No one company can deliver end-to-end products and/or services in today's complex business environment. Therefore, most organizations have a supply chain that is a mix of competencies, from manufacturing to professional advisory services, and this has created critical supply chain interdependencies. Of paramount concern today is assuring supplier continuity capabilities. Simply having profiles of potential high-risk suppliers, while extremely important, is by itself not enough.
Developing business continuity strategies and embedding business continuity processes into an organization's procurement process can enhance the organization's ability to actively assess and monitor vendor capabilities. By creating a flexible framework for augmenting, retaining or shedding vendor competencies in order to assure supply chain integrity, the organization can meet customer demand and customer expectations and generate consistent performance.
Four basic assumptions form the underlying premise for this article:
- Complexity: Companies today are complex, and their procurement processes are complex management systems operating within multiple networks
- Touchpoints: All of a company's touchpoints (downstream and upstream) within its networks must be considered to effectively evaluate risks, threats, hazards and vulnerabilities to determine the effects and consequences of degradation on the entire system
- Responsiveness: Actions at any given level within the network may be inadequate unless the entire network responds in kind
- Resource Constraints: Most levels and groups within the company, and the supply networks supporting the company, lack the resources and specialized skills to know what to do to maximize operational resilience within the network
The integration of vendor business continuity capability as part of the procurement process is becoming an integral part of company strategy. Effective business continuity strategies, like supply chain assurance, need to be designed. Integrating business continuity principles and concepts into a company's business portfolio planning process and at each stage of the product/service lifecycle can provide opportunities to enhance the procurement process, allowing a company to deliver superior product and/or service solutions to its customers.
Touchpoints Internal and External
Identifying procurement touchpoints (internally and externally) needs to be one of the first steps in the process to assure that key continuity concerns are adequately addressed. Internal touchpoints may include any part of the organization that has direct and/or indirect interface with the procurement process, such as customer relationship/service touchpoints, strategic planning, quality assurance, operations, human resources, legal, audit, and, in some instances, the officers and board of directors of the enterprise.
Identifying external procurement touchpoints may seem simple, but when you begin to identify vendors you have to realize the components that allow the vendor to get its product or service to you are also touchpoints. Therefore, identifying external procurement touchpoints becomes more complex. In addition, due to the popularity of outsourcing today, vendors are also outsourcing, so a tiered approach to identifying external procurement touchpoints can facilitate organizing the process.
Vendor Continuity Capability
Developing a vendor continuity capabilities questionnaire is another way in which vendors and internal stakeholders can provide a basis for moving forward. However, it needs to be carefully thought through. You are, in essence, creating a legal document that could contain sensitive information and must be protected. Your organization could also be held liable for not taking action to mitigate potential losses because of the type of information that you will collect in order to assess vendor continuity capabilities.
The length of vendor questionnaires will vary with the industry group represented and the depth of initial analysis that the procurement group chooses to perform. Generally, the questionnaires contain questions that are designed to require the vendor to provide quantifiable answers. Should the procurement group assessing the adequacy of the answers determine there is need for further analysis, a formal audit team can then be assembled to determine how to resolve the concern over vendor continuity capability.
During the course of assessment, data will be collected, analyzed and developed into assessment findings and recommendations regarding vendor continuity capabilities. The data should be organized by essential element of analysis (EEA) criteria that the organization establishes and uses to conduct data collection, analysis and evaluation. Some examples of typical EEA criteria are:
- Organization: refers to the current procurement process, vendor roles/responsibilities, and deliverables during the procurement process lifecycle and current criteria for the organization's business continuity programs and plans.
- Vulnerability Identification and Control: refers to establishing minimum acceptable criteria for vendor vulnerability identification and control methodologies as these methodologies relate to vendor business continuity programs and plans and the ability of the vendor to integrate its methodologies on a sustainable basis with the client's business continuity management strategy.
- Continuity Strategy and Approach: refers to the metrics developed and used to verify vendor integration of business continuity management program and plans with the client's business continuity management strategy.
- Documentation: refers to the documentation of vendor business continuity management program and plan capabilities.
- Resource Management and Development: refers to the metrics for vendor validation of staffing (business continuity staffing) and associated vendor integration of continuity planning, resource development and awareness of continuity.
- Continuity Maintenance: refers to the procedures used to assure resilience of the vendor continuity process.
