Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Ori Wellington (00:00):
So I was just unwinding recently, Blue Ridge Mountains in North Carolina, some kayaking, hiking, even camped out in the wilderness for a bit, and being out there it really drove home something important: this critical need to navigate unexpected terrain and be ready for, well, anything, which actually sets up our deep dive perfectly.
(00:21):
Today, because modern business, it's increasingly a landscape of hidden weak spots, unexpected disruptions.
We're zeroing in on how just one single point of failure in these interconnected systems we rely on, how that can cascade, cause real widespread chaos.
In our case study today, it's pretty stark.
It's the recent cyber attack on United Natural Foods Inc.
(00:42):
UNFI, the main distributor for Whole Foods.
But look, don't think it's just some grocery story.
It's really not.
It's more like a structural parable, a kind of blueprint for fragility that honestly applies to almost every industry out there.
So our mission for this deep dive, we want to really unpack the risks, the big risks, of this single point fragility and then explore how integrated risk management, IRM, can actually turn
(01:03):
these vulnerabilities into, well, strategic resilience.
You'll get some crucial insights, things you can act on quickly and thoroughly.
That's the goal.
Okay, let's jump right in.
Picture the scene: June 7th, 2025.
What basically happened was a sort of silent node in the North American supply chain just collapsed.
We're talking UNFI.
(01:24):
This is a huge operation, like a $30-plus billion logistics backbone supporting what, over 30,000 stores across the US and Canada, and this cyber attack had forced them.
They had to take their systems offline, which just brought deliveries to a screeching halt immediately.
Sam Jones (01:37):
Yeah, instantly.
And the domino effect.
It was incredibly visible.
Very fast you saw shelves at Whole Foods.
Other grocers just start emptying out.
A real problem for shoppers and the employees.
They were basically told to use one line: We are experiencing temporary supply challenges.
Kind of an understatement, you think.
Oh, yeah, because online you saw these pictures going viral
(01:59):
right, empty refrigerators, bare shelves.
The reality was pretty stark and the financial hit just as direct.
UNFI stock, it tanked, lost nearly $300 million in market value.
Wow, in just two trading sessions, and their systems, weeks later they were still only partially back online.
What this whole thing really exposed, I think, is that a lot
(02:22):
of our modern supply chain, it's operating under this illusion of resilience.
Illusion of resilience, yeah.
It shows how this whole just-in-time efficiency model which everyone chases, it's now colliding head-on with an era where just one point of failure can unravel, well, everything.
The core lesson here, it's pretty undeniable: Concentration breeds collapse.
Ori Wellington (02:40):
Concentration breeds collapse.
That really hits home.
But okay, let's unpack this, because isn't concentration often the goal?
I mean, businesses try to centralize, reduce redundancy for efficiency's sake.
So what's the blind spot?
What does UNFI show us about that pursuit?
Sam Jones (02:57):
That's the fascinating part, isn't it?
It's a paradox.
For decades, operational efficiency, it's sort of masqueraded as strategic foresight.
It looked smart.
Ori Wellington (03:06):
Streamlining.
Sam Jones (03:07):
Exactly.
Minimizing costs, maximizing output.
That led to single-source dependencies.
Almost no inventory buffers, centralized logistics, these became like hallmarks of good performance.
Ori Wellington (03:18):
Okay.
Sam Jones (03:19):
But what got missed was the inherent brittleness that introduces.
You asked about the blind spot.
Ori Wellington (03:23):
Yeah.
Sam Jones (03:24):
It's failing to see how focusing only on efficiency creates a system that's, well, brittle by design.
It makes companies look integrated, efficient on the surface, but really they're often held together by just one thread, one vulnerable thread.
Ori Wellington (03:37):
So the very things meant to make systems strong in a way make them fragile.
And you're saying this isn't just food logistics, right?
This brittle by design thing, where else is it playing out?
Sam Jones (03:48):
Oh, absolutely.
It's everywhere.
It's pervasive.
Just think about any business that relies heavily on one single vendor for something critical.
Could be claims processing in insurance, customer onboarding for a bank, cloud hosting, obviously.
Ori Wellington (04:02):
Sure.
