Building resilience

In today's interconnected world, effective supplier risk management is essential for enhancing organisational resilience.

In an era where supply chains are increasingly complex and global, managing supplier risk has become a ‘must have’ component of an organisation’s overall resilience strategy. Companies face numerous challenges, from geopolitical tensions and natural disasters to cyber threats and technology disruptions. These challenges are amplified through the extended enterprise, with increased exposure to supplier incidents leading to operational disruptions, financial losses, and reputational damage.

In this article, we look more closely at operational resilience, cyber, and technology considerations, and their role in organisations’ overall outsourcing and supplier risk management approach.

Operational Resilience

Organisations’ work on operational resilience and supplier risk management are inherently connected – and should be closely aligned. Companies need to have confidence in their material providers’ ability to deliver services within impact tolerances, and that they are well prepared to maintain service through a range of severe but plausible scenarios.

Part of this comes down to due diligence and contract provisions, but there is more value to be had in testing and fostering strong relationships with suppliers that enhance their commitment to resilience efforts.

Understanding your organisation’s resilience to supplier disruption

With so many suppliers to consider, it’s not practical to apply the same level of oversight and assessment rigour to all suppliers irrespective of their impact on cost, risk and resilience. Organisations should think risk-based about the materiality, dependency, and vulnerabilities of particular services and providers to get the most value from their work. On testing in particular – the focus should be on the most material providers.

There are two key aspects to consider: 1) building confidence in your providers’ ability to continue to deliver their services under various adverse conditions, and 2) understanding your own preparedness to respond if your material providers’ continuity measures fail.

This requires regular testing and engagement with material providers to identify potential vulnerabilities and develop mitigation strategies. For instance, conducting joint testing exercises can help both parties understand their roles and responsibilities during a crisis, as well as proactively identifying and addressing risks and vulnerabilities that enhance resilience.

When should you engage your providers in testing?

A growing number of organisations are engaging their most material suppliers and outsource providers in testing exercises. This is a great way to assess the practicality of response procedures, but it makes sense to understand your organisation’s own position first, before engaging your third parties.

For example, we recently completed an executive tabletop exercise with an insurer in order to assess its preparedness to respond to a ransomware attack at a material outsource provider. This helped them to assess and strengthen their understanding of incident response procedures, evaluate communication strategies, and agree their position on key decisions and management actions, enabling them to have a more focussed and practical discussion on testing with the provider in question.

Key takeaways: 

• don’t rely on your suppliers’ continuity measures alone – understand and test your own organisation’s response in the event your suppliers continuity measures fail 
• engage your most material suppliers and outsource providers in testing – but understand your own position first. This will help to maximise the value of your engagement 
• think risk-based about the demands and vulnerabilities of particular services, while also building up the relationship that will help you culturally if there’s an issue.

Cyber Security

A chain is only as strong as its weakest link. However, according to the UK government’s Cyber Security Breaches Survey 2024, only one in ten businesses have assessed the risks posed by their immediate suppliers.

Complex supply chains can expose extensive attack surfaces. When a large organisation with robust cyber defences is the primary target, attackers might seek alternative entry points. One such path could be through a service provider with weaker defences but access to the target’s systems. By breaching the less secure defences of the service provider, attackers can bypass the strong defences of their main target, potentially causing significant damage. Opportunities derived from supply chain attacks have therefore become an attractive route for cybercriminals to inflict maximum damage through the path of least resistance.

Similarly, an attack on a key supplier can generate severe operational or legal implications on the end business, without them ever being directly ‘attacked’ by the malicious activity. The rise in popularity of ransomware attacks lends itself to identifying businesses who deliver services to other businesses/customers. Crippling their operations or creating data protection issues for their clients generates more leverage for ransom payments to be made.

What does good look like?

The basics of good supply chain management are still integral and are not unique to managing this risk e.g. identification of supplier risk profiles, strong communication channels with suppliers, setting minimum service expectations and comprehensive assessment at onboarding and at regular ongoing intervals. Nevertheless, understanding that cyber is a constantly evolving risk which requires new and intuitive ways to remain resilient, is integral if you are to continue to raise resilience and be prepared to respond and recover effectively from an incident. Organisations that are excelling in mitigating supplier cyber risk are collaborating with their suppliers and carrying out ongoing monitoring of them to identify any emerging vulnerabilities. Collaboration may be in the form of incident response exercises and ongoing monitoring may be carrying out your own light touch testing of supplier’s perimeter to find any security weaknesses, just like a cybercriminal would. Deriving a comprehensive supplier risk management program will identify where time and effort should be best focussed to raise resilience.

Key takeaways: 

• conduct appropriate and thorough assessments – categorise your suppliers due to the nature of risk associated to them and identify an appropriate methodology for assessing their cyber risk. Cyber frameworks such as the NIST Cyber Security Framework can be invaluable for assessing and benchmarking all levels of supplier 
• implement strong contracts and service level agreements (SLAs) – ensure that contracts and SLAs include specific cyber security and data protection requirements. Accountability can significantly reduce the risk 
• collaborate and continuously monitor – don’t just take their word for it, continuously evaluate the security of key suppliers. Create strong partnerships where insights can be shared promptly and responded to quickly, helping to raise resilience and close open windows.

Technology

According to Gartner, Inc., worldwide spending on public cloud services is projected to reach $723.4 billion in 2025, up from $595.7 billion in 2024. The increasing reliance on cloud computing resources is poised to be a significant contributor to supply chain risks in IT, both now and in the future. For IT leaders, cloud computing is an integral part of future IT strategies, and many are already transforming supply chain platforms using cloud technology. This shift raises important questions about effective approaches to technology resilience, given the distributed nature of cloud environments.

Resilience challenges in the cloud

Some argue that cloud environments inherently provide resilience through features such as high availability zones, load balancing, and automatic failover. While these features are designed to withstand disruptions, building resilience in the cloud presents its own set of challenges. 

• Complex architecture: Cloud Service Providers (CSPs) have replaced traditional data centres and offer scalable and efficient applications such as APIs, microservices, serverless computing, and containers. Many of these are third-party technologies, and their resilience and recovery remains the responsibility of the customers. Downtime or performance issues in any of these services can impact the entire application, resulting in outages and business disruptions. 
• Data resilience: Achieving data resilience is equally critical, as data access, loss prevention, encryption, and recovery are the customers responsibility and adds layers of complexity in the cloud environment.

Key takeaways:

Technology resilience involves a combination of capabilities necessary to safely architect and deploy technology, ensuring business processes can withstand disruptions and outages. This includes: 

• proactive assessment of applications and data: Prioritising services and systems at the point of deployment, clearly linked to important business services 
• resilience by design: Architecting resilience into the tech stack through building technology redundancy 
• automated recovery processes: Manual intervention during outages can introduce delays and errors. Automating recovery processes ensures faster, more reliable responses to failures. Use Infrastructure-as-Code (IaC) tools to script and deploy failover workflows 
• continuous monitoring: Using technology for real-time monitoring of the health and performance of infrastructure.

Resilient technology architectures, proactive risk management strategies, and continuous improvement help organisations stay prepared for the unexpected, turning resilience into a competitive advantage.

Effective supplier risk management is essential for enhancing resilience. Crowe can assist by implementing a holistic approach to improve effectiveness, build resilience, and increase efficiency in your supply chain. For more information, please contact Justin Elks, Tim Robinson, Mustafa Iqbal or your usual Crowe contact.