Maintaining the Objective
The overall objective of integrating business continuity criteria is to facilitate the ongoing development and implementation of enhancements to the procurement process, including the program management (normal operations and incident management operations), stakeholder communication and knowledge transfer associated with vendor business continuity management programs for vendors operating within a company's procurement system.
In developing the overall design objectives, careful consideration should be given to ease of use by procurement staff, other personnel and external parties (as appropriate). Three elements associated with enterprise assurance apply:
- Strategic Element, consisting of support for compliance efforts, communications to stakeholders and strategic active analysis processes
- Grand Tactical Element, consisting of support for implementation efforts, sustaining business operations, internally focused communication and grand tactical active analysis processes
- Tactical Element, consisting of specific implementation steps, internally focused communication, external communications, mitigation of noncompliance/nonconformance and tactical active analysis processes (scorecards, vendor continuity questionnaire, etc.).
As with any process, negotiating continuity commitments may need to be addressed on a case-by-case basis. Once the evaluation process has been completed, it must be managed, enforced and monitored to assure continuity of operations compliance.
Procurement Planning Considerations
Procurement planning considerations will generally consist of the normal day-to-day functioning of the procurement process. Supply chain business continuity integration elements should consist of a tiered evaluation structure focused on four aspects:
- Comprehending and describing supply chain continuity requirements
- Conducting business continuity capability assessments
- Evaluating business continuity capabilities
- Identifying actions to be taken
Each phase of the procurement process can be designated an EEA, as previously defined. Each EEA should incorporate in the scorecard process a tiered analysis structure consisting of measures of effectiveness (MOE) and measures of performance (MOP) to provide metrics for facilitating the scoring of vendor and potential vendor business continuity capabilities. Measures of performance, which provide a quantitative basis for evaluation of a specific area, are grouped to form measures of effectiveness (see Figure 1).
Your company also faces a variety of risks, both internal and external, that have a potential impact on its supply chain assurance. The ability to manage them often is interconnected, so understanding this potential interconnectedness is a key factor in assessing vendor business continuity capabilities.
Internal and external vulnerability drivers can materialize in a variety of ways. Making vertical, horizontal and diagonal connections between drivers can provide a conceptual understanding and potentially reduce unexpected outcomes as you identify how risk is uniquely embedded in your company's supply chain.
Risk can be context sensitive, as risk elements interact in different ways, depending on the situation. Understanding the potential interaction of risk factors facilitates the ability to measure business continuity capabilities and plan for offsets that can be implemented should a disruptive event occur.
As depicted in Figure 2, Typical Procurement Process, the integration of recommended business continuity metrics in the procurement process should be related to the key elements of the procurement process. Incorporating the recommended business continuity capability assessment at each phase of the procurement process can help identify vulnerabilities, develop consequence management strategies and plans, and implement mitigation strategies.
Upon conclusion of the assessment at each phase of the procurement process, you can evaluate vendor business continuity capabilities, allowing a go/no-go decision based on measurable criteria. Prior to proceeding to the next stage in the procurement process, the vendor will have been vetted, and the next stage evaluation can allow you to continue to refine the vetting requirements and gather more detail on vendor continuity capabilities. Having an in-depth understanding of vendor capabilities at each phase of the procurement process can allow critical decision-making at earlier stages of procurement, thus enhancing communications between a company and its vendors regarding business continuity issues.
Embedding into the procurement process specific business continuity objectives, guidelines and assessment metrics can enhance decision-making, communications (vertical/horizontal) and resource management. In addition to the vendor continuity questionnaire, a company can develop worksheets that can be incorporated into each phase of the procurement process to further facilitate the assessment of vendor business continuity capabilities.
The benefit of having vendor continuity capabilities catalogued and indexed is threefold. First, the company can begin to assess and quantify the risk impact of an event. Second, it can determine how long the risk exposure will last before the event is mitigated and/or the exposure is rectified. Third, it can estimate potential recovery costs in terms of emergency actions.
It is also recommended that a company and its vendors negotiate periodic assessments of sub-tier vendors (vendor's suppliers) to further assure business continuity capabilities. This can be accomplished through contractual requirements executed at the initial stages of vendor engagement.
