Most organizations continue to devote insufficient thought and resources to the task of assessing and managing risk in their supply chains. This leaves them vulnerable to disruptions in their supply chain and even leaves them completely unaware of the various risks lurking there.
In today’s post, I’ll sketch out the process your organization’s business continuity (BC) office should follow to assess and mitigate supply chain risk.
Supply chain risk management is an area where there are still significant exposures and risks in business today. This has been a really difficult area for many BC offices to get their arms around.
For those who want to get on top of this issue, today’s post will be an overview of what needs to be done.
Basically, assessing and managing supply chain risk comes down to four things:
- Establishing the proper governance for the process
- Identifying who your critical suppliers are
- Assessing risk at your critical suppliers
- Mitigating risk from your critical suppliers
We’ll talk a little about each one below.
WHO’S IN CHARGE?
The first thing an organization has to do in order to assess and manage supply chain risk is establish a governance process.
Everything starts with senior management.
The responsibility can be placed with a separate risk management office or be part of business continuity. But however things are set up, the responsible group needs to push to make evaluating suppliers from the BC perspective a regular part of the company’s way of doing business.
Some key points about the governance of your supply-chain risk assessment effort:
- A Supply Chain Risk Management (SCRM) oversight group should be set up. This group is responsible for vetting the supply chain.
- The existence of the SCRM oversight group will make it easier to get your procurement people to go to the vendors and tell them that you have to evaluate them on a BC basis.
- The sponsor of the SCRM effort should be a senior executive. This person should be the champion of the effort and have primary responsibility for its success. They allocate resources and help eliminate roadblocks.
- Management should regularly review the resiliency of the supply chain.
- The roles and responsibilities of the SCRM oversight team should be documented, reviewed with the members, and formally approved.
Companies say, “How can we vet our suppliers? We have hundreds of them.” There are probably only a dozen or so you really depend on. You have to figure out which those are.
Which of your third-party suppliers are critical to your organization’s ability to carry out its core mission? Which ones, if they went dark, would bring one or more of your company’s critical processes to a standstill by their absence?
You have to rate your vendors for criticality. Here are four ways to do it:
- Use tribal knowledge. Consult the people who have been in your material control and procurement departments for a long time. Such people typically have a wealth of knowledge about your vendors and their relative importance to the organization. They might even have put together lists with the suppliers ranked by priority.
- Consult your BIA results. Recent business impact analyses are another great aid in helping you identify which vendors are critical to your organization.
- Rank your vendors in order by how much you spend with them. This is another way of getting a quick handle on which vendors you depend on most. It’s not a perfect measure—you might spend a lot on a commodity you could easily source from another supplier—but looking at these figures can surface critical dependencies you might otherwise overlook.
- Ask how critical the vendor’s part or service is to the business. This is what it all comes down to.
Put together the best list you can without spending too much time on it. The process and your list will mature over time.
To identify your critical vendors, you first need to prioritize your business processes.
The important thing is to take your hundreds of vendors and whittle them down to the relatively small number that you truly depend on.
WEAK LINKS IN THE CHAIN
Now that you know who your critical suppliers are, you can start assessing the risk residing in the business operations of each one.
Here are some things to investigate:
- The specific dangers and vulnerabilities that the supplier is exposed to.
- Their exposure to natural disasters. Are they in hurricane country? Tornado Alley? On an earthquake fault?
- Their facility security.
- Their cyber security.
- The stability of their workforce. More turnover for them means higher risk for you.
- Their financial situation.
- The outlook of their company and industry from the point of view of the larger economy.
The best way to evaluate most of the threats and risks mentioned above is to visit the supplier’s facility and review their business continuity documentation.
Is their level of security as good as they claim? Is their backup generator really capable of supporting their whole operation? Are their recovery plans robust? The best way to find out is to see for yourself.
You can tell a lot just by how happy they are to see you.
MANAGING SUPPLIER RISK
The next step is to manage the risks you’ve identified at each of your critical vendors.
You need to prepare your organization in case things go wrong at theirs.
Your team should evaluate, select, document, and get approval for mitigating strategies for the risks at your critical suppliers.
The oversight team should conduct regular reviews of the chosen mitigating strategies for your critical suppliers, updating them as needed.
Here are a few more things to bear in mind:
- The purchasing agreements you sign with your critical suppliers should require them to address continuity planning and service levels.
- A good vendor agreement says that the vendor must have a business continuity plan, that you have a right to inspect the plan, and that you have a right to on-site visits. It also spells out the consequences to the vendor for any disruption of theirs that impacts you.
- Critical suppliers should be legally bound to ensure continuity of their supply chain and the delivery of services and materials to the organization.
- Provisions for communication with the supplier should be put in place.
- Purchasing agreements should contain specific wording defining BCM requirements, service-level expectations, and penalties for interruptions and incidents.
- Gaps between the priorities of the critical supplier and expectations of the organization should be identified and documented for management review and action.
- During an event at the vendor, you should keep in touch with them to see if they foresee any impacts on your supply chain.
- Critical supplier exposures should be documented for management review and action.
- Management should propose countermeasures to significant vulnerabilities, single points of failure, and lack of continuity planning at critical suppliers.
- Management should revise critical supplier agreements to minimize impact to delivery of services, goods, and/or materials to the supply chain.
It’s time to get smart about critical supplier risk.
Out of sight is usually out of mind, but your organization can’t afford that attitude when it comes to your critical suppliers. Their vulnerabilities are your vulnerabilities. A chain is only as strong as its weakest link, and that includes a supply chain.
The above information is only a brief introduction to this important topic. Read around, talk to people, educate yourself—and then take the steps necessary so your organization can start assessing and managing risk at the suppliers it depends on most.