Boardroom Leaders Need to Look Outside

Boards might be focused on the risks that arise from within their own organisation, but outside suppliers can cause harm too.

When an organisation’s suppliers get it right, they add good value to the product or service they provide.  When they get it wrong, however, they can become a source of financial and reputational damage — or even a back door for cyber criminals.

It is a risk to which few boards seem to be alert.  Executive directors are usually focused internally on ensuring they hit their own targets and, while some non-executive directors are trying to look at the whole picture, it is difficult for them to really see into the supply chain.  And with companies becoming more reliant on third parties to deliver products and services, acquiring that overview is a strategic imperative.  It requires boardroom leadership in the form of challenge.

Suppliers should be a board issue, not just for executives but for non-executive directors, too.  If you are not clear on the management of your supply chain, you could get caught out by reputational issues such as suppliers breaching labour regulations.  Or you could have exposure in terms of currency fluctuations and movements in commodities.

Then there is the question of cyber security.  Big companies put a lot of time and effort into protecting their computer systems and the information they hold, but they could still be vulnerable if their suppliers don’t do the same.  There have been major breaches as a result of weaknesses in the supply chain.  Suppliers are drawn from many sectors, including small and medium businesses that in many cases do not have professionals dedicated to cyber security.

In some cases those weaknesses might allow criminals to gain access to data held by a third party, but in other cases the supplier might simply be a soft way in.  The hackers who stole millions of customer records, including credit card information, from Target in 2013 appear to have broken into the American retailer’s computers through its heating and cooling system, which was remotely managed by the company that supplied it.  The Wall Street Journal reported that the thieves stole log-in details from the supplier and used these to break in.

Freshfields, the law firm, advises that companies need to address the competency of their suppliers to handle sensitive data in the same way that they would look at insolvency risks.  They should not fall into the trap of thinking that it is just an IT problem — it is far more than that.

For example, they could require suppliers to co-operate in a security audit or to achieve a cyber-security standard.  They might even choose to help small suppliers build resilience into their systems.  And one of the key questions that non-executive directors should ask of executives is, ‘Are you judging the relationship with suppliers based on the financial value they provide and also on the level of trust we place in them?’

It seems like a good idea for non-executive directors to make time to visit suppliers: boards should get out more, to do ‘look and see’ visits, to smell and touch what is going on.  Yes, this sort of activity takes significant commitment and will not always be practical, but that said, it is worth the effort when there are big potential risks.  Non-executive directors need their eyes wide open . . . they should also look down the chain at how suppliers treat their suppliers.  You can’t mitigate risks unless you know what they are.