Sam Jones (04:02):
Even third-party risk data providers or operational analytics platforms.
The issue is, as we've transformed supply chains and business processes, that transformation has outpaced our visibility into those chains.
So the interconnectedness has grown way faster than our ability to actually map it, to understand the dependencies.
So, yeah, a company might look really slick and integrated, but
(04:23):
underneath, underneath, its core functions might be silently exposed by just one failure point somewhere out in their network.
Could be a vendor, could be a vendor's vendor.
Ori Wellington (04:32):
Okay, that paints a pretty clear picture and, frankly, kind of a concerning one: widespread fragility.
So, given that reality, what's the answer, what's the fundamental solution here?
This is where integrated risk management, IRM, comes in, I assume.
Sam Jones (04:46):
That's right.
Ori Wellington (04:46):
And how is it really different, how does it change the game compared to, say, just having traditional GRC software ticking boxes?
Sam Jones (04:54):
Yeah, good question.
It's a fundamental shift.
IRM isn't just another platform you buy, it's really an operating model.
The big difference is it provides this enterprise-wide lens.
It unifies risk intelligence.
So instead of having siloed GRC programs, maybe flagging a compliance issue over here, or a tech team finding a vulnerability over there.
(05:14):
IRM connects the dots.
It aligns your risk appetite, what you're willing to risk, directly with your business performance goals.
It links cyber exposure, like we saw with UNFI, to your core operational processes, and it integrates policy assurance, what your contracts say, with real-time data, real telemetry, this unified view.
It helps companies dismantle that illusion of safety you get
(05:35):
from over-optimized brittle systems.
It's built around something called the IRM Navigator model.
It has four strategic goals: performance, resilience, assurance, compliance, and four key integration points: ERM, ORM, TRM and GRC itself, enterprise, operational, technology risk and governance.
Ori Wellington (05:52):
That sounds, well, comprehensive, a whole operating model, and I like how you put that, connecting cyber exposure directly to operations.
That seems key.
Sam Jones (06:01):
Yeah.
Ori Wellington (06:02):
So for our listeners, how does this translate into action?
Like, practically, what are the steps a company takes to build this kind of resilience using IRM?
Okay, yeah, let's get practical.
Sam Jones (06:12):
It really starts with asset visibility, step one.
So take the UNFI case.
Imagine if Whole Foods had, like, proactively mapped its critical product families, every important SKU.
Ori Wellington (06:24):
Okay.
Sam Jones (06:25):
Mapped them to the specific distribution centers, the transport systems used and the underlying warehouse management software running it all.
If they'd had that level of detailed insight, they might have flagged potential cyber risks in that specific part of their supply chain way before any shelves went empty.
That granular mapping, it's absolutely crucial.
You have to see the components first.
Ori Wellington (06:45):
Got it.
See the moving parts.
Sam Jones (06:46):
Exactly.
Then step two is operational rehearsal.
Now most companies, they run cybersecurity drills for their own IT systems.
That's pretty standard.
Ori Wellington (06:54):
Sure.
Fire drills for IT.
Sam Jones (06:55):
Right, but how many actively simulate what happens if a critical third-party vendor, like your main distributor, just goes dark, completely offline for, say, 48 hours or longer?
Under an IRM approach, you'd run tabletop exercises, simulations that rigorously model these vendor failures as core business risks, not just IT problems.
Ori Wellington (07:16):
Okay, so you practice the failure.
Sam Jones (07:18):
You practice the failure.
You get cross-functional teams together, ops, logistics, legal, comms, and you figure out contingency workflows.
You identify alternative suppliers before you need them.
You figure out exactly what you'll tell stores, customers.
The whole point is to prepare in advance, not scramble when disaster strikes.
There's a great quote from John A. Wheeler, the physicist, actually, that applies here.
(07:38):
You didn't lose control.
You never had it.
You outsourced it, then stopped looking.
That's blunt, stop looking.
It is blunt, but it captures it perfectly.
You outsource critical functions, then you stop paying close enough attention.
But just rehearsing isn't enough.
You need accountability, real teeth, and this is where enterprise risk management, ERM, plays a vital role.
(08:00):
Within the IRM framework, the executive team, maybe even the board, needs to define concrete concentration thresholds as part of their official risk appetite.
