Welcome to a blog post series on Exiger’s fight to secure supply chains, sponsored by Exiger LLC. In this series, we will explore the ongoing efforts of Exiger to lead the discussion and enhancement of Supply Chain Risk Management. In Episode 3, I visit with Skyler Chi, Director and Deputy Head of Supply Chain and Third-Party Risk Management, and Andrew Lehmann, Associate Director, and discuss supply chain issues in the IT and telecommunications sectors.
We began with an overview of risks affecting the Information and Communications Technology (ICT) industry. This includes hardware and software manufacturers and service providers. Because of this dual nature, there are dual challenges for companies operating in the ICT space. Chi noted this is “largely due to their business involving so much storage of sensitive customer data and facilitating the transmission of that data worldwide. It also includes attack factors on the infrastructure they are setting up and supporting. This means that the industry has to contend with multiple types of third-party and supply chain risks.
Supply chain disruption in this industry is a critical risk factor. Lehmann noted a couple of ways to help prevent such attacks, stating a “starting point is getting a handle on whether or not you have an overreliance in your supply chain concentrated in one geographic area or perhaps one country in particular. And not just that, but you might have an overreliance on a single supplier, just one company, one manufacturing facility in one country that is specialized in producing equipment to your specifications.” So, you should look at “who are all of your direct suppliers, and then go a few levels deeper and learn more about their entire supply chain and find out how much of that is based in one country.” He pointed to printed circuit boards, where “90% of the manufacturing facilities are in Asia, primarily east Asia. More than half of those factories are in China, which gives you a lot of risks just in terms of that geographic concentration.”
In addition to the direct risk modeling, you should also consider geopolitical risk. Here think of Taiwan, one of the staunchest US allies in the world. However, it is under increasing pressure from China. The Russian invasion of Ukraine has awakened many peoples’ eyes to the risk of the overreliance on supply chain manufacturers from Taiwan. Can you diversify your supplier base in light of this information? It may well behoove you to do so sooner rather than later.
Chi noted this is “a seismic shift in how our clients think about globalization globally. Previously a company would order a server rack, not caring where the parts came from. Today we are now asking the questions and establishing frameworks for us to realize that we may need to diversify ourselves away from Taiwan’s semiconductor industry, for example, where 53% of global chips are manufactured.” That “mental shift in asking the right questions and training which we work with to ask those questions is creating real-world impacts.”
We then turned to the question of to whom should this message be directed? Chi said this was an interesting question, as it got down to “management philosophy at core.” Historically the answer would be “supply chains deal with purchasing, and purchasing is done by procurement. This meant that procurement would be the risk stewards and the risk owners that have the responsibility to look into the issues.” However, that type of thinking has greatly evolved and indeed, “overwhelmingly what we’ve seen over the last two years is that various stakeholders from across the business have really formed working groups and can consistently communicate with each other.”
All of this has helped to do away with siloes. Now “procurement is working with the IT security professionals to perform vendor reviews of software bills of material for the hardware vendors that any given firm may be purchasing.” There has also been an evolution of the Board’s thinking about the supply chain and procurement. Chi related that it had been a “collective group effort across some of the world’s largest enterprises working together. It can include the background subject matter expertise of IT, security of procurement, or even diversity and inclusivity with vendors that you might be purchasing from, which is typically seen as outside of risk management function.” It is bringing “all stakeholders in the business, putting their budgets on the line to make those decisions.”
We conclude with the role of the Board of Directors. Boards must start asking questions about their organization’s supply chain risk and risk management strategy. Chi believes a key role for a Board is to “set the tone at the top of any given organization, align the shareholders’ values and provide the strategic vision of any given enterprise.” But he cautioned that most boards’ “lack of risk detection” around the supply chain could be a limiting factor. He emphasizes that Boards should “prioritize the governance framework of the firms that they oversee to the real-world risks of what that means to their organizations.”
Join us tomorrow, where we will put the spotlight on the Defense Industrial Base.