Supply Chain Assurance and Risk Management

03 February 2021
Watch this video where Tim Pinnell, NQA's Information Security Assurance Manager and Dominic Owen from Tuned to R.I.S.K Ltd take a closer look at security, resilience and privacy in the supply chain. 

Covid has shown how vulnerable organisations are to supply chain disruption. With an unresolved Brexit looming the risks are even greater. The fragility of extended supply chains is more than ever before a real threat to enterprise resilience. Lean, Just in Time, financial stability, and geo-political uncertainty are just some of the factors that can impact the supply base.
This video explores the issues further, with a closer look at security, resilience and privacy in the supply chain. It’s for business managers who are asking the ‘So what?’ question – what don’t I know, what should I know and how do I go about finding it? It will also introduce a method for measuring the supply chain risk in business terms.

Book your place on our Advanced: Managing Supply Chain Relationships course for a focussed and in-depth look at some of the tools and techniques to help you efficiently improve your Supply Chain and get the most out of your relationships within it.


Supply Chain Assurance and Risk Management

00:04 - Hello folks, I'm Tim Pinnell from NQA. I head up the information assurance business unit. If we've spoken before, hello again, and to those of you I've yet to have the pleasure of meeting, welcome to today's webinar about supply chain assurance and risk management.

Our Purpose

00:19 - But before we start, a quick bit about NQA. If you're not familiar with NQA, we specialize in a range of management system standards for certification, which are currently being conducted remotely unless a client has specific requirements, and we're a global leader in certification with offices in London, Boston, Bangalore and Shanghai.

Certification and Training Services

00:42 - And for all of these standards we also offer training services: e-learning, webinars, in-house and, pandemic permitting, at nationwide locations.

Your Presenters

00:56 - Now if you've had the opportunity to listen to any of my webinars about operational resilience, business continuity or information security, then you've probably picked up on a couple of common themes: one is risk and the second is suppliers, and in particular knowing and managing the risks in your supply chain.
01:16 - But supply chain assurance done effectively is not something that all organizations do, and there are many factors to take into account, so it can be difficult to know where to start and what to do.
01:26 - Well, I'm delighted to introduce Dominic Owen from Tuned to R.I.S.K. Dom truly is an expert in all things supply chain assurance and he joins me today to share his experience.
01:37 - We've got 45 minutes, which includes time for Q&A at the end, so please type your questions into the chat box, and as ever you'll receive a recording of the webinar and a copy of the slides.


01:50 - I'm going to start by setting the context and then looking at some of the factors that organizations might consider important to their supply chain and how they manage it. I'll touch briefly on some of the standards and frameworks out there.
02:03 - Dom takes over and he'll take you through the how-to, starting with risk and finishing with supplier assurance monitoring, during which he'll flavour it with some real-life examples. Then I'll finish with tactical and strategic options and then finally, of course, we'll have a Q&A.

