly in how procurement and vendor management teams operate.
  5. Capability gaps
    SS2/21 demands new skills in operational resilience, cloud adoption, and supplier risk management. Organisations will need to invest in targeted training, equipping their teams with the knowledge to manage these new challenges effectively. This in turn will future-proof the workforce and build internal expertise that will drive long-term resilience.

Sustainability

Today, suppliers not only support the delivery of organisations’ services, but are key to achieving their sustainability-related goals. While many organisations we speak with have made good progress implementing responsible procurement processes, it’s not always clear whether they’re asking the right questions, or how the information is being used. Part of the challenge is that sustainability is often looked at in isolation, outside of the procurement process.

Organisations with more effective approaches avoid standalone responsible procurement processes. They define how sustainability is being considered at each stage of the procurement process, including risk assessment and due diligence, ongoing monitoring and performance, and set minimum expectations at each stage. This makes it clear how sustainability informs supplier selection and decision making.

The principle of proportionality, as set out above, also applies here. The level of questioning should be proportionate to the risk, and it should be understood how sustainability is considered alongside other risk factors when making decisions. Equally, information on suppliers’ greenhouse gas (GHG) emissions is increasingly required for emissions reporting, but it should be clear how all information collected is being used.

When it comes to engagement, efforts should be targeted at those partners that are identified as having the most significant impact on the overall sustainability profile of the organisation; the principal reason for engaging suppliers on sustainability is to ensure there is an alignment of interests, particularly over sustainability objectives and climate transition plans.

To build resilience in today’s complex supply chains, organisations need a holistic approach to supplier risk management. By focusing on robust frameworks for supplier oversight, operational resilience, cyber security, technology, change and transformation, and sustainability, organisations can reduce risks, improve efficiency, and support growth. Effective collaboration between teams is key to ensuring a resilient and adaptable supply chain that can withstand disruptions and help drive long-term success.

How can Crowe help?

Crowe can assist by implementing a holistic approach to improve effectiveness, build resilience, and increase efficiency in your supply chain. For more information, please contact Justin Elks, Tim Robinson, Mustafa Iqbal or your usual Crowe contact.

Contact us

Justin Elks
Partner, Head of Consulting
London
Tim Robinson
Partner, Forensic Services
London
Mustafa Iqbal
Partner, Technology Consulting
London
