
Building Best Practices

Briefing Paper

Adaptive Risk Management


for Complex Supply Chains

Executive Summary
Complex Supply Chains, also known as Chain Outsourcing, are now the rule rather than the exception.
The inter-related nature of complex supply chains can exert significant impacts, including effects on
managing risk in third party relationships. The implications of these statements convey increased
urgency around the need to better understand step-function, cascading improvements in risk
management analytics, responses, and other processes that can enhance supply chain management.

This paper:
1. Discusses supply chain risk and the increased demands that complex supply chains place on
outsourcers and providers.

2. Provides strategies and tactics for building and applying complex adaptive solutions to your own
Third Party Risk Management (TPRM) program.

3. Serves as the foundation for a series of related resources for practitioners from the Best Practices
Complex Supply Chain Project team.

This paper provides a foundation for a more robust style of TPRM management – one that applies
complex adaptive systems to the field of risk management. Complex Adaptive Systems (CAS) is a subset
of complexity theory that provides us with a window into improving the viability and resilience of supply
chain ecosystems. CAS identify the relationships between individual entities and are built to adapt
quickly to changes across a complex ecosystem. By applying these systems to existing TPRM efforts, risk
managers are beginning to gain a new foothold on what needs to happen to better adapt to the challenges
presented by highly complex supply chains.

The Challenge
By definition, complex supply chain risk is the increase in risk that is associated with the management of
complexity in the supply chain.i As supply chains become more complex, a shift in the availability of one
element in the chain may disproportionally impact other downstream elements, resulting in a cascade of
failure across elements such as raw materials; confidential and/or restricted data; parts for assembly;
assembled parts; final products/services; and distribution and marketing channels. All segments of a
sourcing chain must be covered by strong governance programs.

These complex Global Value Chains (GVC) lie at the heart of the majority of international trade and
investment.ii The effect, from an outsourcer’s perspective, is that there are a growing number of additional,
and potentially disruptive, suppliers behind its third parties. Appropriately managing the additional security
and operational risks that come as a result of these additional suppliers to supply chains poses unique
problems for both outsourcers and third party providers. Every element in the chain requires assurance that
the outsourcer’s risk standards are being met and executed down the entire chain.

Adaptive Risk Management for Complex Supply Chains 1

© 2020 The Santa Fe Group, Shared Assessments Program. All Rights Reserved.
Supply chain risk management has broadened beyond concerns for sustainability to include a heightened
focus on environmental, social, and governance (ESG) as companies manage brand and reputation risk. While
contractual protections exist for outsourcers, those safeguards are not enough to ensure business
continuity and timely availability of products and services, as demonstrated by the pandemic. The impacts
have been particularly stark in those industries that rely on “just in time” inventory.

Shifting TPRM Management Styles


A more nuanced and robust style of TPRM management is possible. By utilizing an adaptive risk management
approach that encompasses CAS, practitioners can analyze and identify the larger picture against more
granular indicators to achieve fact-based predictions of where supply chain disruptions will have the highest
potential impact to gain added assurance in the supply chain.

CAS are by design comprehensive, quantitative, and predictive. Using CAS, information can be garnered to
guide targeted use of resources which is focused on identifying and resolving high risk disruptions. Tactics
for monitoring supply chain resilience can then be better directed, and plans made and tested for alternate
pathways ahead of any real-world service failures.

While this sounds familiar to risk managers, the adaptive quality of the approach is far more intricate
than typical styles, and better aligns with the complexity of the supply chain that is being examined. The
identification of key risk points within a system built to adapt is expected to yield a significantly more
successful response to major events if and when they do occur.

The Landscape of Complex Supply Chain Risk Management


Worldwide and regional trade present compelling issues for risk managers due to the intricacy of those
operations. To match the complexity in the supply chain, the strategies, techniques, and processes
employed to manage that chain should anticipate, or at least indicate, potential entity- and
location-sensitive problems in the chain and provide for agile responses when disruptions do occur. The
end result is that managing jurisdictional risk issues becomes a critical component of any successful
program.
• Complex supply chain as a term applies to all elements required to bring a product or service to market:
for instance, materials, parts for assembly, assembled parts, final products/services,
distribution/transportation/marketing channels, and labor throughout; where a change in any element may
impact other elements in the chain.iii

• Complex Supply Chain Risk Management represents the strategies, techniques, and processes employed to
ensure that each element of an outsourcer’s supply chain meets the outsourcer’s risk standards, that those
standards are executed down the entire chain, and that the outsourced critical function is effectively
supervised.

