Supply Chain Security – Why you need an effective program to be truly resilient

  • 13 Jul 2020

Is it possible to say your organisation is resilient if it has not adopted an effective Supply Chain Security (SCS) management program? If you think the answer is yes, it might be a good time to consider how your supply chain adds value to your business, and what would happen if it were to fail. More than 70% of companies have experienced at least one disruption in their supply chain, and in 41% of cases this disruption involved a core supplier.

Despite SCS helping to protect organisational value, a recent Gartner survey showed that many supply chain leaders are not  engaging their security, business continuity and risk management colleagues to  address the expanding risk frontier. According to Gartner, organizations are trying to get ahead of these risks by putting SCS capabilities in place, however the complexity of many supply chain ecosystems and the sheer breadth of data and assets to protect means the success of these efforts vary greatly.

According to the Christopher & Peck (2004) the challenge is to manage and mitigate supply chain risk by creating more resilient (flexible, agile) supply chains. They establish some basic principles that can support resilient supply chains:

  1. Resilience should be by design, with processes that are agile and able to react quickly
  2. There is a need for a high amount of collaboration
  3. Fostering a risk management culture within an organization is a prerequisite for resiliency.

An effective program which includes risk management, cyber security and resilience ‘by design’ ensures that what came from providers follows a structured approach aligned to business requirements and architecture principals and brings prerogatives of investing wisely such a way that comply with regulations and achieve additional benefits to supply chain efficiency.

Some key questions that might help us understand the effectiveness of our SCS program, along with what we might want to stop or start doing include:

  • Who are they organization’s key suppliers?
    • Which suppliers are going to impact our ability to meet our customers’ expectations if they are not able to deliver on their commitments?
  • What are the criteria for determining the level of criticality of a supplier?
    • Have supplier classification processes been established? Are these periodically reviewed?
  • What is expected of those key suppliers during an emergency? 
    • Have service level agreements (SLAs) been established? Have we tested these to make sure they can deliver on them?
  • How confident are you in the ability of these Providers to survive a crisis and be flexible in their response?
    • What experiences have you had with them during the COVID-19 crisis?
    • Have you periodically re-evaluated the supplier and their business continuity plan? Has this been done through a questionnaire, or on-site assessments?
    • Has this assessment included financial, data privacy and other related resilience aspects? Does this performance form part of your contractual negotiations and agreements?

Once you have considered these key questions and understand how your program is going, it is probably time to conduct a complete and more elaborate self-assessment to determine where you may want to concentrate your development efforts.

There are many frameworks available to evaluate your program, including the ISO 2800:2007 or NIST Cybersecurity Framework (CSF) 1.1 standards. Depending on what Supply Chain categories you have, you might face different practical measures. The following table outlines some of these categories, and example measures (for more details see Gutierrez et al. 2006):


Measures example

1. Facility management:

Guaranteeing the security of the

facilities where goods are manufactured, and cargo is stored

and handled.

1. Optimal warehouse/terminal layout design (entry/exit

controllability; clearly marked control areas; sufficient light

conditions etc.)


2. Efficient facility monitoring (24hr camera system, security

guards, filming activities of loading containers, picking etc.).

2. Information management:

Protecting critical business data and exploiting information as a tool for detecting illegal activities and preventing security breaches.

1. High protection of business information/data (management procedures and storing methods designed to protect information from unauthorized access and usage)


2. Accurate, complete, and unalterable recordkeeping of shipping information for potential security audits (improved recordkeeping methods; quality control of records, errors correction etc.).

3. Human resources management: Guaranteeing trustworthiness and security awareness of all personnel with physical or virtual access to the

supply chains

1. Professional employee hiring / exit process (background

checks, exit interviews for employees etc.)


2. Efficient information dissemination process (internal and

external publication of the company security policies).

Having an effective Supply Chain Security management program in place requires the support of functions like Risk Management, Cyber Security and Business Continuity. Done well, it can be an integral part of ensuring the resilience of your organisation’s value chain in the event of a major disruption.


Rafael Mascaro

Risk Management and Business Continuity Professional

More on