
The risk, audit, and infosec practitioner and supply-chain issues

December 14, 2021

I cannot recall seeing as much supply-chain disruption as organizations are experiencing today and can expect to see for some time.

Not only do we have significant challenges in obtaining the materials and products we need in our business (just consider the reports of ships waiting off the coast of Southern California for the opportunity to offload their cargo at the ports of Los Angeles and Long Beach), but there are shortages in the labor required to transport those cargos to our facilities. (The American Trucking Associations estimates that in 2021 the truck driver shortage will hit a historic high of just over 80,000 drivers. This figure is the difference between the number of drivers currently in the market and the optimal number of drivers based on freight demand.)

There are reports of labor shortages everywhere, exacerbated by concerns about whether organizations will be able to retain employees (who are resigning in droves for better opportunities) and how they will manage in a continuing work-at-home environment.

Companies are responding as best they can, although anything significant takes time.

According to an interesting McKinsey article, How COVID-19 is reshaping supply chains, 93 percent of senior supply-chain executives intended in 2020 to “make their supply chains far more flexible, agile, and resilient…. Just over 75% planned to improve resilience through physical changes to their supply-chain footprints.”

When McKinsey followed up this year, “an overwhelming majority (92 percent)” said that they had made significant changes.

But while they had intended to find suppliers closer to their operations, they found difficulties doing that and ended up:

  • Increasing inventory, and therefore holding costs (61%)
  • Moving to at least dual sourcing of materials, which can result in higher prices (55%)

McKinsey closes with this:

The COVID-19 crisis put supply chains into the spotlight. Over the past year, supply-chain leaders have taken decisive action in response to the challenges of the pandemic: adapting effectively to new ways of working, boosting inventories, and ramping their digital and risk-management capabilities. Yet despite that progress, other recent events have shown that supply chains remain vulnerable to shocks and disruptions, with many sectors currently wrestling to overcome supply-side shortages and logistics-capacity constraints. Most worryingly, these new problems are emerging just as senior leaders are turning their attention away from supply-chain issues. In many sectors, there are signs that the rate of investment in digital supply-chain technologies is slowing down. Talent gaps are wider than ever, end-to-end transparency remains elusive, and progress toward more localized, flexible supply-chain structures has been slower than anticipated.

The coming months could turn out to be critical for supply-chain leaders. Some companies will build upon the momentum they gained during the pandemic, with decisive action to adapt their supply-chain footprint, modernize their technologies, and build their capabilities. Others may slip back, reverting to old ways of working that leave them struggling to compete with their more agile competitors on cost or service, and still vulnerable to shocks and disruptions.

Risk is greatest when there is change, and right now we are experiencing huge change – only some of which is planned!

What does this mean for risk and audit practitioners, and also for information security experts? Let me take them one at a time.

Risk practitioners

Now is not the time (if it ever was) for a list of threats.

Now is the time to see how we can help the organization not only survive but prosper.

We need to sit down with management and discuss what we can all anticipate in 2022. Let’s get through 2022 before we worry excessively about future years.

Do we have a problem and can we see opportunities in this changing environment?

How can we help management assess both the nature and extent of any problem (and opportunity) today and tomorrow?

How can we help them bring diverse parts of the organization together to fill out and see the big picture?

Can we help with facilitated discussions?

Can we help with our tools and techniques?

Can we help with multiple scenario analysis?

Can we help them re-assess and change the enterprise objectives and strategies, if needed?

How can we be a partner, a decision-support function, that not only collects and analyzes information but provides a challenge when people are set in their ways or unable to consider new ways?

How can we help the organization thrive in these times?

Internal Audit

I wouldn’t be worried about performing audits and writing audit reports to top management and the board.

I would be concerned about helping management not only get through this but, if appropriate, transform operations to thrive.

Sit down with management and listen.

Listen to how they view the current state of the business. Is there a problem, how severe is it, and what are they doing about it?

Listen to whether and how they anticipate the things that are likely to happen over the next 3-12 months. Is there a problem, how severe is it, and what are they doing about it?

Are they handling it all well? If not, what advice and insight can we offer?

How can we help?

Are there areas of the business, strategies and plans, where we can have a look as internal consultants? Do they need our assurance that things are happening as they expect? Do they need our advice and insight?

How is change affecting internal controls and their operation, including information security, cash flow management, and so on?

How can we help?

What does the audit committee of the board need to know? Are they getting the information they need from management? What do they need from us? Let’s ask them and find out!

Information Security

All this change may be elevating the level of risk to our business through information security exposures.

Are we helping management understand how the increased risk might affect the business (not just information assets)?

Do decision-makers have a realistic appreciation of that risk, so they can decide whether it makes business sense to take the risk? For example, engaging another supplier whose information security measures are less than robust may be necessary to maintain the supply chain of critical materials.

Do we have the mindset of helping the business succeed, including taking the right risks, instead of burying our heads in the cyber silo?

Are we saying “no”, or are we instead showing “how” business should proceed? In other words, can we minimize risks that must be taken?

Throughout, the overall message I am sharing is that this should be our business card (courtesy of Creative Commons):

How can I help

I welcome your thoughts.

  1. December 15, 2021 at 11:31 AM

    Norman, a very good practical article. You mention the importance of information security and information provided by management to the audit committee, but I would also ask whether management are obtaining information, including forecasts, which enable them to make the best decisions. I note that you suggest this could be a job for risk management, but I think such information should be built into the ongoing systems.