In the UK and EU, complex chains are called Chain Outsourcing.iv The European Banking Authority (EBA)
mandates that outsourcers go far enough into their chain to make a real-world, risk-based analysis, until
the risk is at a level that the organization deems low enough not to require further due diligence.v In
order for a vendor to demonstrate that their third party has a robust TPRM program that the outsourcer
relies upon for fourth (Nth) party risk management, the third party must consistently apply a risk-based
analysis that involves testing of the fourth party’s program, with the verification/testing results being
provided back to the outsourcer as part of that third party’s risk management process. This is critical for
an outsourcer to gain assurance that the third party is properly managing downstream risk, and this
assurance process must be repeated at each link in the supply chain.

Responding to Supply Chain Risk

Recognizing risks (i.e., mapping risks) and then quantifying those risks ahead of a crisis is essential to
identifying and effectively evaluating and managing complex supply chains. Further, identifying and testing
real-world scenarios is essential to discovering what failure may look like, so that operations planning
can be adapted to align with organization risk appetite. The pandemic experience has demonstrated how
important it is to evaluate business continuity planning, including stacked, multi-vector, and unknown
risks – and to exercise those plans for flaws and opportunities for improvement.

Supply chain risk, including undefined risks, concentration risks, and location risks, spans all areas of
organizations and exists throughout the supply ecosystem – human resources, privacy, location, financial
viability, IT vulnerabilities, cost of containment and remediation, mental/physical health outcomes, and
regulatory compliance. This complexity provides significant challenges to managing the security and
operational risks that come about as a result of that chain.

Increased demands on outsourcers and suppliers:

• Outsourcers and third parties need to reach a higher level of communication that allows for greater
agility.

• Third parties have greater responsibilities to create levels of safety controls and other elements that
include building deeper levels of supply with flexible options to meet shifts in supply/demand throughout
the chain.

• For all parties, capacity demands may arise which are wholly unprecedented, and are therefore difficult
to plan for and remedy.

Increased challenges within third party management programs include the need for:
• More agile onboarding.

• Processes that meet shifting jurisdiction and regulatory requirements.

• Greater anti-fraud controls on shifting ground (rapid replacement of third parties, increased
governmental interactions, unprecedented demand for some products, bribery and corruption increases due to
desperation caused by increased global economic instability).

• Monitoring and analysis of changing third parties and of concentration risks.

• Policy reviews that examine whether organizational policies are appropriate to the changing landscape;
updating policies accordingly (with all the internal review that process implies).

Preparedness and creative thinking are more essential than ever. One key point that has emerged in recent
months is the need to revise due diligence processes now to meet the evolving environment. The old tactics
are no longer successful in the face of serious disruptions. It is also notable that while a disruption in
supply chains for parts can be expensive in many ways, in digital ecosystems, once data is lost or misused,
it is compromised forever.

There are often hidden risks that require heightened attention and new techniques for controls and
monitoring. Digital information ecosystems, merger and acquisition environments, and third and Nth party
relationships can all pose unforeseen impacts, including concentration risk.

Traditional Business Continuity Planning (BCP) has been found wanting during the combined weight of the
pandemic and other stacked, multi-vector risks (extreme wildfires, earthquakes, political unrest and
instability). Risk managers are reporting that vendors are less responsive to requests for information,
especially when dealing with larger companies, resulting in important reviews, audits, and other key
assessments being delayed or even not completed. In-person onsite audits are not feasible, and virtual
assessments do not provide the solution to every challenge. Assessment resources simply may no longer be
available and/or access may be severely limited. Remediation efforts are being impacted due to lack of
access to the technology, such as servers and/or the records at office sites. Other impacts come from staff
trying to manage new challenges not previously present in their daily lives (e.g., remote school learning,
day care needs, travel restrictions, etc.). Risk assessment data is often episodic and may not prove to be
of appropriate value in a dynamic environment.

Solution Building – Strategies and Tactics

Risk managers are not alone in this predicament. The complementary constituencies across the organization
and across vendors must work together to design adaptive solutions. Complexity in the supply chain applies
to all resources required to bring a product or service to market and the lifecycle of these relationships.
“To manage supply chain risk effectively and holistically, it is important that organizations ensure that
supply chain risk management controls are included at all tiers segments in the supply chain.”vi

Strategy building around complex supply chains requires that practitioners:

1. Focus on what is business critical during any crisis – this validates organizational value by keeping
essential services available.

2. Assess opportunities to adapt – ideally under pre-planned movement to alternate vendors, locations,
service models, etc.

3. Review and respond to the next new normal – this helps build a more agile and resilient response over
time.

Organizations should plan for business model shifts that adapt existing plans or plan for new services as
client needs change over time. Enterprise Risk Management (ERM) and TPRM should be built to support each
other in order to bridge silos and to provide a single source of information across the supply chain, such
as a risk intelligence listening post (industrial and operational technology security, digital security,
and other ecosystems).

Risk managers can set realistic, high-level goals, using an adaptive method with each process building on
knowledge gained through strategy building:

• Analyze on a broad, coarse level the aspects/issues associated with your supply chain and the associated
locations.

