Brian Davey, Teed Business Continuity Ltd: Reviewing Business Continuity in Your Organisation’s Supply Chain
Most organisations have a high dependency on external suppliers of goods and services in order to function efficiently and meet their objectives. However, this dependency is often taken for granted and overlooked as a potential source of disruption to the organisation’s critical activities.
The new British standard for business continuity management, BS25999, advocates that loss of the supply chain be considered as part of your organisation’s business continuity management process. This article provides some guidance on how to conduct the supply chain review.
1. Determine Who Your Key Suppliers Are
Either as part of the business impact analysis interviews, or through separate discussions with relevant representatives from across the organisation, determine who your key suppliers of goods or services are. This is achieved through noting the suppliers each business area depends on to maintain continuity of its critical activities and agreeing the negative impacts, over a timeline, which would result should loss of supply actually occur. For each supplier the recovery time objective, i.e. the time at which the supply of goods or services must be resumed in order to keep impacts within acceptable limits, can then be plotted.
Suppliers whose loss would have an unacceptable impact on continuity of the organisation’s critical activities should be highlighted as key suppliers. It is also worth including suppliers which are either very small in size, so-called “one man bands”, or which own exclusive rights to the goods or services they provide. Such suppliers tend to represent a higher risk, either because they are more exposed to a single incident which results in an outage of supply to you, or because there are no obvious alternative sources of supply to replace them.
2. Analyse Key Suppliers
Once you have created a list of the suppliers identified as key in step 1 above, examine each one in turn to review the supplier’s continuity capability. This can be achieved through reviewing their business continuity plan and talking through with them how they would ensure continuity of supply should adverse situations arise. Examples of other questions to ask are:
o What contingencies do they have available to provide continuity of supply of goods or services should the primary site where they deliver their goods or services from be put out of use?
o What resilience measures do they have in place to reduce the potential for service or supply outages to occur?
o What roles and responsibilities have they in place to respond to a major incident?
o Do they have a business continuity management policy in place?
o What response plans do they have in place to cover incident management, business continuity and IT service continuity?
o How often do they test their response plans and what were the results of the most recent tests?
o How often do they review their response plans and when was the last review undertaken?
o Is there a history of business continuity incidents occurring or near misses? If so, how were these handled?
o Do they operate from one location in respect of the goods or services they provide to you?
o What is their strategy for coping with the loss of key people?
o How would they cope with a loss of supply of goods or services from their own supply chain?
o What is the maximum time that supply to you would be disrupted given the supplier’s continuity capability?
If you have a large number of key suppliers to review, an alternative way of asking the questions is to develop a questionnaire and send this out, following up with those suppliers where queries arise or there is doubt whether your organisation’s recovery time objectives can be met.
3. Determine Coping Strategies
The above analysis will highlight where there are gaps between the recovery time objectives of your organisation and the capability of suppliers to meet these objectives. The next stage is to find ways of eliminating the identified gaps. For each supplier where a gap has been identified, consider the following:
o Is there an alternative source of supply available at short notice? If there is, then firm up on, and document, the alternative source to ensure that this would be readily available following a loss of supply from the primary supplier.
o If there isn’t an alternative source of supply available at short notice, consider the following:
    o Can reliance on the supplier or the consequent negative impacts of a supply disruption be reduced, for example through changes to critical activities which depend on the supplier or through increasing internal stock holding of goods etc.?
    o Can a workaround be developed to allow you to cope with the maximum downtime which the supplier’s continuity capability would dictate? For example, if it would take them one week to re-establish their supply to you following an incident, a one-week workaround is required.
    o Can the services provided be brought in-house to eliminate the reliance on the supplier?
    o Ultimately, is your senior management team willing to accept the current risk exposure? If so, then there is little point in creating coping strategies which imply investment as these are unlikely to be approved. However, you may still want to consider coping strategies, such as workarounds, which imply little financial outlay.
When negotiating the contractual agreement with new suppliers or novating existing agreements, care should be taken to state expectations clearly with regard to continuity of supply and service levels. It is also preferable to include a “right to audit” clause to enable periodic reviews to be conducted which will help ensure that the supplier is fulfilling its contractual obligations over time.
Through conducting a review as outlined above, you can help your organisation to align with BS25999 and ensure continuity of business should one of your key suppliers experience a disruptive event.