The New Urgency of Supply Chain Resilience

How to Design a Resilience Strategy and Guidelines

At the outset, take time to establish and communicate a common understanding of resilience and what it means in the context of your supplier ecosystem. A clear resilience strategy will define the level of resilience to be achieved and where and how the enterprise will focus investment to prioritize mitigation and prevention. The strategy will also provide specific guidance about which risks will be tolerated, and which will not.

Translating an abstract term like resilience into concrete provisions and aspirations and breaking these down into plans, targets and metrics constitutes a major step and will require some significant analysis. Questions to consider include:

• What are your business drivers and prerequisites for your third-party ecosystem and supply chain?
• What are critical functions?
• What are your resources, including but not limited to products and materials, budgets and people?
• What infrastructure do you have – and need to protect – along the supply chain?  

Your resilience strategy will directly impact your sourcing and partner strategy. It will also impact your business continuity planning, as well as other functional strategies and plans across the organization, from compliance and sustainability to IT, to name a few. For the sourcing and procurement strategies, for instance, resilience requires a profound understanding of supplier and product criticality, risk profiles and potential alternatives. Contractual stipulations and collaborative frameworks can ensure suppliers are treated as both sources of risk as well as partners in mitigation and prevention. Developing and regularly reviewing the supply chain resilience strategy is a good opportunity to validate and integrate supply chain resilience into the overall organizational resilience strategy and framework.

It goes without saying that any resilience strategy requires recurring review and adjustment. Plan to continually evaluate the strategy according to evolving situations and challenges, new and changing business objectives, product, sourcing and supplier portfolio decisions. For this purpose, top management has to be accountable and regularly validate the supply chain resilience strategy as part of ongoing governance.

To put strategy into consistent practice, it is paramount to define clear guardrails and processes for evaluating, executing and reporting progress toward your resiliency goals. In addition to a clearly defined strategy and objectives, be sure to establish processes and governance to facilitate ongoing resilience-related decision-making. This includes the criteria and considerations to evaluate, manage and prioritize risks as well as guidelines for mitigation, prevention and investment decisions. Enterprises should strive to make guidance meaningful to the current challenges and objectives and each organizational function involved. It should provide the tone from the top and shape enterprise risk culture through regular and targeted communication and training.

Figure 2: Third-Party Risk Landscape: How and What to Manage

Understanding Your Risk Portfolio

Before any decisions or plans can be made to maximize supply chain resilience, an organization must first understand what it takes to be resilient in its specific enterprise context. An understanding of the breadth of risks – the enterprise´s own operations as well as that of its direct and indirect suppliers – results from an analysis of where potential risks can originate along the supply chain. Key criteria will include, for example, the risks that are relevant for the industry and markets, regulatory environment, the enterprise´s types of products and services, number, location and tiers of suppliers, means and routes of transportation and storage as applicable, and the overall geopolitical context.

Next, you must clarify where along the supply chain risks may have an impact, and which suppliers would be affected or be the cause of a risk. This is a time-consuming and alignment-intensive task, especially in cases in which several hundreds or even thousands of suppliers may be concerned, with n-tier suppliers in ecosystems that lack transparency. However, the work will pay off as you gain critical insights that will shape the way you select, segment, control and cultivate partner relationships.

The risk portfolio will also directly feed into the sourcing strategy to qualify considerations, in particular on supplier concentration, potential lock-in and shoring. Supplier risk profiles are frequently used and a very meaningful tool to review the existing sourcing and procurement strategies – however, they will only be one dimension of risk control and will not replace an overarching view of cross-supplier resilience considerations and plans.

To make the supply chain risk portfolio easier to understand and handle, risks should be clustered and categorized in a meaningful way. Only this will reveal the organization’s true exposure to different types of risks and establish the bigger picture, reducing governance and reporting complexity. In addition, analyses of overall trends and structural patterns will be easier to discern making it easier to prioritize direct investment decisions and strategic focus on required prevention.

Figure 3: What Makes Up Third-Party Risk Management?

Defining Who Does What: Operating Model as a Foundation for Resilience

The operating model methodology provides a clear and structured blueprint for designing an integrated framework for resilience in an organization. It defines the building blocks that should be addressed, including:

• Which parts of the organization and supply chain are in scope
• How collaboration will work between various stakeholders for end-to-end integration
• What data and technology will be leveraged
• How and by whom decisions are made
• What will be done to develop and maintain a resilience culture and awareness.

Breaking down the organizational concept behind supply chain resilience into ways of working will enable an orchestrated approach and outcome, from design to operations. This will ensure your strategy is built on clear objectives and rules, and provide clarity of roles and responsibilities, digitally drive collaboration and alignment and enable information sharing and data-based decisions.