• Identify the more drilled-down, granular indicators that will provide the best predictions of supply
chain disruptions.

• Identify the most on-target techniques to assess and monitor your supply chain.

• Given your organization’s risk posture (ethical, compliance, competitive), determine how deep you can and
should go in monitoring (before/during relationship management).

Recommendations and Conclusions – Strategic Shifts & Related Tactics

Complex supply chains are susceptible to cascading failures from subtle shifts at key network points and
across multiple jurisdictions. To protect against cascading failure in the supply chain, a robust adaptive
system should be put in place ahead of a crisis which is responsive to the complex nature of the supply
chain. Making the strategic shift to manage for these vulnerabilities can be accomplished in part through
the use of complex adaptive systems. The resulting Adaptive Risk Management System will be more robust than
management styles that view only one segment or two segments of the supply chain at a point in time
because adaptive systems:

1) Are designed to evolve.

2) Maximize current risk intelligence.

3) Provide opportunities for small actions to have big stabilizing effects.

Risk managers can use elements of adaptability to support operational stability in the face of
disruptions. Resilience is being seen in a new way, with increased emphasis on mitigation, which includes
insurance. Different, new levers can be put into play which provide greater insight, in turn leading to
applying new levers throughout the supply chain.

Emerging Best Practices

Risk managers have been actively building solutions as they attempt to assess their preparedness, both
internally and externally across their supply chain in the currently unpredictable environment. Emerging
solutions that risk managers report as being effective in this new environment include:

• Develop and implement a Risk Operations Center centralized listening post to gather, cross reference,
consolidate, and disseminate risk intelligence to all company operations and functions.

• Map the linkages between parties. This is an essential practice. Plan for agile shifts to alternative
resources. This includes preplanning to avoid component level instability. For example, alternate means
for movement of parts from supplier to user if current channels are disrupted; set up a proprietary network
for potential larger network disruptions, equivalent to a dedicated closed network, and to move data
through linkages. Without a clear map of relationships, it is not possible to preplan alternative supply
links.

• Examine enhanced horizon scanning techniques, selecting those methods that can lead to adaptability and
agility for the organization’s unique challenges. Use objective predictive tools (i.e., quantitative
models, horizon scanning for information gathering and analysis automation). A practitioner may not be able
to see what the disruption will be; however, horizon scanning can provide visibility into the points that
are critical based on appropriate mapping and the mechanics of dynamic relationships.

• A common taxonomy needs to be employed, enterprise-wide, as well as across organizations to the vendor
level, so that risk managers, business unit heads, senior management, and boards are all able to
communicate about challenges and how to best build adaptation into operations and management systems. This
is especially true for industrial (operational) technology security where information security and
engineering collide.

• Employ a hierarchical feedback/feed forward model that is responsive to the organization’s overall
strategy. Incorporate TPRM processes into the broader ERM governance systems, allowing for quicker
identification of problems from a single source and a more agile response. It has to be communicated
clearly that the flexibility required by adaptable systems is not contradictory to standardized processes
and cannot compromise existing standardized processes.

• Build redundancies as a key part of business resilience. Mandate contracting processes that include exit
strategies that are capable of responding with more agility when trigger events occur (e.g., identify new,
unacceptable down chain parties and other key triggers). Make the business case for vetting contingent
providers capable of agile response to critical function disruptions (e.g., vetting “standby” vendors to
service critical points that mapping revealed require planning for agile execution when disruption hits).

• Automate “wisely.” Use real-world indicators and scenario testing to guide improvements in prediction
times and response capabilities. Plan for what shifts would have to occur on the ground in that instant
(changes day to day). Use preparedness plans that contain multiple strategies (at best cost) that can be
put in place ahead of a crisis.

• Streamline risk-based (quantitative, analytic) vendor risk management based on potential for failure.
Establish quick turnaround polling of suppliers to evaluate shortlisted questions (10-20 questions)
regarding that supplier’s current status (e.g., are your operations still functional; what is your
capacity; can you meet agreed upon KPIs; how can we support your value as a vendor in our organization).

Practitioner Resources
This briefing paper is a summary level overview of the topic of Complex Supply Chain Third Party Risk
Management. It serves as an introduction to a series of related articles and free practitioner level guideline
mini-tools in selected topic areas related to Complex Supply Chain Management, focused on third/Nth party
risk management. This content will be released throughout 2021 focusing on areas within complex supply
chain management that have been identified as particularly of interest in this arena.