Principles of Supply Chain Assurance - Context

02:23 - Now I'm going to apologize up front, but it's almost impossible to discuss any business matter without including the words Covid and Brexit. But it's those two well-worn words that are driving interest in overall operational resilience, and one of the fundaments of operational resilience is the supply chain.
02:42 - That continuous flow of raw materials and services that organizations must constantly consume. In fact, it's remarkable, given everything that's going on, that there haven't been greater disruptions, particularly to logistics. We talk about frontline health and care
02:59 - workers and the risks they face, yet it strikes me that hauliers and delivery services are also at elevated risk as they come into contact with so many different people. Yet there has been disruption. It is now apparent how brittle some supply chains are: business practices such as just in time, lean and other methods have thinned out businesses to maximum efficiency,
03:21 - but with very little tolerance for disruption, and they're great until a diplomatic spat combined with Covid and Brexit breaks them. Now some of these issues include changes in customer demand behaviour due to perceived issues, rightly or wrongly, and this can further manifest itself in material allocation and customer management issues. Smaller organizations
03:45 - might not have the leverage with large suppliers and might lose out on stock allocation. In the news recently, Amazon has bought up all the cardboard boxes and there is a national shortage of cardboard suppliers. New channels may be implemented that organizations have difficulty adopting; competitors might outperform them, thereby having greater access to those suppliers; and high-risk
04:06 - contracts could be like a house of cards, where they're underpinned by only a few critical suppliers. Industry research suggests there's a variety of other challenges: there's a shortage of subject matter experts to provide insights into supply chains,
04:21 - and these supply chains can be quite contextual. Automotive manufacturing is quite different to the services industry, with more supplier tiers, global supply, raw material prices and geopolitical influences. Some organizations depend on niche suppliers that they just weren't aware of: who is supplying the raw material in all those sub-assemblies?
04:42 - Not all companies have a single view of their inventory, and there's a good argument to say that your inventory is not just what's on your shelf now, it's also what is next to be put on your shelves. So how far ahead do organizations look, how much is tied up in the logistics chain, how do disruptions affect operations and how will they affect liquidity?
05:03 - Similarly, if you're looking ahead in time, do you have the ability to look geographically: where is that stock in that logistics chain? And suppliers hiding bad news, masking issues, is not unheard of. We've seen in the news where companies continue to pay dividends, then all of a sudden restate their accounts due to past accounting issues.
05:25 - In conversations with our clients we've seen that they've begun rethinking their far-flung supply chains in response to changing labour costs, advances in automation, rising protectionism and external shocks such as natural disasters, but it took the Covid-19 pandemic to more fully expose structural flaws that have prompted organizations to fundamentally reassess their approach to global manufacturing and sourcing.
05:52 - Factory lockdowns, transportation disruptions and panic buying have led to shortages of everything from medical supplies and household necessities to critical automotive and electronic components. The
06:04 - crisis has also heightened geopolitical tensions, trade restrictions and nationalist policies aimed at promoting domestic industry that are likely to continue reshaping the global business landscape.
06:17 - Through my other role as an ISO auditor, I get to talk to many organizations, and it's been very interesting to see their different approaches to the current business environment.
06:27 - Firstly, there's been a significant increase in interest in ISO 22301, business continuity management, which requires organizations to conduct a business impact analysis that includes supply dependencies, and to conduct evaluations of partners and suppliers.
06:45 - Secondly, some organizations have been stocking up just in case. Not quite like panic buying toilet rolls, but they've identified key stock items and have built up reserves.
06:55 - One client has decided to always have 60 days' worth on their shelves. What was interesting was that they didn't conduct any formal analysis, they just used their experience to decide, which is a perfectly good method. Some organizations have done nothing because it just works as is and they don't perceive any risks, which is fine for as long as it just works,
07:17 - then there are those customers who are looking into it. But what I found most interesting is that there are a few customers who are also worrying upwards, that is, into their customer chain: what are the factors that affect the continued viability of their customers, can they measure their customers'
07:32 - viability, what strategies should they put in place, and how far up the chain can they, should they, look? Which isn't always easy, because many small suppliers only have a few customers.
07:44 - All this then suggests that the way organizations manage their supply chain may well be different in the brave new world: more formal, more rigorous, changing business practices to such as just-ish in time, not lean but not fat either, and greater scrutiny on contractual compliance.
08:04 - Just what a resilient supply chain will look like in the future will vary from sector to sector, but I think organizations will need to more closely align their supply chain to their strategic objectives and their business ethos. There are many factors to this, but a lot will depend on the organization's drivers to change and their ability to change.

