The length of vendor questionnaires will vary with the industry group represented and the depth of initial analysis that the procurement group chooses to perform. Generally, the questionnaires contain questions designed to require the vendor to provide quantifiable answers. Should the procurement group assessing the adequacy of the answers determine that there is a need for further analysis, a formal audit team can then be assembled to determine how to resolve the concern over vendor continuity capability.
During the course of assessment, data will be collected, analyzed and developed into assessment findings and recommendations regarding vendor continuity capabilities. The data should be organized by essential element of analysis (EEA) criteria that the organization establishes and uses to conduct data collection, analysis and evaluation. Some examples of typical EEA criteria are:
- Organization: refers to the current procurement process, vendor roles/responsibilities, and deliverables during the procurement process lifecycle and current criteria for the organization's business continuity programs and plans.
- Vulnerability Identification and Control: refers to establishing minimum acceptable criteria for vendor vulnerability identification and control methodologies as these methodologies relate to vendor business continuity programs and plans and the ability of the vendor to integrate its methodologies on a sustainable basis with the client's business continuity management strategy.
- Continuity Strategy and Approach: refers to the metrics developed and used to verify vendor integration of business continuity management program and plans with the client's business continuity management strategy.
- Documentation: refers to the documentation of vendor business continuity management program and plan capabilities.
- Resource Management and Development: refers to the metrics for vendor validation of staffing (business continuity staffing) and associated vendor integration of continuity planning, resource development and awareness of continuity.
- Continuity Maintenance: refers to the procedures used to assure resilience of the vendor continuity process.
Maintaining the Objective
The overall objective of integrating business continuity criteria is to facilitate the ongoing development and implementation of enhancements to the procurement process, including the program management (normal operations and incident management operations), stakeholder communication and knowledge transfer associated with vendor business continuity management programs for vendors operating within a company's procurement system.
In developing the overall design objectives, careful consideration should be given to ease of use by procurement staff, other personnel and external parties (as appropriate). Three elements associated with enterprise assurance apply:
- Strategic Element, consisting of support for compliance efforts, communications to stakeholders and strategic active analysis processes
- Grand Tactical Element, consisting of support for implementation efforts, sustaining business operations, internally focused communication and grand tactical active analysis processes
- Tactical Element, consisting of specific implementation steps, internally focused communication, external communications, mitigation of noncompliance/nonconformance and tactical active analysis processes (scorecards, vendor continuity questionnaire, etc.).
As with any negotiation process, continuity commitments may need to be addressed on a case-by-case basis. Once the evaluation process has been completed, it must be managed, enforced and monitored to assure continuity of operations compliance.
Procurement Planning Considerations
Procurement planning considerations will generally consist of the normal day-to-day functioning of the procurement process. Supply chain business continuity integration elements should consist of a tiered evaluation structure focused on four aspects:
- Comprehending and describing supply chain continuity requirements
- Conducting business continuity capability assessments
- Evaluating business continuity capabilities
- Identifying actions to be taken
Each phase of the procurement process can be designated an EEA, as previously defined. Each EEA should incorporate in the scorecard process a tiered analysis structure consisting of measures of effectiveness (MOE) and measures of performance (MOP) to provide metrics for facilitating the scoring of vendor and potential vendor business continuity capabilities. Measures of performance, which provide a quantitative basis for evaluation of a specific area, are grouped to form measures of effectiveness (see Figure 1).