1. Business Continuity and the Supply Chain
We all know that Business Continuity is not the highest of priorities for business departments, although it is
becoming more so in certain industries, and it is likely that your organisations Business Continuity manager
has been through the business continuity lifecycle for your department. When the BC manager went through
the lifecycle he asked for your requirements in the event of an incident affecting your normal operations, the
things that you do on a day to day basis, in your normal place of work.
Well that’s business continuity covered for the year then…..or is it?
To my mind, as a BC practitioner for over twenty five years, there are two other aspects that a BC manager
should be talking to Procurement departments about, namely protecting the supply chain and
Procurement’s role in the event of an incident which might be over and above what is currently in the plan.
Intrigued, read on….
So, before we talk about the above points in more detail I’d like to consider some of the basics. Firstly how
do you define the scope of goods / services that you need to ensure that supply chain continuity is in place
for? A good number of organisations remove the utility purchases, no I’m not talking electricity, gas, water
supply, more likely the equipment that you can buy off the shelf easily. Most Procurement Managers will
remove stationery suppliers, and other easily purchasable items, but I’d include the major of IT spend here
as well. This will sound contentious, especially as the majority of organisations are deemed in scope by the
amount of money that the organisation spends, but the truth is that the majority of IT equipment can be
brought from a good number of places although these won’t be your preferred supplier I bet that they will
deliver what you need in a very short time period especially if there is the chance of repeat business ahead
and you might even get it for less money!
Let’s continue to consider the selection process from a Procurement perspective. It’s likely that the scope
will be defined by the amount of money each supplier spends each year because the more they spend the
more important they are! Well, not necessarily, have you tried to engage your BC manager on what he
thinks are most important. If the BC manager is worth his salary he undertakes a Business Impact Analysis
with every department, or at least the important ones, and some of the questions he poses relate to
external goods/services and how necessary they are to that departments business process. He might even
be able to identify who uses those goods/services downstream within the organisation as the goods/services
might not be very important to one department but “key” to someone down the line. The key point here is
to engage your BC manager, ask him what goods/services he thinks are important, on behalf of the rest of
the organisation. He might not give you all the answers you need but you might have enough leverage to
make him get them for you. This is a worthwhile exercise if nothing else it shows a joined up approach (and
thinking) but it will inevitably highlight some extremely interesting suppliers, who might have been out of
scope from a monetary perspective but are, for a business operability sense, actually key.
Having identified what goods/services that are in scope from a BC perspective the next consideration is to
confirm what you are trying to protect against – this can range from the suppliers occasional inability to
deliver, through to repeated late delivery, or to cover sub-standard quality and finally if the supplier fails.
There are different strategies to mitigate the impacts of all of these and this white paper will not indicate
what they should be, if nothing else as they will be specific to your organisation, each supplier and the
relative importance of the goods/services.
We can now loop back into the protecting the supply chain now that we know what types of impacts were
trying to mitigate, the goods/services that are important and who supplies them.
2. During the procurement process it is likely that some basic BC questions have been asked about the
organisations who are looking to supply those services but have the right questions been asked. Typically
procurement questions cover - do you have a BC plan, can we have a copy, has it been tested, if so, when
and can we have a copy of the results. Firstly not many organisations will share their BC plan – it’s generally
a confidential document and covers lots of information that the supplier is not going to share- for example,
that most organisations will not recover all their services immediately, and certainly won’t be generating the
same amounts of goods or services. So the right questions need to be focussed on the goods/services that
you are trying to procure so what is the BC plan for the stuff that your organisation is interested in, and the
test results that provide evidence that goods/services will be available when needed. You could also ask
observe their next BC exercise to get some re-assurance that the plan actually works, and more importantly
that the supplier cares about you.
It’s time for the killer question – which no one really ever asks – we have established that the supplier will
continue to offer goods/services to you in the event of an incident, but we also know that most
organisations will not resume full delivery of goods/services in the direct aftermath of that incident. So what
happens if you’re expecting these goods/services at the time that the incident occurs – you might get them
or you might not. You need to find out if you will or won’t because your business is depending on them! This
will come down to your relative priority at the time of the suppliers incident. That’s a scary place to be
in………
Onto another point, having found out about the goods/services that you are contracting for you’ll need to
decide how far back up the supply chain that you want to investigate, for example if you are buying a
dealership you can investigate them, but the car is made of thousands of parts. Let’s look at one part - the
bumper, this is made of plastic from one supplier (if you’re lucky), but is painted. This is purchased from a
supplier as a complete item however they only make the plastic part - the undercoat comes from one
supplier, the top coat from another and the polish over the top comes from a third. You can see how this
widens the scope out from just buying the car from the dealership.
The penultimate point I’d like to make is, once you’ve signed on the dotted line with the selected supplier,
who has the ongoing responsibility to ensure that the BC capability that you’ve investigated is still in place in
6 months, a year or two – every organisation re-organises and changes regularly, and inherent with that is
the BC capability. If you think that it is the BC managers responsibility you might just want to ask him if its
within his scope and if so how far up his priority list is this activity because I can imagine that he will always
have a lot on his plate.
My final point loops right back to the Procurement BC plan and what happens if an incident stops you from
doing your role. If your place of work is the same place that goods/services are delivered to and used who is
going to engage with each business unit to check that they have the right goods/services available to them,
to check with each supplier to check that deliveries are still coming, to tell them to deliver elsewhere or to
stop, to find other suppliers because they are also affected by the same incident…..
May be another chat with the BC manager is in order…..
Ian Ross FBCI, CITP, MBCS, CISA
Strategic Account Manager
AIControlPoint