Apr 13, 2021

9 Steps to Build Supply Chain Resilience

Georgia Wilson
Madhav Durbha, Vice President, Supply Chain Strategy at Coupa Software...

U.S. President Biden signed an Executive Order on 24 February 2021 focused on making America’s supply chains resilient. The order states that resilient, diverse, and secure supply chains are necessary to ensure economic prosperity and national security, and it cites greater domestic production, built-in redundancies, adequate stockpiles, and safe and secure digital networks as the characteristics of a resilient supply chain.

The order has two components: a 100-day review and a one-year review. The outcome of the reviews will be reports that identify risks related to manufacturing capacity, skills, single-source dependencies, and heavy concentration of sources of supply, among others. The 100-day review covers semiconductors, high-capacity batteries, critical minerals and rare earth materials, pharmaceuticals, and active pharmaceutical ingredients. The one-year review adds these industries: the defense industrial base, public health, communications technology, the energy sector, the transportation industrial base, and agricultural commodities and food production. The Assistant to the President for National Security Affairs (APNSA) and the Assistant to the President for Economic Policy (APEP) coordinate the reviews, which involve a number of other agencies.

In a previous blog, I discussed recommendations for how the Biden Administration can bolster the success of this initiative. The Executive Order has significant implications for companies in the industries in scope. It serves these companies well to take a number of practical steps proactively, before the government mandates them. Besides getting ahead of regulatory mandates, these steps will make their supply chains far more resilient. Let us examine them:

  1. Map your multi-tier supply chain: Even the most mature and sophisticated companies often lack visibility beyond their Tier 1 or Tier 2 suppliers. Single-source risks can hide in lower tiers, out of plain sight. A multi-tier mapping exercise helps your organization surface those hidden risks, for example a supplier of one specific type of polymer that serves multiple industries and geographies.
  2. Assess the impact of the single-source risk: Understanding the percentage of the overall portfolio tied to a single source, or to components derived from it, along with the revenue contribution, lets you assess what happens when that source is no longer available.
  3. Find alternate sources where possible and practical: Collaborate with and guide your supplier community in finding alternatives for a lower-tier single-source supplier. If the single source is a Tier 1 supplier, create and launch sourcing events to identify alternates. Where that is not feasible, such as when the supplier holds unique intellectual property, a potential acquisition strategy should be evaluated; alternatively, helping the supplier diversify geographically mitigates the risk. In areas where an entire industry depends on one critical supplier, a collective approach works better than each company for itself.
  4. Monitor suppliers for risks: The explosion of data sources and cloud-powered AI allows organizations to monitor the supplier base for emerging judicial, financial, and environmental risks. Natural language processing can be applied to news sources to identify new risk signals. Buyer and supplier networks that tap into transactional data gain from broader community intelligence to benchmark and compare supplier performance.
  5. Mitigate risks with continuous design: In a world where disruptions are the new norm, episodic approaches to supply chain design no longer work, and organizations are moving to continuous design. Digital twin technologies help enormously here: reduce the flows from riskier supplier nodes, test the resiliency of the supply chain, and assess the impact on operational and financial KPIs. Alternate scenarios can be evaluated and implemented through the continuous design process. Cost-to-serve models inform which alternative strategies make sense for mitigating supplier risks and what incremental cost they carry. Strategic stockpiling locations can be determined and inventory policies established for them. Algorithmic intelligence can set triggers that flag significant shifts from the baseline and drive the need to redesign the supply chain.
  6. Model and implement networks of the future: The Executive Order will push for more near-shoring of the manufacturing of critical components and products. It is reasonable to expect significant shifts in the centers of gravity of existing networks, with more fragmentation and shorter supply chains. This has implications for capital investments, government incentives, routes to market, and alternate sources of supply, among other things. The digital twin technologies mentioned above can model the networks of the future and help you prepare.
  7. Turbocharge sustainability and diversity initiatives: With concerns about climate change and the topic of systemic racism coming to the fore, the Biden administration is also approaching the Executive Order through the lens of job creation in underserved communities and a clean environment. As near-shoring efforts ramp up, companies need to perform carbon footprint studies so they can document and report the improvements made in reducing greenhouse gas emissions. Hiring and supplier selection processes should account for diversity targets and focus on attaining them. Documenting sustainability and diversity initiatives will be critical, as it is reasonable to expect the government to incentivize these activities. This also helps with corporate ESG (Environmental, Social, and Governance) priorities.
  8. Tighten the cyber security protocols: Because the industries highlighted in the Executive Order are deemed important to national security, cyber risks are cited as critical to address. Companies in these industries should focus on auditing the security of their systems, making sure identified cyber risks are mitigated and appropriate defenses are in place, and documenting the steps taken. A single intruder can bring an entire supply chain to its knees, so organizations need to be adequately prepared.
  9. Proactively engage with government agencies and peers in the industry: If you are in one of the affected industries, joining hands with peers and competitors for the common good of the industry gives it a collective voice to represent its interests. Building supply chain resiliency will not happen overnight; it will require significant collaboration between the government and private enterprise. For example, mass relocation of manufacturing is capital intensive, which will call for government incentives, and it also exposes the skills gap prevalent in the manufacturing industry. In industries such as semiconductor manufacturing, as more companies have gone fabless, the skills and training needed to ramp up manufacturing have atrophied significantly. Being proactive will help shape regulation that better serves the needs of the industries and communities as a whole, making it a win-win.
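Steps 1 and 2 in practice, as an added example that is not part of the article or of Coupa's product: the supply chain is modelled as an AND/OR dependency graph (a product or supplier needs all of its inputs; a component is available if any one of its suppliers can deliver it), each supplier is removed in turn, and the products that can no longer be built, with their share of revenue, are reported next to the supplier's tier. The products, suppliers, bill of materials and revenue figures are constructed for illustration; the polymer plant at tier 3 plays the role of the hidden single source described in step 1.

```python
from collections import deque

# Constructed sample data (hypothetical; not from the article).
# AND nodes: a product or supplier needs every listed input.
REQUIRES = {
    "BatteryPack": ["Cell", "BMS_Board"],
    "Inverter": ["BMS_Board", "Housing"],
    "CellCo_A": ["Separator"],      # tier-1 cell makers both buy separator film
    "CellCo_B": ["Separator"],
    "BoardCo": ["Resin"],           # the only board maker
    "HousingCo_1": [],
    "HousingCo_2": [],
    "SepCo": ["Polymer"],           # tier 2: sole separator maker
    "ResinCo": ["Polymer"],         # tier 2: sole resin maker
    "PolyCo": [],                   # tier 3: one polymer plant feeding both tier-2 suppliers
}
# OR nodes: a component is available if any listed supplier can deliver it.
SOURCES = {
    "Cell": ["CellCo_A", "CellCo_B"],
    "BMS_Board": ["BoardCo"],
    "Housing": ["HousingCo_1", "HousingCo_2"],
    "Separator": ["SepCo"],
    "Resin": ["ResinCo"],
    "Polymer": ["PolyCo"],
}
REVENUE = {"BatteryPack": 600.0, "Inverter": 400.0}   # annual revenue, arbitrary units


class SupplyGraph:
    def __init__(self, requires, sources, revenue):
        self.requires, self.sources, self.revenue = requires, sources, revenue
        self.suppliers = {s for ss in sources.values() for s in ss}

    def satisfied(self, node, removed=frozenset(), _memo=None, _stack=None) -> bool:
        """True if `node` can still be produced with the suppliers in `removed` gone."""
        memo = {} if _memo is None else _memo
        stack = set() if _stack is None else _stack
        if node in memo:
            return memo[node]
        if node in stack:            # cycle guard; the sample data is acyclic
            return False
        stack.add(node)
        if node in self.sources:     # OR node: any surviving supplier will do
            ok = any(s not in removed and self.satisfied(s, removed, memo, stack)
                     for s in self.sources[node])
        else:                        # AND node: every required input must be available
            ok = node not in removed and all(self.satisfied(c, removed, memo, stack)
                                             for c in self.requires.get(node, []))
        stack.discard(node)
        memo[node] = ok
        return ok

    def tiers(self) -> dict:
        """Tier of each supplier: fewest supplier hops below a finished product."""
        best = {p: 0 for p in self.revenue}
        queue = deque(self.revenue)
        while queue:
            node = queue.popleft()
            d = best[node]
            if node in self.sources:
                children = [(s, d + 1) for s in self.sources[node]]
            else:
                children = [(c, d) for c in self.requires.get(node, [])]
            for child, cd in children:
                if child not in best or cd < best[child]:
                    best[child] = cd
                    queue.append(child)
        return {n: t for n, t in best.items() if n in self.suppliers}

    def single_source_report(self) -> list:
        """Per supplier: (name, tier, revenue share lost, products lost) if it disappears."""
        total = sum(self.revenue.values())
        tier = self.tiers()
        rows = []
        for s in sorted(self.suppliers):
            lost = [p for p in self.revenue if not self.satisfied(p, removed={s})]
            share = sum(self.revenue[p] for p in lost) / total
            rows.append((s, tier[s], share, lost))
        return sorted(rows, key=lambda r: (-r[2], r[1], r[0]))


EXAMPLE = SupplyGraph(REQUIRES, SOURCES, REVENUE)

if __name__ == "__main__":
    for name, tier, share, lost in EXAMPLE.single_source_report():
        flag = "SINGLE SOURCE" if share > 0 else ""
        print(f"{name:12} tier {tier}  revenue at risk {share:5.0%}  {lost} {flag}")
```

Two things the report shows that a Tier 1 supplier list does not: the tier-1 cell supply looks dual-sourced, yet both cell makers depend on one separator plant (SepCo, 60% of revenue), and the tier-3 polymer plant (PolyCo) takes out every product because both tier-2 suppliers buy from it. Real bills of materials replace the constructed dictionaries; the evaluation is the same.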

This Executive Order is certainly a pressing need of our times. It raises the urgency of building resilience into supply chains, not just for America but for the world. Organizations in the highlighted industries and beyond will need to be proactive in addressing supply chain vulnerabilities. This calls for investment, and the C-suite should be willing to sponsor supply chain resilience initiatives.

Hear more from Madhav Durbha on April 15th as he is joined by Georgie Lawrie, featured analyst from Forrester for a webinar discussing the value of continuous design for supply chain resiliency to evolve operational and business models as conditions change.

Register now for Coupa's 'Continuous Design for Supply Chain Resiliency' webinar featuring Forrester.


May 10, 2021

Biden’s Supply Chain Intentions Depend on Cybersecurity

Oliver Freeman
President Biden’s supply chain executive order is heavily dependent on the lessons learned by cybersecurity leaders in recent years but will he take note?

In recent years, the United States’ supply chain network has faced an onslaught of cyberattacks, exposing a whole portfolio of challenges, risks, and vulnerabilities. From the SolarWinds compromise, to the dependency confusion technique that a researcher used to get code running inside companies like Apple, Microsoft, Uber, and Tesla, to the most recent ransomware attack on the Colonial Pipeline, it is evident that, in an increasingly digital age, cybercriminals fear no traditional governmental powers and that supply chain networks need to hunker down on cybersecurity.

Looking back at the height of the COVID-19 pandemic, Western nations found themselves ill-equipped to deal with the novel coronavirus, not for lack of knowledge or medical capability but because supply chains were in a chokehold and supplies like personal protective equipment (PPE) for frontline workers were not being manufactured fast enough.

To address this problem and mitigate future risks, Biden signed Executive Order 14017, aptly titled “America’s Supply Chains”, on 24 February 2021.

The Executive Order (EO) calls for a comprehensive review of US supply chains to establish exactly where the vulnerabilities and risks are, so that institutions and organisations can manage future disruption from COVID-like events.

The EO focuses on six primary sectors:

  • Agriculture
  • Communications and information technology
  • Defence industrial base (DIB)
  • Energy and power
  • Public health
  • Transportation

The listed sectors, as you might expect, are increasingly dependent on digital products and services to maintain daily operations, which increases their exposure to attack, so they need cybersecurity. In fact, cybersecurity should be front and centre as a critical facet of the EO if the federal government truly intends to create a more robust and resilient supply chain in the face of rising criminal activity.

Digitisation Dangers The Nation

When it comes to a globally interconnected supply chain, the ambitions of Biden’s administration may be a little far-fetched and off the mark. I say that because an overwhelming number of industry-leading organisations, even in the tech realm, still do not feel confident in their ability to deal with the vulnerabilities in their supply chain, most of which come not from internal operations but from external ones: the third parties and suppliers they collaborate with.

According to the introduction to the dated but increasingly relevant Marsh Microsoft 2019 Global Cyber Risk Perception Survey, “cyber risk has moved beyond data breaches and privacy concerns to sophisticated schemes that can disrupt entire businesses, industries, supply chains, and nations, costing the economy billions of dollars and affecting companies in every sector. The hard truth organisations must face is that cyber risk can be mitigated, managed, and recovered from, but it cannot be eliminated.”

The survey results tell a consistent story: third-party providers and supply chain operations external to an organisation are the ones most likely to be the victim of cyberattacks and potential infiltration.

The survey found a wide discrepancy between many organisations’ view of the cyber risk posed by their supply chain partners and the level of risk they believe they themselves pose. The variance is consistent across industry sectors and geographic regions, and the largest organisations exhibited the largest dissonance: 61% of companies with revenues of US$5bn or more said their supply chain partners pose a risk to them, whereas only 19% said they themselves pose a risk to the third parties involved.

Low Confidence in 3rd-Party Risk Mitigation Capabilities

The above paints a poor picture of overall supply chain security: a disconnect between large organisations and their suppliers, which may be driven by companies’ low confidence in their ability to mitigate the cyber risks posed by their commercial partners. Companies that considered themselves “highly confident” in that area are few and far between, with only 5-15% of respondents feeling prepared to deal with the cyber risks posed by certain types of third-party providers.

Given that gap in knowledge and confidence, supply chain professionals and organisations, as well as the Biden administration, should call upon their cybersecurity industry peers, the white hat professionals, to take the fight to black hat cybercriminals.

How Cybersecurity Professionals Can Help

According to Padraic O’Reilly, CPO and Co-Founder of CyberSaint, the success of Biden’s Executive Order depends heavily on its stakeholders taking note of lessons from cybersecurity’s supply chain risk management initiatives, including:

  1. Identifying the main weaknesses along the chain of production, then determining which ones can be fixed cost-effectively and comparing the cost of a fix with the cost of the potential impact: discover where the holes are and what is worth prioritising.
  2. Thinking about the supply chain as a cybersecurity practitioner does. Cyber risk is all about making sense of multiple data sources, and supply chain risk is the same. Do not think of the supply chain as a single entity; consider it as many entities that produce data ripe for deep risk analysis.
  3. Standardisation across the globally interconnected supply chain is hard, and communication is key. Cyber experts are well placed here, as managing risk is exactly what they do: vulnerabilities and risk are the language they speak. They had been dealing with supply chain security for years before disruptions on the scale of COVID-19 came about.

Cross-sector collaboration with a strong focus on communication across hierarchical levels is at the very core of the cybersecurity function. If Biden hopes to see his supply chain initiative succeed, his administration must ensure that efforts are coordinated across agencies, public entities, and private industry. The administration must also carefully consider the impact of any increased regulation introduced after the year-long review; it could make or break the initiative across sectors.

According to O’Reilly: 

“The best choice is to rely on standards, measurement, and cross-industry collaboration to make this happen. Other supply chain standards, such as the Cybersecurity Maturity Model Certification (CMMC), can serve as models for a data-driven approach.

Without these considerations, we risk a lot of duplicative time, effort, and analysis, only to fail to mitigate cyber-risks and possibly result in yet another supply chain attack. We hope stakeholders will engage the information security community to bolster this project. Leveraging existing analysis by the information security community will matter to its success.”

Adapting To The Unknown 

The fact of the matter is, when it comes to the US supply chain, nobody has a complete picture. It is a massively interconnected network that represents an ecosystem, one with risks coming from all angles and multiple points of failure. Finding every potential risk, as Biden’s initiative intends, would be almost impossible, so, according to O’Reilly, it is more productive to focus not on sniffing out every single supply chain vulnerability but on the incentives of advanced persistent threats (APTs):

  • What are the low-hanging targets?
  • What do criminals want?
  • What are they capable of? 

“Doing some scenario modelling and talking in probabilities could lead to more informed decisions regarding mitigating risk. NIST 800-30 and the FAIR model are examples of risk-quantification methods that aim to translate cybersecurity risk into dollars and cents. Understanding supply chain risk requires measurement, strong governance, input from security experts, information sharing, and advances in cyber and IT risk-management software. Instead of logging an APT's activity, start getting a fact pattern about where they may be going”, O’Reilly adds. 
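As an added example of the scenario modelling and risk quantification O’Reilly describes, and of the fix-cost-versus-impact prioritisation in point 1 above (this is not O’Reilly’s or CyberSaint’s code, and it is a simplified FAIR-style treatment rather than the FAIR Institute’s full model): each third party is a loss scenario with calibrated (min, most likely, max) estimates for loss event frequency and loss magnitude, drawn from triangular distributions; the number of events in a simulated year is Poisson; the output is the annualised loss expectancy (ALE), a 95th-percentile year, and whether a candidate control’s annual cost is below the ALE it removes. The three vendor scenarios, their estimates and their control costs are constructed for illustration.

```python
"""Added example: FAIR-style Monte Carlo quantification of third-party cyber risk."""
import math
import random
from dataclasses import dataclass
from statistics import mean, quantiles


@dataclass(frozen=True)
class Scenario:
    """One third-party loss scenario with calibrated (min, most likely, max) estimates."""
    name: str
    lef: tuple            # loss event frequency, events per year
    magnitude: tuple      # loss magnitude per event, USD
    control_cost: float   # annual cost of the candidate mitigation, USD
    lef_reduction: float  # fraction of event frequency the control removes (0..1)


# Constructed scenarios (hypothetical vendors, estimates and costs; not survey data).
SCENARIOS = [
    Scenario("BuildPipelineVendor", (0.1, 0.3, 0.8), (100_000, 400_000, 1_500_000), 60_000, 0.6),
    Scenario("RawMaterialBroker", (0.05, 0.2, 0.5), (200_000, 600_000, 2_000_000), 250_000, 0.8),
    Scenario("LogisticsPortal", (0.02, 0.05, 0.1), (50_000, 150_000, 400_000), 40_000, 0.5),
]


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method: number of loss events in one year at expected rate `lam`."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int = 10_000, seed: int = 7,
                           mitigated: bool = False) -> list:
    """One sample per simulated year: draw a rate, an event count, then per-event losses."""
    rng = random.Random(seed)                  # fixed seed keeps the run reproducible
    f_lo, f_ml, f_hi = s.lef
    m_lo, m_ml, m_hi = s.magnitude
    losses = []
    for _ in range(years):
        rate = rng.triangular(f_lo, f_hi, f_ml)   # signature is (low, high, mode)
        if mitigated:
            rate *= 1.0 - s.lef_reduction
        events = poisson(rng, rate)
        losses.append(sum(rng.triangular(m_lo, m_hi, m_ml) for _ in range(events)))
    return losses


def quantify(s: Scenario, years: int = 10_000, seed: int = 7) -> dict:
    """Translate a scenario into dollars: ALE, a bad year, and the control's net benefit."""
    base = simulate_annual_losses(s, years, seed)
    with_control = simulate_annual_losses(s, years, seed, mitigated=True)
    ale, ale_mit = mean(base), mean(with_control)
    return {
        "name": s.name,
        "ale": ale,                                   # annualised loss expectancy
        "p95": quantiles(base, n=20)[-1],             # 95th-percentile annual loss
        "p_any_loss": sum(1 for x in base if x > 0) / years,
        "ale_mitigated": ale_mit,
        "net_benefit": (ale - ale_mit) - s.control_cost,   # > 0: control pays for itself
    }


def prioritise(scenarios, years: int = 10_000, seed: int = 7) -> list:
    """Rank scenarios by ALE; `net_benefit` says which fixes are cost-effective."""
    return sorted((quantify(s, years, seed) for s in scenarios), key=lambda r: -r["ale"])


if __name__ == "__main__":
    print(f"{'scenario':22}{'ALE':>12}{'P95 year':>12}{'P(loss)':>9}{'net benefit':>14}")
    for r in prioritise(SCENARIOS):
        print(f"{r['name']:22}{r['ale']:12,.0f}{r['p95']:12,.0f}"
              f"{r['p_any_loss']:9.2f}{r['net_benefit']:14,.0f}")
```

Point 1’s decision falls out of the last column: the raw-material broker carries a large ALE, but its control costs more than the loss it removes, so the first dollars go to the build-pipeline vendor, where a cheaper control pays for itself. The ranges are the whole game; they should come from calibrated estimators and incident data rather than guesses, and the P95 column is what to show a board that asks about a bad year rather than an average one.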

So the final point for the Biden administration and the organisations working on Executive Order 14017 is clear: cybersecurity professionals have an advantage over their peers because they already standardise data and view risk through a lens of complexity and cost of failure. If the two parties can collaborate effectively, there is a chance that security professionals can finally understand the full extent of the supply chain ecosystem and, with any luck, secure it from future attacks.