Procurement Incident Management Considerations
The second part of the procurement process relating to vendor continuity should address incident management considerations. A vendor can complete the vetting process and still experience a disruption that could affect a company's ability to meet customer requirements (e.g., Philips, Ericsson and Nokia). Having an incident management system as a component of the procurement process can allow a company to respond, recover and restore supply chain operations with less potential for massive disruption. Incident management can range from the assessment and classification of a vendor incident to implementation of response actions, such as sending personnel to vendor facilities to assist in incident mitigation processes.
Contingency alternatives can range from having backup response plans to alternative sources of supply. Once the connected risk themes are identified and evaluated, actions to address consistent themes throughout the procurement process can be taken. Identification of consistent risk themes across a number of risk dimensions can help to determine where a company should place significant effort to mitigate the risk exposure.
Disruptive events need to be classified by their level of severity in order to determine the potential impact they may have. A classification system can provide a consistent framework for evaluation; enhance the communication process, allowing ease of communication between internal and external groups; and can facilitate response, management, recovery and restoration efforts.
In addition to the event classification system, a company should incorporate an event assessment form to determine the event classification level and facilitate discussion within a company and with the affected vendor(s). The less prepared an organization is for service disruption, the longer it takes the organization to recover its operations and restore service levels; therefore, having a classification system can enhance the ability to identify potentially disruptive situations early and determine how to respond effectively to minimize the level of service impacts.
Early detection, classification and response can lead to less of a drop in service, a potential reduction in the chaos associated with a disruptive event, and shorter recovery and restoration timeframes. Figure 3 depicts the typical functions performed at various levels within an organization as it moves from response to restoration. The figure also depicts the focus for an organization at the tactical, grand tactical and strategic levels.
At the tactical level, the focus should be on event response and mitigation, while the need is for support from the next level (grand tactical). At the grand tactical level, the focus should be on support for the tactical response.
Additionally, at the grand tactical level the focus should be on the prevention of cascade and containment of cascade effects on the organization. At the strategic level the focus should be on management oversight, coordination and facilitation of restoration of services. It is important to note that a key element in this vertical and horizontal process of detection, classification, response, management, recovery and restoration is seamless communications. Seamless communication is based on the adoption of common terminology and on the functions represented at each level.
Phased Development and Integration
With any large-scale project, such as the integration of vendor business continuity criteria into the procurement process, attempting to implement on a grand scale can lead to chaotic results. A phased approach to implementation and integration can eliminate confusion and generally consists of five phases:
- Phase 1: Assessment & Vendor Continuity Questionnaire. Deliverable: letter report with executive summary that will include discussion and recommendations based on the results of the review of essential elements of analysis (report)
- Phase 2: Procurement Integration (vertical/horizontal). Deliverables: procurement management system, vendor business continuity management program and plan integration criteria guide (tools); and procurement management system, vendor business continuity management program and plan integration criteria guide training program materials (knowledge transfer)
- Phase 3: Monitoring & Enforcement. Deliverable: procurement management system, vendor business continuity management program and continuity plan integration criteria guide maintenance criteria (sustainability)
- Phase 4: Sustainability. Deliverable: periodic metrics, event response reports
- Phase 5: Maturity Model Evaluation. Deliverable: metrics for maintaining the process, change management procedures
Today, business leaders have the responsibility to protect their organizations by facilitating continuity planning and preparedness efforts. Using their status as leaders, senior management and board members can and must deliver the message that survivability depends on being able to find the opportunity within the crisis.
Many people feel that the world has changed as a result of the events that took place on September 11, 2001; that we need to rethink our concepts of continuity and crisis management. Today we cannot merely think about what can be planned or plan for the unthinkable, but we must learn to think about that which cannot be planned.
Market research indicates that only a small portion (5 percent) of businesses today have a viable plan, but virtually 100 percent now realize they are at risk. Seizing the initiative and getting involved in all the phases of crisis management can mitigate or prevent major losses. Just being able to identify the legal pitfalls for the organization by conducting a crisis management audit can have positive results.
About the Author: Geary W. Sikich is the author of It Can't Happen Here: All Hazards Crisis Management Planning. Sikich, founder and a principal with Logical Management Systems, Corp. (www.logicalmanagement.com), based in Munster, Ind., consults on a regular basis with companies worldwide on business-continuity and crisis management issues.