The New Riskonomy

Section 3: Risk openings in the supply network

Much of today’s exposure to tech risk is outside of the organisation’s direct control. Are businesses sufficiently protecting themselves, or are they underestimating and, consequently, under-preparing?

Dependencies on external partners, suppliers and vendors are a considerable source of risk, potentially impacting an organisation through service disruption, quality issues or security breaches. Although organisations have limited control over the individual links in their supply chain, there are still ways to manage associated risks effectively in order to protect stability and performance.

Riskonomy radar reading

Our Riskonomy Radar suggests that the business network is the area in which businesses are least exposed to risk. Four in five business leaders work in organisations that fall into the low risk range, indicating they can maintain and monitor their current risk management practices when it comes to internal processes.

High risk range: 4%

Moderate risk range: 55%

Low risk range: 41%

Supply chain risk formations

When considering their network, 91% of C-suite and GCs state that they assess the technology risk profile of their relevant suppliers, confirming that they recognise the potential for risk exposure.

However, just 39% always assess the tech risk profile of relevant suppliers, while 53% do so only sometimes.

Not pursuing proper due diligence checks means that businesses can open themselves up to potential liability – especially if they are unable to supply their customers with the services or goods that have been promised. Essentially, you are only as secure as your most vulnerable supplier.

That is not to say, however, that business leaders trust their supply chains to be watertight. Only 68% believe that their supply chain partners can identify and mitigate potential data management vulnerabilities, and two-thirds (66%) are confident that their supply chain partners have adequate data management regulatory and compliance practices. Fewer (63%) trust that their supply chain partners are able to identify and mitigate potential cyber security vulnerabilities, and 61% believe that their suppliers / supply chain partners have adequate cyber security regulatory and compliance practices.

Chart (overall), statements assessed:

Our suppliers / supply chain partners can identify and mitigate potential data management vulnerabilities.
Our suppliers / supply chain partners can identify and mitigate potential cyber security vulnerabilities.
Our suppliers / supply chain partners have adequate data management regulatory and compliance practices.
Our suppliers / supply chain partners have adequate cyber security regulatory and compliance practices.

This leaves over a third of C-suite and GCs uncertain about whether their suppliers or partners can identify and mitigate cyber security and data management vulnerabilities, or adequately manage regulatory and compliance practices.

Building and maintaining this trust takes ongoing transparency, monitoring and communication, with suppliers upholding their commitments and actively addressing emerging tech risks or vulnerabilities. From a practical perspective, these assurances can be supported through due diligence, cybersecurity and data protection evaluations, and confirming compliance with industry standards and regulations.

Many organisations are looking to develop their own technology as a key part of their strategy to get ahead in a competitive market. But larger organisations are more concerned about the scarcity of resources, and who and what they can utilise in their network, when considering their organisation’s tech aspirations.

Overall, just over half (54%) of C-suite and GCs believe that when considering their organisation’s technology aspirations, scarcity of resources (i.e. the limitation of financial, human and physical resources) is a growing concern. However, around half of smaller organisations believe this to be the case (50% and 53%) compared to 61% and 60% of larger organisations.

How often organisations assess tech-related risk varies across sectors, despite comparable concerns at a macro level, about their internal processes, and about their network. Currently, just 38% of business leaders in tech and telecoms claim to always assess the technology risk profile of their relevant suppliers, which contrasts with the sector’s above-average concerns surrounding cybersecurity – suggesting their approach to risk management may be too internally focused.

There is also significant variation in how seriously different sectors are approaching potential risks emerging from their internal teams. While 43% of respondents from tech and telecoms acknowledge that their internal processes present a risk, this compares with just 29% of financial institutions, 28% in consumer and 27% of those in life sciences.

This disparity may have to do with factors like growing compliance and regulatory expectations related to data, privacy and cybersecurity, where employees play an active role. Additionally, since many technology companies are responsible for deploying IT systems and technologies within other businesses, factors like human error and access to sensitive information have a significant impact on tech-related risk.

Sector spotlight

Tech and telecoms