Factors Affecting Continuity of Supply

08:26 - A web search for supply chain assurance will return many results, with cyber security at the top of the list. Someone new to the discipline could be forgiven for thinking it's all about cyber security of the supply chain, and indeed for many organizations information is their lifeblood and they exchange information over the internet.
08:46 - Data protection fines and GDPR have put cyber security at the forefront of awareness, but it's not the only factor to be considered and it isn't necessarily the most important. As any lawyer will say when you want a straight answer, it depends on what's important
09:03 - to the organization. A recent survey suggested that cyber-attacks were believed to present the lowest risk to organizations, so what follows are all factors of a risk-based approach to supply chain management. These are some of the things to think about when looking at a supply chain.
09:21 - And let's start with ethics and morals. If an organization truly believes in and wants to live its values then this may apply: if it is committed to ethical sourcing, but in times of difficulty will it be prepared to use available materials of dubious origin? This could be incredibly difficult
09:38 - for an organization with a USP predicated on ethics. How sensitive is it to raw material cost? And this could be a case of be careful what you wish for. I had a look at Apple's Supplier Responsibility Standards document: it's 90 pages of everything that Apple expects of its
09:55 - suppliers, such as prevention of underage labour, dormitory and dining standards for employees, and responsible sourcing of materials. Apple claims to have audited over 830 suppliers in 2019, and 82 were considered high performing, and yet sometimes the press paints a different picture.
10:14 - Fortunately for Apple, we consumers seem to care more about the product than who or how it was made.
10:21 - Another way of looking at this matter is, if the organization has a competitor with significant market power, would the competitor be motivated at the expense of smaller competitors, thereby driving competition out of the market? How would you know? Fluctuations in raw material
10:38 - prices, currency fluctuations and energy price fluctuations hit supply chains at different levels and with varying degrees of impact. In my experience it's the manufacturers who import raw materials who are most at risk, but they experience that daily and so are the most
10:53 - aware and have factored it into their business models. The point is that, other than a sudden crash, these are known and to an extent controllable. Are any of your suppliers vulnerable to such fluctuations? Market changes, when what used to fly no longer does, are harder to control,
11:10 - although trends can be observed over time. I know of one client who suffered an issue when their main supplier stopped manufacturing an important component, switching instead to a lucrative product. Technology change can impact suppliers and customers.
11:25 - When new IT doesn't work with legacy kit, what are the impacts of changes you're introducing or having imposed on you? Is there a new form of electronic invoicing, perhaps?
11:35 - Then there's unplanned tech and telecommunications outages, which tend to be short-term, but depending on where they occur in the supply chain they can have an upward snowball effect,
11:44 - delaying supply. Clearly then, organizations need assurance that their suppliers have appropriate business continuity plans in place, that they work and they're resourced. But if they rely on a new unique technology, do you then have a single point of failure, and how would you know? Stakeholders can play an important role. For example, has a supplier
12:06 - just been bought by an asset-stripping venture capital company? Geopolitical instability has a role to play, especially if government is a stakeholder, Huawei being a case in point. Organizations are also sensitive to skill shortage. At a recent Westminster forum, the National Cyber Security Centre pointed out that there are thousands of long-term unfilled cyber
12:28 - security vacancies on LinkedIn, which in turn drives up salaries, making smaller organizations less attractive in the labour market and more likely to lose the very skills they need to operate. Reliance on a small supply base or a regional concentration of suppliers is akin to putting all your eggs in
12:45 - one basket. Fortunately, there aren't too many examples that I can think of when a regional environmental disaster has affected a bunch of suppliers in the same market, but you can envisage it on a geopolitical basis. Now, before handing over to Dom, I want to quickly run through some supply chain assurance standards which you may find relevant.

Supply Chain Assurance Standards

13:08 - There are various standards out there for supply chain assurance, some public and some mandated by authorities. This is just a sample: ISO 28000, the specification for security management systems in the supply chain, and ISO 28001, best practices for implementing supply chain security.
13:26 - These are management system standards, like 9001 for quality and 27001 for information security. So they implement a management system, but they are security specific, and they're quite old, although the principles still stand. I'm not aware of any certification bodies offering certification against them, though there may be. The National
13:50 - Cyber Security Centre offers supply chain security guidance with 12 principles under the headings: understand the risks, establish control, check your arrangements and continuous improvement.
14:02 - Then the Information Security Forum, or the ISF, have a supply chain assurance framework, although I'm not a member so I haven't seen it. What I do know is that all ISF products are based on member experiences, so I probably would place faith in it. The Chartered Institute of Procurement and Supply offer a number of very useful resources, including supplier performance management,
14:24 - and the UK government has recently produced due diligence principles for assuring labour in supply chains, which include general principles for risk-based supply chain assurance.
14:35 - There's also information available on government support for strengthening supply chain resilience. And of course, with the right Google search terms there are plenty of checklists for download, often backed up with a consultant if you need them. And now over to Dom.

