SOS Notes and More: Tackling the Invisible Enemy in Your Supply Chain

In 2019, 6-year-old Florence Widdicombe opened a box of charity Christmas cards her mother had purchased from the UK supermarket giant, Tesco. As she started to write her Christmas wishes, she opened a card that featured a kitten wearing a Santa hat, but to her surprise the card had already been written in. In block capitals was written:

"We are foreign prisoners in Shanghai Qingpu prison China. Forced to work against our will. Please help us and notify human rights organization."

When reports surfaced in the British media, the card supplier denied the claims, stating that it had "never done such a thing". The Chinese Foreign Ministry was also dismissive, and Shanghai's Qingpu prison claimed that it had "no such foreign prisoners undergoing forced labor". For Tesco, it quickly turned into a case of damage limitation. Production was immediately halted, an investigation was launched, and assurances were given to the public that the supermarket chain operated a robust and comprehensive auditing process for its suppliers.

Sadly, these "SOS notes" are not exclusive to Tesco Christmas cards. Similar notes have been found in purses from Walmart, a shopping bag from Saks 5th Avenue, and items of Zara clothing. Supply chains now span the globe, and with that reach comes the complexity of country-specific standards and regulations, or in many cases a lack thereof. Nevertheless, leading brands are intrinsically linked to their third-party suppliers and face continuous scrutiny of their business practices. Employing a robust risk framework is essential to protecting brands from high-risk third-party engagements.

In recent history, COVID-19 has accelerated the use of third-party vendors and suppliers to drive down costs and to bring in key skills and experience with immediate effect. However, taking some liberty with Newton's third law, for every action there is an equal and opposite reaction. The more organizations rely on third parties to deliver their products and services, the greater their exposure to risk, whether in delivery, conduct, or reputation.

One key takeaway from the MetricStream-sponsored study, "Third-Party Risk: A Turbulent Outlook Survey Report 2022", is that although most assurance groups have a tight grasp on their own enterprise and operational risks, third parties remain a key area of concern. 60% of survey respondents reported having experienced an IT security incident in the past two years caused by a third-party partner with access privileges, and an even higher number, 76%, stated that managing all third-party risk was a high or critical priority.

Pressure continues to build as the number of suppliers increases, with a growing share of them classified as delivering high-risk services. This has highlighted the need for more frequent assessments: the onboarding stage alone is no longer sufficient for an organization to ensure risk awareness or operational resilience. The number and type of extensive questionnaires are also set to grow with the introduction of ESG disclosures designed to curb third-party "greenwashing" (more on that next month!).

There is no denying the advantages that an extended enterprise delivers, and it would appear as though for many, the “build versus buy paradox” has been solved. However, every new business endeavor creates both opportunity and risk. In a global supply chain with multiple risks and potential for operational and reputational damage, it is ever more important to know who you're doing business with and whether you can trust them. Can you afford to take risks without knowing?

Stay Resilient with MetricStream Third-Party Risk Management

Gain a real-time unified view of your IT vendors, suppliers, and third-party service providers with MetricStream Third-Party Risk Management (TPRM) software. Protect your organization from existing third-party, and even potential fourth-party, risk exposures with:

  • End-to-end automated processes for information gathering, onboarding, real-time monitoring, risk, compliance and control assessments, and risk mitigation
  • An integrated and federated approach that helps you better manage third-party risks and strengthen operational resilience
  • Integration of trusted content sources, such as Dow Jones, D&B, and BitSight, which provide third-party financial health, anti-bribery, and anti-corruption data to deepen visibility into your third-party risk
  • Intelligent dashboards and reports that help you capture, compare, and prioritize vendor assessment scores for each third party, along with the ability to track improvements in performance over time

Want to see how MetricStream can help protect against vendor and third-party risk? Request a personalized demo now.

Do check out our other resources on third-party risk management.

Product Overview: Third-Party Management Product Overview

eBook: Boosting Third-Party Risk Management in a Time of Uncertainty

Survey Report: Third-Party Risk: A Turbulent Outlook Survey Report 2022

Richard Rivett Market Development, MetricStream

Richard Rivett is a software and technology professional with over 24 years of experience in the technology space spanning vendors, client-side, and consultancy. For the past decade, Richard has focused on the GRC sector in a variety of customer-facing roles, including managing relationships with 35 pan-European clients and leading a Services Team in EMEA.

Richard joined MetricStream in August 2021 in a Market Development role that sees him apply his experience and expertise in the initial stages of customer engagements, focusing on successful client outcomes.