How do we include the supply chain risk landscape in our daily risk assessments?

CTO in Software, 4 years ago

This research from McKinsey sums it up better than I could

https://www.mckinsey.com/business-functions/risk/our-insights/enterprise-cybersecurity-aligning-third-parties-and-supply-chains

Board Member, Advisor, Executive Coach in Software, 4 years ago

When I first started running IT security and business continuity in late 2001, Andy Grove was still running Intel. His book, Only the Paranoid Survive, and his leadership caused me to grow up thinking that way and looking for what I'd call extinction events: things that could shut you down, things that could take you out. Sometimes when you did the risk calculation, the low-risk thing would have an impact so high you shouldn't ignore it. So we'd always try and say, "What's the low-risk thing that would kill me?" As much as we focused on high-risk vulnerabilities and patching that stuff, I worried about the low-risk things, because I figured if everybody's rushing the patch, what would you go exploit? The thing that nobody's looking at, because it's a low-risk item. And then you try and compromise that to pivot from there.

CIO in Manufacturing, 4 years ago

The term "black swan" supposedly means a once-in-a-lifetime event. How many have actually happened in the last 20 years? There have been at least a few. These types of major events with major impacts don't seem to be that unusual anymore. And so it's a balance between trying to solve for everything, the almost impossible that could happen, and continuing to make progress reaching deeper into your supply chain and your third-party connections. We think of it as commodities and just the impact of the supply chain, the ripple effect. We actually had an incident when Texas lost all its power not too long ago. We're still dealing with the ripple effect of that. So from a third-party standpoint, we're trying to look a little bit deeper into the third and fourth parties that we're dealing with, playing out the different scenarios more. And that's how we're approaching it: trying to figure out where we're not looking. To manage and properly secure the traceability of the supply chain, it's just this kind of broadening, increasing the size of the rings that we're working out with the different supplier and third-party networks. And there's an education piece, there's a technology alignment piece, and then ultimately the resource allocation piece. And that's how we're focused on solving it.

CIO in Software, 4 years ago

When I think of supply chain, I actually think about it in a few different pillars. Security is one. I also think about the reliability of the supply chain, for example the Suez Canal issue. In our company, we think about port slowness in the LA port. That general supply-demand gap has been an issue. So reliability is another thing. And then I also think about supply chain intelligence. Especially if you're in the hardware area, it's about having predictive analysis and intelligence to look around the corners to figure out where you might have the component shortages, where you might have dependencies on a particular country shutting down, whether due to COVID or something else. So I look at all three of these things.

Board Member, Advisor, Executive Coach in Software, 4 years ago

You have to put it in the context of the business, and then from there you can start truncating it in.
