Building a supplier assurance framework helps companies take control of their third-party risks, allowing them to control, manage and measure their exposure


Jake Holloway, chief product officer at Crossword Cybersecurity PLC, believes supplier assurance frameworks are key for the nuclear sector

Supplier assurance frameworks are essential for the nuclear supply chain, which is renowned for its complexity.

The nuclear sector has created hundreds of companies that are centres of expertise in their disciplines. But this has also led to challenges in managing risk throughout supply chains.

In 2019, the UK Nuclear Decommissioning Authority (NDA) released a supply chain strategy and SME (small and medium enterprise) action plan.

The aim of this plan was to “maintain and, where necessary, create and develop a healthy, vibrant, effective and competitive supply chain.”

“Such a supply chain will be successful, deliver value for money, be affordable, and manage risk and opportunities appropriately,” NDA said.

To manage risks and build healthy supply chains, the right supplier assurance processes need to be in place.

This could be seen as a challenge for procurement teams alone, but it reaches much further, with risk assessments needed across many areas. These can be as diverse as materials handling and supply, quality control, the Modern Slavery Act, health and safety, data protection and cyber security.

Each of these areas affects departments in different ways, and may require specialist expertise to assess the risks.

In cyber security, for example, a weakness such as an unpatched VoIP phone or IoT sensor may be exploited at one supplier and reach other parts of the supply chain.

The same could be said of the need to ensure tier two or three suppliers are not using — knowingly or otherwise — inferior materials that could pose a risk to a nuclear facility in the future.

Normally, supplier assurance and procurement teams would stay well away from these technical and complex areas.

For instance, with cyber security, where supplier due diligence requires a cyber security assessment, the work is handed over to internal or external specialists.

Reports, risk acceptance or remediation activities are left with the specialists.

Supplier assurance teams focus on the financial risk, insurance cover, standards, supply continuity and so on.

How to build a supplier assurance framework

Firms working in the UK nuclear sector need to have adequate supplier assurance frameworks in place


Organisations need a different approach to reduce risks associated with suppliers, vendors and other third parties.

This has to combine the supplier assurance and procurement team’s approach, based on good practice, controls, evidence of governance and commitments to improvement, with the deeper technical understanding of other teams.

Supplier assurance and procurement teams have a far greater role to play in this than they may imagine.

A good framework starts with supplier assurance and other departments gaining an improved understanding about each other’s domains, objectives and responsibilities.

A starting point is for them to jointly develop supplier impact criteria that systematically assess how much inherent risk every supplier or third party may have in that department’s sphere.

Each supplier can then be measured against these criteria, and their supplier impact level established.

A different approach for each level of impact should be agreed and completely standardised across the organisation.

Suppliers with a very high impact should be expected to demonstrate a high level of internal controls.

For cyber security, for example, this should mean obtaining, or working to achieve, recognised standards such as ISO27001, IASME governance or NIST.

This means it is the supplier’s responsibility to show a serious level of control — rather than the hard-pressed cyber security team’s responsibility to dive into hundreds of hours of audit work. It also has the benefit that a non-cyber specialist can easily determine whether the standard is in place.

Where a technical assessment is needed, such as a penetration test or at least a report from a credible third party, the supplier assurance team can be responsible for ensuring that this takes place — handing over the responsibility to the cyber teams or external testers where needed. However, the ‘management of risk’ role cannot be handed over.

Each level of supplier impact should also include the levels of compliance required in order to maintain good risk management.

Again, the supplier assurance team can timetable these ongoing reviews and focus on the governance of third-party risk — cyber, materials, continuity, financial or regulatory.

Shared supplier risk information

It helps if the different teams involved in supplier risk use shared information systems to record and visualise supplier risks.

We have seen users creating really impressive supplier scorecards, showing a combined view of financial, cyber, GDPR, slavery and other risks all on one simple chart for each supplier.

This gives them a shared understanding of the totality of risk from each supplier. It also helps specialist teams, such as IT and supplier assurance, understand how their worlds fit together.
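As an added illustration, not code from the article or from Crossword Cybersecurity, the following Python sketch puts the steps above together: jointly agreed impact criteria per domain, an impact level for each supplier, a standardised set of requirements and review interval per level, and a combined scorecard across domains. The criteria, the thresholds, the level-to-requirement mapping and the two fictional suppliers are all assumptions made for the example; a real framework would agree each of these across departments.

```python
"""Supplier impact tiering and combined scorecard (constructed example)."""
from datetime import date, timedelta

# Risk domains named in the article. The criteria under each are assumed
# examples of inherent-risk questions, answered yes/no for every supplier.
DOMAINS = ("cyber", "materials", "continuity", "financial", "regulatory")

CRITERIA = {
    "cyber": ("connects to our network", "processes our data", "supplies IoT/OT devices"),
    "materials": ("supplies safety-related components", "sub-contracts to tier 2/3 suppliers"),
    "continuity": ("single-source supplier", "lead time over three months"),
    "financial": ("spend above agreed threshold", "recent credit-rating downgrade"),
    "regulatory": ("in scope of Modern Slavery Act reporting", "processes personal data (GDPR)"),
}

LEVELS = ("low", "medium", "high", "very high")  # ordered, lowest first

# Standardised response per impact level (assumed mapping). Higher levels
# push the burden of evidence onto the supplier and shorten the review cycle.
REQUIREMENTS = {
    "low": {"evidence": "self-assessment questionnaire", "review_months": 24, "technical_test": False},
    "medium": {"evidence": "policies and governance evidence", "review_months": 12, "technical_test": False},
    "high": {"evidence": "working towards ISO27001 / IASME / NIST", "review_months": 12, "technical_test": True},
    "very high": {"evidence": "current ISO27001 / IASME / NIST certification", "review_months": 6, "technical_test": True},
}


def domain_level(domain, answers):
    """Map one domain's yes/no answers onto an impact level.

    The share of criteria answered 'yes' drives the level; the thresholds
    (0 -> low, <50% -> medium, <100% -> high, all -> very high) are assumed.
    """
    criteria = CRITERIA[domain]
    unknown = set(answers) - set(criteria)
    if unknown:
        raise ValueError(f"unknown {domain} criteria: {sorted(unknown)}")
    hits = sum(1 for c in criteria if answers.get(c, False))
    share = hits / len(criteria)
    if hits == 0:
        return "low"
    if share < 0.5:
        return "medium"
    if share < 1.0:
        return "high"
    return "very high"


def assess(name, answers_by_domain, assessed_on):
    """Assess a supplier in every domain; the overall level is the highest domain level."""
    levels = {d: domain_level(d, answers_by_domain.get(d, {})) for d in DOMAINS}
    overall = max(levels.values(), key=LEVELS.index)
    req = REQUIREMENTS[overall]
    return {
        "supplier": name,
        "levels": levels,
        "overall": overall,
        "required_evidence": req["evidence"],
        "technical_test_required": req["technical_test"],
        # Review cadence is tied to the level so the assurance team can timetable it.
        "next_review": assessed_on + timedelta(days=30 * req["review_months"]),
    }


def overdue_reviews(assessments, today):
    """Suppliers whose scheduled review date has already passed."""
    return sorted(a["supplier"] for a in assessments if a["next_review"] < today)


def scorecard(assessments):
    """Plain-text scorecard: one row per supplier, one column per domain plus overall."""
    width = 12
    rows = ["supplier".ljust(width) + "".join(d.ljust(width) for d in DOMAINS) + "overall"]
    for a in assessments:
        cells = "".join(a["levels"][d].ljust(width) for d in DOMAINS)
        rows.append(a["supplier"].ljust(width) + cells + a["overall"])
    return "\n".join(rows)


# Constructed answers for three fictional suppliers (not real companies).
SAMPLE = [
    ("SensorCo", {"cyber": {c: True for c in CRITERIA["cyber"]},
                  "regulatory": {"processes personal data (GDPR)": True}}),
    ("BoltWorks", {"materials": {"supplies safety-related components": True}}),
    ("PaperCo", {}),
]

if __name__ == "__main__":
    results = [assess(n, a, date(2024, 1, 1)) for n, a in SAMPLE]
    print(scorecard(results))
    print("overdue on 2024-07-01:", overdue_reviews(results, date(2024, 7, 1)))
```

The overall level is the maximum across domains rather than an average, so a supplier that is low-risk financially but supplies network-connected devices is still treated as high impact for assurance purposes; averaging would hide exactly the single-domain exposures the article warns about.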

The nuclear industry is working to improve the effectiveness of supply chains and their management.



Jake Holloway is chief product officer at Crossword Cybersecurity PLC