Procurement teams have a lot on their plate. On top of acting as a key component of their enterprises’ broader payments and workflow digitization strategies, procurement departments are also central to optimizing spend and strengthening supplier relationships. Today, they’re managing this workload in a remote setting on top of a slew of other pressures facing organizations.
So it’s not exactly surprising that supply chain risk mitigation efforts can fall by the wayside. A traditionally manual process involving PDF questionnaires, supplier due diligence is rarely at the top of the list when organizations are considering where to place their resources to invest in new, automated technology.
Yet when a company falls victim to a cyberattack, increasingly, the weak point didn’t come from within the enterprise. Rather, it can be traced back to somewhere within that firm’s supply chain, and the consequences can be dire — especially now, and especially for smaller businesses.
“The pandemic and the economic impact of it are a double-whammy for SMEs when it comes to risk via the supply chain,” explained Jake Holloway, chief product officer at Crossword Cybersecurity.
For many small firms, suppliers may be suddenly unable to meet service level requirements, with their larger corporate customers taking priority. Further, Holloway told PYMNTS, small- to medium-sized businesses (SMBs) are struggling to manage that restricted capacity on top of their own financial pressures and threats to revenue streams.
“Suddenly having to rethink their whole supply chain strategy is a huge additional pressure,” he said.
Lackluster Risk Strategies
Small businesses aren’t the only ones falling short on their supply chain, supplier and third-party risk management strategies. According to Holloway, it’s a challenge for companies of all sizes and industries, and many continue to struggle to prioritize enhanced due diligence processes.
“The fundamental problem is that almost every modern business depends massively upon their supply chains,” he said, adding that anything from a cyberattack to non-compliance with child labor laws within a supplier is likely to ultimately cause financial or reputational losses for a company itself. “However, when you look at how businesses do Supplier Assurance — or due diligence — it so often is out-of-date PDF questionnaires being emailed to a handful of the suppliers, with not many bothering to complete questionnaires.”
Yet SMBs face even greater headwinds in their efforts to mitigate these risks.
Not only are smaller firms more likely to be heavily dependent on their vendors than larger organizations, they’re also less likely to have a sophisticated due diligence strategy.
“And,” added Holloway, “they’re less likely to survive a big hit if a supplier causes a data breach or a fine, or damages their reputation by being publicly embarrassed by the supplier’s poor working conditions.”
Combating Risk Through Technology
Smaller companies’ reliance on outsourced solution providers and third-party platforms has been crucial to their ability to launch, expand, and now survive market volatility. Yet this use of external products and services further expands the so-called “attack surface” that exposes a company to an array of risks.
Crossword Cybersecurity recently launched a new solution designed to address this pain point for small firms. Dubbed Rizikon Pro, the solution arms smaller businesses with the technologies that are traditionally reserved for large organizations to mitigate third-party risk. The SaaS tool is customizable with streamlined vendor on-boarding and features that enable SMBs to access standard questionnaires or develop their own.
It’s key for businesses to not only streamline and digitize their supplier risk assessments but for those firms to manage that risk through a holistic pane.
But what’s perhaps even more important is for smaller companies to understand how important it is to establish a third-party risk mitigation strategy in the first place.
“Supplier Assurance is often an under-resourced part of the business,” said Holloway, “but when the problems come in from suppliers — as they always do, and usually out-of-the-blue — it’s plain-old Supplier Assurance that has failed.”