“No man is an island,” as the saying goes, and no company is either. Every organization depends to a greater or lesser degree on materials or services provided by third-party vendors.
Here’s another old saying for you: “It’s 10 PM. Do you know where your children are?” In today’s post, I’d like to give that old public service announcement a small twist: “It’s 10 PM. Do you know where your vendors are?”
The fact is, your company can have the best business continuity program in the world, but if your critical vendors are vulnerable, you are vulnerable. A chain is only as strong as its weakest link, and an enterprise is only as robust as its least disaster-proof critical supplier. It’s an unnerving thought but also a fact of life in an interdependent economy.
Does your organization have any important suppliers that were impacted by the recent flooding in Houston or the hurricanes in Florida and Puerto Rico? Were the impacts mild, moderate, or more severe?
I don’t mean to pick on suppliers in those three areas; bad things can happen to vendors anywhere at any time. But the wide extent of the recent weather-related disasters got me thinking about the issue of third-party suppliers, and specifically the issue of vetting third-party suppliers from a business continuity perspective.
Unfortunately, I can’t wave a magic wand and instantly make every one of your vendors 100% compliant with your preferred business continuity standard. However, I can share a few ideas to help you come to grips with this important but tricky issue in your business continuity planning.
In that spirit, here are my six tips to help you vet your third-party vendors from a business continuity perspective:
1) Establish a governance process.
In other words, do what you can to get your organization to require you to evaluate your suppliers from a business continuity perspective. Everything starts with senior management. If there’s not an oversight group responsible for vetting the supply chain, it will be hard to get your procurement people to go to the vendors and say you have to evaluate them on a business continuity basis.
2) Identify your critical vendors.
You might have 50 vendors, or you might have 500. You have to start somewhere, and obviously you want to invest your limited resources where it will do the most good. Rank your vendors by importance. Identify the 5 or 6 that are most vital to your enterprise. In evaluating the relative importance of each supplier, ask questions such as the following: How important is the vendor’s product to the processes of your company? Does the vendor supply a commodity that you can easily find elsewhere, or a specialized product with few or no other potential suppliers? One of the best tools for helping you work through these questions is a Business Impact Analysis.
3) Assess the threats and risks facing the vendor.
Are they in hurricane country? Tornado Alley? On an earthquake fault? Is their facility located across the street from a chemical plant? How is their plant security? Their cyber security? Do they have a stable workforce or high turnover? What is their financial situation? Get a handle on the specific dangers and vulnerabilities to which that company is exposed. If you depend on them to provide business-critical products or services, their problems are your problems.
4) Pay them a visit.
Missouri is known as the “show me” state, of course, and when it comes to assessing third-party vendors, we should all act like we are from Missouri. The best way to evaluate most of the threats and risks mentioned above is to go to the vendor’s facility and look around. Yes, it’s expensive, but for your critical vendors it’s well worth it. There is no better way to find out whether their level of security is as good as they claim or if that backup generator they told you about on the phone is really capable of supporting their whole operation. On-site visits are revealing in so many ways. You can tell a lot just by how happy they are to see you. If they are welcoming, prepared, and open, then great. Those are all reasons for confidence. If they seem annoyed or nervous over your being there, maybe you should be nervous about depending on them for a key part of your business.
5) Get it in writing.
The ideal situation is for the vendor to agree to your business continuity requirements and for the terms to be included in your supply agreement with the vendor. A good agreement will say that the vendor must have a plan, that you have a right to inspect the plan, and that you have a right to on-site visits. The agreement should also set forth the consequences to the vendor for any disruption of theirs that impacts you. If a problem at their plant forces the shutdown of your production line, they should cover your losses. What if the vendor is reluctant to make such an agreement? Try pointing out to them that having a strong business continuity program doesn’t only protect your company; it also strengthens theirs. Even so, some vendors might not be willing to come to terms with you, because you are too small a customer or for some other reason. This is why we have Tip No. 6.
6) Be proactive.
There are two ways to be proactive in this context. First, there’s keeping in touch with vendors that are dealing with problems such as storms or fires. For example, when you see on the news that a storm is headed their way, reach out to them and see if they foresee any impacts. Keep the lines of communication open. Diplomatically remind them that you are depending on them. Ask what they are going to do to prevent or fix the disruption. The second kind of proactivity is more strategic. It involves finding alternate suppliers you can turn to if your original supplier falters. It also includes finding vendors who take business continuity as seriously as you do and are willing to enter into responsible agreements with you to ensure that everyone’s needs are protected. If a vendor gives you the brushoff when you ask about their business continuity plan or try to set up an on-site visit, be proactive: start looking for a vendor who can provide the same product as the unresponsive vendor but is also willing to partner with you to safeguard your supply chain.
A Third-Party Vendor Risk Assessment Tool That Works
Don’t reinvent the wheel: use the Compliance Confidence (C2) assessment tool as a questionnaire for third-party risk evaluation. Part of the BCMMetrics™ suite of online business continuity software, Compliance Confidence can be used with all your third-party vendors as a way of evaluating their business continuity programs. It’s simple to give your third-party vendors access, easy to fill out, and presents a straightforward “FICO”-like score measuring how well a program stands up to the most current standards and guidelines. It also highlights areas for improvement, making it easy for you to work with third parties on business continuity goals.