Supply chain resilience is a top challenge for procurement leaders worldwide. After years of disruption from the Covid pandemic, geopolitical conflicts like the Russia-Ukraine war, and U.S.-China trade policy, the need for better risk management and resilience has never been greater.
Yet in a new survey, IHS Markit found that less than one-third of respondents reported “high” capability for their organizations’ supply management platforms, technology, or intelligence. While most organizations have the strategies and processes in place for resilient operations, they lack the technology, data, and insight to effectively implement their initiatives.
And that’s where supplier monitoring comes in.
Supplier monitoring helps organizations bridge the gap between strategy and execution and strengthen resiliency along the entire supply chain.
But as supply chains continue to grow in complexity—with many organizations working with multiple tiers of suppliers—it’s essential to monitor the right suppliers to uncover key vulnerabilities, manage risks, and identify opportunities.
So how do you identify which suppliers to monitor within your supplier intelligence platform?
There are several factors that a procurement leader should consider when prioritizing which suppliers to monitor:
Who are the suppliers with the largest contracts and where do you spend the most? These can have an outsized impact on your budget and bottom line—particularly if something goes wrong.
They might be a large, public firm that has lots of publicly available data. But even if they’re a smaller, private firm, if you’re spending a lot of money on them, you should still track them. Private companies are often harder to collect data on because their financials aren’t always readily available, but you can still track other related factors, such as cybersecurity scores, funding data, credit viability ratings, and more.
Just because you have a large contract in place with a supplier doesn’t mean they should automatically rise to the top of your priority list. If that supplier provides a good or service that is widely available, then there is less risk associated if something goes awry, such as an economic downturn, regional natural disaster, labor shortages at a manufacturing facility, etc.
However, if the supplier is single-source or there are few alternative suppliers, you should monitor them through your supplier intelligence software.
Single-source suppliers provide the benefit of cost optimization, efficiency, and quality assurance. But relying on a single supplier for a good or service means you’ve put all your eggs in one basket—and if anything goes wrong with that supplier (or its supply chain), that can impact your business.
Supplier intelligence software can help you monitor these suppliers and analyze your risk exposure through n-tier analysis. N-tier analysis reviews your suppliers as well as your suppliers’ suppliers, and so on, through the value chain. By understanding your risk exposure beyond your direct suppliers for mission-critical products, you can proactively manage supplier relationships and mitigate risk.
Today, data sharing and digital transformation have increased collaboration and efficiencies between vendors and their suppliers—but they have also increased the risk exposure within the supply chain.
One of the key risk factors to look at when prioritizing suppliers to monitor is your identity management practice, such as single sign-on (SSO). Single sign-on authenticates users to multiple applications and services through one set of credentials. While this saves time and reduces administrative burden, it also poses significant risk to the organization if those credentials are compromised: one stolen set of credentials can open every system behind them. In other words, if you're linked to your supplier via single sign-on, that link is a potential cyber risk.
For example, in the 2013 Target breach, hackers stole credit card and personal data for over 70 million Target customers by exploiting a vulnerability in a small third-party vendor—Fazio Mechanical, an HVAC company. Through a simple phishing scam, the hackers gained access to Fazio’s log-in credentials for Target’s system. And from there, the breach went undetected for two weeks.
Organizations need end-to-end visibility across their supply chain ecosystems to understand their cyber vulnerabilities within their supplier relationships. This is especially important as cyber attacks like ransomware increasingly target vendors’ supply chains instead of attacking them directly.
“As technology is a big part of our service delivery, and our customers trust us with a lot of sensitive data, we are keenly interested in our suppliers' IT security practices and data privacy safeguards,” said a procurement manager at a global professional services company.
“Any supplier known to be delivering technology solutions or having access to any amount of personal data needs to undergo a more robust due diligence. In this context, shadow IT and rogue buying are a real concern - raising the TPRM awareness across the company is a key pillar of our supply chain resilience strategy.”
Similar to SSO and identity management, technical dependencies between the vendor and supplier can increase cyber vulnerability within your supply chain. For instance, a high degree of integration (i.e., two or more interconnected applications) expands your risk exposure. If your supplier experiences a data breach and your systems are interconnected, your organization may be threatened too.
So it is important to identify suppliers that are deeply connected to your own systems and to monitor them, so that you can manage the risk and act quickly at the first sign of trouble.
Just because a supplier is not mission critical for the organization doesn’t mean it isn’t high impact.
For example, environmental, social, and corporate governance (ESG) is not necessarily critical for the operations of a firm, but it does have a high impact from both ethical and compliance-level perspectives.
This is especially true as upcoming legislation like the German Supply Chain Act sets strict compliance standards and risk management requirements for companies and their suppliers. Suppliers based in Germany (and other countries where ESG standards are set) may have a higher impact on your supply chain risk as they have additional compliance standards to meet.
Your supplier intelligence platform should be able to help you track all suppliers, but you don't need to have the deepest data on all of them. Configure your platform to provide basic data and tracking for your less significant suppliers while focusing on advanced monitoring for your most important suppliers.
Focusing supplier monitoring on your top 1,500 suppliers is going to be easier to manage for your procurement teams and more economical than tracking 10,000 suppliers. By prioritizing your suppliers using the criteria above, you can focus your resources on high-impact suppliers—saving you time, money, and headaches.