14 min reading Wed Jan 22 2025
Managing supply chain risks: what are the key risk assessment criteria?
![Ceeyu UI](https://ceeyu-strapi.ams3.cdn.digitaloceanspaces.com/supplier_checklist_814aa502d1.png)
Background
SUPPLY CHAIN ATTACKS
Supply chain attacks target vulnerabilities within a company’s supply chain, exploiting weaknesses in third-party vendors, service providers, or software used by the organization. Instead of directly attacking a company, cybercriminals infiltrate trusted partners or suppliers, compromising their systems to gain unauthorized access, deliver malware, or steal sensitive data. These attacks are particularly effective because they exploit the inherent trust and interconnectedness of modern supply chains, allowing attackers to bypass traditional security measures.
Supply chain attacks have become increasingly prevalent and impactful in recent years, affecting numerous organizations and causing significant disruptions. Here are some recent facts and figures illustrating their impact:
- Increase in Supply Chain Breaches: The average number of supply chain breaches per organization rose from 3.29 incidents in 2022 to 4.16 in 2023, marking a 26% increase. (Source: Supply Chain Brain)
- Entities Impacted in the U.S.: In 2023, supply chain cyber attacks in the United States affected 2,769 entities, the highest number reported since 2017 and a 58% increase from the previous year. (Source: Statista)
- Global Customer Impact: In the first quarter of 2023, over 60,000 companies worldwide reported being impacted by supply chain attacks, highlighting the extensive reach of these incidents. (Source: Statista)
- Financial Consequences: The SolarWinds attack, one of the most significant supply chain attacks to date, affected over 18,000 organizations. Some reports indicate that the attack cost those affected an average of 11% of their revenue. (Source: Dark Reading)
- Operational Disruptions: Supply chain cyber attacks can halt a company's entire supply chain operations. For instance, disruptions to a supplier's operations due to a cyberattack can bring a company's supply chain to a standstill. (Source: SCMR)
- Recent High-Profile Incidents:
  - 3CX Supply Chain Attack (March 2023): The 3CX Phone System app was compromised, potentially impacting hundreds of thousands of users worldwide. (Source: Wikipedia)
  - Okta Supply Chain Attack (October 2023): Threat actors accessed private customer data by obtaining credentials to Okta's customer support management system. (Source: CyberInt)
  - Sisense Supply Chain Attack (April 2024): A breach at Sisense, a business intelligence firm, led to advisories for customers to reset shared credentials and secrets. (Source: CyberInt)
These incidents underscore the growing threat posed by supply chain attacks, emphasizing the need for organizations to implement robust cybersecurity measures to protect their operations and data.
NIS2 AND DORA
NIS2 and DORA are regulations designed to ensure business continuity for companies operating in sectors essential to a country, such as banking, healthcare, public transport, logistics and so on. The legislation will come into force in January 2025 for the financial industry (DORA). For other key sectors (NIS2), the legislation will come into force between the end of 2024 and 2026 in EU countries, depending on the timetable for transposing the EU NIS2 directive into national law.
Given the increasing number of supply chain incidents, NIS2 and DORA have made supply chain risk management a mandatory activity. Not only must companies subject to the legislation check risks before selecting a new supplier, but supply chain risk management must become an ongoing activity. It’s worth mentioning that DORA is stricter in terms of prescribing detailed and mandatory supply chain risk management processes, especially for ICT providers.
Implementing this third-party risk management process is considered to be one of the most difficult aspects of NIS2 and DORA: 53% of financial institutions subject to DORA indicated that it was the most difficult DORA requirement to implement. (Source: McKinsey)
The bigger picture: a TPRM Policy
Which supply chain risk assessments are to be done for which vendor should be defined in a Third-Party Risk Management (TPRM) policy. Below are the key elements that should be included in an effective TPRM policy:
1. PURPOSE AND SCOPE
- Purpose: Define the goals of the policy, such as mitigating risks, ensuring compliance, and protecting organizational assets.
- Scope: Specify which third parties are covered (e.g., suppliers, contractors, service providers) and which business functions it applies to (e.g., procurement, IT, legal). You may already categorize your vendors by type (see below) as part of this exercise.
2. ROLES AND RESPONSIBILITIES
- Ownership: Assign accountability for TPRM (e.g., risk management team, compliance team, or procurement department).
- Stakeholder roles: Define responsibilities for various stakeholders, including:
  - Vendor managers
  - Risk assessors
  - Legal and compliance teams
  - Business owners
3. RISK ASSESSMENT FRAMEWORK
- Risk tiers: Categorize vendors into risk tiers (e.g., high, medium, low) based on criticality and risk exposure.
- Vendor types: Categorize suppliers based on the type of service or product they deliver (IT Software, IT SaaS, Advisory Services, Raw materials, Logistics, etc.). This is important because not every assessment criterion is applicable to all vendors; for example, an assessment on traceability of components is not relevant to evaluate
- Risk assessment criteria: Outline methods to identify potential risks (see below).
- Risk assessment schedule:
  - Pre-onboarding assessment: You’ll do a thorough assessment before the start of the relationship with a new supplier.
  - Ongoing monitoring: Depending on the vendor type and the risk tier, you’ll define the risk assessment frequency. Continuous supply chain risk monitoring is a requirement in both NIS2 and DORA. Typically, you’ll do an annual risk assessment of your high-risk suppliers, a review of your medium-risk suppliers every two years, and a light re-assessment of your low-criticality suppliers every three years.
- Risk assessment map: For each of the vendor types, and for each of the risk tiers within these vendor types, define the risk assessment criteria to be used at pre-onboarding and when monitoring.
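The pre-onboarding and monitoring schedule just described, as an added example that is not part of the original article: a small Python helper that derives when each vendor's next assessment is due from its risk tier (vendor names, types and dates are constructed).

```python
"""Tier-driven reassessment schedule (added example; not Ceeyu's code)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Monitoring interval in years per risk tier, as described in the article:
# high-risk suppliers yearly, medium every two years, low every three years.
INTERVAL_YEARS = {"high": 1, "medium": 2, "low": 3}


@dataclass
class Vendor:
    name: str
    vendor_type: str               # e.g. "IT SaaS", "Logistics" (constructed labels)
    risk_tier: str                 # "high", "medium" or "low"
    last_assessed: Optional[date]  # None = no assessment completed yet


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def next_assessment(v: Vendor) -> tuple[str, Optional[date]]:
    """Return (assessment kind, due date).

    A vendor with no completed assessment needs the thorough pre-onboarding
    review before the relationship starts (due immediately, so the date is None);
    otherwise the monitoring interval for its tier applies.
    """
    if v.risk_tier not in INTERVAL_YEARS:
        raise ValueError(f"unknown risk tier: {v.risk_tier!r}")
    if v.last_assessed is None:
        return "pre-onboarding", None
    return "monitoring", add_years(v.last_assessed, INTERVAL_YEARS[v.risk_tier])


def due_vendors(vendors: list[Vendor], today: date) -> list[tuple[str, str]]:
    """(vendor name, assessment kind) for every vendor due on or before `today`,
    highest risk tier first so the riskiest backlog sits at the top of the list."""
    priority = {"high": 0, "medium": 1, "low": 2}
    due = []
    for v in vendors:
        kind, when = next_assessment(v)
        if when is None or when <= today:
            due.append((v, kind))
    due.sort(key=lambda item: priority[item[0].risk_tier])
    return [(v.name, kind) for v, kind in due]


if __name__ == "__main__":
    # Constructed sample vendor register; names and dates are invented.
    register = [
        Vendor("Acme Logistics", "Logistics", "medium", date(2024, 1, 15)),
        Vendor("CloudCo", "IT SaaS", "high", date(2024, 1, 15)),
        Vendor("OreWorks", "Raw materials", "low", None),
    ]
    for name, kind in due_vendors(register, date(2025, 1, 22)):
        print(f"{name}: {kind} assessment due")
```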
Key risk assessment criteria
The key supply chain risk assessment checks can be grouped into several categories:
1. FINANCIAL AND OPERATIONAL STABILITY
- Financial Health Checks: Assess suppliers' financial stability. This can be done by verifying credit ratings with one of the credit rating agencies (CRAs): S&P Global, Moody's and Fitch. As fees for such credit checks may be hefty, you could also do these checks yourself, starting from the supplier's most recent audited financial statements. These are the key checks to be done:
  - Are the cash flow and operating profit positive? If not, what’s the trend, and how much cash does the company have in order to sustain the drain?
  - Are the key accounting ratios within healthy ranges?
    - Current ratio = Current assets ÷ Current liabilities. If this ratio is > 1, the company can finance its short-term (12 months) obligations.
    - Debt to net worth ratio = (Short-term + long-term liabilities) ÷ Supplier’s net worth, where the net worth is the difference between a supplier's total assets and total liabilities. By dividing the total liabilities by the net worth of a supplier, you can determine whether a supplier is over-indebted. The ratio is considered “good” if it’s below 2 (though this depends on the industry).
- Dependency Risk: Verify that your suppliers are not themselves over-reliant on a single supplier in domains that are critical to their operations.
- Capacity Assessments: Verify if your suppliers have the ability to meet the required production volumes (taking into account your specific requirements) for the coming period.
- Geopolitical Stability: Monitor risks in suppliers’ operating regions (e.g., political unrest, sanctions). To do this, several public risk indices can be of help, such as this reputable index.
- Natural Disaster Exposure: Evaluate risks of disruptions due to weather or natural disasters. The United States has its own, publicly available map. At a global level, the European INFORM platform can be used for this purpose.
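The financial health checks above (cash flow and profit, current ratio, debt to net worth, cash available to sustain a drain), worked through in Python as an added example that is not part of the original article; the `Financials` fields and the sample figures are constructed, and the debt ratio threshold of 2 from the article is applied as an adjustable default.

```python
"""Financial health check from audited statements (added example; not Ceeyu's code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Financials:
    """Key figures from one year's audited statements, all in the same currency."""
    year: int
    current_assets: float
    current_liabilities: float
    total_assets: float
    total_liabilities: float   # short-term plus long-term liabilities
    operating_profit: float
    operating_cash_flow: float
    cash: float                # cash and equivalents at year end


def current_ratio(f: Financials) -> float:
    """Current assets ÷ current liabilities; > 1 means 12-month obligations are covered."""
    return f.current_assets / f.current_liabilities


def debt_to_net_worth(f: Financials) -> Optional[float]:
    """Total liabilities ÷ net worth (total assets minus total liabilities).
    None when net worth is zero or negative: the supplier is already over-indebted."""
    net_worth = f.total_assets - f.total_liabilities
    if net_worth <= 0:
        return None
    return f.total_liabilities / net_worth


def cash_runway_months(f: Financials) -> Optional[float]:
    """Months of burn the year-end cash covers when operating cash flow is negative;
    None when cash flow is positive (there is no drain to sustain)."""
    if f.operating_cash_flow >= 0:
        return None
    return f.cash / (-f.operating_cash_flow / 12)


def assess(history: list[Financials], max_debt_ratio: float = 2.0) -> dict:
    """Apply the checks to the latest statement, using earlier years for the trend.
    max_debt_ratio defaults to the article's 2; adjust it per industry."""
    history = sorted(history, key=lambda f: f.year)
    latest, findings = history[-1], []
    cr = current_ratio(latest)
    if cr <= 1:
        findings.append(f"current ratio {cr:.2f} <= 1: short-term obligations not covered")
    dnw = debt_to_net_worth(latest)
    if dnw is None:
        findings.append("negative net worth: liabilities exceed total assets")
    elif dnw >= max_debt_ratio:
        findings.append(f"debt-to-net-worth {dnw:.2f} >= {max_debt_ratio}: over-indebted")
    if latest.operating_profit <= 0:
        findings.append("operating profit not positive")
    runway = cash_runway_months(latest)
    if runway is not None:
        worsening = len(history) > 1 and latest.operating_cash_flow < history[-2].operating_cash_flow
        trend = "worsening" if worsening else "stable or improving"
        findings.append(f"negative operating cash flow ({trend}); cash covers ~{runway:.0f} months")
    return {"current_ratio": cr, "debt_to_net_worth": dnw,
            "runway_months": runway, "findings": findings, "pass": not findings}
```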
2. CYBERSECURITY AND DATA PRIVACY
- Attack Surface Scans: Evaluate suppliers for possible cyber vulnerabilities using non-intrusive analysis methods. Attack surface scanning (ASM or EASM) combines various remote (= Internet-based) scanning techniques that hackers use to determine whether there are known vulnerabilities in a company's externally detectable digital assets (network systems, applications, DNS settings). Compared with penetration tests and active vulnerability scans, ASM checks offer two advantages: they are inexpensive and non-intrusive.
- Security controls: Verify that your suppliers have implemented a minimal set of security controls (safeguards or countermeasures to avoid, detect, counteract or minimize security risks). This can be done by asking for security audit reports (e.g. SOC 2) or proof of certification against a security standard such as ISO 27001.
- Incident Response Readiness: Confirm suppliers have plans to handle cyber incidents.
- Data Protection Practices: Ensure adherence to data privacy regulations (e.g., GDPR, CCPA) in case the supplier processes personal data of your employees or your customers. To do so:
  - Verify that strict access controls are implemented to limit data access to authorised personnel only. This can be done by checking whether the supplier holds a data privacy compliance certificate such as ISO/IEC 27701.
  - Request a record of the third parties involved in your supplier's product or service that process your personal data, and verify that data processing agreements are in place.
  - Ascertain that privacy policies and notices, consent mechanisms and opt-out options are in place, and that your supplier maintains clear records of consents.
3. BUSINESS CONTINUITY
Business continuity is often referred to in the context of cybersecurity, but plans must adopt an “all-hazards” approach, i.e. they must take into account all types of risk likely to affect business continuity.
- Contingency Plans: Ensure suppliers have plans for disruptions like pandemics, strikes, or equipment failure.
- Communication Protocols: Enquire about communication channels and timelines during emergencies.
4. COMPLIANCE AND REGULATORY ADHERENCE
- Regulatory Compliance: Verify compliance with the specific regulations applicable to the industry your supplier operates in (e.g. PCI for payment service providers in Europe, FDA for food processing in the USA).
- Trade and Export Restrictions: Check suppliers against government sanction lists. This can be done using questionnaires or public sanction lists such as that of the United States.
5. ENVIRONMENTAL, SOCIAL AND GOVERNANCE (AKA ESG) RISKS
- Environmental Compliance: Suppliers can be questioned about:
  - The applicable local laws in the area of emissions and waste management, and whether they comply with them.
  - Whether they have environment and climate-related disclosures (e.g., TCFD, CDP, GRI, Ecovadis) and/or adhere to frameworks or standards in this domain, such as ISO 14001.
  - Whether they are making adequate efforts to reduce their greenhouse gas emissions by investing in renewable energy and energy efficiency measures. If they do, they should pursue a public policy in this area.
- Social and Ethical Standards: Assess compliance with labor laws and ethical sourcing guidelines through a questionnaire-based assessment. Ask if the supplier has social (e.g., workplace safety, forced/child labor, diversity/equity/inclusion (aka DEI)) policies and practices to address, monitor and report on material social risks and opportunities.
- Sound Governance: Does the supplier have governance (e.g., compliance, risk management, audit) policies and practices to address, monitor and report on material governance risks and opportunities?
For the three domains above:
- Request the actual policy documents (and verify last revision dates).
- Ask about the factors that are considered material in these policies, and which KPIs are tracked.
- Enquire whether the company has been involved in ESG-related controversies, misconduct, penalties, incidents or accidents, or violations of the UN Global Compact and/or OECD Guidelines for Multinational Enterprises in the last five years, and the total value of fines and/or penalties incurred.
6. REPUTATIONAL RISK
- Past Performance: Review track records for recalls or delivery delays. You can either ask the supplier for their records, or you can take this aspect into account when conducting news analysis.
- News Analysis: Use tools to monitor negative press about suppliers. Some tools that may be of help:
  - Google News: While it doesn’t offer sentiment analysis directly, you can use keywords like “Company Name + controversy”, “Company Name + issue” or “Company Name + recall” to filter for potentially negative news.
  - Factiva and LexisNexis offer paid access to premium news sources with advanced filtering options for tone and sentiment.
  - Meltwater, Prezly, Talkwalker and Cision add social media and customer reviews to the mix, along with classic news and PR.
- Certifications, Reviews and References: To get better insight into the quality of the products and services provided by your potential supplier, you may:
  - Check whether the supplier has quality certificates such as ISO 9001. Depending on the industry the supplier is in, other certifications may be more relevant, for example ISO 7101:2023 for healthcare.
  - Ask for customer references, then schedule interviews with these references. Prepare the interviews well, limit the number of questions to between 5 and 10, and concentrate on obtaining answers that are relevant to your company.
  - For digital services and software, consult review platforms such as G2Crowd or Capterra. Sometimes, TrustPilot can be useful. Use these resources as a secondary source of information, as these platforms require payment from companies, making them less objective.
7. SUPPLY CHAIN VISIBILITY AND TRANSPARENCY
- Fourth party risks: Map the supply chains of your key suppliers to identify any problems encountered by second-tier suppliers who are essential to your supplier. To do this, you can ask your (potential) supplier for its supply chain risk management policy, as well as a list of its main suppliers and the services they provide.
- Traceability: Traceability is essential in industries like food and pharmaceuticals to manage recalls. Ensure the ability to trace materials and components back to their origins. This can be done by:
  - Requesting documentation of traceability processes such as process flow diagrams, traceability policies and data management practices (confirmation of how they record and store data).
  - Checking whether the supplier adheres to industry-recognized traceability standards, such as ISO 9001 (Quality Management System, which often includes traceability requirements), ISO 22005 (food traceability), AS9100 (aerospace traceability) and GS1 standards (supply chain data sharing and serialization).
  - Conducting sample traceability tests: select a random component or product and ask the supplier to trace its origin back to raw materials or previous tiers of suppliers. For this, the supplier needs to show proof of its production, testing and shipping history.
  - Asking the supplier to demonstrate how they track and trace components in real time, or, for critical vendors, performing an onsite or virtual audit of their facilities and traceability systems.
- Inventory Management: Understand how suppliers maintain sufficient stock levels and avoid disruptions. This can be done using the following methods:
  - Ask for details about their inventory management policies and standard operating procedures (SOPs).
  - Request recent results from physical inventory audits or cycle counts. Look for consistency between physical stock and recorded data. Ask how they identify, report and resolve discrepancies.
  - Ensure they maintain an adequate safety stock for critical components.
  - Review their key performance indicators (e.g., inventory accuracy, order cycle time, stock levels and fill rate) and ask for reports.
  - Ask about their forecasting methods and the input used (historical data, market trends or customer input) to predict demand, and request a report on historical forecast accuracy.
- On-time Delivery History: analyse historical data on delivery timelines.
8. CONTRACTUAL AND LEGAL RISKS
Conducting a legal and contractual risk assessment of a supplier helps identify potential liabilities, compliance issues, and weaknesses in agreements. Here’s a structured approach:
- Verify the supplier’s legal status through government or industry registries and, if applicable, ensure they have the necessary licenses to operate in their industry or region.
- Assess contractual terms, focusing on:
  - Service levels: Ensure that service levels are part of your contracts, with clearly defined performance expectations, penalties for non-compliance and escalation processes.
  - The scope and applicability of provisions for unforeseen events (“force majeure”).
  - Whether the terms for contract termination are balanced and account for possible disputes.
- Intellectual Property Protections: Confirm who owns the IP rights for deliverables or products created under the agreement, and ensure NDAs are in place to protect proprietary information. If needed, assess the supplier’s policies and track record regarding IP infringement claims.
- Insurance Coverage: confirm suppliers have insurance to cover disruptions, liability, or damages.
Start small, keep it simple and use SaaS
Defining and implementing a supply chain risk assessment policy is an important step in safeguarding your organization against disruptions, inefficiencies, and NIS2/DORA compliance issues. However, it's important to remember that perfection is not the starting point. The most effective approach begins with simplicity, pragmatism, and an honest evaluation of your organization's resources available for such assessments.
Start by identifying the most immediate risks and prioritize addressing these with straightforward, actionable criteria. Avoid the temptation to overcomplicate processes with excessive documentation or an unrealistic number of risk metrics. Focus on what truly matters—whether it’s ensuring supplier compliance, mitigating cybersecurity threats, or improving visibility across your supply chain.
Being pragmatic also means tailoring your policies to fit your organization’s current capacity. Resources—whether they are financial, technological, or human—will always have limits. Allocate them wisely by leveraging scalable tools and processes that provide the maximum return on investment.
This is where SaaS (Software-as-a-Service) solutions become invaluable. Modern SaaS platforms can automate labour-intensive tasks, streamline data collection, and provide actionable insights with minimal manual intervention. By adopting these SaaS tools, you can drastically reduce the administrative burden on your team while enhancing the accuracy and reliability of your assessments. SaaS products also offer the advantage of scalability, allowing your risk management capabilities to grow alongside your business.
In conclusion, the path to effective supply chain risk management doesn’t require a perfect system from the outset. Start simple, build pragmatically, and leverage technology to maximize efficiency. By taking these steps, you can create a resilient and adaptable risk management framework that protects your organization today and prepares it for the challenges of tomorrow.
How Ceeyu can help
Ceeyu's SaaS platform makes supply chain risk management easy as pie for companies subject to NIS2 or DORA.
The platform periodically performs automated scans and risk analysis of the digital footprint of suppliers or partners (aka attack surface scans).
Because not all risks can be identified in an automated manner, Ceeyu also offers the possibility to collect certificates and audit reports, and to carry out digital questionnaire-based audits. The latter can be done by creating questionnaires tailored to the supplier, from a white sheet or starting from templates that Ceeyu makes available. The completion of the questionnaire by the supplier and the follow-up of the process by the customer is done in a secure environment on the same SaaS platform.
The platform enables a simple, central follow-up of supply chain risks, entirely online and without the intervention of third parties. The closed platform guarantees the confidentiality of the assessments and data, since only authorized persons have access to the application.
Find out more on: https://www.ceeyu.io
Dries leads the marketing and product management activities at Ceeyu. Before joining Ceeyu, he worked in similar roles at Voxbone (now Bandwidth.com) and Orange. Dries also worked in management consulting (at Greenwich, now EY Parthenon). He is a B2B marketer at heart, with a very strong affinity for technology.