(08:11):
Meaning clear rules.
For example, a rule might be no single product category or no customer segment that brings in more than 30% of our revenue can depend on just one single vendor.
Ori Wellington (08:23):
Okay, setting limits.
Sam Jones (08:24):
Exactly.
Setting clear limits, and if you have to deviate from that for some strategic reason, it needs explicit documented sign-off from the board.
That elevates this kind of vendor concentration risk from an operational detail to a top-level strategic concern.
Ori Wellington (08:37):
Right.
It forces the conversation at the highest level.
Sam Jones (08:39):
Precisely.
And then the final piece is policy assurance, making sure your contracts reflect the seriousness.
So, instead of just having boilerplate SLAs, service level agreements.
Ori Wellington (08:48):
Some standard stuff, yeah.
Sam Jones (08:49):
Yeah, the standard stuff.
IRM-informed contracts embed really specific things like ransomware-specific security attestations from the vendor, minimum recovery time objectives, RTOs, saying how fast they must recover, and clear third-party audit rights so you can verify their controls.
You can even require key vendors to carry robust cyber
(09:09):
insurance that explicitly includes contingent business interruption coverage.
Ori Wellington (09:14):
Ah, so that protects you if their systems go down.
Sam Jones (09:16):
Exactly, it protects you not just from their outage, but from the economic fallout that hits your business downstream.
It's about building protection right into the partnership DNA.
Ori Wellington (09:26):
That focus on proactivity, the rehearsals, the specific contract terms.
It sounds like a pretty big shift from, maybe, how things were done before.
What are the biggest hurdles, culturally, operationally, especially with cyber threats moving so incredibly fast these days?
Why is this becoming even more critical now?
Sam Jones (09:43):
Yeah, you hit on a really critical point there.
Cyber events, they uniquely expose just how frail these modern business ecosystems are, and it's precisely because they move faster than traditional company response times, much faster.
They often hit, you know, maybe a smaller, lower-tier vendor first, someone you don't even directly interact with much.
Then they cascade, often through shared software
(10:05):
platforms or interconnected systems, and it all stays pretty opaque, hidden, until the damage is already done, irreversible sometimes.
Ori Wellington (10:14):
And this isn't just theory, is it?
Sam Jones (10:15):
No, not at all.
We've seen it again and again.
Just think back: JBS Foods, Colonial Pipeline, Kaseya, SolarWinds, MOVEit.
Ori Wellington (10:22):
Yeah, that's quite a list just from the last few years.
Sam Jones (10:24):
Exactly.
A whole litany of major third-party cyber events with huge ripple effects, and the common thread, it's always these critical dependencies hiding in plain sight.
Now, what makes IRM different from older risk management approaches isn't just getting visibility, it's about achieving true velocity, speed.
Ori Wellington (10:42):
Velocity, how so?
Sam Jones (10:44):
When you integrate risk data across all those domains, technical, operational, financial, like IRM does, you don't just spot the danger faster, you can act on it almost immediately.
Imagine automatically triggering fallback distributors the moment an issue is detected.
Shifting safety stock preemptively, rerouting deliveries in real time, alerting store managers before
(11:06):
customers even notice a problem.
Ori Wellington (11:08):
Wow, OK.
Sam Jones (11:09):
And, crucially, reporting the potential earnings exposure to the board within, say, a day, not weeks later after forensic analysis.
Boards get answers in minutes or hours, not weeks.
That speed, that velocity, transforms risk from this reactive fire drill into something you can actually manage proactively.
It becomes a variable you can control somewhat.
Ori Wellington (11:28):
So if a company really nails this, if they master this IRM approach and get that velocity, what does it actually mean for them long term, competitively speaking?
I mean, does being truly resilient actually give you a tangible edge in the marketplace?
Can people see it?
Sam Jones (11:41):
Oh, absolutely.
There is clear evidence for this.
Research from Wheelhouse Advisors, for instance, shows that companies with mature IRM capabilities, they recover from operational shocks like cyber attacks or supply disruptions, get this, 27% faster on average than their peers.
27% faster.
(12:02):
That's significant.
It is.
