
Archive for the 'BS 25999' Category

Business continuity’s role in supply chain resilience

Tuesday, March 4th, 2008

By Charlie Maclean-Bristol, for ContinuityCentral.com

Until relatively recently, business continuity management for most companies focused primarily on the risks associated with IT failure or the loss of a building. The increasing reliance upon outsourcing in a more global business environment, however, has pushed supply chain risks firmly onto the business continuity agenda.

For many organisations, the supply of raw materials, manufacturing processes, and product storage are now regularly outsourced. Even those functions that were traditionally considered in-house activities, such as finance, purchasing, internal auditing, HR and occupational health are now considered outsourceable activities. In this supply chain-reliant environment, the loss of just a single critical supplier can have a devastating impact on a company.

The nature of the supplier
Suppliers by their very nature can be more susceptible to incidents than the organisations which they supply. They are often smaller and leaner, provide ‘just in time’ services and in many cases supply only a single product; these factors amplify the impact which a disruption can have.

It is often the case, particularly with niche suppliers, that their services are being used by a number of different companies. As such, any disruption can have a much more pronounced ripple effect, impacting on multiple organisations. A good example of this occurred during the fuel stoppages of 2001 in the UK, when the water industry suddenly became aware of how over-reliant it was on ICI at Runcorn which produced 70 percent of the chlorine used in water treatment.

An organisation should also be fully aware of the risk that disruption to 2nd or 3rd tier suppliers in the supply chain poses to its ability to continue operating.

In the firing line
The threats to the supply chain are many and varied, as can be seen in the following diagram. The risks can vary from a natural disaster to political instability, to getting caught up in a company dispute.

BS 25999 does not effectively deal with supply chain risk. The Standard states that accountability for business continuity remains vested within the organisation, that the organisation’s dependency on suppliers should be understood, that suppliers should have effective business continuity arrangements in place, that awareness programmes may extend to suppliers, and that the suppliers’ business continuity arrangements should be audited. Part 1 section 7.7 provides some information on developing a supplier strategy but it is limited.

Managing the risks
To effectively manage supply chain risks a business continuity manager needs three key pieces of information:

1. He/she should identify the organisation’s critical activities so that critical suppliers can be ascertained;

2. He/she should ascertain the potential impact of the loss of a supplier by conducting a BIA;

3. He/she should undertake a full risk assessment to understand the potential risks which could affect the supplier.

Only once this information has been gathered can the business continuity manager start to mitigate the supplier’s risks.

A three-pronged approach
The strategy for dealing with supply chain risks should be in three parts. Firstly, the business continuity manager must educate purchasers in how to make ‘risk aware’ purchasing decisions. To do this they must make sure that buyers are aware of which suppliers are critical to the organisation and which are not. Purchasing of non-critical services can be made on a pure commercial basis, but decisions relating to critical suppliers should be risk-based. Buyers should be aware of the consequence of the loss of a supplier so they can weigh this against the commercial element of the deal.

A supplier strategy should then be drawn up detailing buying strategies that can be used to mitigate supplier risk. These could include: diversification (buying from more than one supplier); asking suppliers to stockpile stock; ensuring that the supplier has excess capacity; and establishing stringent failure-to-perform clauses.

The business continuity manager should also educate buyers in how to examine the supplier itself and not just the product being supplied. This is usually carried out as part of the tender process, but often without sufficient rigour. In reviewing the supplier, the buyer should consider: the quality of all of the organisation’s products, not just those being supplied; their incident history; key personnel dependencies (is the person who deals with the product liable to move to another organisation, for example?); financial stability; volume flexibility; and the quality of the business continuity plans that are in place.

The business continuity manager is key to reviewing the supplier’s level of business continuity planning as they are best placed to assess its validity and its quality. According to research conducted recently by the Business Continuity Institute: “Where organisations insist on the supplier having a business continuity management plan … 18 percent are happy to rely on no more than a statement from the supplier. 27 percent ask only to read the supplier’s business continuity plans and a further 27 percent don’t know how the supplier’s plans are verified.”

Secondly, the business continuity manager should ensure that operational staff are fully aware of which suppliers are critical to the organisation, and the potential impact of their failure. All operational personnel should also be trained in incident management so that if there is a failure they can respond quickly and effectively.

The business continuity manager should also encourage staff to closely monitor suppliers to ensure any problems are detected early. ‘Near misses’, or any drop in quality should be investigated as they may suggest a more serious problem which can then be dealt with. The business continuity manager should also monitor the media for any negative press relating to the company. A key part of supply chain risk mitigation is recognising the signs early and dealing with them in the proper manner.

