Technical Risk


RISK IDENTIFIED

 

Source of Influencers

Internal
Examples of internal risk influences include a weak culture around data security; inadequate internal authentication and access controls that allow unauthorised access to systems; and insufficiently robust protection of designs and trademarks.

External
There is often a gap between what is expected of suppliers and what they are contractually bound to or responsible for; a supplier may also lack the expertise to properly manage your data or its access to your systems.


 

Organisational Consequences

Operational
If systems are breached, this can lead to supply chain disruption.

Financial
Fraudulent financial transactions could lead to unrecoverable losses; delays may increase costs, cause orders to be cancelled or trigger penalty clauses.

Reputational
Poor control of designs and similar intellectual property can lead to poor-quality copies reaching the market; a breach, once disclosed, can cause a loss of consumer confidence.


 

Sustainability Consequences

Economic
Unauthorised use of designs in poorly controlled geographies could lead to loss of revenue; loss of projected revenue can create business instability.


Risk and Resilience

 

RECOMMENDATIONS

 

  • Implement an induction programme that goes beyond initial recruitment and is initiated for any significant change of responsibility and includes a defined training programme
  • Produce a detailed analysis of all current and potential data that will be passed to third parties as part of your sourcing activities including pre tender, tender and post tender data
  • Work with your IT specialists to review each data element to ensure you have robust measures in place to mitigate any potential threats
  • Ensure all appropriate individuals have a good understanding of and know their role and responsibilities in respect of cyber security threats
  • Put in place an appropriate authorisation process to ensure that only the appropriate data is shared with third parties, and that it is shared through channels with adequate cyber security controls
  • Provide training to ensure all staff make the best use of available internet and non-internet sourced resources
  • Encourage good links with key stakeholders/specifiers that provide the opportunity for knowledge transfer to appropriate buying team members
  • Encourage engagements with suppliers including on-site visits to build up the understanding of the products/services they procure
  • Develop a common indexed repository where team members store data such as tenders, supplier visit reports, supplier contacts and performance information etc.
  • On regular occasions (monthly team meetings?) have a team member talk about the commodity they are responsible for, the challenges, supply base, etc.
  • Consider moving category/commodity responsibilities every three to four years to develop a greater spread of knowledge within the buying team
  • Consider typically one to three month placements with a range of internal departments with a clear aim of increasing the overall understanding of key buying team members
  • Include a series of brief stays in all key departments as part of a new buyer’s induction process
  • Offer reciprocal placements for members of key stakeholders/specifiers’ departments
  • Ensure there is at least one on site buyer visit for all key/critical goods/services where practicable
  • Encourage all buyers to have regular documented meetings with key suppliers that have a clear objective/agenda
  • Encourage all buyers to have a good understanding of the multiple supply chain layers that make up the key products and services they are responsible for
  • Take steps to understand how your organisation manages its intellectual property in the following areas:
    • Copyrights
    • Patents
    • Trademarks
    • Industrial designs
    • Geographic indications
  • Develop internal IP familiarisation/training documentation to be used as both an ongoing source of reference and as part of a new buyer’s induction material
  • Ensure your master contract documents have been legally reviewed in respect of IP related clauses
  • Introduce a ‘does this need legal input?’ stage into your contract/tendering process
  • Develop a clear understanding of IP ‘hot spots’ in the procurement process
  • Meet with appropriate commercial/sales colleagues to review current customer contracts that include a supplier resale element
  • Review your current procurement process/documentation related to orders for resale/under license goods or services to ensure the IP ownership and liability has been fully addressed
  • Develop relationships with your commercial colleagues to ensure purchasing is involved appropriately in future buy and resale activities
  • Arrange a team briefing session with the appropriate internal (and if appropriate external) legal advisor(s) to ensure a clear understanding and open communications channel in respect of IP related queries
  • Develop appropriate questions as part of both pre and post tender activities - involve expert advisors if in any doubt
  • Add IP management to the agenda of an appropriate supplier meeting/supplier review
  • Develop an IP checklist for you and your team to use
  • Engage with insurance specialists within and if appropriate outside your organisation to further understand the role they play in mitigating risk
  • Identify which of the following insurance categories are applicable to the goods and services that you procure:
    • Employers' liability
    • Business building/properties
    • Public liability
    • Professional indemnity
    • Financial risk
    • Directors and officers
    • Product liability
    • Pollution risk
    • Intellectual property
    • Key person
    • Business continuity
    • Trade credit
    • Plant and business equipment
    • Goods in transit insurance
    • Industry specific policies
  • Build appropriate screening questions into your supplier assessments so that current and potential suppliers give you the information needed to take a view on how they approach data security with both their customers and their own suppliers
  • Ensure any judgements you make are evidence based
  • Specifically seek to understand how your key suppliers manage the data that you pass to them and the data they send to you
  • Add cyber security to your on-site audit list when you visit one of your key suppliers
  • Develop a step by step procure to pay process map that covers all actions from initial requirement generation to final supplier payment
  • Using your P2P process map, work with your IT specialists to identify cyber security ‘hot spots’ and ensure you have robust measures in place to mitigate any potential threat
  • Identify any areas of external contact outside your P2P map that may also create a cyber security risk and review with your IT specialists as above
  • Benchmark your cyber security approach with other peer organisations to identify any other measures that you should consider undertaking
  • Work with your IT department to identify the number and duration of outages of your P2P system during the last year and express the total as a percentage of working hours for the period surveyed.  If downtime exceeds the accepted norm (e.g. more than 0.5% of working hours), or if any single outage lasts longer than one hour, work with your IT department to identify ways to increase system robustness
  • Develop an acceptable emergency process to be instigated in times of known or unscheduled outages as appropriate
  • Create a matrix that shows which of the listed insurances categories (above) are applicable for the commodity groups that you procure
  • Develop a series of questions you can use for your key suppliers to establish if they have adequate insurance cover for the appropriate categories designated in your matrix
  • Ensure you incorporate insurance coverage questions in your tender and pre tender sets of supplier questions
  • Ensure you obtain documentary evidence to support any response that sets out period of cover and policy value
  • Use your IT specialists to develop your approach/checklist to be used as part of your supplier evaluation process
  • Contact your key suppliers to ensure they have appropriate IT risk and resilience plans in place
  • Ensure you incorporate IT risk and resilience plans in your tender and pre tender sets of supplier questions
    • Ensure you obtain documentary evidence to support any response
  • Work with your IT specialists to understand your organisation’s IT risk and resilience plans/strategy
  • Source best in class IT risk and resilience plans from other peer organisations and compare with your published plans
  • Where appropriate, use externally published IT risk and resilience plans/strategies as a template for your organisation
  • Specifically investigate how any internal plans provide appropriate resilience to your purchasing related systems
  • Undertake the CIPS Cyber Security for Purchasing Professionals E-Learning
  • Use the NCSC (National Cyber Security Centre) 10 Steps to Cyber Security advice to broaden your understanding in this area
  • Add cyber security to the list of required training/knowledge for all your buying team
  • Organise formal training in association with your IT specialists
  • Take steps to understand your organisation’s IT replacement/upgrade plans and how they affect the Procure to Pay (P2P) function
  • Ensure Procurement is adequately represented in any IT replacement implementation team
  • Be sure to take time to ensure that you and your team are adequately trained in any new major system change that affects the procurement activity
  • Use other external purchasing organisations experience when undertaking similar IT upgrades/replacement programs
  • Using the list of insurance types listed above as a base develop a process to understand what steps your key suppliers take to ensure their key suppliers have appropriate insurances in place
  • Follow through selected purchases with selected suppliers to gain an understanding of the best approach to establish insurance coverage within their tiered supply chain
  • Encourage your team to use all available sources to understand any potential supplier events that may have a consequential effect on their trading relationships
  • Consider subscribing to a specialist information organisation that can provide appropriate alerts/updates on selected organisations (sole-sourced goods suppliers?)
  • Encourage your team to use all available sources to understand any potential sole sourced supplier events that may have a consequential effect on their trading relationships
  • Expand your and your team’s understanding of the potential supply risks presented by a supplier’s change of ownership, working with your legal specialists to understand the appropriate wording to be added to any relevant supply contracts
  • Review all key supply contracts to ensure supply protection clauses are in place or take steps to add them
  • Put plans in place to have a specific discussion with all your key/critical suppliers to establish their approach to ensure supply continuity in event of one of their key suppliers changing ownership
    • Ensure you obtain documentary evidence to support any response
  • Be prepared to educate your supplier(s) on the need to manage this risk appropriately
  • Use your legal resources to support your key suppliers as appropriate.
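The P2P downtime check in the recommendations above (total outage time as a percentage of working hours, plus any single outage longer than one hour) is simple enough to script once IT has supplied the outage log. The following Python is an added example, not part of the CIPS guidance or any CIPS tool; the outage records are constructed for illustration, and the working day (09:00 to 17:00, Monday to Friday) and the 0.5% and one-hour thresholds are assumptions that should be replaced with your organisation’s own norms.

```python
from datetime import datetime, timedelta

# Assumed working day for the percentage calculation: 09:00-17:00, Monday-Friday.
WORK_START_HOUR = 9
WORK_END_HOUR = 17

# Constructed outage records (start, end) in ISO 8601 local time; not real data.
OUTAGES = [
    ("2023-03-06T09:30", "2023-03-06T10:15"),  # Monday morning, 45 min inside working hours
    ("2023-03-11T02:00", "2023-03-11T05:00"),  # Saturday night, 3 h but outside working hours
    ("2023-06-14T16:30", "2023-06-14T19:00"),  # Wednesday, 2.5 h straddling end of the working day
    ("2023-09-20T08:00", "2023-09-21T12:00"),  # 28 h outage spanning two working days
]


def working_minutes_between(start: datetime, end: datetime) -> int:
    """Minutes of the interval [start, end) that fall inside working hours."""
    total = 0
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day < end:
        if day.weekday() < 5:  # Monday=0 ... Friday=4
            window_start = day.replace(hour=WORK_START_HOUR)
            window_end = day.replace(hour=WORK_END_HOUR)
            overlap_start = max(start, window_start)
            overlap_end = min(end, window_end)
            if overlap_end > overlap_start:
                total += int((overlap_end - overlap_start).total_seconds() // 60)
        day += timedelta(days=1)
    return total


def availability_report(outages, period_start: str, period_end: str,
                        max_downtime_pct: float = 0.5,
                        max_outage_hours: float = 1.0) -> dict:
    """Summarise P2P outages over [period_start, period_end) against both thresholds."""
    p_start = datetime.fromisoformat(period_start)
    p_end = datetime.fromisoformat(period_end)
    available = working_minutes_between(p_start, p_end)

    lost = 0
    long_outages = []
    for s, e in outages:
        start, end = datetime.fromisoformat(s), datetime.fromisoformat(e)
        # Percentage downtime counts only minutes lost inside working hours and
        # inside the surveyed period ...
        lost += working_minutes_between(max(start, p_start), min(end, p_end))
        # ... but the "longer than one hour" test uses wall-clock duration, since a
        # weekend outage of that length still says something about resilience.
        hours = (end - start).total_seconds() / 3600
        if hours > max_outage_hours:
            long_outages.append((s, round(hours, 2)))

    pct = 100.0 * lost / available if available else 0.0
    return {
        "working_minutes": available,
        "lost_working_minutes": lost,
        "downtime_pct": round(pct, 3),
        "long_outages": long_outages,
        "needs_action": pct > max_downtime_pct or bool(long_outages),
    }


if __name__ == "__main__":
    report = availability_report(OUTAGES, "2023-01-01", "2024-01-01")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Two design points worth noting when adapting this: the percentage is measured against working hours only, so a quiet overnight outage does not inflate it, while the one-hour rule is applied to wall-clock duration so that long out-of-hours outages are still surfaced for discussion with IT. Outages that straddle the survey period are clipped to it before they are counted.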

 

FURTHER RESOURCES

 

CIPS Supply Chain Risk and Resilience Report

Supply Chain Risk and Resilience

Whilst there are numerous BSI and ISO standards developed for business continuity, risk management and organisational resilience, there is no global benchmark that can be used to test and develop an organisation’s end-to-end supply chain resilience. The objective of this CIPS introduction, along with the forthcoming good practice guidance and online tool, is to fill this gap. This will help procurement and supply management professionals support the survival of their organisations by identifying supply chain risks whilst protecting shareholders and the general public against the effects of disruption and malpractice.

Read the full report

Related concepts

Supply Chain Risk Resilience

Whilst there are a number of BSI and ISO standards developed for business continuity, risk management and organisational resilience there is no global benchmark that can be used to test...


Supply Chain Vulnerability

Examining the vulnerability of an organisation’s supply chain network can be used to identify such risks and weaknesses and produce mitigation strategies and corrective action plans...