Let’s talk about resilient suppliers
For many years now we have been living in a hyperconnected and globalised environment, where we can consume resources that are created far away from our "borders" or physical limits. Therefore, disruptions in places that we may have previously considered remote, can now directly affect us.
In the same way, we can apply this reality to the supply chain/outsourcing of services, where we collaborate with a multitude of companies, some even "delocalised", and generate dependencies that must be managed if we want to be resilient. Without saying the hackneyed phrase — "we are only as strong as the weakest link in the chain" — we must consider that we will be as resilient as the links (or alternatives) of our external dependencies.
Regulatory bodies, control entities, and other institutions with the capacity to legislate or propose new standards have also turned their attention to the supply chain and the need to manage it seriously. As a result, and although it is not really a new topic, requirements on the governance and control of suppliers are being incorporated in an increasingly explicit manner, so that this type of risk is, at last, being managed.
“We will be as resilient as our suppliers are”
Few organizations today can boast of being self-sufficient. In one way or another, there is always some dependence on a third party (communications, power supply, infrastructure, cybersecurity, etc). Although many years have passed since Business Continuity (BC) dealt with the different scenarios that this implies, we cannot continue any longer without taking action and applying the appropriate measures to be more resilient, despite being dependent.
Without pretending to be exhaustive, some of the measures that could be implemented to improve our supply chain resilience are:
Having a catalogue:
Not just a simple inventory, but a categorised list of suppliers that gives us precise information about each of them and indicates their criticality for the business, beyond the typical information kept in an inventory.
This catalogue of providers should help in managing the risk involved in subcontracting with each of them. Suppliers can be categorised in several different ways or by a combination of them (turnover, access to sensitive data/information, essential service, etc), but a criticality/sensitivity rating must always be assigned so that risk management can be carried out throughout the outsourcing life cycle. This indicator may vary during the supplier-customer relationship, even depending on the service provided, but it is a simple source of information that unequivocally identifies the impact that this supplier could cause.
Risk management – prior to hiring
Once you know the type of service being requested, the sensitivity of the service for the organization, and the needs that the supplier will have to carry out the service/project (access to data, facilities, etc), you can begin to manage the risk prior to contracting.
This prior knowledge, alongside the information supplied by the product/service provider about its current situation in terms of information security, BC, cybersecurity, privacy, etc (information beyond its financial statements), will allow us to include certain requirements in the contracting conditions. These include risk mitigation measures for the dependencies assumed through subcontracting, which can be tailored to the impact that an incident involving the supplier would cause, and joint action plans that both parties agree on.
Risk management – during the project/service
Sometimes we commit the sin of assuming that, once a contract has been signed, the full responsibility for everything going well belongs to the supplier. We forget the risk management that the acquired dependency entails.
During the life cycle of the project/service, it is necessary to monitor the supplier to keep the risk assumed up to date.
Some examples of this activity are: periodic follow-ups in which the risks detected in the initial phase are addressed, supplier audits, reviews of the status of any action plans, etc. It is important to prioritise the idea of collaboration over supervision, as it is not about being judges but about working together toward greater resilience.
Risk management – upon completion
Although it seems obvious, this phase is often largely forgotten, both in terms of information transfer and of service transition when there is a change of provider. This stage may involve a request for data deletion and/or the return of devices, as appropriate. It is therefore necessary to accompany the supplier through this final phase of the service/project so that it is managed correctly.
In addition, it is always highly recommended to have an exit strategy, especially with regards to the most sensitive providers.
None of the above is really new, and there are different standards and regulations that ‘require’ or ‘advise’ how to deploy a methodology that allows for both managing the supply chain and the relationship with suppliers. The key is to apply it and stop thinking: "that's the provider's problem."
In short, and given that no one is exempt from being the next to suffer a disruption that affects our customers, it is essential to lay the foundations for managing the relationship with the suppliers that make up the entire supply chain. It is necessary to be aware of the shared responsibility and to work as true partners for the common good of a safer and more resilient environment.
Get involved in BCAW 2023.