Resilience by design: Why supply chain resilience begins with the contract

Foreword: In this three-part series David Window FBCI explores the concept that supply chain resilience begins with the competitive process that leads to an agreement. This article explores the essential role that contracts play in supply chains, from procurement processes and service level agreements to supplier performance and outsourcing and associated risks. By examining industry best practices and international standards, David highlights the need for a cohesive approach that integrates procurement, business continuity, and legal expertise. Understanding these elements is key to building a resilient supply chain that can withstand challenges and ensure sustainable operations.
The second article in the series examines how business impact assessments and service level agreements can support supply chain resilience, and the final instalment provides practical guidance for practitioners on strengthening supply chain resilience through effective contractual processes.
What constitutes a supply chain?
A meaningful debate on this topic should begin by establishing a shared understanding of what we mean by a ‘supply chain.’ I would argue that procurement and supply include not only the responsibilities of the procurement professional but also the logistical and warehousing components of supply and distribution. Together, these elements form what we commonly refer to as ‘supply chain’.
Discussions around the supply chain often focus on the physical flow of goods. This approach concentrates on mapping supply chain risks across geographical and geopolitical landscapes. While this perspective is important, I believe it overlooks a vital starting point: the procurement process. This is where the supply chain begins—and it should be recognised as an integral part of the supply chain process.
Supply chain resilience: the missing link to procurement collaboration
The activities leading up to a contractual agreement—whether through quotations, formal tenders, or the specific requirements of public sector procurement such as transparency, probity, and propriety—are vital components of any supply chain.
This perspective is reinforced by best practice frameworks such as the BCI Good Practice Guidelines (GPG) Edition 7[1] and international standards such as ISO/TS 22318:2021 – Security and Resilience: Business Continuity Management Systems – Guidelines for Supply Chain Continuity Management[2]. As the title suggests, this standard focuses on resilience rather than risk, and explicitly includes contractual elements related to sourcing and supply. Resilience guidelines and regulations emphasise that contractual risk must be addressed, not simply the geographic location of a supplier.
Enhancing supply chain understanding via category management
Category management is a key procurement technique used by some procurement professionals to analyse spending patterns and understand market dynamics. Procurement professionals often think in terms of supply chain ‘tiers’, and the BCI Supply Chain Report 2024[3] highlights that incidents most frequently occur within these layered tiers of a chain.
This makes a category manager an important figure in supply chain mapping—capable of identifying the number of tiers, discovering weaknesses, and recognising single points of failure within the chain. This approach shifts the focus from traditional risk and geopolitical mapping to a more granular understanding of the true architecture of supply.
Important questions arise here:
- How many suppliers operate in each tier?
- Is the Tier 1 (direct) supplier overly reliant on limited products or resources in lower tiers (Tier 2 and beyond)?
- Do suppliers in the lower tiers carry elevated risk profiles, including geopolitical vulnerability?
Although not all organizations benefit from a formal category management framework, ISO/TS 22318:2021 advises that risk should be assessed across at least three tiers—and beyond, where feasible. Organizations aligned with this technical standard are therefore encouraged to pursue a deeper understanding of their extended supply networks.
GPG Edition 7 echoes this need for collaboration and cohesion between procurement and business continuity professionals, emphasising that resilience is achieved when both disciplines are embedded in the procurement process.
The GPG V7 offers clear terminology to support this approach. For instance:
- Priority suppliers are defined as “those who support prioritised activities and are identified as having the greatest impact if they fail to deliver resources, thereby impacting the organization’s ability to deliver its own products or services”.
Notably, the GPG cautions against using the term “critical suppliers,” though the distinction between “priority” and “critical” remains blurred in practice. I would argue that “priority” implies a focus on time sensitivity rather than overall criticality.
- A Service Level Agreement (SLA) is defined as “a product or service provider and a client organization, aspects of which would include, quality, availability, responsibilities, and continuity capabilities, which are agreed upon between the two parties”[4].
It is worth noting that, in my view, GPG V7 relies heavily on the term “third-party suppliers,” which can obscure the contractual nuances and risks that begin at the procurement stage. This reinforces the earlier point that contractual risk—not just geographic or operational risk—must be fully considered in resilience planning.
Not everyone is a third party (but some are)…
The concept of “third-party suppliers” presents an inherent conflict when examined through the lens of contract law. If a Service Level Agreement (SLA) is, by definition, an agreement between two parties, then the question naturally arises: who exactly are the ‘third parties’?
This question opens the door to a broader legal and operational debate, but for now, let’s focus on why this distinction is important. At the heart of any contract lies the principle of ‘privity of contract’—meaning that only those who are party to the contract can enforce its terms or be held accountable for its obligations.
If an SLA is indeed a bilateral agreement, then any so-called ‘third party’ cannot arbitrarily be included. Instead, to be recognised legally, a third party must meet the conditions outlined in the rights of third parties—typically requiring a two-branch test within the terms of the contract itself. That is, they must either be explicitly named, or the contract must clearly intend to confer a benefit upon them.
While I must clarify that I am not legally trained, I would encourage readers to seek advice from qualified legal professionals to confirm the implications. Why does this matter? The reason is clear: this is a form of contractual risk and therefore, must be considered a core element of supply chain resilience.
Risks of labelling everyone as a third party in contracts
I have been asked many times why the use of the term ‘third party’ matters. It matters because most agreements are between two parties[5], and there are potential legal consequences when entities are said to be third parties. For example, in the UK the ‘Contracts (Rights of Third Parties) Act 1999’ is an Act of Parliament ‘to make provision for the enforcement of contractual terms by third parties’. Put simply, prior to this Act a third party had few, if any, rights within the contractual arrangement. Since the creation of the Act, those stated in the agreement to be third parties now have rights. This legislation is mirrored globally. Check your organization’s standard terms and conditions and you may find there is a specific term and definition to limit third party risk.
Let’s take an example: you have a contract with a bank, which makes two parties. The bank promotes the use of a credit card provider which is utilised by both parties. Here, the credit card provider is the third party. It’s worth noting that the finance sector also uses the term ‘third party’, and more recently ‘Critical Third Party’, which is defined as a party that could create a material breach of contract (of course, you then need to decide what is considered ‘material’).
However, the Prudential Regulation Authority and the Australian Prudential Supervisor (APRA) use the terminology differently. If only the world could agree on terminology! The point, however, is that risk and resilience are the common denominator. Regulators want supply chains to minimise risk and to be able to prevent, adapt and respond, through greater clarity on risk and resilience in supply chains. Therefore, legal entities matter contractually, as they are part of the risk landscape.
If you are in the finance sector, you will also hear and see ‘fourth party’ and ‘fifth party’. These are ‘tiers’ of supply that may present a risk in themselves, not necessarily in terms of legal risk, but rather as concentrations of risk or single points of failure.
Concluding thoughts
We often focus on the visible aspects of the supply chain—logistics, geography, and supplier location—yet the foundations of resilience are laid much earlier, within the contractual and procurement processes that shape the chain itself.
By recognising the importance of contractual risk, privity, and supplier engagement at every tier, practitioners not only strengthen their ability to respond to disruption but also move toward a more strategic, integrated model of resilience by design. Collaboration between procurement and continuity professionals is not just helpful—it is essential. If we want to build truly resilient supply chains, we must begin by contracting for resilience.
[2] ISO/TS 22318:2021 - Security and resilience — Business continuity management systems — Guidelines for supply chain continuity management
[4] Good Practice Guidelines (GPG) Edition 7.0 | BCI / ISO 22318:2021
[5] Good Practice Guidelines (GPG) Edition 7.0 | BCI (as defined in regards to service level agreements)