
Navigating Supply Chain Risk Management Compliance


Supply Chain Risk Management (SCRM) assesses risk for vendor products or services to your organization’s critical assets. Various regulations and frameworks mandate the protection of these assets, including NERC CIP, ISO 27001, and TSA.

For organizations subject to these regulations, SCRM compliance is not optional—it’s mandatory. But how does an organization achieve compliance? The answer is often complicated and varies depending on factors such as the vendors involved, active contracts, environmental complexity, audit expectations, regulatory interpretations, and culture.

Anyone responsible for generating evidence for a compliance program knows that interpretation is a significant challenge, and SCRM compliance is no exception. Vendors differ in countless ways, including how they interact with an organization. Many organizations aim for the popular approach of minimum compliance to manage costs and resources. This strategy can increase the risk of overlooking critical information. The interpretation of minimum compliance is usually left to the auditor, which can quickly lead to uncontrolled risks.

In an ideal world with unlimited budgets, cybersecurity would take precedence, and compliance would naturally follow. However, most organizations operate within budget constraints and exist to generate profit or value to the public.

Managing SCRM with Collaboration

Another challenge in meeting SCRM compliance is the tendency to isolate the compliance program within the impacted departments or systems. Organizations function like organisms, with interconnected joints, muscles, and organs working with one another. Can your organization operate sales without finance and vice versa? Running a compliance program in a silo has its pros and cons, but the cons may outweigh the pros.

Let’s look at a hypothetical example. Consider an organization, ACME Corp., which operates an enterprise-wide risk register for all departments. Recently, ACME became subject to NERC CIP because it acquired electrical transmission assets. To avoid regulatory penalties, ACME chose to develop a compliance version of its risk program and isolate its enterprise risk register from the newly acquired assets. The rationale is that this reduces the risk of regulatory violations and compartmentalizes the compliance program to the new requirements. Now, let’s introduce SCRM and a common vendor, Vendor ABC, shared between the transmission and corporate assets. This scenario raises several questions:

  • Do we need separate corporate and transmission teams to manage Vendor ABC’s assets?
  • How can we apply our established corporate relations with Vendor ABC to our newly acquired transmission assets?
  • If a risk with Vendor ABC appears in the enterprise risk register, how does it reflect in the transmission risk register?
  • With different teams assessing the same risk, will we have different results and responses?

While ACME may achieve project compliance at a specific point in time, ongoing compliance operations could lead to violations, increased costs, and complexity. Visit our blog on Adopting IT/OT Convergence to learn more benefits for the enterprise.

SCRM is subjective for each organization due to the unique risks they face. Focusing on risks at the enterprise level strengthens your defense during audits, where your effectiveness in identifying, assessing, and responding to cyber risks is assessed. Whether dealing with the power grid, energy, food manufacturing, or water formulation, vendors play a crucial role in your cyber protection strategy.

Requirements of Supply Chain Risk Management Compliance


To reduce the risk of regulatory violations during compliance operations, consider the following recommendations:

  • Develop and integrate operational requirements with your regulatory requirements.
  • Reduce efforts to find workarounds and accept the requirements.
  • Use the requirements to guide your solution, then get creative—not the reverse.
  • Establish relationships with vendors and find ways to collaborate.
  • Revisit previous attempts to resolve similar challenges; today is a new day.
  • Focus on risks to your organization, not just compliance.

Every organization has its own culture and requirements, and there are likely many more options to reduce the risk of regulatory violations. This underscores the importance of focusing on requirements.

SCRM programs can be simpler than perceived. Regulatory compliance is mandatory for an organization due to external regulations. With the increasing number of cyberattacks using vendors as vectors to access target organizations, SCRM is a critical domain. While many recommendations and alternatives can be proposed, creativity mixed with different perspectives can help you find the right solution.

Creativity is one of the most valuable skills you’ll use in your lifetime. When faced with only two choices, make a third. As the saying goes, “When opportunity doesn’t knock, build a door.”

Conclusion

Shift your focus to ensuring your risk management program meets regulatory requirements. Your enterprise risk management program should already align with your corporate goals and objectives. Can an audit find fault in your organization’s goals and objectives and in how your compliance program supports them?