Figure 4: The Operating Model Is a Cornerstone of Third-Party Risk Management

Governance will connect strategic, tactical and operational layers of operation. Assigning mandates and accountabilities ensures that stakeholders take ownership, from risk identification through completion of effective mitigation and preventive measures. Defining, documenting and communicating such a clear structure of operation and collaboration is a means of achieving resilience in itself.

Building an operating model geared toward resilience helps prevent overlaps, gaps and inconsistencies in cross-organizational processes and alignment and brings down organizational siloes that can increase risk. The right operating model, therefore, is key to supply chain risk management and, therefore, enterprise resilience.

Controls that Help Identify and Address Risks

Enterprises need defined controls to expose and respond to risks. Controls may be linked to triggers, such as risk indicators, incidents, trends, anomalies or any metrics that signal the organization to initiate a key risk mitigation measure. Ultimately, controls represent the ability of the supply chain resilience strategy to protect and maintain business critical functions and resources.

Examples are almost limitless and highly specific to the enterprise and its supply chain. They can range from more traditional business and performance metrics, such as cash flow ratios, inventory levels, product quality default rates, to custom supplier risk score thresholds, vulnerability test findings, adverse news, talent churn rates or business continuity test results.

Technology-Driven Supply Chain Risk Management

The technology market is evolving fast and includes a wide array of solutions for different organizational functions and purposes related to the supply chain. Often, enterprises are faced with the challenge of integrating multiple solutions and data to manage end-to-end supply chain risk and resilience.

Some enterprises opt for best-in-class tools to support individual use cases or processes, such as event monitoring, smart logistics or warehouse management; others leverage existing and often powerful platforms that continuously strive to expand their scope and functionality. The latter typically includes enterprise resource management, source2pay or cross-functional business process platforms. Some enterprises use dedicated risk management or ESG tools, which, as is the case with many of the large procurement platforms, provide some compliance and sustainability-related functionality as well. Technology-driven supply chain risk management and resilience solutions should cover enhanced collaboration, automation and data analytics at a minimum.

Across solutions and platforms, the use of AI is proliferating, driving efficiency and effectiveness of supply chain management. Typical use cases that enhance supply chain resilience include automated supplier assessments, contract maintenance, supplier intelligence and risk profiling, inventory and transport monitoring, scenario modelling and optimization, trend and pattern analyses, forecasting and workflow enhancement.

Why Data Is Critical to Supply Chain Resilience

Not surprisingly, data must be at the center of supply chain resilience. Without reliable, accurate, current, complete and consistent data, decision-making itself is a risk. Therefore, designing a data architecture that facilitates insights and informed conclusions is a critical prerequisite. A data architecture should encompass all data and metrics that are relevant to identifying the risks outlined in the current risk portfolio and evaluate any impacts of risk materialization and mitigation. Data will enable enterprises to model scenarios and implement triggers and alerts if events occur or are looming.

At the same time, data is a main effort and cost driver; it needs to be defined, captured, validated, evaluated and processed. Striking the right balance between maximum insights and data overload is one of the major and ongoing tasks of risk and resilience management. Once again, AI will likely be part of the solution, by enabling enterprises to handle large volumes of required data without the manual effort.

Organizations need both internal and external data to provide transparency into supply chain risks:

Examples of Internal Data Needed for Supply Chain Resilience

• Situations and events leading to a risk of supply chain disruptions, e.g., resource bottlenecks, incidents disrupting the technical infrastructure or transportation route of goods, threats to the health and wellbeing of staff
• Breaches of regulatory compliance or code of conduct
• Sustainability accounting data
• Supplier meta data
• Status of transactions (volumes, timelines, products, services, etc.) impacting resource levels and operations
• Financial data, including costs, sales, etc.
• Patterns and trends that may indicate the likelihood, timeline and impact of any risk
• Products and services impacted, related to both demand and sales
• Locations and sites impacted by risks and events

Examples of External Data Needed for Supply Chain Resilience

• Events disrupting the supply chain, e.g., severe weather, strikes, accidents
• Adverse news about the enterprise or a supplier, e.g., human rights breaches, environmental incidents
• Geopolitical risks, events and trends, e.g., armed conflict, sanctions, pandemics
• Market and economic data, e.g., shipping costs, inflation rates, taxes, economic growth rates
• Supplier risk profiles or data, e.g., financial stability, mergers and acquisitions, strategy
• Data provided by suppliers, e.g., information about performance, risks, events and reports
• New or changed regulations
• Risk or sustainability scores and ratings for suppliers, countries, industries or materials

Once you have the data you need to monitor and understand risks and impacts, the next step is to identify the respective internal and external sources and systems. This involves investigating how and what level of aggregation or data can be captured and shared – and what logic should be applied to turn a mass volume of data into relevant risk indicators. For some types of data, such as inventory levels, transport delays or prices of goods and services thresholds should be defined so that risk processes are triggered only when appropriate. For other data, such as newsfeeds on human rights breaches or new sanctions, the information itself is sufficient to trigger validation and escalation, all depending on the enterprise´s risk strategy and appetite.

