Corporate Governance (Supplier Risk Management – SRM)
-
Supplier risk management (SRM) is the process of investigating the enterprise's suppliers (meaning specifically those business entities that provide goods or services to the enterprise as part of fabricating, distributing, promoting, selling, or otherwise dealing in any enterprise goods or services) in order to systematically assess, identify, mitigate and remediate any potential risks (such as data breaches, fraud, operational failure, theft, and the like) that such suppliers, through their business practices or external actions, may cause to the enterprise and the enterprise supply chain. The inducement for an enterprise to implement SRM is to eliminate, or at least minimize, any possible disruptions that might prevent the enterprise supply chain from operating continuously and at full efficiency.
-
The foundational risk management rationale behind all the various risk-related business frameworks, philosophies and protocols that attempt to deal with risk can be summarized in a few basic risk situation analysis rules, for example: assess the potential risk (perform a risk assessment of the critical aspects of the enterprise generally); attempt to remediate (eliminate) the potential risk; if the potential risk cannot be eliminated, attempt to mitigate (reduce) it; if the potential risk cannot be eliminated or at least reduced to a manageable level, then either accept the risk, with the enterprise itself bearing the expense of repairing the damage caused by its occurrence (not recommended), or attempt to transfer the cost of repairing that damage to a third party (for example, by carrying insurance that covers the same type of risk). Insurance has the advantage of reducing the immediate cost of repairing the damage to just the policy deductible, but the long-term disadvantage that the insurance company may escalate the premiums the enterprise must pay to unacceptably high levels, to compensate the insurer for the added risk it bears in insuring the enterprise.
-
SRM is also based on the foundational risk management rationale noted above, but adds an extra step, perhaps at some point near the beginning of the risk situation analysis process: SRM encourages implementing a specialized SRM software platform with numerous sophisticated capabilities, such as the capability to perform a focused risk assessment on every asset within the entire enterprise IT infrastructure (applications; cloud services; embedded components; hardware; information technology (IT) systems; internet of things (IoT) devices; intranet; middleware; software; networks; and the like), from the most sophisticated server down to the smallest application installed on a workstation.
-
No SRM, nor any attempt at implementing any enterprise-wide risk management solution, can succeed without the collective effort of all enterprise personnel. The process of generating enthusiasm for risk management may generally be referred to as establishing a proactive risk-aware enterprise culture; such a culture would have to shift the mindset of all enterprise personnel away from merely reacting to a risk event that has already occurred, towards acute vigilance in actively attempting to detect any potential risk event before it occurs, while simultaneously planning how to remediate, mitigate, accept or transfer the potential risk of such an event away from the enterprise. One possible process improvement that might contribute to a proactive risk-aware enterprise culture is the use of key performance indicators (KPIs) and service-level agreements (SLAs) in supplier contracts, continuously monitored by the specialized SRM software platform for any supplier performance deficiencies falling below the minimum levels mandated in such KPIs and SLAs.
-
The generally required steps for implementing an enterprise SRM supplier lifecycle process are similar to the generally required steps recommended for implementing all the other risk management strategies that may be useful for managing, offboarding, onboarding and vetting potential suppliers, third parties and vendors for the enterprise, basically as follows:
-
draft and implement SRM-related corporate policies, through approval by the enterprise board of directors and senior enterprise management, and appoint a senior enterprise executive to manage all SRM issues;
-
establish a dedicated internal committee of enthusiastic risk-aware enterprise personnel that will oversee all the details of SRM;
-
select a risk assessment framework for the SRM process, such as for example: NIST CSF, SP 800-53 and SP 800-161; or, ISO 27001 and 27036-2;
-
through an onboarding process that includes bidding and vetting (RFI, RFP, RFQ, and the like) approved through corporate policies, source, procure and implement a specialized SRM software platform to continuously monitor the assets in the entire enterprise system that may be vulnerable to any of the risks and impacts identified above, with automated alerts, notifications and reports to the appropriate enterprise personnel in the event that the specialized software platform detects any such risk or impact;
-
compile a detailed inventory of all potential enterprise suppliers (with as much information on each as may be available), first through an audit of the entire enterprise, to determine which suppliers the enterprise already uses and what goods and services each such supplier may already be providing to the enterprise, and then perhaps also by retaining a service that specializes in providing information about suppliers, which might use that inventory of existing enterprise suppliers to identify potential new suppliers in the same geographical areas who might also be available to provide such goods or services to the enterprise, so as to create a list of backup enterprise suppliers in the event that an existing enterprise supplier fails;
-
compile a detailed inventory of every possible risk that each such existing enterprise supplier and potential enterprise supplier might pose to the enterprise, using both the collective risk experience of enterprise information technology (IT) personnel and perhaps also retaining specialized risk subject matter experts (SMEs);
-
assign to each and every such risk both a risk rating for the likelihood that the risk might actually occur (perhaps from 1 for least likely to 10 for most likely) and a risk value for the total aggregate cost of the impact that its actual occurrence might cause to the enterprise, in order to determine the total potential cost of the risk (perhaps using the tried-and-true formula: total potential risk cost to the enterprise = probability of risk occurrence × total aggregate cost of impact due to risk occurrence); such calculations may be performed manually, but manual calculations are subjective, depending on the assessments of those performing them, and will also be very time-consuming, due to the number of potential risks and the difficulty of anticipating every possible cost to be included in the total aggregate impact cost calculation; thus, it may be prudent for the enterprise either to outsource such assessments and calculations to (hopefully) objective SME firms that specialize in them, or to implement specialized software that performs such assessments and calculations based upon a documented history of similar industry-accepted experiences with such issues; also rank suppliers by tiers, such as for example Tier 1: highest risk; Tier 2: moderate risk; Tier 3: low risk, or whatever tiers the enterprise may assign;
-
perform a risk matrix assessment to prioritize each and every such risk by probability and cost, to determine the high-priority enterprise assets to which the enterprise should assign the greatest amount of funds and personnel in the event of an actual risk occurrence;
-
continuously monitor the compliance of all suppliers with the enterprise SRM, KPIs and SLAs;
-
continuously monitor all suppliers for any possible new supplier risks;
-
develop an offboarding protocol (including, at a minimum: performing a final review of the supplier’s contract performance; performing a final risk assessment; removing all the supplier’s access to the enterprise system; reviewing the supplier’s data privacy and IT compliance; revoking all the supplier’s access to enterprise facilities and infrastructure; settling all disputes related to any outstanding supplier invoices and then promptly paying the settlement amounts, if any; and updating the SRM supplier database with all the new information gleaned from the supplier’s performance of the offboarded contract).
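As an added example (not part of the original document), the following Python sketch applies the risk-rating, expected-cost, tiering and risk-matrix steps above to a constructed supplier risk register. The 1-to-10 likelihood scale and the formula "total potential risk cost = probability of occurrence × total aggregate impact cost" come from the text; the mapping of the rating onto a probability, the tier thresholds, the matrix band edges, and the sample suppliers and figures are assumptions for illustration only.

```python
"""Added example: a minimal supplier risk register that computes expected
risk cost, assigns supplier tiers, and places each risk on a 3x3
likelihood/impact matrix. Thresholds, band edges and sample data are
constructed assumptions, not values from the document."""

from dataclasses import dataclass


@dataclass
class SupplierRisk:
    supplier: str
    risk: str
    likelihood: int     # 1 (least likely) .. 10 (most likely), the text's scale
    impact_cost: float  # total aggregate cost if the risk occurs (constructed units)

    def probability(self) -> float:
        # Assumed mapping of the 1..10 rating onto a 0.1..1.0 probability.
        if not 1 <= self.likelihood <= 10:
            raise ValueError("likelihood rating must be between 1 and 10")
        return self.likelihood / 10.0

    def expected_cost(self) -> float:
        # The document's formula: probability x total aggregate impact cost.
        return self.probability() * self.impact_cost


# Assumed tier thresholds on expected cost; Tier 1 is the highest risk.
TIER_THRESHOLDS = ((1, 500_000.0), (2, 100_000.0))


def tier_for(expected_cost: float) -> int:
    """Return the tier (1, 2 or 3) for a given expected cost."""
    for tier, floor in TIER_THRESHOLDS:
        if expected_cost >= floor:
            return tier
    return 3


def matrix_cell(likelihood: int, impact_cost: float) -> tuple:
    """Place a risk in a 3x3 likelihood/impact matrix (band edges assumed)."""
    lik_band = "high" if likelihood >= 7 else "medium" if likelihood >= 4 else "low"
    imp_band = ("high" if impact_cost >= 1_000_000
                else "medium" if impact_cost >= 100_000 else "low")
    return (lik_band, imp_band)


def supplier_tiers(register) -> dict:
    """Tier each supplier by its single worst (highest expected cost) risk."""
    worst = {}
    for r in register:
        worst[r.supplier] = max(worst.get(r.supplier, 0.0), r.expected_cost())
    return {supplier: tier_for(cost) for supplier, cost in worst.items()}


def prioritize(register) -> list:
    """Order risks for the risk matrix review: expected cost descending,
    ties broken by likelihood."""
    return sorted(register, key=lambda r: (r.expected_cost(), r.likelihood),
                  reverse=True)


# Constructed sample register: hypothetical suppliers, risks and figures.
SAMPLE_REGISTER = [
    SupplierRisk("Acme Logistics", "operational failure", 6, 400_000),
    SupplierRisk("Acme Logistics", "theft in transit", 3, 50_000),
    SupplierRisk("Beta Cloud", "data breach", 4, 2_000_000),
    SupplierRisk("Gamma Parts", "fraudulent invoicing", 2, 30_000),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.supplier:15} {r.risk:22} expected={r.expected_cost():>10,.0f} "
              f"cell={matrix_cell(r.likelihood, r.impact_cost)}")
    print(supplier_tiers(SAMPLE_REGISTER))
```

Note that the matrix view and the expected-cost ranking do not always agree: in the sample, the "data breach" risk has only a medium likelihood band but lands in the highest expected-cost position because of its impact, which is why the text recommends prioritizing by both probability and cost rather than either alone.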
-
-
An important component of a specialized SRM platform is compliance with the confusing, and at times contradictory, myriad of specialized industry-specific or general (depending on the industry and location of the enterprise) domestic and international acts, bulletins, certifications, frameworks, industry publications, trade association guidelines, handbooks, laws, publications, questionnaires, regulations, rules, standards, statutes, special publications, treaties, and the like (almost all of which relate in some way to cybersecurity, data privacy, data security and IT issues), such as for example: American Institute of CPAs (AICPA) System and Organization Controls (SOC) 2; California Consumer Privacy Act (CCPA); California Privacy Rights Act (CPRA); California Transparency in Supply Chains Act (CTSCA); Canada Office of the Superintendent of Financial Services (OSFI) Guideline B-10; Canada Personal Information Protection and Electronic Documents Act (PIPEDA); Children's Online Privacy Protection Act (COPPA); Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ); Computer Fraud and Abuse Act (CFAA); Consumer Review Fairness Act (CRFA); Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM); Cybersecurity Maturity Model Certification (CMMC); Data & Marketing Association (DMA) Guidelines; Digital Operational Resilience Act (DORA); Electronic Signatures in Global and National Commerce Act (ESIGN); European Banking Authority (EBA) Outsourcing Guidelines; European Commission (EC) Corporate Sustainability Due Diligence Directive; European Union (EU) General Data Protection Regulation (GDPR) 2016/679, Directive 95-46-EC; EU Corporate Due Diligence Act; Fair and Accurate Credit Transaction Act (FACTA); Fair Credit Reporting Act (FCRA) and Regulation V (Fair Credit Reporting); False Claims Act (FCA); Federal Information Security Management Act (FISMA); Foreign Corrupt Practices Act (FCPA); Federal Financial Institutions Examination Council (FFIEC) IT Exam Handbook; Federal Reserve Regulation P (Privacy of Consumer Financial Information); Federal Risk and Authorization Management Program (FedRAMP); Federal Trade Commission (FTC) Behavioral Advertising Principles; FTC Telemarketing Sales Rule; Federal Trade Commission Act (FTCA) Section 5; French Law Act No. 2002-303, dated March 4, 2002, and accreditation procedure mandated by Decree No. 2006-6, dated January 4, 2006; Foreign Intelligence Surveillance Act (FISA); German Supply Chain Act (GSCA); Gramm-Leach-Bliley Act (GLBA); Health Information Technology for Economic and Clinical Health Act (HITECH); Health Insurance Portability and Accountability Act (HIPAA); International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) (collectively, ISO/IEC) Standards (such as for example: 27000; 27001; 27002; 27018; 27036-2; 27701; 27036-2:2022); Mobile Marketing Association Best Practices; National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), Risk Management Framework (RMF) and Special Publications (SPs) 800-53, 800-66, 800-161; Network Advertising Initiative (NAI) Guidelines; New York State (NY) Stop Hacks and Improve Electronic Data Security (SHIELD) Act; NY Department of Financial Services (NYDFS) Cybersecurity Regulation 23 NYCRR 500; North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP); Payment Card Industry (PCI) Data Security Standard (DSS) (collectively, PCI DSS); Restore Online Shoppers’ Confidence Act (ROSCA); Standardized Information Gathering (SIG) Questionnaire; Telephone Consumer Protection Act (TCPA); United Kingdom (UK) Bribery Act 2010; UK Financial Conduct Authority (FCA) Finalised Guidance (FG) 16/8; UK Modern Slavery Act of 2015; UK Prudential Regulation Authority (PRA) Supervisory Statement (SS) 2/21; United States (US) Office of the Comptroller of the Currency (OCC) Bulletins; US Office of Management and Budget (OMB) Memoranda M-10-22 and M-10-23; US Office of the President Executive Order (EO) 14028; W3C Web Content Accessibility Guidelines (WCAG).
-
Also required are the drafting and negotiating of all SRM-related documents, and legal support for all SRM-related tasks.
Progress_Draft_Last_Updated_221105_1407