In 2014, Jeff Immelt, CEO of GE, famously said, “if you went to bed last night as an industrial company, you’re going to wake up today as a software and analytics company.”
That has proven to be a true statement, as reliance on software has only increased over the years. I’d like to add to that and say that organisations today, regardless of size, are all in the business of managing third-party suppliers.
The complex web of third-party dependencies has become even clearer during the COVID-19 pandemic, which has closed borders and left many organisations unable to operate – all of which has knock-on effects downstream.
Do You Want Fries With That?
Global giant McDonald’s is famous for its fast food. However, it’s not the burgers and fries that made the business profitable. Ray Kroc initially struggled to bring in enough revenue from his franchised restaurants to pay for the land and buildings of McDonald’s restaurants, which meant growth was limited to one restaurant at a time.
In 1956, Kroc hired Harry J Sonneborn, who saw that the real money in the business wasn’t in the burgers, but in real estate. The idea was to have McDonald’s sublease the land and building for each restaurant to the franchisee. The plan later expanded to taking out mortgages, so that McDonald’s would eventually own both the buildings and the land.
While it can appear that the business was profitable through its food, its real business value (and associated risk) lies in real estate, with prime locations across the world.
Coffee Shop or Bank?
McDonald’s still operated in the traditional realm of brick and mortar. However, the digital revolution has changed business models for many companies, sometimes by pure chance.
It has been reported that Starbucks has more money loaded on gift cards and its mobile app than many banks hold in deposits: over $1.6 billion, according to its fiscal 2018 annual report.
This is a traditional coffee shop business that is just as profitable as, if not more so than, some banks; but without the vaults, guards, and most of the financial services regulation.
It begs the question, where does Starbucks’ value lie? Is it in their shops, their coffee and syrups, or in their electronic wallets?
Your Handsome Grandfather Had One Blade AND Polio
Looking further, we see an increasing number of businesses that were ‘born in the cloud’ and subsequently attributed nearly all their success to the cloud.
A not-too-distant example is Dollar Shave Club, which was acquired by Unilever for $1 billion in 2016.
Affordable blades that were conveniently delivered to the doorstep were only part of its success. Amazon Web Services (AWS) made it affordable and easy to start an online company that could scale and compete with the likes of larger, well-funded rivals.
Similarly, YouTube made it easy to create and distribute a video, while social media like Facebook and Twitter enabled those videos to be shared with millions.
On the internet (and in the cloud), companies are not restricted by storage space, and don’t need forklifts, high-visibility jackets, or safety helmets. It is the great equaliser – allowing start-ups to compete with organisations of any size.
Show Me The Risks
The famous criminal Willie Sutton was once asked why he robbed banks and he responded by saying, “because that’s where the money is.”
All businesses run with risks, but these risks change as the business changes. In today’s realm of digital business, the risks have largely shifted away from bricks, mortar, and stock to the cyber realm.
But it’s not just that risks have shifted online, it’s that businesses today now have a much larger dependency on third-party providers and suppliers than they’ve ever had in the past.
Dollar Shave Club had critical business dependencies on third parties: AWS, Amazon, couriers, YouTube, Facebook, Twitter, and many others. Very little of the risk sat wholly in in-house systems. If any one of those components had failed, or not delivered, the business may not have succeeded.
Similarly, whilst Starbucks may have $1.6 billion sitting in gift cards, the company relies on a number of providers and partners to offer customers a seamless experience. Many hackers have realized the value of this and there have been many cases of fraud against customers’ accounts.
But these are not hypothetical risks. Whilst suppliers can allow companies to be more innovative, create new products, and level the playing field against larger competitors, there are many dangers and risks that manifest within this ecosystem with plenty of real examples occurring frequently.
Protecting Against Supply Chain Risks
Third parties remain an essential part for any business, but the risks need to be understood and managed accordingly. Some points to consider include:
- Business impact assessment: Having a business impact assessment in place to understand what level of dependency is being placed on the third party. The more critical the role it plays in supporting the business, the greater the risk.
- Knowing your partners: It’s essential to keep an up-to-date and accurate view of all business partners and the role they play. Relationships change over time, and it is important that this is captured and reflected as it happens, not only once when the partner is initially engaged.
- Policy & legal: While good intentions largely prevail, they are not enforceable. It is important to have a security policy documented for third parties that explains what is expected, how data should be handled, and what needs to happen in the event of an incident. Legal counsel should be sought in order to ensure the terms are legally binding and enforceable.
- Communication & education: Communicating clear security needs with partners is vitally important. Some third parties have not been exposed to, or appreciate the need for security, so an element of partner education should also be considered.
- Technical assurance: Assuring technical controls is particularly important where a third party has direct access into your systems. Whilst certifications or audits go some way towards providing assurance, gaining technical assurance via penetration testing, vulnerability scanning, or deploying monitoring controls in the partner environment can go a long way further.
- Incident response planning: A joint incident response plan should be put in place to clearly map out roles and responsibilities in the event of an incident at a third party. This can include technical controls, such as isolating critical environments; PR and media communication plans; or ways to end or replace the third-party service temporarily, or even permanently.
- Exit strategy: Perhaps most important is for organisations to have a documented way to exit a relationship that is backed by legal and technical assurances. If a third-party provider ceases to operate, or the relationship comes to an end, will you be able to take back all your data, move to alternate operations, and ensure any information held by the third party is securely destroyed and assurance provided?
In closing, it’s important to ensure that you have the proper resources available to reduce risk. If you want to look more into a questionnaire for assessing vendor risk, check out this blog post. The KCM GRC platform allows you to get your audits done in half the time, and even has a vendor management module to continually monitor your vendor’s risk requirements.