NIST Key Practice 5: Collaborate Closely with Suppliers

April 23rd, 2021 | Jackie Risley

For some organizations, managing suppliers has historically been fairly transactional. Have they provided documentation needed for onboarding? Do they fulfill their contractual obligations? Should we renew this contract? However, the National Institute of Standards and Technology (NIST) notes that “[i]ncreasingly, organizations are treating their suppliers as members of their ecosystem and closely collaborating in a variety of ways.”

In its recently published Key Practices in Cyber Supply Chain Risk Management report, NIST advises that best-practice organizations “Closely Collaborate with Key Suppliers” within their cyber supply chain risk management (C-SCRM) programs. This blog is part of a series, which explores how technology investments can support successful implementation of NIST’s Key Practices.

Shifting Supplier Relationships

The global pandemic drove home the risks associated with reliance on suppliers and the interconnectedness of the global supply chain. As organizations recognized that the resilience of their suppliers was critical to their own, many organizations shifted to a more collaborative approach.

In regulated industries, those deemed essential services needed to ensure that their critical suppliers could continue operations. But even in non-essential businesses, buyers began to take a more collaborative approach to risk, such as renegotiating payment terms in order to help a critical supplier maintain operations.

How the Technology Can Support This

The site visits, formal meetings, and frequent communication that NIST recommends for building strong collaborative relationships take time and resources. Unfortunately, both are in short supply in many C-SCRM programs. While technology is often viewed as a barrier to more personal interactions, it can enable supplier collaboration when it includes:

  • Intelligent automation to reduce time spent on low-value tasks. Too many programs rely on manual processes to manage activities across the supplier lifecycle. Capabilities such as workflow and AI/machine learning can free up employees to focus on supplier collaboration.
  • Robust reporting to understand which suppliers should be prioritized, track activities and status, and provide visibility to senior management. In a survey, a mere 20% of respondents indicated that they could quickly and confidently report on the most basic data point: what third parties they have. That suggests that most organizations are spending far too much time chasing down data, rather than building supplier relationships.
  • The ability to conduct business impact assessments (BIAs) that proactively identify challenges facing suppliers during adverse events (e.g. severe weather or biohazards). BIAs provide an opportunity to partner with suppliers to anticipate or prevent disruptions and keep them from affecting the business relationship (e.g. by renegotiating contractual delivery dates).
  • Automated remediation processes that facilitate an interactive, non-punitive approach to addressing any issues and corrective actions. This ensures that clear expectations are communicated and fulfilled while creating a robust audit trail.
  • Opportunities for mentoring and training suppliers, as recommended by NIST, so that they can understand and continue to improve best practices. These can include embedded guidance within the product, integration with learning management systems (LMS) to provide training, and education resources through peer interactions/round tables and industry events.
  • Easily accessible communication channels between the buyer and the supplier to complement formal interactions. These can include features such as threaded comments as part of the assessment process and a feature-rich supplier portal to manage communications in addition to methods such as email.

The NIST guidance includes a total of 8 Key Practices, which are explored in this blog series. The complete list includes:

  1. Integrate C-SCRM Across the Organization
  2. Establish a Formal C-SCRM Program
  3. Know and Manage Critical Suppliers
  4. Understand the Organization’s Supply Chain
  5. Closely Collaborate with Key Suppliers
  6. Include Key Suppliers in Resilience and Improvement Activities
  7. Assess and Monitor Throughout the Supplier Relationship
  8. Plan for the Full Life Cycle
