Welcome to a blog post series on Exiger’s fight to secure supply chains, sponsored by Exiger LLC. In this series, we have explored the ongoing efforts of Exiger to lead the discussion and enhancement of Supply Chain Risk Management. In our concluding episode 5, I visit with Dan Banes, President of Commercial Technology, and Mark Henderson, Director of Solution Design Lead, and discuss supply chain issues in the energy sector.
Energy is one of the high-profile natures of the energy business, with long-standing business relationships, literally around the globe. Due to this high-profile nature, anytime there is a cyber-breach, it garners much attention. To see this play out, one only has to look at the Colonial Pipeline hack. This profile means that the whole world is watching the energy and the energy ecosystem.
We discussed some of the key drivers for change within the energy industry around third-party and supply chain risk management. Banes believes there are a couple of key trends in energy around supply chain risk management. The first is transparency (or perhaps lack of transparency) and the fact that many energy companies only have visibility into the first layer of their supply chain. This could be in the company they purchase their hardware from or the software products they install. He believes energy companies need to go down into those next layers to understand the additional suppliers that feed into those pieces of hardware or software.
The second area we reviewed is the monitoring of cybersecurity risk. Henderson said typically, and the approach has focused on “things like questionnaires and attestations that companies sign that say that they have a robust cybersecurity program.” He said, “now data is available for companies to do their homework themselves. This allows companies to understand the different companies within their supply chain and have transparency of the third parties you deal with directly and those suppliers down the chain. It allows a company to be alerted to a vulnerability and then quickly mitigate before a cyber security breach or attack happens.”
He believes companies will have to continue to push down responsibilities to that wider supply chain ecosystem. Companies are starting with their highly critical supply chain partnerships and ecosystem vendors. This has led to a “quite a collective dialogue, which is beneficial for the industry. If you go back to the point, we made earlier, one successfully compromised entity can have a ripple effect across the supply chain. It is better equipped for a successful defense if the industry can move their standards and best practices forward together.”
We then turned specifically to Russia sanctions. Here Henderson returned to transparency; companies need to understand the networks of parties they are dealing with. But it is more than simply understanding the company; and it also understands the owners of that company, the ultimate beneficiary, the key management personnel, so you can make sure that none of the individuals associated with the company are sanctioned individuals or on a Specially Designated National (SDN) list. This level of transparency and screening should be maintained on an ongoing basis to ensure that you stay up to date with all new sanctions. This is a fast-paced environment and ensuring that you have controls in place and the transparency in the companies you deal with is very important. The second component is ensuring you have proper supply channels. Russia and Russian companies are large exporters of energy products. This will impact the supply chain for several energy companies and has already caused supply shortages in many cases.
We concluded by looking at Environmental, Social, and Governance (ESG) and how ESG regulatory risk management has evolved within the energy industry. While most compliance and supply chain professionals understand that the ‘E’ has traditionally been the most letter within the ESG acronym, the ‘S’ within ESG, the social issues, is rapidly becoming as important a focus area as the ‘E’ has traditionally been. Banes noted a “huge commercial incentive for companies to move forward in this space; appropriately and effectively.” It could be based on legislation, such as the UK Modern Slavery Act or its German equivalent, but it could also be pressure from key stakeholders such as customers or employees. He noted this “will require companies to identify, assess, prevent, and remedy human rights, risks, and impacts across their supply chains.”
The recently proposed Securities and Exchange Commission (SEC) rules on reporting material climate change risk point to many concepts we touched on herein. Henderson noted that initially, these proposed rules were “meaningful accountability.” But Scope 3 adds “the transparency component as you are also moving down the supply chain and leading to perhaps commercial opportunities that were not present before because of collaboration.” Banes noted, “it does come with an opportunity to have a more meaningful relationship across your supply chain and find those efficiencies even that we were discussing across the control environment but finding those efficiencies when it comes to environmental risk and emissions. To obtain the data required for Scope 3 requires that partnership and the industry come together to find those efficiencies within the supply chain.”