In the 21st century, as digital supply chains stretch across the globe, the weakest link, the riskiest link, is the one that flies under the radar.
Johan Gerber, executive vice president of cyber and security products at Mastercard, and Jennifer Bisceglie, CEO of Interos, told Karen Webster that the “whack-a-mole” approach to risk control no longer applies.
And risk control, they said, is not simply a matter of battling back against cybercriminals, girding against hacks and ransomware. Risk comes in many forms, and can be tied to any number of external and internal factors confronting an enterprise.
Those factors can involve environmental, social and governance (ESG) developments, regulations and, as the war in Europe has shown, geopolitical developments too.
As it’s done right now, “risk control is everybody’s job — and no one’s job.”
Departments within companies have different goals and visibility over what’s going on. The CFO’s view may be different than the procurement officer’s.
Vendors might not know all that much about suppliers, and companies operating across borders may not know as much as they’d like about what’s happening on the ground in a far-flung market.
(In one example, Bisceglie said that many companies with long supply chains may not know they are ultimately doing business with Russia and may be running afoul of sanctions.)
The weak links, then, form via relationships that have other relationships that somehow become material when exogenous shocks happen — and the shockwaves buffet unsuspecting firms in their wake.
The Fragmented Approach
Right now there’s no easy way to get a grip on the risks lurking out there. Beyond cybersecurity — which has dozens of frameworks across the globe, as Gerber noted — there are no uniform approaches to gathering the data needed to quantify risk, much less deliver actionable insight to executives.
The executives themselves know that there’s a gap between what should be done and what is being done. Fully two-thirds of companies know they should be tracking and tackling risks more adroitly, yet only 11% are monitoring third-party risk on a continuous basis.
Risk control itself has changed, too, said Bisceglie. It’s not just about the transaction anymore. It’s not disaster recovery. Now more than ever it’s part of the cost of doing good business.
Automation is critical, and so is collaboration between departments, to tackle the complexities of 21st century supply chains that stretch across digital and physical channels.
Said Gerber: “The dependence on several layers of suppliers in the digital ecosystem has exploded.” And during the great digital shift, he said, companies have not had the time (or the technology) to get a handle on the interdependencies fostered by an interconnected world.
In a hypothetical offered by Bisceglie, a supplier to a larger company, breached by hackers, and with operations compromised, may not be able to get products to a large customer. Therefore, the supplier is unable to keep payroll going — and hits the rocky shores of financial instability. Against a wider backdrop, a cyberbreach could conceivably hit gas and transportation infrastructure, which means that logistics are hobbled … and goods cannot get to store shelves.
To that end, the companies said in a statement earlier this month that they would work together to expand the payment network’s security strategy by adding Interos’ multitier risk-monitoring capabilities for financial institutions. The Systemic Risk Assessment is a fully automated platform, making use of artificial intelligence (AI) and looking into mapping, monitoring and modeling the business relations that are part and parcel of every business ecosystem.
Thankfully, risk can be measured, and digested, and used to create action plans. And the critical push comes with data collection — and a unified approach.
As Bisceglie said, “When you think about going from 0 to 60 [with these supply chains] the only way to do so is to realize that we have to adopt technology and treat risk like an interconnected, Big Data problem in order to get the transparency and trust that we need.”
Supply Chain Insight
Those technologies can give insight into whether firms are dealing with “good” suppliers, and whether their supply chains are truly resilient — and eventually, with a bit of education in the mix, develop a multivector approach to analysis.
It’s no longer enough to just examine direct B2B relationships. Gerber noted that regulatory scrutiny is extending across business relationships, beyond merchants, acquirers, and banks … right down to the fifth and sixth “levels” of business relationships.
“The weak link is that transparency in the sub-tier relationships,” said Bisceglie, whose firm has invested in the artificial intelligence to map about 350 million global business entities, through public data, government filings, news alerts and other sources.
Big data and advanced technologies, Bisceglie said, allow for continuous monitoring and “low impact” visual cues that present information quickly and intuitively enough to help executives understand where to deploy risk-control resources with haste. Thousands of data points, wending their way across the analytics platform, can be boiled down to the 10 or 20 key insights — rendered as risk scores — needed to help companies achieve their business goals.
Along the way, the platform approach brings different stakeholders together within an organization.
And across industries, too.
As Gerber told Webster, Mastercard and Interos’ ultimate intent is to help set standards through a framework approach. In that eventuality, and through the platform, companies examine their interconnected relationships in exactly the same way.
In terms of the positive ripple effects, Gerber said, companies can use the data to improve their own vendor agreements, establishing incentives and key performance indicators (KPIs) that are far more efficient than simply following security level agreements that can run into the dozens of pages.
“This allows us to benchmark, track and improve risk control,” he said. The framework approach allows for an elegant, simple, repeatable and scalable way to communicate across enterprises and peers, getting everyone on the same page about what needs to be done, where and why.
As Bisceglie told Webster: “The companies that are going to win are the ones that leverage the technology that’s available today to solve for that weakest link — with the benefits of trust and the transparency in their extended relationships.”