Thirdly, the business continuity manager can also play a key role in helping the suppliers themselves improve their business continuity planning. As mentioned previously, suppliers are often much smaller than the organisations which they supply, and may not have a dedicated business continuity management resource or the necessary skills to implement an effective business continuity strategy. The business continuity manager should therefore work in partnership with their firm’s suppliers to help them develop their business continuity plans and should then involve them in any exercises or awareness sessions.

Loss of a supplier is a major risk, and one which will only increase as organisations continue to extend their outsourcing networks. The business continuity manager can play a vital role in reducing this risk by educating buyers in how to adopt a risk-based approach to selecting critical suppliers, educating operational staff on the risks posed by suppliers, and helping suppliers themselves improve their business continuity strategy.

Author: Charlie Maclean-Bristol MBCI FEPS is a director of PlanB Consulting
www.planbconsulting.co.uk
T: 0790 844 8555

Note
The author recommends the book ‘The resilient enterprise’ by Yossi Sheffi for further insights into supply chain management.

BS25999 - Is it Right for your Organization?

Thursday, January 31st, 2008

The recent release of part two of the British Standard for Business Continuity Management (BS25999) has given planners another avenue to explore when designing their business continuity program.

The British Standards Institution (BSI) released the second part of BS25999 in late October 2007 and it has been well received by global organizations.

BS25999 actually includes two standards, BS25999-1 and BS25999-2. The first was released in 2006 and addresses practices and policies; the second specifies procedures for business continuity management. The standard’s intent is to provide guidelines for implementing business continuity management within an organization.

According to BSI, BS25999 is the world’s first internationally recognized standard for Business Continuity Management (BCM). It includes requirements covering the whole BCM lifecycle, based on BCM best practices.

The standard has garnered much attention from businesses around the world. It has become the most downloaded standard from the BSI website. In fact, thousands of companies in the United Kingdom are implementing BS25999.

The basic intent of the standard is to provide best practices for an organization’s personnel, infrastructure and information technology in order to get back in business with minimal disruption if disaster strikes.

While it may seem this is similar to other standards in the market, there are some notable differences.

“BS25999 is unlike other directives, policies or standards that are prescriptive in nature,” said Bob Reilly, senior associate at Booz Allen Hamilton. “It is a management standard that audits processes and procedures to establish and maintain a continuity program.”

Those who complete the BS25999 procedures can apply for certification through BSI. External auditors will evaluate an organization’s business continuity management process. If certification is achieved, it can provide suppliers, investors and clients assurance that rigorous methods will be used to protect the organization in the event of a disruption.

“The standard audits continuous process improvement and compliance to corporate policies, unlike other certifications or audits that just represent a snap-shot in time,” said Reilly.

According to the BSI website, the auditors will be looking for documented evidence that processes are in place and will bring technical experts with them to ask why particular decisions were made.  

Whether the BS25999 standard becomes a hit in North America remains to be seen. Organizations who are interested should discern the differences between this standard and others that are available on the market and make decisions on what, if any, works best in their organization.  

For further input and comparison on the BS25999 standard, visit the ongoing discussion at www.drj.com.

Continuity Corner #12

Wednesday, January 23rd, 2008

PL 110 – 53 Title IX

On Aug 3, 2007, President Bush signed into law ‘PL110 – 53 Implementing Recommendations of the 9/11 Commission Act of 2007’. One of the provisions of the law – Title IX - was to call for businesses of all sizes to voluntarily plan for and be prepared for a disaster or emergency.

A key provision of Title IX directs the Department of Homeland Security (DHS) to create a voluntary certification program for private sector preparedness. This program should be developed with mutual cooperation between DHS and qualified private sector entities.

To this end a number of initiatives have begun, including a national forum sponsored by the Sloan Foundation. Their findings were published in the last couple of weeks and can be found at http://www.nyu.edu/intercep.

Having recently participated in BSI’s October launch of BS25999 - Business Continuity Management System, I whole-heartedly agree that a standard is needed that is developed by knowledgeable parties and allows for accreditation of the company, and not the continuity professional who developed a company’s plan. It is through this type of company accreditation that businesses large and small can build plans based on a common framework. This consistency of framework then allows companies to speak a consistent language and address continuity issues throughout the supply chain.

BS25999, which places emphasis on the creation of a management system which provides for continuous improvement and also provides an auditable standard for a company’s Business Continuity Management effort, is a good example of a standard that allows companies flexibility to develop their plans and yet provides a common guide to those plans. Another benefit of the standard is that it provides a company focus to move the plan from a project to an integrated part of the company’s overall management system.

It’s an exciting time to be part of the Business Continuity Community, with the legislative and private sectors moving closer to an understanding that businesses need BC Management in order to ‘Expect the Unexpected’ and respond appropriately.
