Acquisition Vs. Supply Chain Risk

Acquisition risk is a business administration level issue, whereas supply chain risk is a process and technical implementation level issue.

The interdependence of acquisition risk and supply chain risk can lead to confusion, “gray areas”, frustration, and unaddressed risks. This post will attempt to highlight the major boundaries between acquisition risk and supply chain risk. Because the minor boundaries will depend on internal organizational business units, processes, politics, and maturity, this post will avoid assigning specific low-level responsibilities.

Acquisition

Acquisition is the process of procuring any asset through internal development, external purchase, obtaining and modifying external resources, or a mixture of any of these. An example would be an organization paying a third party to modify and install open source software for internal use.

Supply Chain

The supply chain is any source of assets, asset components, or subcomponents. This includes (but is not limited to) newly developed or purchased assets, personnel, software updates and patches, as well as electrical and restorative services.

Acquisition Vs. Supply Chain Risk Confusion

If every procured asset is an acquisition, and the supply chain is any source of assets, the two seem like they might be the same thing, so we must rely on nuances to tell them apart.

Acquisition Risk Nuances

The nuances of acquisition (for the purposes of contracting acquisitions out to the supply chain) deal primarily with contractual, business, and service level agreements. Risks in acquisition are responded to preemptively, through binding documents that meet legal, regulatory, and business requirements.

Supply Chain Risk Nuances

The supply chain nuances deal primarily with the fine details and components of assets. Risks in the supply chain are responded to through the execution of the binding agreements that were created in the acquisition process.

Acquisition Vs. Supply Chain Risk In Practice

An Example For Analysis

A new server running the cloud service provider’s proprietary operating system is purchased from that cloud service provider. The purchaser is responsible for updating and patching the operating system, and the cloud service provider is responsible for maintaining all hardware and the server itself.

Identifying The Risks

There are numerous risks in this scenario, so we will focus on only a few of the larger ones. We will consider the following risks:
• malicious patches
• broken hardware
• stolen hardware
• power outages

Addressing The Risks

The Acquisition Risk

In the acquisition phase each of these risks can be addressed. The risk of malicious patches can be addressed contractually by requiring the cloud service provider to follow best practices such as regression testing, fuzzing, code reviews, code repositories, and version control, to name a few. Broken hardware can be addressed through SLA downtime requirements. Stolen hardware can be mitigated through requirements for personnel screening and physical access controls. Power outages can likewise be mitigated with SLAs.

The Supply Chain Risk

The supply chain mainly focuses on the actual implementation of the acquisition agreements. For instance, malicious patches may be mitigated through sandboxing, on-site regression testing, and patch integrity checking, to name a few options. Cloud service provider systems can be checked for broken equipment (with this option being contractually agreed to during the acquisition phase) to help mitigate broken hardware risks. Similarly, the cloud service provider’s hiring and personnel screening requirements can be verified, and the right to check the provider’s compliance with those requirements can be contractually permitted. Power outages can follow similar contractual permissions.

The delineation between acquisition and supply chain risks can seem murky, but clear waters are possible. Acquisition risk mitigation is primarily an exercise in internal process control and contractual diligence. Supply chain risk mitigation may look similar, but its focus is on preventing risks from being propagated into the environment, even when the assets carrying them were obtained through the acquisition process.