You can find practitioner, C-suite, and board level resources for complex supply chain risk management and
other TPRM challenges at: https://sharedassessments.org/blog/

Acknowledgments

This is one of a series of best practices resources for Third Party Risk Management. We thank the Shared
Assessments Best Practices Group volunteer subcommittee members who conducted this effort:

• Jolanta Broslawik, Senior Manager - Vendor Technology Risk Mgmt, Charles Schwab & Co., Inc.; Project
Member Co-Lead

• Kaelyn Lewis, Senior Risk Analyst, Rochdale Paragon (apogee iQ); Project Member Co-Lead

• Phil Bennett, Manager, Information Security Metrics and Analytics, Navy Federal Credit Union

• John Bree, Chief Evangelist – Supply Wisdom (NeoGroup)

• Laura DeWert, Vendor Risk Analyst, BMW Financial Services N.A.

• Angela Dogan, Founder & CEO, Davis Dogan Advisory Services, LLC

• Nasser Fattah, Cybersecurity and Vendor Risk Management Leader in the Financial and Health Industry

• Brenda Ferraro, VP of Third-Party Risk, Prevalent, Inc.

• Christina Howlett-Perez, Manager, Procurement, Wellington Management Company LLP

• Alpa Inamdar, Head of Third Party Governance Line of Business Administration, BNY Mellon Corporation

• Emily Irving, VP RQA, Third Party Risk Management, BlackRock, Inc.

• Sri Kaza, Senior Compliance Analyst, State Farm Mutual Automobile Insurance Company

• Paul Poh, Managing Partner, Radical Security

• Michael Riecica, Director, Security Strategy and Risk, Rockwell Automation, Inc.

We would also like to acknowledge The Santa Fe Group, Shared Assessments Program subject matter experts and
other staff who supported this project:

• Bob Jones, Senior Advisor

• Charlie Miller, Senior Advisor

• Gary Roboff, Senior Advisor

• Marya Roddis, VP Technical Writing; Editor

About Shared Assessments

The Shared Assessments Program is the trusted leader in Third Party Risk Management, with resources to
effectively manage the critical components of the Third Party Risk Management lifecycle.

Program resources are creating efficiencies and lowering costs for all assessment participants; kept
current with regulations, industry standards and guidelines and the current threat environment; and
adopted globally across a broad range of industries both by service providers and their outsourcers.

Shared Assessments offers opportunities for members to work alongside peers to address global risk
management challenges through committees, awareness groups, interest groups and special projects.

For more information on Shared Assessments, please visit: http://www.sharedassessments.org.

Shared Assessments committees and working groups create deliverables such as this briefing paper as part
of a larger body of agnostic research, articles, educational and certification materials, and other
resources that support best practice development in third party risk management.

The Shared Assessments Program TPRM Framework encompasses the full body of work from these ongoing efforts.
As a dynamic, living document, the Framework informs our educational materials, program tools, and other
resources, which are regularly modified and updated to reflect new risks, the changing regulatory and
industry environments and the continuing evolution of effective risk management approaches.

The Framework is available to members at: https://sharedassessments.org/framework/

Disclosure: The content of this series is not intended to convey or constitute legal advice, is not to be acted on
as such, and is not a substitute for obtaining legal advice from a qualified attorney. These materials include the
strategic and tactical processes deemed the most generally applicable to and useful for the most parties, both
outsourcers and third parties. This material is not intended to be inclusive of every case required by statute or
regulation for any specific industry, nor those mandated by any and all industry standards.

Endnotes
i Shared Assessments TPRM Glossary. 2020. https://sharedassessments.org/glossary/

ii OECD Policy Responses to Coronavirus (COVID-19). COVID-19 and global value chains: Policy options to build more resilient production
networks. 3 June 2020. OECD. http://www.oecd.org/coronavirus/policy-responses/covid-19-and-global-value-chains-policy-options-to-build-more-resilient-production-networks-04934ef4/

iii Shared Assessments TPRM Glossary. 2020. https://sharedassessments.org/glossary/

iv Complex Sub-outsourcing (Subcontracting) Chain Risk is the risk that long and complex sub-outsourcing chains reduce the ability of
outsourcing organizations to oversee outsourced critical or important functions and the ability of competent authorities (jurisdiction-
specific regulators) to effectively supervise them. The proportionality principle aims to ensure that governance, including that related to
outsourcing, is consistent with the individual risk profile, the nature and business model of the institution and the scale and complexity
of their activities, so that the objectives of the regulatory requirements are effectively achieved. Shared Assessments Glossary. 2020.
Adapted from EBA Outsourcing Arrangements 2019. https://sharedassessments.org/glossary/

v Final Report on EBA Draft Guidelines on outsourcing arrangements. 25 February 2019. https://eba.europa.eu/eba-publishes-revised-guidelines-on-outsourcing-arrangements

vi Security and Privacy Controls for Information Systems and Organizations. NIST Special Publication 800-53 Revision 5. September 23,
2020. National Institute of Standards and Technology (NIST). https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
