Supply chain risk management, sometimes referred to as Third Party Risk Management (TPRM), is an essential part of any business. The vast majority of businesses will have some form of reliance on a supplier to provide a service.
Not all suppliers are created equally, especially when it comes down to the information they hold regarding your business. Suppliers can be responsible for anything, from providing tea and coffee supplies to looking after your network infrastructure. Each represents a different supply chain risk to your business.
Businesses are facing additional challenges during 2020 with COVID-19. Where possible, operations have switched to remote working to enable businesses to continue operating. However, this change in the ways of working introduces new risk – particularly within the supply chain.
Conducting a Risk Assessment
Have you carried out risk assessments against your supply chain since March 2020, especially against those suppliers who have access to your business data or infrastructure? Have you checked what controls they have in place to ensure that your data remains safe and secure with the changes in their ways of working?
Here are the key tasks that need to be carried out:
- Identifying suppliers – it is key to understand how many suppliers interact with your business and whether they are still actively providing services to you
- Understanding the extent of the services they provide
- Identifying whether the supplier provides a critical service to your business and whether you need a backup vendor to provide continuity
You need to decide what standard or set of controls suppliers should be assessed against. For example, should they hold and maintain Cyber Essentials? Should a supplier be accredited to the ISO 27001 standard? Once you have decided the criteria, how will you get this information from your suppliers?
- Will you use a supplier assurance questionnaire?
- How do you determine what questions you need to ask?
You may want to incorporate your supplier assessments into your existing risk management process if you have one – there is no point in reinventing the wheel if you have a proven process in place.
If you don’t have risk management in place already, then you should look to introduce this. Nexor can help you to create a strategy for your business. Contact our team for more information.
Supplier Service Delivery Management
Once a supplier has been onboarded within your supply chain, another key task is supplier service delivery management. This step is often missed out from supply chain management. As a business, it is imperative that you regularly monitor, review and audit supplier service delivery. This also forms part of the controls within ISO 27001.
You should measure how effective your supplier risk management is by aligning it with your own business security objectives. The key is to have a bespoke approach which is unique to your business. You should focus your supplier risk management strategy on driving risk reduction and improvement; otherwise you are in danger of simply adding more “noise” to the alerts you already receive.
Every business has a different requirement when it comes to managing supply chain risk. As part of the CRaaMS offering or the standalone supplier management service, Nexor will work with your business to determine the best way to manage this process. Find out more at our Cyber Resilience webinar, Thursday 24th September 2020 at 10am. Sign up now!
Author Bio – Sarah Knowles
Sarah Knowles is Nexor’s Senior Security Consultant. Her formal credentials include being an NCSC certified Senior Security and Information Risk Adviser, an ISC2 Certified Information Systems Security Professional (CISSP), ISO 27001 Lead Auditor and a Member of the Chartered Institute of IT. She has a technical background primarily in Microsoft technologies and has provided security governance, compliance and risk management to both HMG and private sector clients.