Supplier Risk Management – Identifying a Supplier in Distress

14:54 - Thanks Tim, hello everybody. So before we get into the functions of supply and supply risk management, I just wanted to spend a few minutes with you looking at the types of distress signals that can eventually lead to a company's liquidity failure. So I think there are five stages of
15:15 - crisis typically; let's cover them in turn. So the strategic crisis, I guess, is things like a change in ownership, conflict in a group of companies, high staff turnover, loss of lots of key people, perhaps outliers in a company strategy that could indicate that risk tolerance is out of step with the company's financial position.
15:40 - So what I've done here is I've kind of picked on five cases. The first one being Tesco, in that case an out-of-step situation: Tesco used to operate five private jets under its former CEO, a guy called Philip Clarke, and to me that symbolized the excess
16:02 - and detachment of the top management, and indeed it was a precursor to operational issues such as an overstatement of profits and the closure of loss-making stores. When he took over in 2014, Dave Lewis, almost one of the first things he did was scrap all the jets and the team of in-house
16:25 - pilots, would you believe, but it took him over a year to do it. Okay, stakeholder crisis for me is about declining sentiment, and that could be by investors, customers, employees, analysts, and potentially due to changes in the market or concentration risks, but also due to reputational
16:52 - or adverse media risks. I've used Volkswagen here because of the initial emissions crisis known as Dieselgate, and its stock value fell by a third as a result of that scandal, let's say, but clearly there was a huge loss of trust in that particular scenario that did lead to significant operational issues and a loss of customer revenue, I guess, and compensation claims are still being made over five years later.
17:29 - It's obviously damaging Volkswagen's top line. For operational crisis, I'm thinking of things like quality issues, failed delivery times, falling demand, poor sales, that reflect problems at an operational level.
17:51 - An example here would be Uber, which lost its licence to operate in London a couple of years ago after repeated safety failures had put passengers at risk, for example suspended drivers being able to create Uber accounts and carry passengers. Clearly there was a lack of control and oversight that contributed to the Mayor of London's decision to withhold that licence, and you know that has since been corrected, but it's a good example of an operational crisis.
18:27 - Now the thing is, as you see on the right-hand side, I guess there are two axes here: one is crisis level, going vertically, but the passage of time is going horizontally, and things like strategic, stakeholder and operational issues can take months to develop.
18:46 - Think about the financial crises though, they happen very quickly. So for example, revenue crisis: you know, we're talking about adverse trends in top line and bottom line financials, where external factors beyond the company's control have increasing significance. So Marks and Spencer is a good example: it's a grocer and a fashion retailer, it's in the process of closing
19:11 - 100 stores by 2022. Its current financial problems can be traced back to a failed strategy of primarily in-store operations when all its customers were moving to online purchases. So again it's the consequence of strategic decisions and not being in tune with stakeholders.
19:34 - And finally you've got the liquidity crisis, I guess, which is obviously the most significant, where you've got financial problems spiralling and urgent measures required to preserve cash.
19:47 - Debenhams, another large group of department stores here in the UK, is currently in the process of being split up and sold off, another victim of the economic downturn, but also a victim of a confused sales strategy and the failure to establish a clear brand proposition for its customers, and again failing to compete with younger, more affordable and probably digitally savvy brands.
20:18 - So I've seen similar versions of this chart out there on the internet with stakeholder and strategic crisis the other way around, I think, and it's a chicken and egg argument, but the point I want to make here is that the root causes of these early warnings are largely strategic in nature, and just to confirm what Tim said earlier, risk management should ultimately be targeted at
20:41 - an organization's strategic objectives, firstly at board level and then, you know, as it's kind of filtered down through the organization into operational objectives. Ignoring the signs of financial distress cannot be remedied, because a company's obligations just become too high
20:58 - and cannot be paid back, and there's never enough revenue to offset the debt. So let's just look at this from a buy-side viewpoint. Studies over the years have indicated that approximately four out of five businesses have suffered some form of supplier failure over recent years,
21:17 - damaging customer trust, damaging reputation, damaging regulatory compliance, and so on.
21:25 - So confidence in the supply chain impacts every single one of these crisis levels, but we can't keep an eye on all of the suppliers all of the time; it would be expensive and impractical. So what should we do? Tim, can you take me to the next slide please.

