Organizations are experiencing rapid supply chain expansion with a decentralized supplier base. Supply chain and manufacturing methodologies such as lean, just-in-time and outsourced supplier networks have provided major benefits in the value chain but are causing serious concerns too. Businesses can face multiple risks across their entire supply chains, such as supplier, process, regulatory, intellectual property, political and economic risks. Organizations should adopt a risk framework for their supply chain processes to identify key risks and to manage, mitigate and minimize their impact on business performance. Risk analysis and risk self-assessment: document and evaluate the risk framework for all supply chain processes. Supply chain management decisions have started overlapping with corporate financial strategy, and CFOs are working on ways to reduce cash-to-cash cycle times, achieve profitable growth, deliver predictable revenue and reduce the company's risk profile. Natural catastrophes, such as earthquakes, tsunamis, hurricanes, volcanic eruptions and floods, and man-made disasters, such as wars and terrorist attacks, or just plain human error, can have major impacts on supply chains.
Looking at various types of software, software development and acquisition life cycles, and risk and exposure to and from software, vulnerabilities are shown to facilitate the disruption of the supply chain and provide those with bad intentions opportunities to steal and manipulate software and otherwise diminish its value. To ensure that incidents are quickly recognized and their impact minimized, organizations must have a good understanding of the intricacies of particular software supply chains and the potential effects of disruptions. Furthermore, transaction-level simulation models of software supply chains can be effective in identifying weaknesses and formulating mitigating strategies. Most of the literature on supply chain risk management addresses the manufacture and distribution of physical products and further focuses on disruption of the supply chain and on counterfeit products, particularly in the pharmaceutical and luxury goods industries. This definition covers the chance that an organization is able to satisfy customer demand adequately and can avoid substitution for the real products, such as counterfeit drugs or other products, that could cause physical harm to customers and financial loss for businesses.
While there are many discussions about supply chain risk management as it pertains to software and software-intensive systems, there is no comprehensive definition of software supply risk. For the purposes of this article, risk factors relating to supply chains for embedded software are considered mostly the same as risk factors affecting physical products, to the extent that embedded software is considered part of an overall product. Software that is used to manage supply chains also needs to be considered, since effective supply chain management can mitigate many of the risk factors normally encountered. The effectiveness of managing supply chains depends on how comprehensive, accurate and timely such supply chain command-and-control systems are. It is important to differentiate between the software (or system) development life cycle (SDLC) and the software supply chain life cycle.
Figure 1 compares the characteristics of software products to those of physical products throughout the supply chain life cycle. Although supply chain risk usually dominates the manufacturing and distribution phases, more emphasis should be placed on the early phases of the product development process.8 This is particularly relevant to software supply chains, in which development efforts are often greater than those for distribution, because the electronic distribution of software is relatively simple and inexpensive compared to distributing and selling physical products. For example, with respect to confidentiality, one must consider the potential risk of someone stealing intellectual property or trade secrets, as well as the consequences of compromise of customer and employee personal data, particularly that which is considered by lawmakers and regulators not to be in the public domain, and of business data, such as planning strategies, intent to merge with or acquire other entities, and so on. When it comes to integrity, one can imagine the supply chain processes, as well as the modification of software products and related data, being exploited by criminals.
Not only must one aim to mitigate supply chain risk, one must also be able to demonstrate that the mitigation efforts have been effective. A report by the US Department of Defense Information Assurance Technology Analysis Center (IATAC) suggests that constituents are subjected to various supply chain threats.11 Figure 2 assigns threats to constituents. The potential effects of the supply chain threats of figure 2 become much more complicated as systems are combined with other systems and products in various ways, as described in a Software Engineering Institute (SEI) report.12 The SEI report points to the similarities and differences between product suppliers and system development contractors and notes that acquirers' assessments of products take place after the product development is completed. The report suggests, however, that more work is needed to provide acquirers with useful tools.
Figure 3 illustrates four ways in which software systems may be combined and the characteristics of the combined systems. Activities for the management of risk vary with the various phases of the supply chain or acquisition life cycle. It is particularly difficult to get a full picture of all the complexities and nuances of global supply chains as they consist of so many constituents and components.
For custom-built software, a major differentiator, with respect to those risk factors related to software design and development, is the location of those efforts and the culture of those doing the work.
Risk is markedly different with respect to the degree of outsourcing and geographic dispersion. Figure 5 illustrates factors affecting supply chain risk throughout the development life cycle. There have been several research efforts related to resolving issues around global software development (GSD) and risk of software supply chains. To make decisions with respect to any particular supply chain it is necessary to understand each phase and the interaction among phases. Most of the attention and concern about the supply chain relates to the manufacturing of software systems by third parties—either custom or OTS. The risk relating to the software supply chain largely depends on the nature and origin of the software.
Examination of risk related to software supply chains demonstrates that in addition to factors, such as disruption due to natural disasters, that are common to all supply chains, software supply chains are subjected to risk that is specific to software, such as the insertion of malware. The initial challenges that have been addressed in this article are to identify and understand software-specific supply chain threats and vulnerabilities and protect against them. A great deal has already been accomplished in various industries, such as financial services, to gain better understanding of software supply chains and their inherent risk. Although an expanded supplier base has helped organizations gain major cost advantages and market share, it has also resulted in a less stable supply chain.
