Supply Chain IT Risk Mitigation Still Work in Progress

Risk within the supply chain has become a growing concern for organizations in recent years.

Although high-impact disasters such as tsunamis and inclement weather often grab the headlines, organizations are also concerned with risks that can impact the systems that support day-to-day operations.

For instance, the risk presented by Information Technology (IT) disruptions is of great significance given the technology necessary to support complex global supply chains.

APQC recently conducted a survey to get a snapshot of the current state of IT risk in the supply chain. The survey focused on four research questions:

• What IT risks are supply chain organizations experiencing?
• What is the level of concern for various IT risk factors?
• How controllable are organizations finding the disruptions they are experiencing?
• What practices are organizations using to ensure supply chain resiliency in light of potential IT disruptions?

There were 118 respondents to the survey, representing organizations of various sizes and from a variety of regions. A majority of the survey respondents were from the United States/Canada (47 percent) or the Asia-Pacific region (25 percent). Respondents represented organizations from more than 40 industries.

The survey results reveal that many organizations have been affected by IT disruptions and that their leaders are concerned about IT risk. However, survey respondents indicated that their organizations occasionally use IT risk management practices and that they find these practices to be only somewhat effective. Organizations that conduct regular evaluations of their supply chain’s resiliency use risk management practices more often and consider these practices to be more effective.

Concern and Controllability
APQC’s survey asked respondents to indicate the degree to which their organizations have been affected by unexpected IT disruptions in the supply chain in the last two years.

As Exhibit 1 shows, a majority of respondents’ organizations have been affected to some degree by nearly all of the disruptions listed on the survey. Changes in technology and unplanned IT outages affected the largest percentage of the survey respondents.

The survey also asked respondents to indicate the degree to which their organizations’ leaders are concerned about certain IT risk factors. Responses were provided a scale from not at all concerned (1) to extremely concerned (5).

As shown in Exhibit 2, organization leaders are, on average, somewhat concerned about all the IT risk factors included in the survey. Cyber attacks and unplanned IT outages were rated highest, while counterfeiting raised the least amount of concern.

In what may be a reflection of the level of concern shown by organization leaders, survey respondents indicated that they felt the risk factors listed on APQC’s survey were all moderately controllable. There were only small differences in the average ratings assigned to the factors, but changes in technology (3.38) and counterfeiting (3.34) received the highest average ratings, indicating that respondents considered these to be the most controllable factors among the list. Unplanned telecommunications outages were rated least controllable (3.23).

Effects of Frequently Assessing Risk
We also asked respondents to indicate how frequently their organizations evaluate their supply chain’s resiliency and exposure to IT risk. The survey data reveals some interesting results for those organizations that conduct such evaluations more frequently.

Respondents from organizations that evaluate resiliency every month to every 12 months indicated that their leadership is more concerned about disruption risk factors than respondents from organizations that evaluate resiliency less frequently. This higher concern may be the motivation for these organizations to conduct more regular evaluations of the resiliency of their supply chains and their exposure to risk.

Respondents from these organizations also believe that IT risk factors are more controllable than do respondents from organizations conducting less frequent evaluations. It may be that the organizations with more frequent evaluations respond this way because they have a better idea of their risk for potential IT disruptions as well as the ways that they can best minimize the effects of any disruptions.

Risk Management Practices
Survey respondents indicated how often their organizations use certain practices to manage the IT risk in their supply chains. The scale ranged from never (1) to always (5).

As shown in Exhibit 3, on average respondents rated all the practices on the survey near the middle of the scale, indicating that none of the practices are used extensively. However, respondents indicated that a standardized process for pre-qualifying suppliers is the most frequently used of the practices. The practice receiving the lowest rating was the adoption of a C-suite board to help govern risk.

The survey asked respondents to rate the effectiveness of each of the risk management practices from ineffective (1) to highly effective (5). On average, respondents rated all of the practices near the middle of the scale, indicating that they regard the practices as somewhat effective. The three most frequently used practices (an enhanced perimeter defense system to detect intrusions, corporate-wide capabilities in cybersecurity and emergency response, and a standardized process for prequalifying suppliers) were also the practices rated most effective.

The results indicate that organizations seem to be relying on practices that tackle IT risk at the more tactical level of the supply chain. Organizations use supplier evaluations as the primary way of managing risk rather than relying on leadership to help govern IT risk. Organizations also rely on more practical tactics such as adopting an enhanced perimeter defense system to identify IT intrusions rather than the loftier goal of creating a formal registry of IT risks that can then be shared within the enterprise.

It is worth noting that although all the practices on APQC’s survey were rated only in the middle of the scale with regard to effectiveness, these practices are not used regularly by the responding organizations. It may be that organizations are not seeing excellent results from the practices they adopt for managing IT risk in the supply chain because these practices are not used consistently. More wide-scale adoption of risk management practices may improve their effectiveness for these organizations.

Effects of Frequently Assessing Risk
APQC’s survey results indicate that organizations evaluating their supply chain resiliency every month to every 12 months use risk management practices more frequently than organizations that evaluate their resiliency less frequently. As with others, these organizations rated a standardized process for pre-qualifying suppliers the most frequently used on average.

However, the average rating assigned to this activity was nearly one point higher (4.35) than that assigned by organizations evaluating their resiliency less frequently (3.36). This indicates that some organizations are adopting comprehensive strategies to address IT risk in the supply chain that include frequently engaging in risk management activities as well as regularly gauging the resiliency of their supply chains to identify potential weaknesses.

Focus on Development and Visibility
Our research indicates that organization leaders are concerned about IT risk in the supply chain and that most organizations surveyed have been recently affected by IT disruptions. Although many of these organizations have adopted practices aimed at managing risk, on average these practices are used infrequently. Accordingly, organizations indicate that these practices are only somewhat effective.

Other results from the survey also support the idea that organizations could go further in ensuring that IT risk in the supply chain is adequately addressed. When asked how often their organizations evaluate supply chain resiliency and exposure to IT disruption risk, 21 percent of respondents were unsure of the frequency. These organizations may conduct such evaluations on an irregular basis, which could put them at an increased risk for disruption. It may also be that these organizations do not adequately communicate their risk mitigation activities to the supply chain and IT groups.

APQC found similar results with regard to whether the respondents’ organizations had added rigor to their assessments of supply chain resiliency within the last 24 months. Thirty-two percent of respondents were unsure whether their organizations had or had not taken this step. The fact that 52 percent of respondents could definitively say that their organizations have taken steps to improve the rigor of their assessments indicates that some organizations are indeed adopting a comprehensive program to reduce IT risk.

However, those who have not taken these steps or who have little visibility of the IT risk strategy within the organization could leave themselves more vulnerable to an IT disruption.

To strengthen their ability to address unanticipated IT events within the supply chain, organizations should work to regularly use risk management activities and make these efforts more visible to the supply chain and IT groups. Depending on the organization and the needs of its supply chain, it may not be necessary to fully adopt all the risk management activities mentioned in APQC’s survey. By selecting the most strategic practices and developing their capabilities in these areas, organizations can improve the effectiveness of these practices and improve their ability to identify and respond to disruptions.

Related: Study Highlights Pressing Need To Evolve Manufacturing Risk Management