Supplier Segmentation

21:43 - Thank you, sir. So the answer lies in establishing the operational and/or strategic criticality and value of a supplier at the outset. So if you're a category manager in a procurement function you'll be doing this already: your approved suppliers are contracted to do business with your organization,
22:01 - your preferred suppliers are doing something extra for you. It could be a niche or legacy service that's hard to substitute, it could be working on a high value programme or service, possibly outsourced, or some really strategic, transformational, long-term business partnering to take the organization forward.
22:22 - By establishing the value and criticality factors with stakeholders you can position a new or existing supplier on this matrix. Again, it's based on a Kraljic model; each sector should correspond with a level of in-life management and assurance or oversight of a supplier. Due diligence pre-contract will establish a level of risk according to the supplier's capability, its reputation, its location, its ownership, its financial strength, etc.
22:55 - You specify which risk factors are important to you, but it's always recommended to reflect these requirements in the total cost of a procurement.
23:05 - So a higher risk supplier offering lower cost services may not end up in the long term being cheaper than a low risk supplier that wants to sell its services to you for slightly more, and if you're a buyer looking to sign off a deal you've made, recognizing that level of residual
23:24 - risk to the organization on day one is absolutely crucial. So just a reminder that residual risk is the inherent supply and category risk that you've been able to manage down by a mix of due diligence, contractual checks, commercial controls and a commitment from your in-life operations to run supplier checks on a regular basis. It's really,
23:48 - really important, and I'll mention this a few times over the next few minutes, to establish operational ownership of things like SLAs
23:56 - prior to the supplier contract handover, and also not to overlook tier 2 and beyond of the supply chain. So if you're in a category, for example clothing, where it's been prone over the years to modern slavery abuses, or perhaps power, where you've got battery
24:14 - supplies where, you know, there's been adverse media around quality control and around dumping, in categories with really complex supply chains operational owners may not be confident of setting all of that risk onto the first tier to manage.

Risk Assessment

24:31 - Okay, so let's get into the actual risk management cycle: what do we need to think about once a supplier has been onboarded? Tim, can you take me to the next slide please. So there are various approaches here to assessing risk. At a very basic level you may go for just a high, medium,
24:47 - low or a traffic light red, amber, green approach, just based on gut feel. An intermediate level may be a more qualitative approach, maybe using a matrix considering the scale of impact and the likelihood of something happening. As people get more skilled
25:05 - at evaluating risk, the next step is turning those qualifications into real financial values, and as you get to really mature organizations they're using statistical analysis and big data to run scenario planning, so things like Monte Carlo analysis. But what should we all be thinking about? I've listed some things here. So you've identified a risk, for example a failure of a quality control check could lead to high material scrappage rates.
25:37 - So here's a set of questions you may want to ask yourself: what's the potential impact of that risk scenario materializing, what's the likelihood of that risk materializing, how quickly could that risk materialize, what checks do we have in place to predict the risk, detect the risk or correct the risk, are those checks effective or do we have a gap? So here
26:04 - I'm referring to the evaluate step, where we're thinking about the difference between our current controls, which is our net risk, so this is the residual risk I was referring to earlier;
26:17 - our desired controls, which is the target risk, or what our stakeholders have told us is the risk they can tolerate; and the gaps, which is our gross risk or the inherent risk.
26:30 - So again, to carry on asking the questions: you know, have the key risk indicators or the early warning systems been exceeded, do we need to escalate? Again going back to the tolerance: what is my operational owner's tolerance for the current level of risk exposure against their planned objectives, could they cope with some temporary disruption?
26:54 - I know it's an awful lot to think about, but ultimately risk is about recommending a course of action that can be agreed, planned, implemented and monitored.

Supplier Assurance Monitoring

27:07 - Okay, so the subject of this session was supply chain assurance, so this next slide is all about that. Can you take me there please, Tim? Thank you. So the question is, how do you know if the risk controls you've put in place to monitor and manage supplier risk are being carried out and are effective?
27:28 - So this diagram, I use it all the time. It's a really good example of an assurance approach; it's called three lines, and the idea is that you separate responsibilities for controlling and assuring the risk across three lines of defence.
27:44 - So the first line is always operational management: they're responsible for carrying out the risk checks, and line management is responsible for making sure those checks are being carried out.
27:59 - The second line is typically made up of specialists that support the first line through guidance and support, but they also want to do some oversight themselves.
28:09 - So I'm thinking people like risk managers, security managers, data privacy officers, the ethics officer and so on. Those types of people own policies for the organization, and they want to know that people in their organization are following those policies and that the checks and balances that they've specified in those policies are being undertaken
28:35 - and are effective. And then in the third line you've got internal audit, and what internal audit is doing is looking across both first and second lines to check that they're joined up, they're talking to each other and they are operating efficiently.
28:51 - Audit will typically report to the board, shown here as the governing body, on the effectiveness of risk management practices. So depending on the nature of the business, evidence may need to be submitted to an external assurance provider to maintain a certification, and Tim took you through some examples of those earlier,
29:16 - or perhaps an external regulator to ensure compliance with the law. Now there are some important elements to assurance and I've listed some here. I'm not going to go through them line by line, but if I could just pick on one to emphasize, it's the last one: without accountability for risk,
29:34 - no matter whether it's at a project level, a programme level, a business unit level or a company-wide level, your risk strategy, your risk framework, your risk programme will not succeed.
29:50 - Okay, so at this point I'm going to hand you back to Tim to wrap up the presentation section of this webinar. Tim's going to discuss some tactical and medium-term solutions to the challenges that I've listed on these last few slides. Over to you, Tim.

