
Securing the Supply Chain through Integrated Risk Management by Andrew Razumovsky, Principal, CANDA Solutions, LLC

“Deliver Uncompromised aims to protect critical technology from cradle-to-grave by establishing Security as a fourth pillar in acquisition, on par with Cost, Schedule, and Performance, and to embrace security, not as a “cost center” but as a key differentiator.” – Defense Security Service (DSS)

DSS shared with industry its plans to execute on Deliver Uncompromised. A few key initiatives under way are the passage of Public Law 115-390 (the SECURE Technology Act); NIST SP 800-171; DFARS 252.204-7012; and the establishment of a DoD Cybersecurity Maturity Model Certification (CMMC), where a required CMMC Level (potentially 1 through 5) will be contained within RFP sections L&M and will serve as a gate of entry to bid on a contract. All these requirements are targeted at lowering supply chain risk.

One approach for the Defense Industrial Base (DIB) to consider as it competes within a Deliver Uncompromised environment is Integrated Risk Management (IRM). According to Gartner[1], by 2021 more than 50% of large enterprises will use an IRM solution set to provide better decision-making capabilities. KPMG recently conducted a survey[2] of more than 800 audit committee and board members and found that the top challenge facing companies is the effectiveness of their risk management program. Many noted that, increasingly, the focus should be on “key operational risks across the extended global organization – e.g. supply chain, Information Technology (IT) and data security risks, etc.”

To manage the complexity of these risks, executives have a multitude of options. Some could consider a “top-down” approach that links their strategic efforts to the organization’s risk profile. Others might put their efforts into a “bottom-up” method, focusing primarily on individual lines of business. The key to IRM success is an integrated view built on a solid foundation of framework, metrics and systems.

Another major trend is building up an Organizational Resilience capability, which increases business resilience and agility in response to deep uncertainty. It requires considerable effort and depends on a variety of crucial-to-success elements such as leadership, culture, people, processes and infrastructure. Another huge step towards the IRM goal is breaking down organizational risk silos in order to achieve a comprehensive, company-wide security posture. One established approach to enterprise-wide risk is based on the security convergence model, which brings all business functions (IT, Security, HR, Legal, CISO, acquisitions, physical access and compliance) together to break down stove-piped systems. It is the only possible way to understand the enterprise in one holistic view. Strategic risk needs to be continually defined based on the policies and procedures in place, with access and measured vulnerabilities remediated. The C-suite and boards will drive Risk Management programs not just for mitigation planning, but to create value and differentiators for the organization as a whole.

Today there are more than 300,000 companies that are part of the Defense Supply Chain, ranging from small businesses to major enterprises, and all of them face a multitude of issues from cybersecurity to compliance. Solutions for solving them

[1] “Top 10 Factors for Integrated Risk Management Success,” Gartner, 2017
[2] “Is Everything Under Control? Audit Committee Challenges,” KPMG, 2017

40 / Service Contractor / Fall 2019

Professional Services Council
