“Plan all you want,” writes Cyrus Hadavi, CEO of Adexa, “but disruptions are the supply chain’s real problem.” Why? Because global supply chains are constantly facing crises. According to the World Economic Forum (WEF), these crises are seldom distinctive events. In the latest WEF Global Risks Report, the authors note, “Present and future risks can interact with each other to form a ‘polycrisis’ — a cluster of related global risks with compounding effects, such that the overall impact exceeds the sum of each part.” The Mint staff adds, “Supply chain risk is a modern day reality and can emanate from a variety of sources, ranging from natural disasters to government policies and a host of other unforeseen events.” It’s no surprise that companies best able to deal with continuing disruptions are best positioned to come out on top. In other words, good risk management can provide a significant competitive advantage for businesses. In the first part of this article, I want to discuss some of the risks facing supply chains. In Part Two of the article, I will discuss some recommendations for making your enterprise more resilient.
What are the Risks?
There are myriad risk variables at play for any organization; however, those risks are unique for every business. How big is the organization? Where is it located? Who are its suppliers? How extensive is its supply chain? How vulnerable is the organization to cyber-attacks, climate change, etc.? Any attempt to list all possible risks faced by an enterprise would be a fool’s errand. Some risks are localized, such as natural disasters; however, we know that other risks are global, such as cybersecurity risks, climate change risks, supplier risks, and fraud. It is those risks on which I will focus.
As enterprises and their supply chains become more digital, their cyber-attack surfaces increase. Gary Stevens, an IT specialist, notes that data theft is one of the best-known types of cyber-attacks, but it is not the only type. He insists there are four principal types of supply cybersecurity risks. They are:
1. Digital Transformation Risks. Stevens writes, “As more supply chain networks incorporate digital solutions and undergo dramatic digital transformation, more digital vulnerabilities appear. These digital risks can be caused by flaws in the software, configuration errors that made it through security checkpoints, or human error. Digital risks can quickly evolve to become potent supply chain dangers such as malware and ransomware attacks, breaches in data security, and regulatory compliance violations. These attacks can lead to further consequences, including disrupted supply chain processes, theft of intellectual property, and exposed data.”
2. Third Party Vendors. Although there are numerous benefits associated with digital supply chains, companies often take a leap of faith when connecting to third-party vendors. As Stevens notes, “While you may trust the third-party vendors you work with, their cybersecurity measures must align with yours, or it may present a risk to your company, especially regarding data security.”
3. Data Theft/Data Vulnerability. Stevens notes, “Data is located throughout the various stages of each supply chain, making this a potential goldmine for cybercriminals.” Data theft can result in reputational damage and ransomware attacks can bring an entire operation to a halt. The better defended companies are against such breaches the greater their competitive advantage.
4. Third-Party Fraud. Elderly folks aren’t the only people who fall victim to online fraud. It can happen to businesses as well. Stevens reports, “This type of cyberattack, known as vendor or supplier fraud, occurs when a bad actor impersonates a well-known retailer, someone you will be familiar with. The cybercriminal then requests you to change the usual payment process, introducing a new bank account or other details.” Don’t fool yourself into thinking you couldn’t fall victim to this type of scheme. As Stevens notes, “New advancements in digital technology, including phishing attacks utilizing ChatGPT, deep fake video clips, and digitally created audio recordings, can make for convincing attempts at fraud that are difficult to disprove.”
Supply chain journalist Sean Ashcroft writes, “For those who manage risk in supply chains, climate change is becoming a weightier problem by the minute. … A Harvard Business Review study suggests just 11% of suppliers are fully prepared for weather-related disruption. The study also found half (49%) of the surveyed US companies had experienced an increase in climate volatility, with this figure jumping in China and Taiwan to a massive 93%. The reality is that as climate change worsens, we will face more-frequent and severe extreme weather events, including hurricanes, tsunamis, forest fires, and floods. Inevitably, these will interrupt production, increase sourcing costs, and cut into corporate revenue.”
Freelance writer Stefan Hammond observes, “Geopolitics are never stagnant, and recent disruptions have caused the topography of all supply chains to twist like a rollercoaster.” Most people are quite aware of the on-going tensions between the U.S. and China and Russia’s continuing invasion of Ukraine. McKinsey & Company analysts, Ziad Haider, Andrew Grant, and Anke Raufuss, add, “In between navigating the fallout from Europe and unfolding strategic competition in Asia, multinational corporations must also manage a host of long-tail political risks and conflicts across other geographies, including Africa and South Asia.”
Supplier/Third Party Risks
In today’s connected world, cybersecurity isn’t the only risk associated with third parties. With so much data available, ignorance is no longer an acceptable excuse when abuses are found in a supply chain. As a result, Andrew Black, a Principal at consultancy Efficio, insists, “Businesses will increasingly need to pay attention to four major risks within their third-party supply base.” One of those risks — cybersecurity — was discussed above. The other risks are:
1. Reputational Risks. “For example, sourcing components or products from countries under sanctions can quickly damage your reputation.”
2. Financial Risks. “Suppliers with poor financials also pose a risk to your organization, as their insolvency can impact your ability to conduct business if they cannot be rapidly replaced.”
3. Health, Safety, and Environment Risks. “Poor supplier performance in these areas could threaten the safety and well-being of your employees or endanger your reputation.”
Black concludes, “In today’s outsourced environment, focusing on third-party risk management initiatives to protect the reputation and revenue of the organization is crucial.”
Not all of the risks discussed above result in disruptions; however, as Hadavi noted, disruptions are a growing challenge. He reports, “An Interos study recently found that supply chain disruptions resulted in an average of $182 million in lost revenue in 2022.” When you consider reputational losses and customer dissatisfaction, the cost of disruptions can go well beyond monetary losses. If your company isn’t sure where vulnerabilities exist, I suggest you undertake a vulnerability assessment using something like the Enterprise Resilience Management Methodology®. In Part Two of this article, I will discuss some of the ways experts suggest enterprises can meet the challenges posed by today’s risk environment.
 Cyrus Hadavi, “Plan All You Want, But Disruptions Are The Supply Chain’s Real Problem,” Forbes, 28 April 2023.
 Staff, “Manage supply chain risks well for a competitive advantage,” Mint, 19 June 2023.
 Gary Stevens, “How to Protect Against the Four Largest Cybersecurity Threats to Your Supply Chain,” Tripwire Blog, 19 June 2023.
 Sean Ashcroft, “Climate change an ill wind for supply chain risk management,” Supply Chain Digital, 6 February 2023.
 Stefan Hammond, “When Geopolitics Pull Supply Chains Apart,” CDO Trends, 5 December 2022.
 Andrew Grant, Ziad Haider, and Anke Raufuss, “Black swans, gray rhinos, and silver linings: Anticipating geopolitical risks (and openings),” McKinsey & Company, 24 February 2023.
 Andrew Black, “Why third-party risk management is now a business essential,” Consultancy.uk, 1 November 2022.