Summary – Risk Mitigation Strategies

30:05 - Thanks Dom but these are the things that can be done tactically as part of the governance framework described by Dom and then longer-term strategic plans which is where I'll start.
30:17 - I'm drawing heavily on a PwC report here but the big four have all produced similar analysis as have others and their findings are borne out by my conversations with many of NQA's clients and interestingly they were mostly during ISO 9001 quality audits, and the first one that is standing out is to create and implement a business continuity plan which as I mentioned earlier draws
30:39 - out suppliers. Of course we'd then likely to have NQA to come in and certify you to ISO 22301 then there's reviewing the sourcing strategy with a view to diversification. I often audit clients with a single supplier. I understand why it just works so if it isn’t broke don't fix it and trust is an important thing but really is it preparing to fail at least to conduct a review of that supplier.
31:06 - Really importantly increase supplier conversations first and second tier and encourage those suppliers to collaborate as well discussing business continuity, for example and consider component substitution and increasing stock levels and forward buying.
31:21 - As I've already mentioned then there's near shoring and onshoring manufacturing or services, if it's affordable though and ideally with regional spread and as previously discussed potentially you could stockpile. Some organizations are postponing or delaying plans until business conditions improve which I think is quite prevalent during the pandemic but tactically when placing a lens over suppliers there are quite a few things you can do.
31:47 - Dom's already mentioned it but first principles mean a contract must be in place to which the supplier can be held to account. Does the contract contain performance criteria or standards which you want them to meet and against which you can measure them or they can periodically report.
32:03 - In particular only procuring with suppliers who are certified to ISO standards is highly recommended, this isn't sales pitch it's just a massive peace of mind that organizations certified to relevant standards are in a really good place. Note that terminology is important here. Some contracts state that an organization must be compliant with a standard not
32:25 - certified to it and that's a massive difference, any organization can claim to be compliant but a certified organization proves it year after year without you having to do anything.
32:36 - The important thing to do is to check the supply certification is relevant to whatever you procure, if say a 9001 quality certificate is in place for a particular site but you buy products manufactured at a different site not covered by the certificate then it's not relevant. Supplier questionnaires 
32:53 - are very popular but frequently used ineffectively. How many of you have received a boilerplate questionnaire containing many lines of irrelevant questions, which you've then completed probably thinking that no one is really going to look at what you've written? Dom discussed supply segmentation, which will help you decide where to
33:10 - focus your efforts, so when you do, ensure that if you employ questionnaires they will give answers to the really important questions. This could mean tailoring each questionnaire to each supplier and whatever they provide. Now, whilst that might sound like an admin burden, if you're taking a risk-based approach then you're targeting suppliers where they really matter, and
33:32 - asking sensible questions, then following them up, helps improve the relationship with your suppliers.
33:37 - Conducting your own audits is the gold-plated solution. You'll need to have it specified in the contract in advance, though. It also requires a certain expertise on your part, or alternatively you can engage a third-party expert in that field, and that's important: a medical devices expert will not be as effective at conducting an audit of a motor manufacturer.
33:56 - Audits are also disruptive and can be sensitive; some suppliers just won't entertain customer audits, particularly if the supplier is, say, one of the big tech companies like Amazon or Microsoft.
34:08 - Audits must be carefully planned in order to obtain information only about the things that matter, but bear in mind the audit findings are only as current as the point at which they were observed; they can quickly go out of date. Market watch or research is a useful method of gathering information about a supplier without even going near them. This may well be a tendering activity
34:28 - anyway, but it's good practice to periodically carry this out. Knowing the public track record of suppliers, including things like their published accounts, can provide a degree of assurance.
34:38 - It's worth talking about overall governance, the framework within which supply chain management takes place, even if you're not certified to an ISO standard. I highly recommend the plan, do, check, act cycle; it's a tried and tested method of continuous improvement. I'm also a big fan of heat maps. You
34:57 - may well have heard me say in previous webinars how in my experience top management don't like the colour red, so if you've performed a bunch of checks on some suppliers, rate their performance in a heat map and you'll soon get the CEO's attention. I've also produced a quick method for measuring operational resilience which will soon be available for download from the NQA website.
35:16 - It's very easily adapted for doing the same to the supply chain. Okay, now before we go on to Q&A, just a couple of reminders if you weren't already aware.

