GV.SC-03.081
Does your organization have a documented process for escalating material cybersecurity risks identified in your supply chain to senior management and addressing them within your enterprise risk management framework?
Explanation
This question assesses whether the organization has formalized procedures to ensure supply chain cybersecurity risks receive appropriate visibility and treatment at executive levels. Material cybersecurity risks in the supply chain (such as critical vulnerabilities in third-party components, security breaches at key vendors, or compliance issues with suppliers) must be communicated upward to decision-makers who can allocate resources and authorize mitigation strategies. Evidence of fulfillment could include a documented escalation procedure specific to supply chain risks, meeting minutes from executive risk committee discussions of supply chain security issues, a supply chain risk register that includes escalation thresholds, or integration documentation showing how supply chain cybersecurity risks feed into the enterprise risk management system.
Implementation Example
Escalate material cybersecurity risks in supply chains to senior management, and address them at the enterprise risk management level
ID: GV.SC-03.081
Context
- Function
  - GV: GOVERN
- Category
  - GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
  - Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes