The Art of Risk Assessment and Business Continuity
|19 June, 2013|
Previously I've written about increasing the assurance that your business continuity plan will work for yourselves, your senior management, and your customers. Another direction is to seek to reduce or eliminate a major indirect source of risk: suppliers!
Suppose the manufacture of your widgets depends upon 10 key suppliers. These suppliers may supply parts, or critical services. If you don't have any of these products or services, you can't make widgets.
Suppose that there is a one-in-a-hundred chance that the supplies from one of your suppliers suffers some disaster or catastrophe that affects supplies. With ten suppliers, you now have a scary one-in-ten chance that your manufacturing operations will be disrupted due to supply chain problems. That risk probably outweighs any risk that your operations will be disrupted due to an incident at your own facilities.
How do you protect against disruption of supply? There are a number of common strategies:
There is, however, another strategy to consider: can we decrease the risk that the supplier's operations are disrupted, or assure ourselves that the risk is in fact low enough to be disregarded?
This is a problem similar that faced by the quality assurance movement some time ago. If a product depended upon the quality of tens or hundreds of components, then the ultimate quality was determined not by the manufacturer, but by the manufacturer and all the component suppliers.
The solution? Push back the quality assurance requirement onto the suppliers to reduce the risk of receiving a faulty component. Hence the ISO 9000 movement.
For BCP a similar strategy can be used. If a supplier is critical to your operations and can't be second-sourced, then that supplier should (at the very least) have a business continuity plan in place, and that plan should be independently reviewed to ensure that not only is it practical, but that it will minimize the disruption to customers.* It's not as effective at reducing risk as second-sourcing or keeping stockpiles in inventory, but it may be the cheaper and thus more acceptable option.
*People often remark on my inclusion of this requirement. The reason is this: it's quite a rational risk management strategy to decide that, in the event of a major disaster, you will collect the insurance, cease operations, and shut up shop. With a product or operation that is only marginally profitable, it is probably a strategy that you yourself would adopt. However, while such a strategy is good for you it isn't good for your customers.
Michael Z. Bell
You can comment on this article at the Risky Thinking Blog.
[ Back To Top ]
Note. Where trademarks are mentioned, they belong to their respective owners.
© Albion Research Ltd. 2013