Assurance Frameworks and the energy supply chain

Jake Holloway, Chief Product Officer at Crossword Cybersecurity PLC, explains why Supplier Assurance Frameworks are becoming more-and-more essential.

The nature of the energy industry means that it inherently has complex supply chains. Each organisation in the chain is a potential weakness that can impact the provision of energy to critical infrastructure, businesses and consumers. Those points of weakness, as we have seen in recent years, can lead to outages because, ultimately, our energy supplies are only as strong as the weakest link in the chain. Only in August this year we saw outages across the South East of England, caused by a ‘seemingly’ impossible combination of circumstances. But equally, we hear examples across the globe of nation states and hacking groups exploiting cyber security weaknesses in the supply chain to take supplies offline, such as those affecting the Ukraine in 2015 and 2016.

A new era of supply chain management

In order to manage risks and build healthy and resilient energy supply chains, the right supplier assurance processes need to be in place. This could be seen as a challenge for procurement teams and the supplier onboarding process, but it reaches much further, with risk assessments needed across areas as diverse as certification, equipment handling, quality control, the Modern Slavery Act, Health & Safety, GDPR and cyber security to name but a few.

Each of these areas impacts departments in different ways, and indeed may require specialist expertise to assess the risks. Cyber security is a great example, where a weakness such as an unpatched VoIP phone or IoT sensor, may be exploited in one supplier to reach other parts of the supply chain.

Normally, supplier assurance and procurement teams would stay well away from these technical and complex areas. For instance, with cyber security, where supplier due diligence requires a cyber security assessment, it’s happily handed over to specialists – whether internal or external. Any reports, risk acceptance or remediation activities are left with the specialists while supplier assurance teams focus on the core of financial risk, insurance cover, standards, supply continuity and so on.

Building a Supplier Assurance Framework

Organisations need a different approach to reduce risks associated with suppliers, vendors and other third parties. One that combines the supplier assurance and procurement team’s approach based on good practise, controls, evidence of governance and commitments to improvement, with the deeper technical understanding of other teams. Supplier assurance and procurement teams have a far greater role to play in this than they may imagine through the implementation of a Supplier Assurance Framework.

A good framework, starts with the need for supplier assurance and other departments to gain an improved understanding about each other’s domains, objectives and responsibilities. A starting point is for them to jointly develop Supplier Impact criteria that systematically assess how much inherent risk every supplier or third party may have in that departments sphere.

Each supplier can then be measured against these criteria, and their supplier impact level established. A different approach for each level of impact should be agreed jointly and completely standardised across the organisation. For example, for suppliers with a Very High impact, the supplier should be expected to demonstrate a high level of internal controls. For cyber security, for example, this should take the shape of obtaining or working to achieve high standards such as ISO27001, IASME Governance or NIST. This means it’s the supplier’s responsibility to show a serious level of control rather than the hard-pressed cyber security team’s responsibility to dive into hundreds of hours of audit work. It also has the benefit of being easy for a non-cyber specialist to determine if the standard is present or not.

Where a technical assessment is needed, such as a penetration test or at least a “pen test” report from a credible third party, then the supplier assurance team can be responsible for managing that this takes place – handing over the responsibility to the cyber teams or external testers where needed. This ‘management of risk’ role cannot be handed over though, as tempting as it is when the talk gets incomprehensibly technical.

The approach at each level of supplier impact should also contain the ongoing levels of compliance required in order to maintain good risk management. Again, the supplier assurance team can timetable these ongoing reviews and focus on the governance of third-party risk – whether cyber, materials, continuity, financial or regulatory.

Shared supplier risk information

What really helps is that the different teams involved in supplier risk start to use shared information systems to record and visualise supplier risks. We have seen users creating really impressive supplier scorecards showing a combined view of financial, cyber, GDPR, slavery and other risks all on one simple chart for each supplier. This gives them a shared understanding of the totality of risk from each supplier and helps specialist teams, such as IT, and the supplier assurance team understand how their worlds fit together.

At a time when the energy industry is facing threats arguably greater than ever before, building a supplier assurance framework helps companies take control of their third-party risks, by allowing them to control, manage and measure their exposure.