I interviewed Andrea Stroud who discussed the State of IT Risk in the Supply Chain.





Thank you for speaking with me, Dustin. I appreciate the opportunity to discuss some of APQC's recent research on IT risk and the supply chain.


Can you tell me a little bit about APQC's recent IT risk in the supply chain research study?


Absolutely, Dustin. Supply chain risk is a cause of growing concern for organizations, and although high-impact natural disasters often grab headlines (you know, we've often seen that in the news), organizations are also concerned by IT risk that can impact systems supporting day-to-day operations within complex global supply chains. IT has actually been found to be one of the biggest unmanaged supply chain risks. Potential IT risk in the supply chain has prompted CIOs and supply chain managers to work together to address the issues that are occurring today. The primary focus of the research that we conducted at APQC was to identify the IT risks in the supply chain that organizations were experiencing. We looked at the level of concern for the various IT risk factors, how controllable organizations were finding the disruptions they were experiencing, and the practices organizations were using to ensure supply chain resiliency in light of potential IT disruption. For this study we surveyed senior executives working in supply chain and IT at 118 organizations in a variety of industries and organization sizes.


What was one of the most shocking or eye opening findings revealed from this research study?


Well, Dustin, there were many interesting findings from the study, but the results from our survey reveal that many organizations have been affected by IT disruption, like technology changes, unplanned IT and telecommunication outages, counterfeiting and cyber-attacks. And while they have experienced those disruptions, the leaders were concerned about the risk. However, the respondents indicated that their organizations only occasionally use IT risk management practices, and they find them to be only somewhat effective. This is not a positive finding: when you're having these types of disruptions and you have little faith in the practices that are in place because they haven't been extremely effective, they've been only somewhat effective, it's a cause for concern.


What are the most used IT risk management practices that organizations are using?


Well, Dustin, based on our survey research, the three most frequently used IT risk management practices organizations are using include having a standardized process for pre-qualifying suppliers. That was the first one, and the most frequently used. The second was the use of an enhanced perimeter defense system to detect intrusions, and this was big for helping with cybersecurity issues. The third involves corporate-wide capabilities in cybersecurity and emergency response, so how quickly organizations were going about responding to the risk, and that was enterprise-wide. These were also the practices rated most effective, and while these were rated most effective, I encourage organizations to continue to look for new and effective ways of managing risk and evaluating their practices to make sure they continue to be relevant. Especially when it comes to thinking about cyber-attacks and counterfeiting, because every day there are new methods of attack being created, and you have to be on top of your game in order to mitigate those risks.


How often are organizations evaluating their supply chain resiliency and possible exposure to IT risk?


That's a good question, Dustin. The survey asked respondents to indicate how frequently their organizations evaluate their supply chains' resiliency and exposure to IT risk. And only 40% of organizations evaluate their supply chain resiliency and exposure to risk at least every 12 months, and that really puts 60% of organizations at great risk. You really should be evaluating your supply chain resiliency on an annual basis. That is a recommendation; that's what we've seen. The survey data also revealed some interesting results for organizations that conduct the evaluations more frequently. So respondents from organizations that evaluated resiliency every month to every 12 months indicated that their leadership is more concerned about disruption risk factors than respondents from organizations that evaluated resiliency less frequently. This higher concern that we see may be the motivation for these organizations to conduct more regular evaluations of the resiliency of their supply chains. And something else we saw: these respondents also believe IT risk factors are more controllable than do respondents conducting less frequent evaluations. And that may be that the organizations with more frequent evaluations respond this way because they have a better idea of their risk for potential IT disruptions, as well as the ways they can best minimize the effects of any disruption. It's extremely important to have an idea of the risk potential, and I'm going to talk about that more a little later, but organizations really need to know the potential that exists there.


What steps can organizations take to help them better manage IT risk?


Well, we get asked this question all the time, whether it's IT risk or any other type of risk. Specifically for IT risk, our research has found that organizations often have an IT risk management plan or program, but those plans don't necessarily cover the entire spectrum of risk and are not aligned to the enterprise strategy, and they have to be aligned in order for them to be effective, in order for them to work well. We have identified several steps organizations can take to help them better manage these IT risks in the supply chain.


The first is to identify the needs of your organization. You really have to identify what it is your organization really needs. The second is to identify the internal and external environment to get a better sense of how information flows in and out of the supply chain and who has access to that information, because who has access can also impact your security. And once that has been done, the organization can assess its current situation and identify the potential risks that need to be addressed by the risk management program.


And as organizations go through the process, they can begin to understand the outcomes that they are hoping to achieve from the risk management program based on the needs they identified in the beginning. The needs have to be aligned so they can understand how to identify the risk through the program. And organizations have to make sure they have a plan to continuously review and monitor the risk management program. If organizations don't review and monitor their program, it's going to open them up to exposure to additional risk. The goal for organizations should be to identify, monitor and contain IT risk before it has a chance to reach the supply chain and impact business operations. Risks are out there.


The better an organization can prevent it from hitting the supply chain, the better. It's essential, because it can be detrimental to a supply chain. A clear program that takes into account the needs of the business can result in the identification of potential risks and the ability to manage those risks. It's important that supply chain management and IT management groups collaborate to help identify and control risk. CIOs and supply chain management professionals are coming together, and our research indicated the majority of organizations, about 70%, reported at least adequate collaboration between the organization's supply chain management and IT management groups.


So I think the more these two groups are communicating, the better you will see the control and management of the risk and the ability to identify those risks. So I would urge organizations to make sure that their needs have been identified and that they are communicating between both the IT and supply chain groups. I appreciate the opportunity that you've given me today to speak with everyone about our research on IT risk in the supply chain. I look forward to more conversations in the future on other supply chain topics, and I appreciate your time.


To share more with your audience, and to see more of the research we're conducting on the state of IT risk management in the supply chain and some of our other supply chain topics, please visit www.apqc.org, and please feel free to reach out to us. Thank you.



About Andrea Stroud

Research Program Manager, APQC
Houston, Texas
