|
Reviewing Continuity in the Supply Chain |
Most organisations have a high dependency on external suppliers of goods and services in order to function efficiently and meet their objectives. However this dependency is often taken for granted and overlooked as a potential source of disruption to the organisation’s critical activities.
The new British standard for business continuity management, BS25999, advocates that loss of the supply chain be considered as part of your organisation’s business continuity management process. This article provides some guidance on how to conduct the supply chain review.
1. Determine Who Your Key Suppliers Are
Either as part of the business impact analysis interviews, or through separate discussions with relevant representatives from across the organisation, determine who your key suppliers of goods or services are. This is achieved through noting the suppliers each business area depends on to maintain continuity of its critical activities and agreeing the negative impacts, over a timeline, which would result should loss of supply actually occur. For each supplier the recovery time objective, i.e. the time at which the supply of goods or services must be resumed in order to keep impacts within acceptable limits, can then be plotted.
Suppliers which would have an unacceptable impact on continuity of the organisation’s critical activities should be highlighted as being key suppliers. It is also worth including suppliers which are either very small in size, so called “one man bands”, or which own exclusive rights to the supply of goods or services they provide as such suppliers tend to represent a higher risk by virtue either of being more exposed to a single incident which results in an outage of supply to you or there being no obvious alternative sources of supply to replace them.
2. Analyse Key Suppliers
Once you have created a list of those suppliers identified as key in step 1 above, you should now examine each one in turn to review the supplier’s continuity capability. This can be achieved through reviewing their business continuity plan and talking through with them how they would ensure continuity of supply should adverse situations arise. Examples of other questions to ask are: -
What contingencies do they have available to provide continuity of supply of goods or services should the primary site where they deliver their goods or services from be put out of use?
What resilience to failure measures do they have in place in order to reduce the potential for service or supply outages to occur?
What roles and responsibilities have they in place to respond to a major incident?
Do they have a business continuity management policy in place?
What response plans do they have in place to cover incident management, business continuity and IT service continuity?
How often do they test their response plans and what were the results of the most recent tests?
How often do they review their response plans and when was the last review undertaken?
Is there a history of business continuity incidents occurring or near misses? If so, how were these handled?
Do they operate from one location in respect of the goods or services they provide to you?
What is their strategy for coping with the loss of key people?
How would they cope with a loss of supply of goods or services from their own supply chain?
What is the maximum time that supply to you would be disrupted given the supplier’s continuity capability?
If you have a large number of key suppliers to review, an alternative way of asking the questions is to develop a questionnaire and send this out, following up with those suppliers where queries arise or there is doubt whether or not your organisation’s recovery time objectives cannot be met.
3. Determine Coping Strategies
The above analysis will highlight where there are gaps between the recovery time objectives of your organisation and the capability of suppliers to meet these objectives. The next stage is to find ways of eliminating the identified gaps. For each supplier where a gap has been identified, consider the following: -
Is there an alternative source of supply available at short notice? If there is, then firm up on, and document, the alternative source to ensure that this would be readily available following a loss of supply from the primary supplier.
If there isn’t an alternative source of supply available at short notice, consider the following: -
Can reliance on the supplier or the consequent negative impacts of a supply disruption be reduced, for example through changes to critical activities which depend on the supplier or through increasing internal stock holding of goods etc.?
Can a work around be developed to allow you to cope with the maximum downtime which the supplier’s continuity capability would dictate? For example, if it would take them one week to re-establish their supply to you following an incident, a one week workaround is required
Can the services provided be brought in house to eliminate the reliance on the supplier?
Ultimately, is your senior management team willing to accept the current risk exposure? If so, then there is little point in creating coping strategies which imply investment as these are unlikely to be approved. However you may still want to consider coping strategies, such as workarounds, which imply little financial outlay.
When negotiating the contractual agreement with new suppliers or novating existing agreements, care should be taken to state expectations clearly with regard to continuity of supply and service levels. It is also preferable to include a “right to audit” clause to enable periodic reviews to be conducted which will help ensure that the supplier is fulfilling its contractual obligations over time.
Through conducting a review as outlined above, you can help your organisation to align with BS25999 and ensure continuity of business should one of your key suppliers experience a disruptive event.
Brian Davey
Consultant, Teed Business Continuity
April 2008 |
BS25999 - What is it and is it relevant to my company? |
BS25999 is the British standard for Business Continuity Management and is likely to become an international (ISO) standard in due course. It lays claim to being the fastest selling British standard of all time and comes in two parts:- BS25999-1:2006 is the Code of Practice which lays out how you should implement business continuity management in your organisation. BS25999-2:2007 is the “Specification for Business Continuity Management” which lays out what you must do in order to show compliance with the standard.
Formal accreditation with the standard is available for organisations who wish to be able to demonstrate that they have in place a robust business continuity management system.
A copy of the two parts of the standard can be purchased via The_BSI
Is it relevant to my company?
