Supply chain insecurity has emerged as one of the leading threats to business, but most organizations continue to lag when it comes to protecting their access to critical goods and services. In today’s post, we’ll lay out the four steps every company should take to protect its supply chain and boost its resilience.
Most organizations continue to devote insufficient thought and resources to the task of assessing and managing risk in their supply chains. This leaves them vulnerable to disruptions in their supply chain and even completely unaware of the various risks that are lurking there.
In today’s post, I’ll sketch out the process your organization’s business continuity (BC) office should follow to assess and mitigate supply chain risk.
Related on BCMMETRICS: Let’s Get Critical: Identifying the Vendors You Truly Depend On
A System Under Strain
Recent events have subjected the modern corporate supply network to extraordinary strain.
The pandemic, geopolitical conflict and tension in Europe and the Far East, the rise in extreme weather, and even one-off events like the week-long blocking of the Suez Canal last year have made it abundantly clear that our current system of sourcing critical goods and services through far-flung global networks brings vulnerabilities as well as benefits.
What is the supply-chain situation at your organization? Is your company one of those that is dependent on third-party products and services whose interruption would bring its critical operations to a halt? If so, you have plenty of company.
Does your organization have a sound system in place for assessing and mitigating its supply chain vulnerabilities? If not, you have plenty of company there also.
Securing its supply chain is vital for any organization committed to protecting its revenue, reputation, and ability to continue performing its essential operations no matter what shocks affect its third-party vendors, whether these are around the globe or down the street.
Strengthening the Chain
Fortunately, assessing and managing supply chain risk is not rocket science. It can be accomplished by completing the following four steps.
Step 1: Put someone in charge.
The first step in assessing and managing supply chain risk is to put someone in charge of supply chain security—or, to put it in business school language, establish proper governance over the supply chain risk mitigation effort.
Senior management needs to set up some version of a Supply Chain Risk Management (SCRM) oversight group. This group should push to make evaluating suppliers from the BC perspective a regular part of the company’s way of doing business.
The SCRM effort should be sponsored by a senior executive who champions the effort and has primary responsibility for its success. This person will allocate resources and help eliminate roadblocks. The roles and responsibilities of the SCRM oversight team should be documented, reviewed with the members, and formally approved.
Step 2: Identify your critical vendors.
The second step in improving the security of your supply chain is to identify your critical vendors.
Before you can do this you’ll need to determine the relative criticality of all of your business processes. (This is typically done by conducting a business impact analysis.) Once you know which of your business processes are the most critically time sensitive, you can look back up the line and see which third-party products and services are required for carrying out those processes. This helps you get a bead on who your critical vendors are.
Many companies, when reminded of the importance of vetting their critical vendors, will say something like, “How can we vet our suppliers? We have hundreds of them.” The fact is, there are probably only a dozen or so you really depend on. You don’t have to vet all of them; only the ones on which you are critically dependent.
Here are three ways to determine which of your suppliers you truly depend on:
- Consult your BIA results. As mentioned above, your business impact analysis results are a great aid in helping you identify which vendors are critical to your organization.
- Use institutional knowledge. Consult the people who have been in your material control and procurement departments for a long time. Such people typically have a wealth of knowledge about your vendors and their relative importance to the organization. They might even have put together lists with the suppliers ranked by priority.
- Rank your vendors in order by how much you spend with them. This is another way of getting a quick handle on which vendors you depend on most. It’s not a perfect measure—you might spend a lot on a commodity you could easily source from another supplier—but looking at these figures can surface critical dependencies you might otherwise overlook.
Your goal is to take your hundreds of vendors and whittle them down to the relatively small number you really depend on.
Put together the best list you can without spending too much time on it. The process and your list will mature over time.
Step 3: Identify the risks to your critical vendors.
The third step, after you’ve set up your governance system and identified your critical vendors, is to examine the risks faced by those vendors and also their readiness to deal with them.
You’ll want to investigate things such as the following:
- The specific dangers and vulnerabilities that the supplier is exposed to.
- Their exposure to natural disasters. Are they in hurricane country? Tornado Alley? On an earthquake fault?
- Their facility security.
- Their cyber security.
- The stability of their workforce. More turnover for them means higher risk for you.
- Their financial situation.
- The outlook of their company and industry from the point of view of the larger economy.
- The strength (or lack thereof) of their business continuity program.
The best way to evaluate most of these threats and risks is to review the suppliers’ business continuity documentation and, for your truly critical vendors, to visit their facility. In this way you can determine for yourself the answer to such questions as whether their level of security is as good as they claim or their backup generator is really capable of supporting their whole operation.
When it comes to assessing their business recovery planning, you have to ask for their plans, review what they give you, and determine if the plans really add up.
And if the vendor won’t share their program documentation, never manages to schedule that site visit, or is not happy to see you, then the prudent thing is to assume they are not resilient and plan accordingly. For information on how to do that, read on.
Step 4: Mitigating the risks to your supply chain.
By now, your company has set up a supply chain risk governance sponsor and group, identified your critical vendors, and assessed the risks to those vendors. Now you have to mitigate the risks those vendors pose to your own operations. You need to prepare your organization in case things go wrong at theirs.
Here are some ways you can go about mitigating the risks your critical suppliers pose to your organization:
- If you have a critical supplier whose recovery plans you are unable to validate, line up alternate suppliers for that product or service. A good strategy for critical resources of all kinds is to have at least two active suppliers at all times.
- Develop workarounds that will enable your organization to complete its critical process in the event that the vendor is unable to supply the product or service in the usual manner.
- Seek to cultivate a positive, mutually beneficial relationship with the supplier that includes as a key thread their meeting your concerns about the robustness of their operation.
- Try to get strong business continuity language included in your purchasing agreements. Such language should say that you can review the supplier’s plans and tests whenever you want and that you are permitted to inspect their sites. It should also spell out the consequences to them for any disruption of theirs that impacts you.
- During an event at the vendor, keep in touch with them to see if they foresee any impacts on your supply chain.
- Propose countermeasures to significant vulnerabilities, single points of failure, and lack of continuity planning at critical suppliers
The oversight team should develop, evaluate, select, and document mitigating strategies for the risk at each critical supplier and get approval for those strategies from management. It should also conduct regular reviews of the chosen mitigating strategies, updating them as needed.
Protecting Your Access to Critical Goods and Services
The growth in reach and complexity of the global supply chain has brought many benefits but also significant vulnerabilities, a fact made abundantly clear by recent events in public health and geopolitics. In the current environment, no responsible organization can afford to take a casual attitude toward the security of the vendors supplying it with critical goods and services.
Every organization should take the following steps to protect its supply chain: 1) set up a supply chain governance structure, 2) identify the organization’s critical suppliers, 3) assess the risks to those suppliers, and 4) take steps to mitigate the identified risks. By taking these steps, your company can go a long way toward protecting its access to the products and services they need to carry out their mission-critical activities.
For more information on supply chain security and other hot topics in BCM and IT/disaster recovery, check out these recent posts from BCMMETRICS and MHA Consulting:
- Critical Vendors: The MHA Guide to Securing Your Supply Chain (free ebook)
- Let’s Get Critical: Identifying the Vendors You Truly Depend On
- 6 Tips to Help You Vet Your Third-party Vendors
- Fooling Yourself: When BC Professionals Confuse Effort with Results
- Vulnerable Vendors: Supplier Weaknesses Put Your Organization at Risk