For example, a supplier's failure to deliver raw material can result in lost market share and lost revenue. Companies without centralized supply chain governance can see negative impacts on procurement, manufacturing and time-to-market processes, which in turn can affect the company's financial strategy.
Organizations also need the ability to monitor supply chains, identify attacks and failures, and respond quickly to any aberrant behavior.
Software supply risk is a combination of factors that relate to adverse events affecting software throughout its supply chain life cycle and the probability of those events occurring.
However, even though embedded software may not be top of mind for manufacturers and distributors of physical products, particular risk factors, to which software is generally subject, must be considered for embedded software. Frequently, organizations are surprised to discover the interrelationships and common points of failure that exist within their supply chains—discovering them only when there are disrupting events, in which case it often takes days and weeks of investigation to get a full understanding of where interdependencies exist and how they might be reduced. The former applies to the phases inherent in the manufacturing and deployment of all software, and the latter relates to processes that involve suppliers and customers of software products. Similarly, one needs to consider the range of impact for the other risk elements listed here. To evaluate supply chain risk factors of such combined systems, it is necessary to examine the origins and functionality of each component as well as the interactions among them.
The SEI report enumerates those activities as they relate specifically to security risk.14 Figure 4 assigns such activities to the phases of figure 1. As can be seen from the diagram, there are general types of events, such as natural and man-made disasters, that can affect all supply chains including the software supply chain. Figure 5 does not assign particular SDLC phases to supply chains since that assignment varies with the distribution of activities among onshore, offshore and in-house facilities and resources. The US financial services sector has worked on supply chain issues and surveyed industry members with respect to various aspects of supply chain risk mitigation. Among these important areas are functional security testing, which is testing performed to ensure that the software does not do that which it is not supposed to do,17 and activities relating to the disposal of the software and any sensitive information that it might contain.
However, it is important to include internally developed software when discussing the software supply chain, since, even when the manufacturing takes place in-house, there is usually significant reliance on outside services, and of course, virtually all custom-built application software relies on third-party software products, such as operating systems. Figure 7 shows the levels of risk that may be expected with respect to software from different sources and whether or not technical support is available.
Since software supply chains are so complex, risk was considered at each stage of the software development and software supply chain life cycles and activities were suggested to mitigate some of the risk factors.
However, much remains to be done in the public and private sectors in order to achieve an acceptable level of understanding of related risk and how to mitigate it, and then use that understanding to implement effective methods and approaches to improve the security and integrity of these supply chains. Supply chains are vulnerable to various types of disruptions caused by uncertain economic cycles, consumer demands, and natural and man-made disasters. The manufacturer has realized great savings potential but runs the risk of operational disruption due to political instability in neighboring countries. Supply chain risk management is an essential part of the supply chain governance system, ensuring that risks are identified across the entire value chain and mitigated in order to deliver financial goals. This article defines supply risk factors as they pertain to various forms of software, examines their impact and offers suggestions for identification and mitigation. While disruptions to manufacturing from catastrophic events can be highly visible, events that affect the software supply chain are usually less observable, but can be just as devastating. These help participants understand the intricacies and interactions of components of software supply chains and how failure of any component affects the overall system.
It is highly desirable, therefore, to build a custom system or implement a commercial supply chain management system that is complete and up to date in its understanding of the complexities and relationships among supply chain components and that provides close to real-time, accurate information about disruptions and their impact. However, there are also a number of compromises, such as the insertion of malware, that are prevalent with or unique to software. However, there does not appear to be much in the way of modeling the impact of adverse natural and human-invoked events on software supply chains. Each aspect may proceed along its own path, but, ultimately, it is the combination of all three that makes for a resilient, high-integrity software supply chain. An unstable supply chain increases the risks of conducting business operations and raises concerns about the continuity of manufacturing or service delivery operations. Similarly, a leading automobile manufacturer uses a just-in-time process model for assembling its cars with parts from its preferred vendor, but runs a high risk of business loss if the vendor violates a regulatory requirement.
Furthermore, there are piracy issues that arise from phony software.3 Software differs from physical products in a number of important ways and the various types of software affect supply chain risk in different ways. Few researchers appear to even consider the risk of compromise of supply chain management software.
Others, such as the theft of intellectual property and other sensitive data, are common across many products, but are facilitated by the ability to copy software and data without changing the original or having to be onsite.
The models should be developed using subject matter experts from the software supply chain field and refined and honed to realistic representations by means of closed-loop exercises—where experiences and lessons learned are ploughed back into model development in order to arrive at more realistic models. Supply chain risk management needs to be adopted as best practice for supply chain governance to minimize impact on financial strategy and profitability.
Software supply chains are also subjected to a host of risk factors that are particular to the characteristics of specific unique software.
However, such software may be compromised, even to the extent that it may be made to report that everything is in order when it is not,7 and, therefore, may represent a significant risk.
For example, there is no supply chain for software that is built totally in-house, using in-house engineers.
The usual definition of risk includes both the probability of the event and some measure of the consequences or impact of the event if it were to occur.
On the other hand, for COTS software, the early stages of the SDLC, along with maintenance and technical support, are considered to be within the supply chain, while the operations phase is not part of the supply chain if the software system is operated in-house.
By multiplying the probability of an event by its impact, one arrives at the expected value of the event (usually an expected loss), which is generally accepted as a definition of risk.
Further discussions of various approaches to risk can be obtained from many sources, such as: Axelrod, C.