How can Insider Threats manifest in the Supply Chain?

Executive Summary

Insider Threat Management is difficult at the best of times, let alone cascading this implementation into the supply chain. The starting point for managing this risk is to understand how and where insider risks may arise in the supply chain, as well as assessing the likely business impact. Only then can these risks start to be managed effectively. The second consideration is contracting with suppliers to set expectations and form contractual obligations on expected practices: Some organisations rely solely on contractual obligations to manage their insider risks, an approach which is fraught with danger. This article explores these risks in more detail and outlines common pitfalls encountered when developing Insider Threat Management clauses in contract schedules.

Employees and contractors of your suppliers have access to your most sensitive information

How can insider threats affecting a principal materialise in the supply chain?

In this post, I use the term ‘principal’ to reference the party engaging a third party (e.g. a supplier). Insider threats can be malicious, complacent or ignorant, and there are two ways trusted insiders in the supply chain may impact a principal:

  • Principal is targeted directly by the insider – examples include supply chain attacks (ICT), issue-motivated activism (e.g. anti-fossil fuels), or the introduction of SSFFC (Substandard, Spurious, Falsely Labelled, Falsified and Counterfeit) and / or non-conforming parts or components into the principal’s supply chain.
  • Principal is not directly targeted but is impacted by the consequences of the event – examples might include a workplace violence incident which causes a downstream business interruption that affects quality, availability or some other service level.

Under Australia’s new Security of Critical Infrastructure Act and Rules (2022) (referred to as SOCI), critical infrastructure operators are required to more actively manage insider threats and supply chain hazards. The relevant Rules have been reproduced below:

  • Personnel Hazards: minimise or eliminate material risks that negligent employees and malicious insiders may cause to the functioning of the asset (paragraph (c))
  • Supply Chain Hazards: minimise or eliminate the material risk of, or mitigate, the relevant impact of: misuse of privileged access to the asset by any provider in the supply chain (paragraph (b))

To comply with these obligations, organisations need to understand the intersection of insider threats and supply chain threats and how they might manifest in practice.

What insider risks can manifest in a direct impact on the principal?

We buy products or services from our suppliers, and we may also use other third party relationships such as alliances or consortiums to facilitate business in some way. This means that insider risks can impact people, assets, information as well as products, services and quality. Examples of insider risks in the supply chain are outlined below:

Risk: Unauthorised use or disclosure of information
Description: May involve the following categories of information:
  a) Intellectual Property & Trade Secrets
  b) Commercially sensitive information
  c) Personally Identifiable Information
Controls:
  • Information Protection Programs
  • Supervised Destruction at contract termination

Risk: Unauthorised use or copying of molds, proprietary materials, manufacturing equipment, tools or techniques
Description: Where a supplier uses tools and equipment provided for a permitted purpose without authorisation (relevant to Contract Manufacturers and Contract Research Organisations).
Controls:
  • Supplier Assurance / Audits
  • Equipment Disposition
  • Market Surveillance Programs
  • Supervised Destruction
  • Contract clauses specifying ownership of IP

Risk: Supplier reputation (entity)
Description:
  • Adverse media / reputation
  • Management track record
  • Finances & Credit Ratings
  • Watchlist & Sanctions checks
  • Ultimate Beneficial Ownership & Control
  • Litigation history & enforcement action
  • Other checks as appropriate
Controls:
  • Supplier Integrity Program
  • Supplier Due Diligence
  • Supplier Assurance / Audits

Risk: Supplier’s employees
Description:
  • Potential for infiltration of the supplier by hostile actors (e.g. organised crime, nation state actors).
  • Hiring of unsuitable employees or contractors by a supplier.
Controls:
  • Workforce Screening Program (background checks)
  • Supplier Integrity Program
  • Insider Threat Management Program

Risk: Sabotage
Description:
  • Physical Sabotage
  • ICT System Sabotage
  • Data Sabotage
  • Supply Chain Attacks
  • Product Tampering
Controls:
  • Physical Security Program
  • Personnel Security / Insider Threat Program
  • Supply Chain Integrity & Security Program
  • IT Disaster Recovery

Risk: Introduction of SSFFC & Non-Conforming Parts
Description:
  • Failure of, or damage to, critical assets whilst in service due to malicious insertion or latent vulnerabilities in parts, components or software.
  • Unidentified cybersecurity vulnerabilities in products or systems (e.g. network back-doors).
  • Failure of products or components whilst operating within specifications.
  • Substitution of authentic (conforming) parts or components with inauthentic (non-conforming) ones.
Controls:
  • Supply Chain Integrity & Security Program
  • Quality Assurance Program

Risk: Intentional Interference & Contract Frustration
Description: Supplier / service provider under-delivers or incorrectly delivers intentionally for some reason (including through economic coercion or hostile control by other nation states).
Controls:
  • Supplier Due Diligence
  • Threat and Risk Assessments
  • Contracting
  • Supplier Assurance / Audits

Designing and enforcing Insider Threat clauses in contracts can be challenging

In my experience working on both supply chain security and insider threat engagements, it is common to see organisations placing a high degree of reliance on the provisions in a contract to manage these risks. Quite often these courses of action are driven by legal or procurement policy decisions in organisations which don’t fully appreciate their threat and risk environment.

Relying on contractual provisions to manage insider threats (or any other supply chain threat) means your organisation is reactive or response-driven: by the time you need to invoke the provisions, the incident or loss has generally already materialised, and the legal remedy may sometimes not be obtained until years after the event, during which time considerable management time, expense and effort has been expended.

Legal mechanisms are only one way to manage trusted insider risks

In addition to the above, I regularly encounter a range of challenges with these contract clauses, including:

  • Sometimes contracts are silent on Insider Threat Management, or the clauses that do exist cannot be readily or easily enforced.
  • Supplier contracts often last for multiple years, and renewals may be simple extensions without using the latest templates. This can mean a patchwork of standards and obligations exist throughout the supplier base, some of which may not align to the organisations current standards and practices.
  • Principals don’t specify their expectations of a supplier’s Insider Threat Management program. This could be mitigated by providing standards and frameworks for suppliers to follow and referencing these in contract schedules.
  • Sometimes the relevant clauses are in a contract but they are never audited or enforced to confirm the supplier is actually adhering to what they agreed to. Also, suppliers may have been compliant at a point in time, but then ceased to comply due to cost pressures or management decisions.
  • When dealing with the situation where there is only one or a small number of suitable suppliers globally, negotiating power is an issue. The principal may have the best intentions and a good framework to follow, but the supplier is not interested in agreeing to these clauses and refuses to sign the contract, knowing the principal will likely have to back down.
  • In some cases, it may not be possible for a supplier to agree to the principal’s requirements due to the nature of legal, industrial relations, employee engagement, or culturally-acceptable practices in the supplier’s jurisdiction. Workforce surveillance practices such as User Activity Monitoring are a good example here.

As you can see, there is a lot to consider when making policy decisions on Insider Threat Management practices generally, let alone when suppliers are thrown into the mix. Effective management requires a clear understanding of the threats and risks affecting the principal and how they may impact critical assets. Only then can a risk-based management strategy be developed that is tailored to the principal’s needs and risk profile. There is often little room for a ‘one size fits all’ strategy in this scenario.

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Conducting a Country Risk Assessment for your key suppliers

Author: Paul Curwell

Introduction

Choosing a supplier is an important decision for any business, no matter the size or time in operation. We all know that picking the wrong supplier can have disastrous consequences for your brand, reputation and customer satisfaction. Globalisation has driven manufacturing to low cost destinations, typically in less developed parts of the world. Whilst this meant the ability to purchase a product for a cheaper price, it also came with risks relating to reliability, quality, supply chain disruptions, integrity and ESG (Environmental Social Governance) risks such as indentured labour.

Stories of bad procurement experiences abound in relation to sourcing Personal Protective Equipment like gloves and masks for health workers during the COVID-19 outbreak. For example, some customers purchased counterfeit product whilst others purchased products which did not conform to stated specifications and had to be destroyed. However, in other cases the government where the manufacturer or distributor (e.g. warehouse) was located stepped in to compulsorily acquire the products for their own citizens, at the customer’s expense.


As highlighted by these examples, three main risks need to be considered as part of any supply chain decision:

  1. How well do you Know Your Supplier (KYS)
    • Are they legitimate?
    • Do they have a good track record in the market?
    • Are they financially solvent?
    • What do existing customers think of them (do they have any customers)?
    • Will associating with them damage your reputation?
  2. Does the product quality and pricing meet expectations?
    • Are their products legitimate?
    • Do they use substandard or counterfeit components?
    • Do their products conform to expected / agreed standards and specifications?
    • Are they competitively priced?
  3. Is the supplier located in a high risk country?
    • What factors external to the supplier might impact their ability to service your needs?
    • How dependent are they on other parties, such as trucking companies and electricity utilities, to deliver on supply agreements?
    • Are there any other considerations which might result in supply chain disruptions or non-delivery?

This concept of a ‘high risk country’ and the concept of country risk is examined in more detail below.

So what is country risk anyway?

The importance of understanding country risk is often overlooked, or given only a cursory glance by many businesses. As Australians we are truly privileged in terms of our advanced society, laws and infrastructure, and it is easy to forget that this is not the case for other countries (especially those manufacturing low cost products for import). When used by economists and the investment community, country risk refers to the “losses that could arise as a result of the interruption of repayments or the operations of entities engaged in cross-border investments caused by country events as opposed to commercial, technical or management problems specific to the transaction” (Toksoz).

The term political risk may also be used interchangeably with country risk in some situations; however, it is typically used to refer to those sources of risk with a political dimension, whereas country risk as used here is much broader. According to Moosa (2002), country risk analysis is used in three scenarios:

  • Multinational companies use it as a screening tool to select preferred countries for investment and / or market entry based on risk factors;
  • Country risk metrics can be used as part of a continuous monitoring program for in-flight projects or investments (see below); and,
  • It can help identify, assess and manage country-related risks pertaining to projects or other initiatives in a foreign country.

For the purposes of this article, the selection of suppliers falls into the last of these three categories.

You don’t need to consider country risk as part of every supplier decision

Not every product is created equal – some products may be more highly commoditised (and therefore readily available from multiple suppliers) than others. Typically, it is not necessary to follow the practices outlined in this post for products which can be easily purchased from many suppliers in many different countries (and indeed regions of the world).

Situations where a business should conduct a proper country risk study of its supply chain include:

  • Companies that are sourcing a contract manufacturer to build their products to specification
  • Products that require rare or hard to obtain ingredients / materials / components
  • Products that require specialist skills, equipment or manufacturing conditions (e.g. clean rooms)
  • Products that require components which are made under license by a fourth party

Where does country risk fit into the overall decision process for a supplier?

The process of choosing a supplier generally involves at least five core steps:

  • Identify and document your business requirements
  • Identify source countries for the product
  • Identify potential suppliers (i.e. individual businesses)
  • Negotiate and award the contract
  • Monitor the supplier for the life of the contract

Often, the identification of a potential supplier is conducted in tandem with the country risk assessment, however the order really depends on how many supplier choices exist. For example, in the case of contract manufacturers there may be suitable suppliers across multiple countries. Assuming these contract manufacturers are broadly comparable on other attributes such as price / quality and KYS outcomes, the inherent country risks may become a determining factor in the ultimate decision.


What does the country risk assessment process involve for suppliers?

In my career, I have seen many country risk assessments which really miss the mark. They might be a great piece of research that consumes copious numbers of pages and tells you everything you might ever want to know about a country, but so what? We’re in business, not writing a doctoral thesis or encyclopedia. Many country risk assessments are actually what are referred to as ‘country studies’, effectively research documents that catalogue many facts about a given country but are not linked to risks per se. I use a three-step process to produce a country risk assessment for a supplier, as follows:

  1. Map the supplier’s value chain – use Michael Porter’s value chain analysis to gain at least a basic understanding of what is required by the supplier to make your product. For example, if your supplier runs an iron foundry, you care about electricity and water as inputs. The reliability of your supplier’s phone network is important for delivery and payment, but without power and water there is no product. If your supplier depends on third parties for components, you need to understand this as well.
  2. Identify country risks – there are numerous methods for this, with two common ones being PESTLE and PMESII. If you already have a country study, this should be used as an input to this risk identification stage. Use desktop research and interviews to identify the required information, and then categorise your findings using the PESTLE and PMESII taxonomies:
    • PESTLE – stands for Political, Economic, Social, Technological, Legal and Environmental and is commonly used in government and business. Each of the PESTLE categories has a multitude of sub-factors, such as types of contract law (as a Legal example) which should be researched, discounted, or included where relevant
    • PMESII – stands for Political, Military (or law enforcement / organised crime), Economic, Social, Information (as in the reliability of information such as public records and the media) and Infrastructure. PMESII is a methodology used by the intelligence community.
    • Either method, or any variation thereof, should be developed based on your scope of work and objectives.
  3. Write up the country risk assessment and risk mitigation plan – the last step in my method for preparing a country risk assessment for suppliers involves overlaying the country risks against the value chain. Where possible, market forecasts and internal metrics (e.g. revenue, production) should also be referenced to ensure identification of country risks that actually impact the value chain. Once you have identified risks relevant to the value chain, these risks can be assessed and potential mitigation options identified for consideration.

Why should I bother? What is the cost-benefit here?

In her latest book on Political Risk, the author, a former US Secretary of State turned Stanford University professor, refers to political risk in the context of her “five hards of political risk management” (p82):

  • Hard to reward
  • Hard to understand
  • Hard to measure
  • Hard to update
  • Hard to communicate

I have encountered situations where well-intentioned businesses sought to manage country risk, such as when selecting a single contract manufacturer for all their production, only to find executives balk at the thought of spending thousands of dollars to identify and assess risks which in many cases would protect them from losses of millions in future revenue. Whilst it might be hard to quantify the return on investment that justifies spending on country risk, the benefits are clear, as illustrated by this example from MIT Professor Yossi Sheffi’s excellent book ‘The Resilient Enterprise’:

On 17 March 2000, lightning resulted in a fire at the Philips NV semi-conductor plant in New Mexico, USA which damaged manufacturing clean-rooms and destroyed inventory under production. Two of the plant’s most important customers were Ericsson and Nokia, then leaders in the mobile phone market.

In Finland, Nokia received a call from the plant informing them of an anticipated one-week delay. However, on further investigation Nokia determined the downstream effects would impact millions of its handsets, jeopardising sales and market share. Nokia began to enact its contingency plan, including buying excess capacity in the global market.

Nokia’s primary competitor, the Swedish company Ericsson, also received the same call but was reportedly less concerned. By the time they realised the materiality of the situation it was too late. This event ultimately triggered billion-kronor losses for Ericsson, resulting in its exiting the mobile phone market entirely.

This example highlights the importance of understanding all aspects of risk in the supply chain – taking early, informed action is critical to managing supply chain risk.


The country risk assessment process isn’t just a once-off

Most relationships in life start out well but deteriorate over time. Like any business relationship, suppliers need to be continuously monitored and the relationship nurtured to ensure long-term benefits to all parties. The concept of ongoing or continuous monitoring in due diligence and risk management generally has been around for many years, but has only recently started to take hold. Two elements need to be continuously monitored so as to properly manage supply chain risk:

  • Ongoing monitoring / continuous monitoring of the supplier themselves for factors such as financial solvency, quality, changes in ownership; and,
  • Ongoing monitoring of those external ‘country risk’ factors which the supplier may not even be aware of but which could disrupt ongoing supply.

One way to conduct ongoing (continuous) monitoring is through a strategic ‘early warning’, ‘situational awareness’ or ‘risk sensing’ capability which monitors the operating environment for tripwires, or leading indicators of an emerging risk which allows for closer monitoring and timely response. I will discuss how to build one of these capabilities in a future post.

End User Verification

Author: Paul Curwell

Introduction

In a product development context, an ‘end user’ is defined as the person who ultimately uses, or is intended to use, a product. However, ‘end users’ are also captured under various laws, including Export Control Regulations, where they are defined as “the person that receives and ultimately uses a good, service or technology”. End Users pose a particular challenge for all IP Rights Owners and Manufacturers in that once a product has been sold in the global market, it is very hard to control what happens to it. Depending on the product and its attractiveness to an end user, a product could ultimately end up with criminal counterfeiters, gray marketers, and sanctioned parties.


Where sanctioned parties are concerned, if a proscribed end user obtains as little as one unit of a product, this event may constitute a criminal offence (for example, the supply of materiel to North Korea) and could result in enforcement action and reputation damage. In contrast, selling a substantially discounted bulk shipment of product to an Original Equipment Manufacturer (OEM) which then resells the consignment onto an unauthorised distributor has the effect of “flooding the market with cheap product, eroding profit margins and disrupting the distribution channel” (Post & Post, 2008). Whilst the potential impacts of regulatory and business risks associated with sales to unauthorised end users are materially different, the nature of any due diligence program to mitigate these risks is the same.

This post provides an overview of the concept of ‘End User Verification’. It starts with a review of the regulatory and business risk drivers, then examines the process and identifies applicable red flags, data sources and threat patterns, before concluding with a discussion of what a good ‘End User Verification’ process looks like so that the risks can be effectively managed.

Regulatory Drivers for End User Verification

Globalisation presents risks and opportunities

A number of global regulations have a specific bearing on End Users, placing regulatory obligations on manufacturers and IP Rights Owners to understand who they are actually doing business with prior to closing a sale. Key regulations with an ‘end user verification’ obligation include:

  • Export Control Regulations (aka ‘trade compliance’) – which require parties involved in the sale of military or ‘dual use goods’ (those with both military and civilian applications) to obtain licenses or permits prior to a sale. Often, additional steps must also be taken from a supply chain integrity and security perspective to ensure such goods are not diverted before or after delivery.
  • Economic and Trade Sanctions – can be applied by supranational bodies such as the United Nations Security Council, or individual countries (such as the United States Office of Foreign Asset Control). Very simply, sanctions laws can be breached if a product, financial transaction, or service (amongst other things) is provided to a sanctioned individual, entity, jurisdiction, or industry in a specified jurisdiction.
  • Bribery & Corruption – the most far-reaching anti-bribery and corruption laws are the US Foreign & Corrupt Practices Act (FCPA) and the UK Bribery Act. The risk here for IP Rights Owners or Manufacturers is that one of their distributors may be paying bribes to public officials, for example, to purchase their products, for which they are liable. Associated red flags might include orders from commercial enterprises where the purchaser should actually be a government agency.

Business Drivers for End User Verification

Gray Markets & Parallel Imports arise where a company purchases product in bulk in a low cost jurisdiction, and ships it to a high cost jurisdiction for resale. Gray market operators can work in global syndicates and quickly cause harm to consumer trust in your brand, frustrate authorised distributors by eroding their market, and impact sales. The second business driver for End User Verification is Brand Protection and Anti-Counterfeiting. In some markets, it is not uncommon for unscrupulous competitors or criminal counterfeiters to purchase products for reverse engineering.

A simple example might be where a buyer based in a country where you do not currently have a distribution arrangement purchases samples of your product for counterfeiting and subsequent sale. Where products are in high demand from consumers in a given market, and that environment is conducive to counterfeiting, particular care should be taken to evaluate purchasers. Whilst it may be possible for counterfeiters to acquire your product from another market or a secondary market, this doesn’t mean you need to make life easy for them.


The End User Verification process

There are two elements of the End User Verification process which can be undertaken simultaneously or separately, being (1) due diligence on the customer (i.e. ‘know your customer’ steps), and (2) due diligence on the transaction. Knowing your customer involves understanding who they are and whether they are in your target demographic, as well as other factors such as their credit rating. Performing due diligence on the transaction involves understanding what the customer intends to do with your product, the viability of these claims, and the risks inherent in the transaction.

To give an example, a regional government education department purchases 100,000 computers, at a steep discount because of the volume. On the face of it, the government education department makes a good customer – they can afford to pay, they are not associated with any sort of illegal activity (e.g. named on a sanctions list) and they are the sort of customer a computer manufacturer might want to sell to, so they pass step 1, the ‘know your customer’ test. As you review the transaction, you find that the region only has the need for 50,000 computers based on student numbers. So why purchase 50,000 computers more than they could legitimately need? You reflect further and consider that bribery and corruption in that country is high – could the procurement officer be purchasing 50,000 more computers than the schools require so they can be sold to a reseller in the region at a steep discount, minus a kickback for their efforts? Clearly further investigation (End User Verification) is required.

With the ability to make or break a sale, it is essential that the End User Verification process be independent of the sales department. For a start, doing due diligence on your own deals, which you want desperately to succeed so you can earn your sales bonus, is a clear conflict of interest. Secondly, this is not the core job of a sales team – they are unlikely to have the specialist skills required to perform the work and perhaps worse, could even engineer the End User Verification process so that any red flags remain hidden until long after they have left the company.

Data Sources, Red Flags and Threat ‘Patterns’

In the context of a transaction involving a large purchase of product, End User Verification involves understanding who the customer is, why they want to purchase that volume of product and what they intend to do with it. This involves a number of steps such as:

  • Determining whether the company is a going concern, and whether it has adequate financial, sales and distribution capabilities to actually execute against its stated intent
  • Understanding whether the company’s characteristics, such as its date of registration, beneficial ownership, shareholders, market presence, business licensing, and other factors align with the seller’s expectations
  • Understanding the track record of the business’ management team – can they execute against their stated intentions?
  • Identifying what controls, if any, should be or are in place to prevent the buyer (End User) reselling the product to an unauthorised third party

Due diligence teams typically compile their own lists of red flags as well as threat ‘patterns’ (aka ‘typologies’ or ‘fraud schemes’) as they relate to their respective organisations. These can be used to inform the basis of questionnaires sent to a prospective new customer or asked by the sales or compliance teams whilst reviewing and approving any sale or discount.


Managing the risks – what does a good End User Verification program look like?

Key elements of an EUV program

A robust due diligence program is essential to minimise the risk that a product shipment will be diverted to an unapproved end user. End User Verification typically forms part of a broader program that encompasses Supply Chain Integrity and Market Surveillance (Post & Post, 2008) which comprises elements such as:

  • Knowing who your customer actually is
  • Evaluating the transaction and its legitimacy
  • Performing market surveillance to monitor the market for your product and the quality of any products being sold (i.e. authentic versus counterfeit)
  • Identifying the risks in supply and distribution chains and implementing effective internal controls, and,
  • Implementing appropriate supply chain integrity mechanisms, including track and trace programs, to identify the source of any diverted product on the market

Who should perform the due diligence?

Some organisations make performing due diligence the responsibility of the Sales & Distribution teams, whilst in others this work may be performed by Risk & Compliance, Audit or Finance, or alternately it may be outsourced to a specialist service provider. When deciding who will undertake the due diligence, it is important to avoid any conflicts of interest. It goes without saying that the person making the sale is almost always incentivised to make sure a deal goes ahead. They are therefore conflicted when it comes to performing any due diligence, and should not be considered independent. A good End User Verification program involves someone else in the organisation, divested from the Sales process, performing the due diligence.

Hot Tip: Throughout my career, I have worked with Sales & Distribution or Corporate Strategy / Mergers & Acquisitions teams to perform due diligence on prospective business partners, customers or investments. I know there is nothing more frustrating for someone than to spend months, or even years, converting a deal only to have it killed at the last minute because the customer was not who they claimed to be.

To avoid this situation, I try to be proactive and conduct at least basic screening at the first available opportunity (i.e. as soon as the prospective client list is drawn up). There might be 100 prospects on a list, but performing some initial due diligence quickly identifies unsuitable opportunities which can be eliminated, leaving front-line teams to focus their efforts on deals likely to succeed. As a customer moves along the sales funnel, additional due diligence checkpoints can be added so that progressively more in-depth screening is performed (commensurate to the risk of the transaction, product, customer or jurisdiction), until the deal is done.
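The progressive, risk-commensurate checkpoints described above, together with the independence requirement from the previous section, can be modelled as a simple gating function. This is an added illustration, not code from the article; the risk factors, scores, thresholds and funnel stage names are constructed assumptions.

```python
"""Risk-tiered End User Verification checkpoints (constructed illustration)."""
from dataclasses import dataclass, field

# Funnel stages in order; screening deepens as a prospect advances (assumed names).
STAGES = ["prospect_list", "qualified", "proposal", "contract"]
# Screening tiers ordered by depth.
TIERS = ["basic", "standard", "enhanced"]


@dataclass
class Prospect:
    name: str
    deal_owner: str            # salesperson converting the deal
    jurisdiction_risk: int     # 0 low .. 2 high (assumed scoring)
    product_sensitivity: int   # 0 commodity .. 2 controlled / dual-use (assumed scoring)
    transaction_value: float
    customer_type: str         # e.g. "distributor", "oem", "end_user"
    red_flags: list = field(default_factory=list)   # matched typologies, unresolved


def inherent_risk(p):
    """Sum of factor scores; the weights and thresholds are constructed for this example."""
    score = p.jurisdiction_risk + p.product_sensitivity
    if p.transaction_value >= 1_000_000:
        score += 2
    elif p.transaction_value >= 100_000:
        score += 1
    if p.customer_type == "distributor":   # onward sales are harder to verify
        score += 1
    return score


def required_tier(p, stage):
    """Minimum screening tier before the prospect may leave `stage`."""
    idx = STAGES.index(stage)
    base = 0 if idx == 0 else (1 if idx < 3 else 2)   # deepen along the funnel
    bump = 1 if inherent_risk(p) >= 4 else 0          # higher-risk deals screen earlier
    return TIERS[min(base + bump, len(TIERS) - 1)]


def checkpoint(p, stage, screening_done, reviewer):
    """Return (ok, reason). The reviewer must not own the deal; any open red flag blocks."""
    if reviewer == p.deal_owner:
        return False, "reviewer is not independent of the sale"
    need = required_tier(p, stage)
    if TIERS.index(screening_done) < TIERS.index(need):
        return False, f"{need} screening required at {stage}, only {screening_done} performed"
    if p.red_flags:
        return False, "unresolved red flags: " + ", ".join(p.red_flags)
    return True, "cleared"
```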

Knowledge & Training

In order to be effective in their role, employees performing End User Verification must understand what a legitimate business looks like when reviewing its footprint in the market. These employees must be able to identify red flags and indicators across a variety of jurisdictions and business types (e.g. distributors, OEMs), understand public and financial records, be competent at performing internet investigations, and have good general investigative and analytical skills.

The task of End User Verification and other ‘know your customer’ activities is not always straightforward: It is quite easy for a ‘dodgy’ company to be made to look legitimate to outsiders. The news and proceedings of regulators around the world are full of examples of businesses (including those with professional Anti-Money Laundering and Sanctions Compliance staff in companies such as banks and government agencies) which have failed to identify such businesses through their diligence process. As such, it is essential that those performing the task possess the requisite knowledge and skills to effectively perform the role.

Access to Resources

Performing effective End User due diligence requires access to the right resources to identify red flags and other risk indicators. Depending on the extent of diligence performed, this can require access to a variety of free and paid information sources, including:

  • Company, Director and Beneficial Owner records for the relevant jurisdiction
  • Sanctions and other commercial watchlists, such as RDC or Refinitiv’s World-Check
  • News sources, including general media (e.g. Factiva) and specialised industry publications
  • Biographical sources, such as LinkedIn and other business journals, which provide the ability to assess management’s track record in the industry
  • Investment databases, such as Crunchbase, which can show cases where new funding sources have been obtained for growth, new market entry or innovation

Performing this sort of work requires a budget. If you are performing the due diligence yourself, you typically need to review multiple independent sources (many of which require an annual licence subscription, which does not suit one-off purchases) to build the picture required to make your assessment of the End User’s validity – there is no such thing as a ‘universal database’ that will answer this for you. Further, for many sorts of due diligence inquiries, databases and desktop research are only the first step in the process. You will often need access to specialist resources for tasks such as interviewing customers and competitors, which cannot be replaced by a database or automated.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.