Business Continuity and Resilience Blog


Supply Chain Resilience

Posted by John Robinson on August 12, 2015


In my experience, rarely do we consider the whole supply chain management picture, a complex system that we totally rely on.  In general, we’re only truly aware of the activities of the handful of organisations we deal with directly as individuals.  We believe in trusted procurement processes, confident that each vendor’s products and services will be delivered on time, and that supplier relationship management will ensure things run smoothly, no matter what.  But stringent tests are usually applied only at the beginning of a relationship and can’t easily pick up subsequent changes in markets, management or standards by our most critical vendors, nor can they see far down the supply chain.  As a result, we’re often left in the dark regarding this important segment of business continuity risk. 


Supply chains aren’t necessarily fragile, but neither are they bulletproof.  However, they are diverse, with a fan of inter-woven links connecting frequently dissimilar enterprises across the globe.  They scale exponentially, and by this I mean that each of our 20 most critical suppliers has its own set of 20, and so on down the chain, each of which we ultimately rely on.  We each sit within our own unique web, where just a few steps take us into territory where we have little or no direct control.  And because of the confidentiality agreements we and others impose, there is every chance that our twice-removed vendors have no idea we rely on them and do little to protect us.

The apparent stability of supply chains is brought about by the reserves, stockpiles and insurances held by many organisations, absorbing shocks before they transmit and cause damage to their own and others’ fragile reputations.  However, we can’t assume this will happen universally, and the large number of critical components in a typical supplier network means that the likelihood of failure remains material.  And we can’t tell where and when a breakdown might occur since we don’t have the information.  We wouldn’t dream of flying blind in any other business situation, so why here?

Numbers Game

We fight shy of managing supply chain resilience, perhaps firstly because we lack evidence and secondly because of the apparent scale of the task.  We have a multitude of direct and indirect suppliers, but limited time, funds and capacity with which to manage the risks they present.

To make the numbers manageable, we are obliged to prioritise, and it makes sense to do this based on the risk and impact associated with individual supplier failure, resulting in a critical supplier list.  Taking this list as a whole, we must then ensure, firstly, that the accumulated supply chain risk contributes acceptably to the organisation’s risk appetite and, secondly, that the impact of failure of any supplier or cluster of suppliers falls within our available economic capital or impact tolerance.

Business Impact Analysis (BIA) is a natural feed into this activity, providing us with source data.  It asks each business process owner which suppliers they rely on, recording how impacts would accumulate following a worst-case failure by each vendor, and after how long non-supply becomes intolerable for the organisation.  We can then profile all shortlisted suppliers, including those relied on by multiple processes, populating, updating and refining our list.

But what if we find that a clutch of sub-critical suppliers rely on the same provider of raw materials, or what if a cluster is for some reason co-located?  A remote upstream failure could give rise to an unacceptable cumulative hit, suggesting that the source provider may also need to appear in our list.  Taking this a step further, what if an entire market segment becomes destabilised and a vital commodity that we rely on, such as transport, platinum or computer chips, becomes unavailable or in short supply?  Clearly we need to take into account concentration risks of all types, but to do this we need to have vision beyond our direct suppliers.  We need transparency.

In a similar vein, organisations can inflict altogether different impact patterns when they fail individually.  For example, the demise of Northern Rock and Lehman Brothers each triggered a widespread collapse, amplified by media coverage and speculation.  Shocks reverberated around the financial system as confidence evaporated, with impacts on markets, incomes and prices in all sectors.  Compare this to the failure of a small highly specialised firm with a handful of medium-sized customers;  the effects may be scarcely detected by dependents more than one or two links away, absorbed as the system seeks to heal and protect itself.  Yet one or two strategic dependents may be severely affected, finally closing as unique component stocks run dry.   We can’t assume stability.

Perversely, the stability sought during due diligence procedures can introduce unplanned-for competition and shortages.  This occurs when disruption affects the supplier, and potentially many of their largest customers – referees whom we looked to as a sign of integrity – unexpectedly become our competitors.  Where do we now stand in the pecking order?

From these illustrations, we can see that managing supply chain resilience requires insight, understanding and patience.  However, it is a natural extension of established business continuity methods, and this is indicative of a possible approach.

Facing Up

We need to gain clarity and certainty with a thorough risk assessment.  First, we need to know that internally, best practice steps are being taken to limit the impact of any supplier failure.  There is a range of instruments available to do this, including contract provisions, insurances, alternate vendors, stockpiles, self-sufficiency and so on.  These can be combined, forming strategies that may be applied to potentially multiple vendors with similar risk profiles.  Each has the effect of pushing suppliers back down the list and, in some cases, below the critical threshold, reducing the scale of activity required.

Second, we need to know that externally, each vendor has done all it can to minimise the likelihood of its failing to provide the service levels we need – building our confidence in its ability to recover in time.  In the simplest terms, the vendor must therefore:

  • Guarantee to restore the services we rely on to agreed levels and in acceptable timeframes
  • Take best practice steps to limit its continuity risk and become resilient
  • Apply these same requirements to all its critical suppliers

But can we do this without imposing an unacceptable workload?  One labour-saving approach might be to leverage the RFP we used to select each vendor, as it may well contain the business continuity capability parameters that we need.  However, we should remember that:

  • RFP is usually a self-contained one-time activity, whereas supplier risk changes continually
  • RFP scope rarely extends to the supplier’s own supply chain and may not review their BIA
  • Suppliers want your business and RFP commitments may not always be fulfilled as expected

An alternative might be to audit and benchmark each potentially critical supplier, assigning a rating based on demonstrable capability and alignment with a recognised standard, such as BS 25999.  However, this is potentially some days’ or weeks’ work for each vendor and may need to be repeated relatively frequently.  It is likely to be prohibitively expensive for all but super-critical vendors, particularly bearing in mind that some may be located overseas.

Supply Chain BIA

Perhaps the best way to manage supplier resilience uses a blend of the approaches discussed here, drawing on BIA, RFP and formal review.  Combine these with the evidenced self-assessment approach already used by some leading organisations, and it’s possible to gain clarity whilst sharing the workload.  This can be summarised in three steps:

  • Create a Supplier BIA that identifies the list of critical suppliers, and subsequently contains analysis of their collective responses. 
  • Encourage critical suppliers to Self-Assess their resilience, potentially sharing this data with other downstream entities in their supply chain.  This identifies vulnerabilities, promotes improvement and saves time.
  • Physically inspect a small percentage of vendors as part of a resource-managed supply chain continuity assurance programme.  This validates and acts as an incentive to comply.

This approach raises questions about exactly which information we collect, how we process the self-assessment returns, and the contractual or voluntary basis under which we operate the system.  However, it has some potentially worthwhile benefits:

  • Reduces the need for labour-intensive reviews of many suppliers
  • Increases our potential vision beyond direct or first tier suppliers
  • Systematic and repeatable, aligning with current best practice
  • Provides a single consistent view for customers, allowing useful comparisons to be made

Finally, if you’re tempted to ignore the supplier issue, remember that no organisation exists in isolation.  We rely inescapably on our suppliers to keep us fed continuously with information, components and services.  We owe it to ourselves to understand our supply chain and build certainty that vital links will always remain intact. 
