Risky Thinking
Tools and Ideas for Risk Assessment and Business Continuity
2 September, 2014

Taking BCP to the Next Level: Suppliers

Once you have your own business continuity plan in place, another way of taking business continuity to the next level is to seek to eliminate or reduce a major source of indirect risk: suppliers.

Previously I've written about increasing the assurance that your business continuity plan will work for yourselves, your senior management, and your customers. Another direction is to seek to reduce or eliminate a major indirect source of risk: suppliers!

Suppose the manufacture of your widgets depends upon 10 key suppliers. These suppliers may supply parts, or critical services. If you don't have any of these products or services, you can't make widgets.

Suppose that there is a one-in-a-hundred chance that any one of your suppliers suffers some disaster or catastrophe that affects supplies. With ten suppliers, you now have a scary one-in-ten chance that your manufacturing operations will be disrupted due to supply chain problems. That risk probably outweighs any risk that your operations will be disrupted due to an incident at your own facilities.

How do you protect against disruption of supply? There are a number of common strategies:

  1. Inventory levels. Going against the just-in-time philosophy is the idea of keeping sufficient items in inventory to guard against supply chain disruption. Inventory takes up space and costs money, but it does guard against short term supply disruption.
  2. Second Sourcing. At one time electrical components wouldn't even be considered for a design unless the component had a "second source", a second manufacturer who could supply the component. With the advent of custom chips, this is no longer a consideration. But when possible the availability of an alternative source, even a more expensive one, substantially reduces risk. A disaster would have to strike both suppliers at the same time for the product to be unavailable.
  3. Design Escrow agreements. Common in the software industry, an escrow agreement makes supplier design information available in the event that the supplier is not able to fulfill their supply agreement. This opens up the possibility of obtaining an alternative source of supply, although with manufacturing it may take a long time for more goods to become available.
  4. Keeping backup designs, custom jigs and molds off-site. Keeping backup copies of designs off-site is obvious. Keeping spare custom jigs and molds (which may take many weeks to reproduce) off-site allows another manufacturer to be contracted at short notice to produce the items. As well as being slow to reproduce, jigs and molds may be expensive, so this isn't always a viable strategy. But if you own the jigs and molds used by your suppliers to supply custom products, this is a possibility.

There is, however, another strategy to consider: can we decrease the risk that the supplier's operations are disrupted, or assure ourselves that the risk is in fact low enough to be disregarded?

This is a problem similar to that faced by the quality assurance movement some time ago. If a product depended upon the quality of tens or hundreds of components, then the ultimate quality was determined not by the manufacturer alone, but by the manufacturer and all the component suppliers.

The solution? Push back the quality assurance requirement onto the suppliers to reduce the risk of receiving a faulty component. Hence the ISO 9000 movement.

For BCP a similar strategy can be used. If a supplier is critical to your operations and can't be second-sourced, then that supplier should (at the very least) have a business continuity plan in place, and that plan should be independently reviewed to ensure that not only is it practical, but that it will minimize the disruption to customers.* It's not as effective at reducing risk as second-sourcing or keeping stockpiles in inventory, but it may be the cheaper and thus more acceptable option.


*People often remark on my inclusion of this requirement. The reason is this: it's quite a rational risk management strategy to decide that, in the event of a major disaster, you will collect the insurance, cease operations, and shut up shop. With a product or operation that is only marginally profitable, it is probably a strategy that you yourself would adopt. However, while such a strategy is good for you it isn't good for your customers.

Michael Z. Bell
May, 2011


© Albion Research Ltd. 2014