June 2023

Special Report

Managing Third-Party Risks in the Supply Chain

Secure supply chains depend on visibility and strong internal and vendor partnerships.

By Madeline Lauver, Editor in Chief

In an environment as dynamic as an enterprise supply chain, communication plays a key role in maintaining safety and security across a wide range of third parties. As the world becomes more interconnected and organizations rely on each other to produce goods, operate efficiently and serve their industries, risks present in one link of the supply chain can magnify and have global effects.

“One mistake or safety incident that comes up can result in disruptions in the supply chain,” says Rosalina Gadsden Acosta, an experienced leader in supply chain security and compliance who has held multiple roles across Meta Platforms Inc., The Boeing Company and manufacturing sites in Mexico. Acosta started in supply chain on the logistics side, gaining hands-on experience in supply chain operations. She says that practical experience helped her realize the importance of visibility and awareness of each aspect of the enterprise supply chain.

Her introduction to supply chains through logistics operations helped Acosta in “noticing the importance of developing and maintaining policies, processes, operating manuals and trainings from a security perspective. If they’re not existent, that really could easily impact their production line processes and business objectives.”

Aligning vendors with business objectives is a critical supply chain security priority, according to Steven Palumbo, a seasoned corporate security executive who has held leadership roles including Senior Director, Security Operations at Bed Bath & Beyond and Tiffany & Co. Palumbo has worked to secure intricate supply chains across both retail organizations.

Palumbo learned to communicate the importance of vendor compliance at Tiffany & Co. when the organization transitioned from full ownership of their supply chain to a third-party logistics (3PL) model. At Tiffany & Co., “Those warehouses were full of valuable merchandise, so we had to have a very hard target mentality. We were able to control it, and then when we did go to the 3PL model overseas, we had to make sure that they understood the value of what they’re protecting for us.”

Assess Vendor Risk

Communicating with third-party vendors to develop a culture of security and compliance helps prevent incidents in the long term, according to Palumbo. Security executives who combine security culture, compliance and risk assessments can reduce the impact of supply chain security threats.

“With a 3PL, you are giving up some level of control. That’s your biggest risk. What I think you need to do to combat that is relate to them the importance of what they’re protecting,” Palumbo says.

Working in tandem with third parties can increase communication and give the enterprise security leader a better understanding of region-based risk. “Risks are going to vary by location. There are certain areas with higher security awareness than others,” says Palumbo.

To assess third-party risk in the supply chain, security leaders should first consider the priorities of their organization.

“You need to identify what is critical for the business and what is really a vulnerability in relation to that,” says Acosta. The assessment process involves “the strategic work of identifying the different categories of threats, understanding their regional threats and establishing intelligence practices as well,” she adds.

When identifying geographic threats, security leaders should identify potential security risks associated with operating in certain regions, including cargo theft, counterfeiting, smuggling, tampering and more. “That type of analysis brings awareness to the third parties that are going to greatly impact the company’s supply chain if something were to happen,” Acosta says.

Supply chain security professionals can look at a number of factors to determine the risk profile of their vendors in relation to business priorities. Once the location and business criticality have been determined, security leaders can use their risk assessments as a roadmap for aligning supply chain security with business priorities. Building a robust third-party risk management program requires strong relationships between security and each link in the supply chain.

Develop Consistent Security Policies

For Acosta, a critical aspect of supply chain security is ensuring smooth and comprehensive processes at each stage of the chain, from individual vendors to the global scale. A breakdown in process at one facility can have wider ramifications, she says. “If we don’t have internal processes in place to protect organizational supply chains, incidents will impact the global supply chain at a larger scale.”

Supply chain security leaders should prioritize “working across global sites to align the different supply chain security processes based on local requirements and certifications that they have in every single region,” says Acosta.

Working across multiple regions and regulatory landscapes can be a challenge for supply chain security professionals. In developing global policies to protect supply chains, Palumbo advises an approach based in consistency. “Be consistent in how you’re explaining things, consistent in how you’re auditing, and consistent in how you’re holding third parties accountable,” says Palumbo.

A consistent approach to security helps set the groundwork of compliance across the supply chain, “but you’ve got to have a little bit of flexibility because you may run into those one-off situations where something could be a little different — the inability to fence in the yard for whatever reason, etc.,” Palumbo adds.

Collaborate for Supply Chain Visibility

In addition to the emphasis on vendor communication, security leaders need to foster a culture of communication and teamwork within their own organizations to holistically support supply chains. “Understanding our supply chain helps security provide intelligence to our business partners so they can make decisions on selecting the best suppliers,” says Acosta.

“You’ve got to get buy-in from the other departments,” adds Palumbo. “When you’re working supply chain, you’re dealing with transportation, logistics, operations — you’ve got to make sure that they are in tune with what you’re doing because they’re the ones signing on the new 3PL company to get your merchandise. Often, you won’t find out about a new 3PL until it’s signed. Hopefully you’re being included, but it doesn’t always work that way, so the fact that your partners are on the same page as you and understand what you’re trying to accomplish — that’ll go a long way.”

Having each arm of the business unified under the same goals helps not only security, but the entire supply chain operate more efficiently to fulfill those operational priorities. As important as it is for security teams to be aligned with business objectives, it is also critical for other departments in the business to buy into security.

“We need to develop that security culture that demonstrates the shared responsibility across the supply chain,” Acosta says. “The way to establish a robust security foundation is to partner with diverse organizations in the company to understand what matters to each of them, what their scope is, and how all that connects with security practices to find that common ground and support each other.”

Without a reciprocal understanding of security and business priorities, supply chains are left open to risk. Even with a set of effective security policies, organizations and their third parties need to be on the same page about the importance of security to remain compliant.
