You Have to Kick the Tires: Protecting Yourself Against Supply-Chain Catastrophes
One of the biggest areas of unmitigated risk we see across all industries is supply-chain risk. Most organizations are not adequately protected against the loss of critical third-party suppliers
In today’s post, I’ll share some thoughts about the pervasive supply-chain risk problem, as well as some ideas on what you can do about it.
Related on BCMMETRICS: 6 Tips to Help You Vet Your Third-party Vendors
PANIC MODE
Are you one of those laid back people who think worrying about the resilience of your organization’s third-party vendors is a waste of time?
Unfortunately, that attitude was prevalent at a hospital I had for a client this year. They were great people, but for whatever reason, validating their third-party suppliers’ recovery plans was not one of the items high on their to-do list.
You can guess what happened next. One of their critical suppliers—a dictation transcription company—was knocked out, leaving them badly in the lurch.
As you might know, this service is one of the vital functions at a hospital. The supplier was hit by a cyber attack, putting them completely out of commission.
The organization then went into panic mode.
Unfortunately, before the problem occurred, the hospital had taken only the most superficial look at the supplier’s (inadequate) recovery plan, and no backup supplier was lined up.
The hospital scrambled to find another supplier, but the new company was not nearly as good as the old one. Costs were higher and there were many problems. The hospital had to limp along for 60 days until their original transcription vendor was back online.
AS STRONG AS ROCKY BALBOA
This story points up one of the biggest vulnerabilities of organizations in all fields: The failure to adequately vet the recovery plans of their critical third-party suppliers. The client organizations almost always take the supplier’s word for it when they say they have a good business continuity (BC) plan. Unfortunately, these claims are almost always overstated. In fact, it’s not uncommon for suppliers to portray their plans as the Rocky Balboa of continuity plans when the reality is very different.
What usually happens is, the supplier gives the client a two- or three-page overview of their BC plan and the client accepts it without comment and files it away, not giving it another thought until and unless there’s a problem. By then, it’s too late to do anything about it.
And the supplier’s problem can have a significant impact on your organization’s production, revenue, and reputation.
KICKING THE TIRES
The moral of the story is, when it comes to your critical suppliers’ recovery plans you have to kick the tires.
You have to ask for their plans, review what they give you, and determine if there’s any substance there and if the plans really add up.
Then you need to seek more information until you can truly validate that the plans will work.
And if it’s a really critical supplier, then, ideally, you should go to their site, take a tour, and participate in their recovery exercises. This is the only way to make sure they can really do what they say they can when it comes to business recovery.
Without having done all this, you have as much basis for feeling secure in your dependence on that supplier as someone flying in an uninspected plane flown by an unlicensed pilot.
RED FLAGS
Am I saying that all of your critical vendors will welcome your questions and visits with open arms?
Absolutely not. Probably many of them won’t. And if they don’t, you would be wise to consider that a red flag. For what to do in these cases, see below.
Turning it around, plenty of suppliers do take a responsible approach to business continuity. Those companies are typically happy to answer your questions, provide added information, and host you for a visit.
WITH FRIENDS LIKE THESE
If your vendors can be difficult, at least you can always count on your own management to back you up when it comes to validating your critical suppliers’ recovery plans, right?
Wrong, unfortunately.
I’ve seen it happen a lot where some good BC person realizes the need to go vet a critical supplier’s recovery capability and management tells them, “Are you kidding me? I can’t afford that. And you don’t have the time.”
They might then say the supplier is so big, they could certainly recover quickly if something happened to them, or alternatively that they could just write a check to cover any losses you suffer because of them.
This is what the Institute for Crisis Management calls a “smoldering problem,” meaning problems that someone has pointed out, but which management won’t do anything about. It happens a lot when it comes to supply-chain risk.
It also reminds me of the expression that to ASSUME is to make an ASS of U and ME.
WHAT CAN BE DONE
As I said above, the moral of the story is, you have to kick the tires and look under the hood when it comes to your critical suppliers’ recovery plans.
Here are a few other things you can do:
- If you have a critical supplier whose recovery plans you are unable to validate, line up some alternate suppliers. That way if something happens to your primary vendor, you won’t have to start from scratch in finding a replacement. A good strategy for critical resources of all kinds is to have at least two active suppliers at all times.
- Try to get strong business continuity language included in your purchasing agreements.
Ideally, such language would say that you can review the supplier’s plans and tests whenever you want and that you are permitted to inspect their sites. - Be strong! As the business continuity person, you are frequently going to find yourself being the voice of caution and responsibility among people whose priorities are very different. What they are doing is important, but so is what you are doing. The role of BC professional puts a premium on being prudent, adult, and mature. Be proud of your role. Your company depends on you.
SUPPLY-CHAIN RISK IS AN ONGOING PROCESS
Over time, hopefully, all of the parties discussed above—BC professionals, management, and suppliers—will become more educated and mature about the need to validate the recovery plans of the enterprise’s key suppliers.
Supply-chain risk management is likely to be an ongoing process, to say the least!
Educate yourself and the people you work with, try some of the strategies suggested above and don’t be afraid to kick the tires of your critical suppliers’ BC plans.
FURTHER READING
For more on this and other hot topics in supply-chain risk and business continuity, check out these recent posts from BCMMETRICS and MHA Consulting:
- Let’s Get Critical: Identifying the Vendors You Truly Depend On
- 6 Tips to Help You Vet Your Third-party Vendors
- A Pocket Guide to Business Continuity Management Now
- The 5 Most Important Risk Mitigation Controls
- The 4-3-3 Rule for Writing Business Recovery Checklists
- Everything You Always Wanted to Know About Managing Risk but Were Afraid to Ask
Michael Herrera
Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.
