Across industries, organisations are investing heavily in third-party cyber risk management. Supplier questionnaires, certifications, and policy reviews have become standard practice. Yet despite this, supply chain breaches continue to rise.
The uncomfortable reality is this: we are managing cyber risk as a compliance exercise, not as an operational risk discipline.
If we are serious about securing supply chains, we need to look beyond cyber frameworks and learn from a sector that has already solved a similar problem at scale: health and safety.
The Current Cyber Model: Process Without Outcome
Today’s approach to cyber risk is heavily reliant on assurance mechanisms: supplier due diligence questionnaires, requests for certifications such as ISO 27001, and policy and procedure reviews.
But this model is inherently limited.
It creates duplication across the supply chain, where every organisation asks the same questions of its suppliers, who in turn do the same to theirs. The result is an administrative burden that measures intent, not effectiveness.
Meanwhile, attackers exploit the weakest link, often deep within that same supply chain.
Health & Safety: A Proven Model of Risk Management
Contrast this with how the UK manages health and safety risk.
The framework is not based on trust alone; it is built on accountability, visibility, and continuous learning.
At the centre of this is a culture of mandatory reporting and investigation.
Under RIDDOR, organisations are legally required to report certain workplace incidents. But reporting is only the first step.
Every serious incident triggers formal investigation, root cause analysis, and corrective and preventive actions.
The objective is not just to respond, but to prevent recurrence.
This creates a feedback loop where the entire system continuously improves.
Culture, Not Compliance
Health and safety is not treated as a tick-box exercise. It is embedded into daily operations.
On any UK construction site, the rules are unequivocal: no Risk Assessments and Method Statements (RAMS), no work; no Personal Protective Equipment (PPE), no work; no evidence of competence or training, no access.
Contractors are expected to demonstrate safe systems of work, maintained and compliant equipment, and trained and competent personnel.
Standards such as ISO 9001, ISO 14001, and ISO 45001 reinforce this structure, alongside schemes like CHAS and SafeContractor.
Crucially, this is underpinned by contractual enforcement and legal accountability.
The Result: World-Leading Performance
The outcome of this approach is clear.
The UK is widely recognised as a global leader in health and safety performance, consistently achieving some of the lowest workplace accident rates in the world.
This has not been achieved through paperwork alone, but through a strong reporting culture, mandatory investigation and learning, clear accountability at every level, and non-negotiable operational controls.
In short, the proof is in the pudding.
Applying the Same Discipline to Cyber Risk
Now consider cyber security.
Where is the equivalent of mandatory incident reporting across the supply chain, standardised root cause analysis following breaches, industry-wide learning to prevent recurrence, or operational “no compliance, no work” enforcement?
In most cases, it simply does not exist.
Cyber incidents are often underreported, inconsistently investigated, and rarely shared in a way that benefits the wider ecosystem. This must change.
From Cyber Assurance to Cyber Discipline
To align cyber risk management with the proven HSE model, organisations should adopt several key principles:
1. Mandatory Incident Reporting Culture – Cyber incidents, particularly those impacting supply chains, must be reported transparently and consistently, not buried for reputational reasons.
2. Root Cause Analysis as Standard – Every significant breach should trigger a structured investigation, identifying not just what happened, but why controls failed.
3. Preventive Action Across the Ecosystem – Findings should inform improvements not only within the affected organisation, but across the wider supply chain.
4. “No Controls, No Contract” Enforcement – Just as “no RAMS, no PPE, no work” applies in construction, cyber should adopt a similar stance: no baseline controls, no access to systems; no evidence of resilience, no contract award.
5. Contractual Accountability – Organisations must embed breach and liability clauses into contracts, ensuring that suppliers are held accountable where failures originate within their environment.
A Necessary Evolution
Cyber security is now as critical to operational resilience as physical safety.
Yet while health and safety has evolved into a mature, embedded discipline, cyber risk management remains fragmented and overly reliant on documentation.
The lesson is clear.
If we want secure supply chains, we must move beyond questionnaires, embed a culture of reporting and learning, enforce standards operationally rather than administratively, and hold organisations accountable for failures.
Final Thought
The UK did not become a global leader in health and safety by chance. It did so by treating risk as a shared responsibility, backed by clear rules, strong enforcement, and continuous improvement.
Cyber risk demands the same level of seriousness.
Because in today’s interconnected world, a failure in one part of the supply chain is no longer isolated; it is systemic.
And just like in health and safety: if the controls aren’t there, the work shouldn’t proceed.