
Who should own supply chain risk management when disruptions hit?

By NHI Mgmt Group Editorial Team. Updated June 24, 2026. Domain: Governance, Ownership & Risk.

Ownership should sit across procurement, operations, logistics, finance, and executive leadership, with a central view of risk and recovery decisions. Disruption crosses organisational boundaries, so the response model must be shared rather than siloed. That is how fragmented risk becomes manageable.

Why This Matters for Security Teams

Supply chain disruption is not owned cleanly by any one function because the failure surface spans suppliers, contracts, inventory, transport, systems, and cash flow. The practical mistake is assuming procurement can “own” the problem while operations or finance only support it. In reality, response decisions change rapidly: substitute vendors, reroute shipments, trigger emergency purchasing, or pause production. That is why shared ownership and a central risk view are essential.

This is the same pattern seen in software and identity supply chains, where fragmented control creates delayed detection and weak recovery. NHIMG’s The State of Secrets in AppSec shows how fragmented secret handling and slow remediation can leave exploitable exposure in place long after teams believe it is contained. The lesson transfers directly to physical and digital supply chains: once disruption lands, the organisation needs a single decision model, not a handoff chain. Current guidance from NIST Cybersecurity Framework 2.0 also reinforces that resilience depends on coordinated governance, not isolated departmental action.

In practice, many organisations discover ownership gaps only after a supplier failure has already forced emergency buying, delayed fulfilment, or created conflicting recovery decisions.

How It Works in Practice

Effective supply chain risk management uses a shared operating model with clear decision rights. Procurement typically manages supplier qualification, terms, and commercial leverage. Operations owns service continuity, production priorities, and workarounds. Logistics handles routing, warehousing, and delivery constraints. Finance determines cost tolerance, liquidity impact, and approval thresholds. Executive leadership arbitrates tradeoffs when the disruption affects revenue, customer commitments, or strategic risk.

The key is not a committee that meets too slowly, but a pre-agreed escalation path that can act in hours, not days. Best practice is evolving toward a central risk function or resilience office that maintains the live risk picture, while the business functions retain execution authority in their lanes. That central view should include supplier concentration, single points of failure, contractual escape clauses, alternate sourcing options, and recovery time objectives.

Practitioners should also avoid treating supplier risk as a static annual review. NHIMG’s Top 10 NHI Issues and 52 NHI Breaches Analysis both show how hidden dependencies and poor lifecycle control create blind spots that only become visible under pressure. The same operational pattern applies to third-party logistics, critical component vendors, and outsourced services. For that reason, current guidance from the OWASP Non-Human Identity Top 10 is relevant as an analogy: identify dependencies, constrain access, and validate what can fail before it does.

  • Assign one named coordinator for incident response, but keep function-specific decision authority intact.
  • Maintain a ranked list of critical suppliers and substitute paths for each one.
  • Pre-approve spend thresholds for emergency sourcing and logistics rerouting.
  • Use a live dashboard for supplier status, inventory coverage, and recovery options.

These controls tend to break down when supplier data is stale and no function is authorised to override normal approval chains during a fast-moving disruption.

Common Variations and Edge Cases

Tighter ownership often increases coordination overhead, requiring organisations to balance fast response against approval discipline. That tradeoff becomes especially visible in regulated industries, where finance may demand strict spending control while operations needs immediate substitution to avoid downtime. The right model depends on disruption type, but the principle stays the same: one source of truth, multiple execution owners.

There is no universal standard for this yet, but current guidance suggests distinguishing between strategic ownership and operational execution. Strategic ownership sits with executive leadership or enterprise risk, while operational execution sits with the function closest to the affected asset or supplier. In highly globalised supply chains, this often means regional decision-making authority is necessary because customs, transport, and local regulation can block a central team from acting quickly enough.

Edge cases matter. For cyber-enabled supply chain events, the response may need closer alignment with technology and security teams, especially when third-party access, secrets, or vendor integrations are involved. NHIMG’s LiteLLM PyPI package breach and Reviewdog GitHub Action supply chain attack illustrate how disruptions can begin in software dependency chains and quickly become enterprise-wide incidents. In those cases, procurement alone cannot contain the event, and neither can operations without security-led containment. The response model breaks down when supplier compromise, contractual escalation, and technical containment are treated as separate problems instead of one coordinated incident.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | GV.SC | Supply chain governance and oversight map directly to shared disruption ownership.
OWASP Non-Human Identity Top 10 | NHI-01 | Third-party dependency failures often mirror weak identity and access control in supply chains.
NIST AI RMF | | Risk governance and accountability principles apply to cross-functional disruption decisions.

Assign accountable owners for disruption decisions and document escalation, oversight, and recovery actions.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 24, 2026.