Posted on: March 1, 2022
The Bank of England, as part of its operational resilience policy statement, has continually outlined the need for institutions to ensure that they can continue to deliver their important business services during severe (or extreme) but plausible scenarios. In the past 12 months alone, organizations and their supply chains have had to scramble to adjust their operations as they contended with a swelling global pandemic, a complete blockage of the Suez Canal, catastrophic shortages in semiconductor manufacturing, unprecedented shifts in consumer behavior, continued port congestion, and now Europe’s largest conventional military assault since World War II. As the current state of our global economy makes apparent, we need to ensure our institutions’ resilience through severe (or extreme) but plausible realities.
So, what is the current reality related to the conflict in Ukraine? Here are some major supply chain issues that organizations will face and that risk leaders should be monitoring intensely:
- Key Service Provider Outages: Organizations with key IT suppliers in Ukraine, Russia, or Belarus need to prepare for those suppliers to be completely out of commission because of sanctions, cybersecurity infiltrations, employee safety protocols, or even direct physical damage to key facilities.
- Key Material Shortages: Firms need to expect shortages and supply disruptions, which are further compounded by an already crippled infrastructure that is still trying to recover from COVID-19. As an example, Ukraine produces nearly 75% of the world’s xenon and neon gas, which are critical components in the manufacturing of semiconductor chips – meaning an already brutal manufacturing shortage will become somewhat cataclysmic for at least the next few years.
- Material Cost Increases: As a result of material shortages and dependent supply chain sectors, the cost of disruption will impact every single link of the end-to-end chain. The most obvious example is Europe’s dependence on Russia for nearly 70% of its natural gas supply. Higher fuel prices and energy costs for production facilities, along with other massive infrastructure dependencies, will place major stress on business models and the sustainability of operations.
- Logistics Route and Capacity Constraints: Supply chain transportation and freight are already being impacted across the globe. Apart from humanitarian flights, the EU has closed much of its airspace to Russian planes in response to Russia’s invasion. In addition, global transporters UPS and FedEx have discontinued all shipments to both Russia and Ukraine and will consider further restrictions if the conflict expands to other countries directly. These decisions will have a direct and immediate impact on the cost of logistics and freight-based travel.
- Cybersecurity Vulnerabilities: The extent to which cybersecurity vulnerabilities and cyberattacks impact the global technology infrastructure is nearly immeasurable. There have already been many cyberattacks targeting Ukrainian service providers, whether financial, government, or military in nature. The downstream ecosystem of technology will continue to be exposed to catastrophic vulnerabilities, and hackers will dig as deep as they can to extract valuable information or data. Risk leaders should be prepared to experience a spike in the number of attempted cyberattacks as unavoidable data security breaches spill over globally and impact your third parties directly.
Now that we understand the major supply chain issues related to the continuing conflict, here are some risk management perspectives and approaches which organizations can begin adopting today to better prepare:
- Determine and solidify how much visibility you really have into your existing third-party relationships. As exemplified in the broad-reaching impact of cyberattacks, it is paramount that you understand every third-party relationship that your organization is engaged in. At an absolute minimum, you need to detail the nature of that relationship, the product or service they are providing you, the extent and nature of data being communicated, and how critical that third party is to your core operations. From there, you have at least the baseline information necessary to narrow your population of third parties down into tiers of criticality, with Tier 1 being the most critical and Tier N being the least critical. Your population of Tier 1 third-party service providers and suppliers should answer the question: “Which of my third parties would have the most detrimental impact on my organization if they were to be completely disrupted or compromised from an information/data perspective?”
- Begin mapping your most critical third parties to your core operations. To understand and prioritize where your operations are the most exposed to supply chain disruptions, you need to understand the operational assets that your third parties are directly related to. This includes dependent processes, IT assets, sites, data, people, and even other dependent third parties. By mapping your Tier 1 supply chain to the core assets that enable your organization to deliver critical products and services (i.e., your operations), you can then reliably build plans to maintain resilience and rehearse your ability to withstand severe (or extreme) but plausible realities.
- Evaluate your most critical third parties and ensure you have a resilient risk response plan. With an elevated understanding of third-party criticality and the relationship to your core operations, risk programs need to begin evaluating potential risk exposure and determine potential or existing vulnerabilities. What would happen if your primary cloud-based database or security service provider could no longer support the business units which operate in or near the conflict zone? How would you react if your primary manufacturer could no longer provide you processed materials which are required for you to deliver your technology products to commercial customers who are already waiting for bulk orders? If these risk events haven’t already impacted your operations, then consider yourself lucky. In the meantime, organizations must ensure that there are contingencies and risk response plans in place to respond to these types of events, should they occur. This includes identifying secondary or tertiary suppliers, expanding supplier partnerships to geographies which reduce concentration risk, motivating operational changes to consider inventory on hand, or implementing elevated internal controls to protect your data from being exposed by a third party.
- Continuously monitor critical third parties and conduct scenario tests. In a recent global cross-industry study conducted by McKinsey, 77% of organizations surveyed communicated that they plan to prioritize investment in digital technology to support their supply chain visibility. By enabling your supply chain and third-party risk management approach with technology, you can generate insight and intelligence which can be the deciding factor as to whether your organization is able to navigate a global disruption successfully or experience the full impact and downside of systemic risk events. By utilizing digital tools to continuously monitor the health and posture of your critical third parties, you can make proactive decisions about how to better prepare for disruption and maintain an effective operational resilience program. In the same vein, leveraging a digital scenario can allow you to evaluate the resilience of your supply chain continuously and understand where disruptions evolve from inconvenient to catastrophic. What if I could select all Tier 1 critical vendors that have applicability to the current conflict areas and understand how my current state operations would be impacted amidst complete disruption? What if that same scenario lasted a month? Two months? The next year? By using scenario tests and rehearsing actual disruptions, the answers to these questions become business as usual.