Let’s Get Critical: Identifying the Vendors You Truly Depend On

Do you know how, in your non-business life, there is a difference between “friends” and “Facebook friends”?

There is something similar in business continuity when it comes to third-party vendors.

Your organization might purchase goods and services from 500 outside companies, but how many of these do you really depend on? How many are vital to your company’s ability to carry out its core mission?

If your organization is like most I work with, the answer might be about a dozen.

Can you guess why I’m mentioning this, or why it matters?

Of the main business continuity dimensions, one is by far the most neglected. Do you know which one?

If you answered Program Administration, Crisis Management, IT Disaster Recovery, Business Recovery, or Fire and Life Safety, you’re wrong, I’m sorry to say.

If you answered Supply Chain Risk Management, you got it exactly right. Supply chain risk management is the area where there are still significant exposures for many if not most of the organizations we work with and talk to.

In a recent blog post, MHA senior advisory consultant Richard Long aptly refers to third-party vendors as the potential Achilles’ heel of many organizations’ business continuity programs.

Far too many organizations are critically dependent on outside companies whose resilience they know little to nothing about.

For many reasons, supply chain risk management has been a difficult area for many BC offices to get their arms around. For an overview of the broader problem and suggestions for mitigating it, have a look at a webinar I produced last year called, “Critical Supplier Continuity—Believe It Or Not” (free, slide deck included, 33 minutes long).

In today’s post, I want to focus on one small but significant part of the puzzle: the challenge of identifying exactly who your critical suppliers are.

Any BC consultant can tell you that the first step in bringing down the amount of risk in your supply chain is to identify your critical suppliers. What often gets left out is, how do you go about identifying them?

Many of the companies we work with have hundreds of suppliers. Obviously, in such cases, the BC office can’t execute the full risk mitigation package on every one. It would take forever and be a waste of resources. You have to perform triage if your organization is in this situation.

You have to determine which of your third-party vendors are absolutely critical to your organization’s ability to carry out its core mission.

Which suppliers, if they were to go dark for whatever reason, would by their absence bring one or more of your organization’s critical processes to a standstill?

There are many ways to go about rating your vendors for criticality. Here are four:

1. Use tribal knowledge. If your organization is like most, there are people in your material control and procurement departments who have been there for years. Such people typically have a wealth of knowledge about your vendors and their relative importance to the organization. They might even have put together lists with the suppliers ranked by priority. The tribal knowledge of these employees is one of the best resources to help you in your ranking suppliers for business continuity purposes.
2. Consult your BIA results. Recent business impact analyses are another great aid in helping you identify which vendors are critical to your organization.
3. Rank your vendors in order by how much you spend with them. This is another way of getting a quick handle on which vendors you depend on most. This is not the end of the story, however. You might spend a lot on a commodity you could easily source from another supplier, and it could be there is a specialty machine part available only from a vendor you rarely buy from, but which you can’t operate without. But looking at these figures can surface critical dependencies that might otherwise get overlooked.
4. Ask how critical the vendor’s part or service is to the business. This is what it all comes down to. When in doubt, this is the question to pose.

If you’re just getting started, I would suggest you do the following to figure out who your critical suppliers are: Go to sources 1 and 2—tribal knowledge and BIA results—and put together the best list without spending too much time on it. The process and your list will mature over time.

Selecting a new vendor? Concerned about the risk? Here are our 6 Tips to Help You Vet Your Third-party Vendors.

Three final points:

1. To identify your critical vendors, you first need to have prioritized your business processes. But that’s a subject for another post.
2. Your critical supplier list should be updated regularly (and don’t forget that Master Vendor List described in detail by Richard Long in his blog).
3. The final list should be reviewed and approved by management. (Unfortunately, few companies get to this step, but it is a best practice in supply chain risk management.)

The important thing is to take your hundreds of vendors and whittle them down to the relatively small number that you truly depend on. Those are the suppliers that you then submit to full scrutiny in terms of business continuity, by evaluating their preparedness, visiting them onsite, and having them demonstrate recoverability.

Are your third-party vendors a potential vulnerability in your organization’s business continuity planning? If so, take the first step toward plugging the gap by figuring out which of your many suppliers are truly critical to your organization’s ability to execute its core mission.