The Hidden Cost of Fragmented Supply Chain Security (and How to Fix It)

In most organisations, no single function owns supplier risk. Procurement assesses suppliers at onboarding from a business angle, security runs its own security reviews, legal handles the contract and compliance keeps its own records. The work is split across multiple departments, each in its own system, creating overlapping and often redundant data. The entire process is highly inefficient.

That fragmentation gets treated as the security team's problem, but the cost spreads across the entire organisation. Fragmented supply chain security is a business operations problem as much as a resilience one.

The answer is to operationalise supply chain security through continuous, connected supplier assurance, where every function works from a single, continuously updated supplier profile. That shift is what this article sets out.

Fragmentation Is Quietly Multiplying Operational Costs

Fragmented supply chain security multiplies operational costs across the organisation, in duplicated effort, inconsistent supplier information and slower decision-making. A single supplier passing through procurement, security, legal and compliance answers, in effect, four overlapping questionnaires for one customer. Each new supplier compounds the load, so fragmentation scales poorly as the supplier base grows.

Multiple teams, multiple workflows, one supplier

Take a supplier onboarding to deliver a new service. Procurement collects company details, financials and references. Security asks for the supplier's certifications, policies and control evidence. Legal asks for the same ISO and SOC certificates again for the contract file. The supplier completes each request separately, because the requests arrive separately.

It is the same work several times over, and answers come back slower each round. The organisation is left with several versions of the supplier's security posture in different systems, none agreed as definitive.

The cost compounds as supplier ecosystems grow

At 50 suppliers, the repeated reviews are an overhead the team absorbs. At 2,000, it needs far more analysts to do the same duplicated work. Onboarding takes longer because the queue is longer. A supplier selling into 50 regulated customers, each running its own procurement, security, legal and compliance review, can face 200 near-identical requests a year and begins deprioritising them. And because every team is clearing its own backlog, nobody notices when a supplier takes on a new subcontractor or lets a certificate lapse.

Cross-Team Validation Is Slowing Business Operations

Approving a supplier means waiting for several teams to sign off in turn. Security flags a finding. Procurement has already approved the commercial terms. Legal will not complete the contract until the finding is resolved. Each team waits on the others, and the supplier waits on all of them. The same finding is escalated more than once as it moves between teams, and because no one owns the final decision, accountability for it is unclear. When teams read the finding differently, the supplier is asked to clarify it again.

Supplier onboarding delays become revenue and productivity problems

A supplier held up in review holds up whatever depended on it. The product launch that needed the new payment provider slips. The migration that needed the new hosting partner waits. These delays are rarely counted as a security cost. They show up as missed dates and stalled projects elsewhere in the business.

Fragmented governance creates decision paralysis

A fast decision needs one view of the supplier. When the security finding sits in one tool, the remediation status in an email thread and the contract position in a third system, the person deciding has to assemble the picture first. So they hesitate. The review is reopened, the decision slips to the next meeting, and the supplier is asked again for information it has already given.

Inconsistent Supplier Data Creates Hidden Risk Exposure

Separate processes produce separate records, and the records disagree. Procurement's file says the supplier is approved. Security's assessment says remediation is outstanding. The contract legal signed predates both. No version is complete on its own.

So the basic questions are hard to answer: which suppliers carry the highest risk, which share the same critical subcontractor, and which still have open remediation. The answer changes with the team and the system asked.

Disconnected risk signals leave organisations blind

Each signal sits where it was created. The penetration test result stays in the security team's tooling. The supplier's late-payment record stays with procurement. The fact that two critical suppliers run on the same cloud region is recorded nowhere.

External rating tools do not close the gap, and can widen it, as set out in this analysis of why external scanning alone misses internal risk. A good external score reflects what is visible from outside, not the controls the supplier runs. Without a single source of third-party risk visibility, the first sign of a problem is often the incident itself.

Fragmented visibility increases the severity of breaches

The longer a supplier breach goes undetected, the more it costs. IBM's 2025 Cost of a Data Breach report found breaches contained within 200 days cost around $3.87 million on average, against $5.01 million for those that ran longer, and named third parties as the second most common way in.

The route in is increasingly a supplier. Verizon's 2025 Data Breach Investigations Report found the share of breaches involving a third party doubled to 30%. When the signals that would catch a supplier compromise are split across teams, detection is slower and the breach often goes undetected longer.

Why Fragmented Supply Chain Security Weakens Resilience

The duplicated work is the cost most organisations notice. The bigger problem is what fragmentation leaves uncovered. The UK government's Cyber Security Breaches Survey 2025/2026 found only 15% of businesses formally review the risks posed by their immediate suppliers, and 6% review the wider supply chain. Most do not look past their direct suppliers, and split ownership is much of the reason.

Risk cannot be managed effectively in silos

Procurement knows the commercial relationship. Security knows the control assessment. Legal knows the contract. None of them is asked what those suppliers depend on. The shared subcontractor, the common cloud provider and the fourth-party dependency fall between the teams, because reviewing them is no one's job.

The gap is becoming a regulatory one. The UK Cyber Security and Resilience Bill, now going through Parliament, lets regulators designate critical suppliers and brings managed service providers under direct supervision. Boards will need to produce evidence of supplier oversight for their regulator.

Modern supply chains require continuous assurance

An annual questionnaire describes a supplier on the day it was completed. By the next quarter the supplier may have changed hosting provider, taken on a new subcontractor or had a certificate lapse. The file no longer matches the supplier. Oversight has to update when the supplier changes, not 12 months later.

How ASCS Reduces Both Operational Cost and Risk

Active Supply Chain Security Management (ASCS) replaces the separate, repeated reviews with one supplier profile that every team uses and that stays current. It turns supplier assurance into a continuous activity rather than an annual one.

In a network-based model of supply chain security, a supplier completes one profile and shares it with every customer that needs it, rather than answering each separately. Procurement, security, legal and compliance read the same profile, which gives the whole organisation the same third-party risk visibility, and when the supplier updates it, every customer sees the change.

Connected supplier intelligence reduces operational friction

Working from one profile ends the repeat requests. Security stops re-asking for certificates procurement already holds, and the supplier answers once instead of four times. When a question comes up, every team sees the same answer, so the decision is faster.

Continuous assurance improves decision-making at scale

A live profile changes what the team can act on. The analyst sees the supplier's current position instead of last year's snapshot, and prioritises the suppliers that need attention now. A flag raised against a shared supplier reaches every organisation that uses it, and board reporting draws on one current dataset rather than a manual roll-up. Supplier oversight runs as a continuous operation, and it holds up as the supplier count rises.

The Organisations That Fix Fragmentation Will Move Faster and Safer

Fragmented cybersecurity supply chain risk management costs more than the security team's time. It lengthens onboarding, multiplies admin across procurement, legal and compliance, leaves shared dependencies unwatched and lets supplier breaches run longer before anyone notices.

Connecting the work removes the duplication and closes the gaps at the same time. Active Supply Chain Security Management, the model Risk Ledger built around shared supplier profiles and continuous supplier assurance, gives procurement, security, legal and compliance one current view of every supplier. The organisations that move first will onboard faster and find problems sooner than those still sending four questionnaires to the same supplier.