Additional Support

35:27 - First of all, NQA has some very good Covid tools and resources; please go to our website for some more information there. And there are excellent free implementation guides for the management system standards, again on NQA's website. So thank you very much indeed.


35:46 - I'm now going to open this up to questions. Let me just bring up the chat box here and we'll have a look and see if there are any questions. There we go, so, look, okay.
36:05 - Okay, no questions so far. Don't forget you've got Dom and I here to answer any questions you may have; we'll be very pleased to answer them.
36:28 - Tim, while we're waiting for questions you might want to whet my appetite, and I don't know, maybe the audience's, about the operational resilience guide that you're going to be publishing soon. Yes, something that's quite close to my heart actually, because I think risk and resilience are very closely connected.
36:49 - Indeed, yeah, I ran a webinar on operational resilience and one of the issues there is how do you measure your organization's operational resilience, because it comprises a number of factors and there are various ways of doing this. One of the easiest ways of doing this is, for want of a better phrase, a committee of wise men, where you sit down and use your opinion
37:09 - on how well you think something is performing. So you split your organization out into a set of functions and then, using what knowledge you have, so that your committee of wise men are drawn from those different parts of your organization, you rate them; you give them a score, and the idea is that these functions are all given a weighting, because clearly some functions are more important
37:30 - than others depending on the organization and your risk appetite, and that eventually flows up to give yourself an overall score for the organization. But it draws out those parts of the organization which are better performing or lower performing, and you can plot that in a nice coloured heat map as well.
37:48 - But the point is it's simply a method whereby you apply a weighting to something and then do various things and then give them scores, and you can easily adapt that method for pretty much anything you want to do. I had quite a bit of feedback when I gave the operational resilience webinar from people asking for that, because I presented it on screen
38:10 - and yeah, it will be made available. It's completely unscientific, it's simple, but the point is if it's done by the same people it becomes repeatable, and so you can monitor your performance, if you like, operational resilience performance, over time, or whatever you choose to measure using the tool.
38:30 - Thank you, I definitely look forward to seeing that. Well, it's a little bit quiet on the questions... we have a question, don't worry, excellent, thank you, from Harris. I'll read it out: you spoke briefly about single sourcing and trusting and investing in suppliers,
38:44 - which used to be a well thought of Japanese strategy; is it still used and how is it doing with current crisis pressure on supply chain risk? Do you want me to take that one? Yeah, please, fire away.
39:00 - So just to differentiate single sourcing from sole sourcing: single sourcing is an actual category strategy, whereas sole sourcing is where there are no substitutes in the market that you want to purchase from. Again, it depends on what your objectives are. Single sourcing has a risk obviously, in that if the supplier fails the ability to substitute is either limited or almost non-existent, or could take some time, or could be very expensive for the organization.
39:42 - But they could be doing something that nobody else does. So I think the issue that's been increasing over the years is that companies want to create a unique selling proposition for themselves; they want to create that uniqueness. It's very attractive to the marketplace, but the downside of doing that is that if you want to deliver something to the market using a supplier that has some key
40:08 - skills, it creates a dependency. So unless you're working really in partnership with that supplier, and you know there's a two-way relationship, there is mutual support and recognition, then to me single sourcing creates a risk that is probably above tolerance in most cases. So again, really important. Do you want to add anything to that, Tim?
40:39 - Well, I just want to... Tom's question is, is it still used and how is it doing with the current crisis? It's absolutely still used, I think. You know, in the current crisis people are thinking about, as we work through Brexit and as we're working through the pandemic, now people are thinking: where are my niche dependencies,
41:06 - do I need to put some business continuity plans in place? I did some work earlier in the last year with clients in London as we were working through their pandemic work stream, and we did identify quite a number of key dependencies. Again, you're not talking about being able to substitute
41:24 - these overnight; some of them were taking 6, 9, 12 months, and again it's those kinds of time scales that we're talking about. So absolutely, yes, they are still in place, they're being used. A lot of them are very hard to substitute; you're talking about long-term substitution, and most companies that I've talked to would prefer to work their way through any risks that
