Taming the supply chain: Addressing vendor risks to the nth tier

Vendor risk ranks alongside cybersecurity, compliance, reputational, and financial risks as one of the top risks to any organization.

With any risk, you need to identify, monitor, and mitigate that risk, especially when it comes to your supply chain. The question for someone in my role as a senior manager of compliance management is: What level of risk is being posed and why? Stated another way: Do I really know what my supply chain is doing?

When looking at our vendor contracts at ServiceNow, I can easily find information about our first-line supply chain vendors. But digging deeper has proven to be challenging. How do I get objective visibility into the risks of the second-line vendors’ business relationships—and third, fourth, and fifth-line vendors? How do I know when those risks change?

Being able to answer these questions has a direct impact on the business’s bottom line. A 2021 study by the Ponemon Institute found the global average cost of a data breach is $4.24 million. If the risk is related to vulnerabilities at third parties, it’s even higher. Compliance best practices include understanding our supply chain landscape at all times.
 

Identifying vendor risks

As with any large organization, vendors play a critical role in the success of ServiceNow. That’s why we use Vendor Risk Management (VRM) to manage our third-party risk. We identify emerging vendor risks and continually monitor these risks across our enterprise. But the data is limited to our first-tier vendors.

You need objective data to assess the risks posed by third parties and make good decisions. But it’s not easy to gather details on vendor supply chains manually. Typically, it takes hundreds of hours scouring the web. Even then, not all the data is available.

That’s why we integrated Interos, a risk intelligence software solution, into the latest release of the Now Platform®. It uses algorithmically generated risk scores to rate company performance against six different risk factors:

• Financial

• Operational

• ESG

• Geopolitical

• Company and country restrictions

• Cyber risk

The data comes from thousands of different sources on the web.

Interos had exactly the data we needed to detect areas of concern and vulnerabilities across physical and digital supply chains worldwide. I can view ServiceNow’s business relationships across entire ecosystems and continuously assess second and third to nth-tier vendors against multiple risk types. I can pull a report in seconds rather than having to question every vendor in our supply chain about the vendors they use.

Gaining visibility

The combination of Vendor Risk Management and risk intelligence software such as Interos is worth its weight in gold because of the visibility and transparency it gives me into the supply chain. The risk scores save a tremendous amount of time and help me understand my unforeseen risk exposure.

For example, if a vendor tells me its cybersecurity program or financial stability is good and its risk score is low, I can ask for verification. Or, I can conduct additional screenings to determine if the data is accurate and fits within my risk threshold. Equipped with data, I can skip blanket risk questions and instead start with targeted questions, saving time and effort.

A great example of how risk intelligence software can impact vendor risk is the hacking of SolarWinds in 2020. I can see if SolarWinds was in my supply chain and which areas are at risk. I can then query those vendors about potential data loss within specific time frames. More importantly, I can move quickly to assess the risk and mitigate any impact.

Mapping vendors to the nth degree

According to the Ponemon research, the average total cost of a data breach grew nearly 10% between 2020 and 2021, representing the largest annual cost increase in the last seven years. Supply chain vulnerabilities are only one of many risks that can contribute to these breaches.

Using Interos, I’m more confident in analyzing data and quickly recommending decisions about our suppliers because I can see our exposure through the entire ecosystem. Best of all, I can sleep at night knowing I’ve done what I can to help avoid the business disruptions, data loss, and operational or financial impact of our supply chain.

See an Interos/Vendor Risk Management demo and find out more about Vendor Risk Management.

© 2022 ServiceNow, Inc. All rights reserved. ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc. in the United States and/or other countries. Other company names, product names, and logos may be trademarks of the respective companies with which they are associated.