Risk Management has been a constant in information security standards, regulations and corporate policies essentially forever. It is a staple.
Companies, organisations and governments all require risk assessments to be conducted. More specifically, a well-functioning board needs appropriate and complete information about the risk posture around the operations of a business in order to make informed decisions about its future direction.
The scope of assessments and the depth to which reviews are conducted are what differentiate the better-managed businesses from the pack. Narrow risk assessments, while possibly meeting the formal objective of undertaking such reviews, do not really help an organisation understand the full extent to which it is exposed, and this in turn limits its capacity to react, control and mitigate.
One of the areas we find most lacking in coverage, yet ironically one that is becoming an ever larger source of risk and exposure, is supply chain risk.
Understanding supply chain risks adds a totally new dimension to your assessment. These are no longer first-order threats. They are likely to be second- and third-order threats, and in highly integrated and complex environments, the existence of nested supply chains means that you may never know all the parties associated with the product or service you are acquiring. While you may not be able to identify and protect against every supply chain risk, that does not mean you can blindly ignore this vector because the subject is complex. On the contrary, ignoring supply chain risks today would be negligent, and boards should be insisting that information about these risks be presented to them for consideration.