41:49 - arise rather than a kind of knee-jerk reaction to getting a second source in, which in a lot of cases is very difficult, or actually, you know, changing the product line or service line altogether. But again, you know, just to go back to the point that Tim made earlier about business continuity, the two go hand in hand, risk and BCM, particularly those niche dependencies, particularly with concentration risks, particularly with strategic supply. Really important.
42:24 - Okay, thanks for that, Dom. We don't have... oh no, we've got one just popped in. Stephen Singer, just before the bell, was interested in your mention of ISO 28000. A quick Google shows the current issue of the standard is 2007, so it's pre-Annex SL, but there is a DIS currently under
42:43 - development. BSI appear to offer certification; any interest in NQA looking into the same? Well, thank you Stephen, the answer is yes, subject to demand. Now you've mentioned that, I will take it away and have a look at that in further detail, but
42:59 - you're right, it is pre-Annex SL, which is a shame because Annex SL does offer that common standard, particularly for integrated management systems.
43:09 - So I suppose a question for you, Stephen: would you be interested in it? Maybe we should stay in touch, and as ever you can always get in touch with myself or Dom via LinkedIn.
43:22 - So, Dom: cyber attack risk, really not such a worrying supply chain risk? That's not what's being said; it is very much a worry. In part it depends on what services are being supplied within that supply chain, and in particular whether or not elements of that supply chain are an attractive or worthwhile target for these organizations that
43:48 - do this. The survey that I've seen is that, in terms of the things that many organizations worry about, cyber is not at the top of their list, and in some cases it really is quite a bit lower.
44:00 - But it will always be a risk, particularly for information services type organizations. And then Angelo has said: how much do you rely on ISO certification for the effectiveness of their supplier controls? ISO certification can be an excellent way of
44:24 - drawing comfort from the effectiveness of a supplier's controls: they're having a third-party independent audit of their controls, which are typically recognized as industry best practice.
44:39 - So, and I'm going to ask you to jump in here in a second on this, typically where organizations have got an ISO certification in place, that is a big tick in the box usually in any procurement exercise. Dom, do you want to add to that? Yeah, I think so, but there's a couple of things
44:56 - just to look out for. I think the first thing, particularly with the large organizations, is that certification may only cover a proportion of that organization, a particular business unit. So again you have to question a supplier that's claiming to have such and such an ISO whether it covers the whole enterprise. And again, the second point for me is that certification is a measure of the 'what' you're looking for as well as a
45:26 - measure of the 'how'. So things like capability maturity standards are really important in my view, because the maturity with which an organization manages its processes, and a bit like what I showed you earlier, everybody becomes a risk manager, the assurance that a supplier can give a customer
45:49 - is, you know, cannot be underestimated. So again, I think it's a mix of those accreditations, but you know, if I'm in procurement and I'm running a tender it would give me comfort, but again it has to be accompanied with something else that says: that's great, that's the 'what', but can you give me some assurance on the 'how',
46:12 - how mature is your organization in managing risk and compliance? For example. I think I'll just add to that, Dom. So this is not about an ISO certification, but there's a new American standard coming out from the U.S. Department of Defense called CMMC that looks at two things: one is a set of information security controls, the NIST 800-171 controls, but in parallel
46:36 - to that it also looks at the maturity of the organization and the implementation and governance and the embeddedness, if you like, of those controls as well. So building on Dom's point, very much so, it is a mix of those things. And we have... Dom, you said thanks for the supply... makes sense, attractiveness of a given supplier as a cyber attack target, but then what was...
47:04 - Okay, cyber skills shortage. Yeah, there is a big issue, certainly in the UK and I suspect globally as well, that there aren't enough people with the right cyber security skills to help defend UK PLC. It is a problem and it's a risk that organizations have to take into account, but again it depends whether or not they're an attractive target and the extent to which they're prepared to invest in it, depending on how they perceive that.
47:36 - Okay. Right, I think we've overrun slightly, by three minutes, but that's great, we've had some very good questions, so thanks very much everybody. As a reminder you will be receiving a copy of this webinar; it'll also be available for download on the NQA website.
47:57 - So I'd like to finish in particular by thanking Dom Owen from Tuned to R.I.S.K for coming on and his really experienced and valuable insight, and we look forward to working with you again, Dom, and once again everybody thank you very much and goodbye.