We need to start with a formal definition of business continuity management (BCM). According to BS25999, BCM is “an holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities”.
In other words, BCM aims to create a resilient organisation which is able to avoid unplanned downtime and, should a serious incident occur, can recover from it through keeping negative impacts within acceptable levels. Implementing BCM is not just about recovering from disasters. Rather it tries to keep operational outages at a minimum, thus saving the rework, missed deadlines, upset customers, direct financial loss, reputational damage etc. which can result from outages.
BS25999 aims to move BCM forward from previous guidance on the subject, for example PAS56, through also incorporating continuity for key resources on which the organisation depends to keep its critical activities going, such as employees and suppliers of goods and services.
Although there do not appear to be any obvious moves afoot at present, the existence of the standard may in time lead to organisations having an expectation, or even formal contractual agreement, that suppliers and business partners are able to demonstrate alignment with the standard, if not formal certification.
So BCM should be an essential process within every organisation. Unless that is your organisation never experiences operational interruptions and you can guarantee that you will never experience a serious incident…
If you want to review your BCM process in the context of BS25999, whether or not you wish to pursue accreditation, please feel free to contact us.
Brian Davey
Senior Consultant
12/12/07
|
Bird Flu – should we still be worried? |
So much has been said, written and watched about avian influenza or bird flu that it is difficult to work out what is actually going on. Is this just another flash-in-the-pan media scare story that will disappear without trace or is it really likely that a disease could wipe out significant numbers of the world’s population?
The answer is that this is not going to go away anytime soon. It is a very real threat; to all of us, of all ages, in all walks of life, all around the world.
Influenza pandemics have affected the global population on three occasions over the last one hundred years. The most devastating was in 1918 when the ‘Spanish Flu’ outbreak killed up to 40 million people throughout the world. This pandemic and all previous pandemics were caused by the type A flu virus and is also the usual source of ‘ordinary’ flu epidemics.
Flu viruses have the ability to change which is why they can become so deadly. Mutations of a virus that has originally only occurred in birds can acquire genes from viruses that only infect other species. This unique ability to jump the species barrier enables the type A virus to cause pandemics as a new sub type virus emerges with sufficient human genes to be easily transmitted from person to person.
We will have little or no immunity to a totally new strain of virus and hence the virus will be able to spread easily and quickly without discrimination. An incubation period of 1 to 3 days will mean that people can pass on the disease without being aware that they are infectious. An effective vaccine can only be produced once the strain has emerged which takes around 6 months to manufacture and even then it is unlikely that quantities will be sufficient.
The lethal strain of bird flu that we have heard so much about is fast becoming a major killer of birds throughout the world. Millions of birds have either died or been destroyed as a result of outbreaks in dozens of countries since the A/H5N1 strain emerged in South East Asia in 2003, before spreading to Europe and Africa. It is not only chickens who have the disease, but ducks, geese, swans and other wildfowl have been infected and can be carriers of the virus. There are also reports of a cat and a dog having died from the disease in 2006.
Until January 2006, the only reported cases of humans dying from the virus were in Asia where they had been in close contact with infected poultry. Since then, cases have occurred in Europe and Africa although experts say H5N1 has been largely “dormant” in recent months. This does not mean the virus has gone away, but that more vigilance has kept the situation at bay. As Dr Alan Hay at the WHO influenza centre said “We don’t know what’s smouldering away in some part of the world we can’t keep our eye on.”
The major concern now is that with each reported new human case there is an increased chance of the feared human mutation emerging. In November 2006, scientists in the US and Japan found that samples taken from patients in Thailand and Vietnam were genetically different to strains in chickens. Although the virus was still unable to move freely from person to person, the mutations were steps towards a pandemic strain. To quote Yoshihiro Kawaoka who led the study, “We are watching this virus turn itself into a human pathogen.”
Should the worst case scenario happen and a pandemic outbreak occurs somewhere in the world, it would only be a matter of time before it reaches the UK and then only weeks before the disease spreads through the country. By which time it will be too late to take mitigating actions. Far better to plan now by identifying the critical processes that have to continue and assessing the impacts of up to 50% less staff being available to carry out these functions, possibly over 6 months or more.
The impacts will not just be due to the unavailability of your own staff; a globally reduced workforce would inevitably cause disruption to transport, supplies, utilities, schooling, medical facilities, etc.; basically the entire infrastructure could be affected. The financial implications of reduced trading could be disastrous for some companies who may simply be unable to recover.
So yes, we should still be worried about a pandemic and should continue to be so. Every effort should be made now to combat the potentially devastating effects to the business community. Planning to mitigate the impacts of a pandemic is absolutely imperative to give organisations the ability to maintain business continuity, protect their staff and safeguard assets in the event of a pandemic outbreak.
|
|
 | |  | |
Reviewing Continuity in the Supply Chain |
| Most organisations have a high dependency on external suppliers of goods and services in order to function efficiently and meet their objectives. However this dependency is often taken for ... |
| |  | |  |
|
