Recent Searches
Trending
Building and streamlining C-SCRM capabilities for a hyper-federated federal organization through the lens of people, process and technology
The better the question
Early detection of supplier risks will enable risk-informed decisions.
New technologies are accelerating the pace of digital change and the broad-scale use of automation, data analytics and the cloud. Government and public sector organizations are increasingly concerned about their resiliency capabilities and are looking to provide a safer, more secure and affordable approach to managing their systems and data. A breach from a supplier or third party could be one of the greatest risks they face.
A federal agency engaged Ernst & Young LLP (EY US) to establish its enterprise cyber supply chain risk management (C-SCRM) program, focusing on helping leaders make risk-informed supplier decisions, reduce supplier risks and meet multiple federal compliance requirements. Doing business with a supplier that provides services, products or software and – knowingly or unknowingly – could be breached presents a major risk. This may result in financial loss, intelligence leaks, stolen intellectual property or reputational harm.
With a focus on information, communication and technology (ICT) and other department services and products, the federal agency wanted a better understanding of the potential risk that a supplier could pose to the organization across multiple risk lenses, such as cybersecurity and foreign interest. By understanding the potential risk, a leader will be able to make a risk-informed decision prior to securing a procurement.
In addition to the risk elements, there are many regulations and executive actions designed to protect organizations from breaches or supply chain attacks. Both risk and regulatory compliance have driven C-SCRM to be a top concern for this entity and other federal agencies today.
The better the answer
Establish the processes. Train people. Apply technology and the right tools. Focus on what’s important.
EY US is recognized for its extensive risk and regulatory experience, system implementation and superior service delivery in SCRM services. It brought these capabilities to its engagement with a federal agency.
The EY approach helped the entity establish the processes and implement a C-SCRM program by driving innovation and leveraging two leading-edge technology platforms:
Utilizing commercial best practices honed from 15+ years of experience, EY teams developed tailored processes and implemented a supporting technology solution for this federal agency. The SCRM processes are risk-based so that the level of diligence conducted increases based on the risk the supplier presents to the organization. The established process is accompanied by the ServiceNow Vendor Risk Management application, which EY teams tailored to:
The combination of best-in-class processes and a tailored technology solution set a new standard that government agencies are able to use to establish a leading-class C-SCRM program.
Business Relationship Economic and Threat Analysis (BRETA) is an automated tool that enables risk scoring by culling publicly and commercially available data sources from government and public sector resources to assess risks. It provides a multidimensional overview of threats in business relationships across six categories: financial, cybersecurity, geopolitical, technical, supply chain, and regulatory and compliance.
Working with the federal agency, EY teams used BRETA in combination with government data sources and analysts, conducting a detailed C-SCRM assessment to identify potential threats, monitor suppliers and offer actionable insights for risk mitigation.
From a risk perspective, the federal agency is now able to:
SCRM programs are essential to improving the overall cyber posture of an organization – what makes this solution so compelling is the speed to market to stand up a program, the unique risk assessment capability of the BRETA tool, the alignment to NIST compliance standards and ultimately the ongoing monitoring capability to capture new risks over time.
The better the world works
Delivering an enterprise service that integrates risk assessment and risk treatment into the supplier management life cycle
EY teams worked with a federal agency to define what would be its end process: risk-based assessment process, entity onboarding, monitoring activities, mitigating identified risks, understanding how to handle new requests for suppliers, training users and suppliers, and integrating the service with other entities outside of the CISO. The integration helped with the change management efforts by embedding the C-SCRM services into existing procurement approval processes (e.g., the Federal Information Technology Acquisition Reform Act) and helped enrich the assessments by enabling intelligence teams to conduct a classified evaluation of high-risk suppliers.
After more than two years supporting this agency, EY teams has assessed over 2,000 supplier ICT or other department products and services. The C-SCRM assessments have helped change behavior while meeting government C-SCRM program requirements. Before the C-SCRM program, entities would have limited ability to assess a supplier and essentially would be “accepting” the risks present within the supplier – now leaders can make risk-informed decisions.
This was one of the first federal government agencies to stand up a C-SCRM program, and it is helping to set a standard for other government entities as they build their own programs to manage supplier cybersecurity risks at an enterprise level.
Our clients are facing increased uncertainty and disruptions, which is driving them to reassess their strategic imperatives and think differently about their operating environments. EY BRETA, coupled with our people, skills and experience, enables them to assess and monitor potential threats to their businesses and transform their decision-making from reactive to proactive.
How EY can help
