IT risk in the supply chain has become a growing concern for supply chain professionals in recent years. Most organizations have faced technology changes, unplanned IT and telecommunications outages, counterfeiting, cyber attacks, and other disruptions. Because complex global supply chains depend on technology, IT disruptions carry significant risk. Organizations can manage that risk effectively only if leadership ensures that the right risk management practices are in place, that risks are evaluated regularly, and that mitigation strategies are documented and shared enterprise-wide.
APQC’s study, The State of IT Risk Management in the Supply Chain, was conducted to learn more about how organizations are putting IT security measures into practice. A survey administered as part of the project indicated that many organizations have been affected by IT disruptions and that leaders are concerned about IT risk. However, survey respondents reported that their organizations only occasionally use IT risk management practices and that they do not find these practices to be completely effective.
A standardized process for prequalifying suppliers is the most frequently used practice for managing IT risk; the least frequently used is a C-suite board that governs risk. These results suggest that organizations address IT risk at the tactical rather than the strategic level: they rely on supplier evaluations rather than on leadership to govern risk, and on practices such as an enhanced perimeter defense system that detects intrusions rather than on the more ambitious goal of a formal registry of IT risk data that can be shared within the enterprise.
Organizations have limited the sharing of IT risk information within the enterprise and externally with suppliers due to fear of creating additional risks; however, knowledge management (KM) must be part of an organization’s risk management program. APQC defines KM as a systematic process designed to connect people to one another and to the knowledge and information they need to achieve results. Executives can lend credibility to knowledge-sharing approaches and convey their importance to the organization, which in turn promotes workforce buy-in.
If leaders actively promote and reward the sharing of IT risk knowledge, then employees are more likely to talk about risks in cross-functional communities and forums, capture them in lessons-learned repositories, and take additional steps to communicate so that others can avoid repeating the same mistakes. Without such encouragement, teams may let fears of revealing past errors or concerns that the information will be misused prevent them from sharing critical risk information and mitigation solutions.
Organizations should create a repository of IT risk management solutions from past IT disruptions that allows employees across the enterprise to adapt existing solutions to current needs. By pulling relevant information from the repository, employees can shorten the time required to respond to an IT disruption. Access to the repository should be governed deliberately, so that sharing it does not itself create the additional risk that deters organizations from sharing in the first place.