The Deloitte Global Chief Procurement Officer Survey revealed that the most successful CPOs focus on seven key areas. Among them are "define a truly balanced scorecard", "spend more time on strategy and transformation" and "get the digital house in order".
In practice, this means identifying factors - such as cyber risk - whose measurement leads to materially improved business outcomes, implementing practices which build for future success and improving the availability and application of data across procurement applications.
"Procurement leaders need to understand and build risk, resilience, and agility metrics across their organisations. They can consider moving beyond one-off pilots and using scalable platform capabilities. Making direct investments in and prioritizing the fixing of data and making their processes predictive and autonomous can help create measurable impact."
- Deloitte
Darkbeam's Supplier Cyber Risk Management platform directly enables each of these factors, supporting procurement leaders in implementing cyber risk best practices across their organisation.
Implementing best practices in third-party cyber risk management helps to reduce the likelihood of the company suffering financial, operational or reputational damage resulting from cyber crime targeting any supplier in their supply chain.
Consistent standards
When onboarding new suppliers, it is standard to request that they complete a Vendor Risk Assessment form. These often include a section of cyber risk questions.
Companies invest a significant amount of resource into vetting third parties in this way (almost two million pounds per year on average for large companies) but 64% of procurement leaders say they are 'only somewhat' or 'not effective'.
Reasons for this ineffectiveness vary. In some cases, the results are never fully processed. In others, results are used for reporting purposes, but the manual nature of the process means that corrective actions are not taken to manage risk. On top of this, many suppliers (over half) admit that their response is not always entirely accurate.
By applying automated testing, Darkbeam's risk scores adhere to consistent, comprehensive standards for all suppliers. This enables like-for-like measurement and comparisons of cyber risk across an entire supply chain.
Automated assessments of risk remove human elements and allow for consistent, unbiased decision making which leads to a reduced risk of disruption and costs.
Continuous assessment
Vendor Risk Assessments (as above) provide a snapshot in time. Even assuming the response is entirely accurate and fully processed, it becomes immediately outdated the moment the vendor completes their submission.
Darkbeam's Watchlist feature allows Category Managers to continuously monitor suppliers over time. Any changes to risk levels within a supplier are highlighted and can be acted upon using Darkbeam's shareable reports.
In this way, the Darkbeam platform removes the pitfalls of retrospective reporting and enables procurement teams to actively manage risk across categories with no additional commitment of time.
Continuous assessment and monitoring of cyber risk highlights emerging risks and ensures that decisions are made using up-to-date data.
Procurement-wide scale
Whilst it is true that some categories introduce more real-terms risk than others, best practice dictates that risk management be consistently applied across the company. The primary implications of cyber crime against supply chains (financial, operational and reputational damage) apply regardless of the supplier's category.
Through Darkbeam's generous licenses and easy-to-use interface, even large procurement teams can manage cyber risk across every category with ease.
Similarly, supplier numbers are not a limitation when using Darkbeam's capabilities. Many of our clients monitor thousands of suppliers using the in-built Watchlist functionality.
In situations where procurement teams must limit the number of suppliers being monitored, Darkbeam can support clients in minimising the impact of this limitation through strategic guidance and Value at Risk modelling.
Monitoring cyber risk across all categories ensures a holistic view of potential cost and disruption related to cyber crime targeting suppliers. Although some categories of spend present a more immediate risk, all suppliers have the potential to cause material harm to the business.
Cross-functional access
By design or otherwise, large organisations often operate in silos. Despite this, issues such as cyber risk management have multiple stakeholders (across the procurement, risk management and cyber security departments).
Utilising the Darkbeam platform, each of these siloed teams can share consistent viewpoints of their supply chain cyber risk position, enabling a strategic approach to cyber risk governance.
Darkbeam's multiple layers of reporting are designed to enable these various stakeholders to use supplier cyber risk data in a way which best suits their expertise. For example, procurement professionals can make quick decisions with top-level scores while their cyber security colleagues can dig into deep reporting of individual risk factors – all from the same platform.
By utilising the same view of risk levels, each stakeholder can apply their specific expertise to reducing the overall risk of operational and financial harm.
Workflow integration
Despite best intentions, platforms purchased by large organisations are often under-utilised (as many as 50% according to a study by Productiv). The human tendency to revert to old habits, coupled with heavy workloads among procurement teams, means that any new system must be integrated into workflows in a way which is net-positive in every usage. Darkbeam approaches this in two ways.
Firstly, Darkbeam data is widely available in a very large range of procurement platforms – with billions of pounds of value at risk being monitored in this way each week. Through integrations with the procure-to-pay and similar platforms used by team members in their daily routines, Darkbeam data becomes immediately valuable without additional steps to their workflow.
Secondly, Darkbeam's platform continuously monitors suppliers in Watchlists, accruing data for reporting in the process. In this way, each refresh cycle of a company's Watchlists (which can be weekly or monthly) contributes to the value the organisation receives from its usage. Rather than sitting dormant when unused, Darkbeam is continuously building strategic value for each user.
Integrations with existing platforms allow supplier cyber risk management to seamlessly enter the procurement workflow.
Leadership reporting
As a significant business risk, supply chain cyber risk levels are increasingly being monitored at Board level. Cyber risk reporting in general, however, is often met with confusion from non-technical Leadership teams.
According to McKinsey: "Most reporting fails to convey the implications of risk levels for business processes. Board members find these reports off-putting—poorly written and overloaded with acronyms and technical shorthand. They consequently struggle to get a sense of the overall risk status of the organization."
Darkbeam enables Board-level reporting by attaching a comparable numerical score to individual suppliers and to those grouped into Watchlists. As most clients configure their Watchlists to be category-specific, this allows for simple reports on overall risk levels and comparisons between categories.
The in-built score-tracking within Darkbeam's platform means that changing risk levels can be monitored and reported with ease and, as these scores are generated against cyber security best practices, they can be trusted to accurately reflect the organisation's third-party cyber risk exposure.
Understandable, consistent reporting which aligns to industry best practices allows for strong governance and efficient communication with Board-level stakeholders.
To learn more about how Darkbeam can support your business in implementing supplier cyber risk management best practices which materially reduce your risk of financial, operational or reputational damage, please contact us using the form below.