And they also see 34% fewer downstream customer complaints after an incident and, maybe most importantly for the long view, 42% lower earnings volatility over a three-year period.
Ori Wellington (12:13):
Wow, lower volatility.
The market likes that.
Sam Jones (12:15):
So, yes, resilience absolutely becomes a competitive advantage, something the market can see, measure and ultimately reward.
And it's not just the market.
Regulators are increasingly looking for this.
Insurers are starting to demand more mature IRM frameworks before they'll underwrite certain risks.
Makes sense.
Plus this broad IRM architecture, it's becoming essential for managing systemic risks.
(12:35):
In all the new stuff, too, think about third-party AI tools, autonomous agents, cloud brokers, data orchestrators, all these new layers of interdependence that are constantly emerging.
IRM gives you a way to maintain stability and trust, even as the technological landscape gets more complex and, frankly, more volatile.
Ori Wellington (13:00):
OK, this really underscores that.
It's a strategic imperative, not just a compliance thing.
And, like you said earlier, this is not a job for procurement, right.
This is a mandate for the executive suite.
Sam Jones (13:06):
Absolutely.
Ori Wellington (13:07):
So for the CEOs, the COOs, gfirst officers listening, or maybe someone reporting directly to one of them, what's the actionable playbook?
What are the five key things they should be doing, like right now.
Sam Jones (13:18):
OK, yeah, let's boil it down to a five-point checklist for the leadership team.
First, conduct a comprehensive concentration risk census.
You need to map out, for every single revenue-critical product or service, how many active suppliers you have, what technologies they rely on and what your contractual protections actually are.
And then, this is key, publish those results internally.
(13:38):
Make it visible.
Ori Wellington (13:40):
Transparency.
Okay, number two.
Sam Jones (13:42):
Second, mandate cyber scoring and recovery metrics in every single supplier agreement.
No more vague security clauses.
You need to explicitly require things like ransomware-specific controls and minimum recovery time objectives, RTOs, with actual proof, actual evidence they can meet them.
Ori Wellington (13:59):
Get specific in the contracts, got it.
Sam Jones (14:01):
Third, run a scenario simulation every single quarter, and don't just do standard IT outages.
You need to simulate major vendor shutdowns like UNFI, yeah, maybe geopolitical embargoes affecting a key region, even simultaneous failures of a third party and one of their critical fourth-party suppliers.
Really stress test the system.
Ori Wellington (14:20):
Okay, realistic, tough scenarios.
Sam Jones (14:22):
Fourth, build a dashboard that unifies risk exposure and management.
Whether you use dedicated IRM software or build an internal platform, you have to get this information out of scattered spreadsheets, legal binders, unstructured emails.
You need that single pane of glass, that unified view, or the risk stays fragmented and invisible.
Ori Wellington (14:44):
Makes sense.
Centralize the view.
And last one, number five.
Sam Jones (14:48):
And finally, fifth, educate the board.
Make concentration risk, make cyber-induced supply chain fragility a standing agenda item.
Don't let it be a footnote.
You have to link it directly to enterprise value, to brand resilience, not just frame it as a compliance chore.
This is about protecting the core business, the entire enterprise.
Ori Wellington (15:07):
That's a powerful checklist, very clear actions.
You know, looking back at the UNFI outage, it really does feel like a massive warning shot, doesn't it?
Not just for grocery stores, obviously, but for any business that relies on critical dependencies, especially the ones that are often hidden from view.
It really hammers home that idea.
The chain breaks where you can't see it.
Sam Jones (15:24):
And IRM is what ensures you see it, hopefully, before it breaks.
Look, in a world that's just getting more and more interdependent, resilience isn't just about bouncing back anymore.
It's really about being able to bend without breaking in the first place.
Ori Wellington (15:38):
Bend without breaking.
I like that.
So a final thought for you, our listeners.
As you go about your week, where might your own hidden dependencies lie?
Maybe it's in your professional systems, a single tool you rely on, a specific team member who holds all the keys.
Or maybe it's even in personal habits, things you just never question.
Think about anticipating those potential vulnerabilities,
(15:59):
because doing that, it can lead to much greater strength, much greater adaptability, really in all areas of your life.