Of course, capturing the data is only part of what needs to be done to provide insights and enable fact-based decisions. You need the ability to aggregate and disaggregate, tag, filter, select and present the data in a way that helps clarify issues, identify required action and priorities and enable decision-making.

While data is the basis of any decision, supply chain management-related platforms and solutions are what connect stakeholders, apply procedures, automate transactions, drive collaborative workflows, log and track actions, build reports and store and disseminate documents and data. When choosing the right platform, whether it be leveraging an existing one or acquiring a new one, it is important to ensure that target processes and required functionalities and use cases are supported to the extent needed and beyond. Flexibility, the ability to leverage best practices, the use of AI and the ease of integration within the technology ecosystem should be key technology decision criteria.

How To Drive Resilience in the Face of Changing Regulations

It is no coincidence that the proliferation of laws and regulations across the globe is directly and/or indirectly addressing supply chain vulnerability. Despite the common misperception that compliance is merely an administrative burden, most regulations in one way or another aim to strengthen enterprise resilience and often focus on supply chain due diligence. Some such regulations include:

• the Modern Slavery Act in Australia, which requires certain businesses to report on their efforts to prevent and address modern slavery in their operations and supply chains

• The Corporate Due Diligence Directive (CS3D), which looks at the impact of EU enterprises on climate change
• The Corporate Sustainability Reporting Directive (CSRD) in Europe, which requires companies to report on their environmental and social impact
• The proposed Federal Supplier Climate Risks and Resilience Rule and SEC’s Climate-Related Disclosure Rules in the U.S., which requires major federal contractors to publicly disclose their greenhouse gas emissions and climate-related financial risks as well as set science-based emissions reduction targets
• The Digital Operational Resilience Act (DORA), which sets forth a regulatory framework whereby all firms in the EU need to make sure they can withstand, respond to and recover from ICT-related disruptions and threats.

The increasing number of regulations is making it increasingly challenging for enterprises to stay on top of understanding the various requirements and making the necessary provisions to be compliant. Many of the regulations have considerable overlap in what they expect enterprises to develop and maintain – often including risk frameworks, risk assessments and evidence of risk monitoring, mitigation and prevention, as well as reporting.

The financial sector, in particular, has a long history of regulatory requirements meant to strengthen resilience and channel investments into sustainable businesses and practices. The effectiveness of measures taken are regularly subjected to regulatory stress tests, reporting requirements and audits. Most recent regulation in the EU requires financial institutions from January 2025 to comply with DORA’s requirements to protect important and critical systems and infrastructure.

Another area that is keeping enterprise risk, compliance and sustainability departments busy is the sustainability of supply chain and enterprise operations, typically under the auspices of environmental, social and governance (ESG) regulations. According to the EU’s CS3D and the Modern Slavery Act, suppliers are subject to regular ESG supply chain due diligence. This means enterprises must implement and manage supply chain risk frameworks with evidence of active mitigation of any incidents identified.

By understanding overlapping requirements of the various regulations with regard to risk frameworks, processes, tools and templates, enterprises can identify and address the pieces of the puzzle that are still blind spots when it comes to supply chain resilience.

Managing Supplier Risk As a Matter of Survival

Supply chain resilience is based on an enterprise´s preparedness to identify, understand and respond to multi-faceted and continuously evolving operational and strategic risks. But resilience is also about understanding the emerging opportunities to adapt to changing environments to secure long-term business success. This requires transparency of both risks and opportunities along the entire supply chain.

Organizations need a clear and consistent approach to evaluate and mitigate risks in the short term, as they emerge, and prevent them in the long term. They need a clear plan that deploys appropriate resources that have been budgeted and are available as a result of careful and forward-looking preparedness. Resilience for most organizations will be only as good as the data available to facilitate decision-making and as the involvement of the right stakeholders with clear accountability. This is by far not as trivial as it may seem. Stakeholders have their own day-to-day responsibilities and workloads, with risks that may run counter to the larger risk-mitigation framework.

Many enterprises lack the messaging, culture, transparency, governance structure and incentives to effectively break down silos and foster collaboration across functions. Undefined or overlapping risk ownership and decision mandates can pose even greater risk. While technology can play a critical role in alleviating the problem – providing collaborative platforms, data analytics, automation and a single source of truth – it can also be a source of its own complexity. Selecting and contracting the right technology is an important step.

Working toward supply chain resilience is a challenging, ongoing, multi-disciplinary and ever-evolving endeavour that requires structure, orchestration and a common goal. In a time when the repercussions of global conflict, political upheaval and environmental policy can be so keenly felt, and when so many other challenges need to be addressed at the same time, embarking on the resilience journey is an urgent matter.