Supply chain risk management is integrated into enterprise risk management processes
Vendor risks that live in a separate silo never get prioritized against business risks. When a critical SaaS tool has a breach, that risk belongs in the same register as your other critical risks, not in a spreadsheet that only the IT team sees. Integration ensures that supply chain risks are visible to leadership, resourced appropriately, and addressed with the same urgency as internal risks.
Implementation steps
1. Add a vendor risk category to the enterprise risk register
Ensure your main risk register includes a category for third-party and supply chain risks. When a vendor assessment identifies a significant risk, that risk should be logged in the enterprise register with an owner, likelihood, impact, and response plan, not just noted in a vendor-specific spreadsheet.
2. Include vendor risk in risk reporting to leadership
When reporting risk to executive leadership or the board, include supply chain risks alongside internal risks. Highlight the top three to five vendor-related risks and their status. This ensures resource allocation decisions account for third-party exposure.
3. Trigger vendor risk assessments from the change management process
When a significant change is proposed (adopting a new vendor, expanding an existing vendor's access, or retiring a vendor), the change management process should automatically trigger a vendor risk assessment. This keeps the risk register current as the vendor landscape evolves.
Evidence required
Risk register with vendor risk entries
An enterprise risk register that includes entries for third-party and supply chain risks with owners and response plans.
- Risk register spreadsheet or GRC tool with vendor risk category
- Executive risk report that includes a supply chain risk section
- Board or audit committee presentation showing top vendor risks
Evidence of integration with change management
Records showing that vendor security reviews are triggered by procurement or change management processes.
- Change request template with vendor security review checkbox
- Procurement workflow showing a security review step for new vendors
- Ticket history showing a security assessment triggered by a vendor change
Related controls
A cybersecurity supply chain risk management program is established
Cybersecurity Supply Chain Risk Management
Cybersecurity roles and responsibilities for suppliers and partners are established and coordinated
Cybersecurity Supply Chain Risk Management
Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
Risk Management Strategy
Supply chain risk management plans include provisions for activities after a supplier relationship ends
Cybersecurity Supply Chain Risk Management