By MICHAEL HERRERA
Our supply chains have come under pressure like never before during the coronavirus pandemic. In today’s post, I’m going to look at vulnerabilities in the supply chain as revealed by the pandemic, the proper way to vet a third-party supplier, and what the future might hold in terms of companies’ use of third-party vendors.
The coronavirus pandemic has shown more than ever how important it is for companies to have a sound process for evaluating third-party vendors.
Unfortunately, the process for assessing outside suppliers has long been an afterthought at many organizations.
This attitude has come back to bite many organizations in recent months as one company after another discovered that their suppliers were not prepared to have people work from home and/or were incapable of providing goods and services at the necessary levels.
The pandemic has shown that for many organizations the weakest link is a critical but unvetted third-party supplier.
Over the past few months, the shortcomings of such suppliers have hindered the operations of many otherwise well-prepared organizations.
These companies have learned that chain pain—as in, supply-chain pain—is all too real and can be devastating.
UNDERSTAND YOUR SUPPLIERS
The message to business continuity planners is: it’s critical that you understand your suppliers, how important their products or services are to your operations, and how capable they are of recovering in the event of a disruption.
The pandemic will definitely put more pressure on BC people in terms of evaluating third-party vendors.
Moving forward, BC staff will have to master a whole new skill, that of assessing third-party suppliers.
Evaluating vendors has a lot in common with buying used cars. The evaluator has to be savvy, skeptical, and not afraid to look under the hood. The BC planner of tomorrow—and by tomorrow I mean today—will need to be good at evaluating documents, assessing capabilities, and spotting deficiencies.
HOW TO VET A THIRD-PARTY VENDOR
So how do you properly vet a third-party vendor? I’ve previously covered the subject in my posts on identifying your critical vendors and how to vet vendors. The topic is more urgent than ever in the COVID-19 environment, but the basics are unchanged.
Here’s a quick primer on how to evaluate an outside company that provides goods or services to your company:
- Determine how critical each vendor is to your organization. See this post for details on what this means and how to do it.
- Figure out what business units and processes the vendor supports.
- Determine the recovery time objective (RTO) the vendor needs to meet based on the business units and processes supported. (See this post for an explanation of RTOs.)
- Categorize your vendors as Critical, Important, or Other. Depending on how the vendor is categorized it must meet certain criteria:
  - Critical. Vendor must provide current business impact analysis (BIA), recovery plan, and annual live disaster recovery exercise results to prove ability to meet or exceed RTO requirements.
  - Important. Vendor must provide current business impact analysis (BIA), recovery plan, and live disaster recovery exercise results every other year, to prove ability to meet or exceed RTO requirements.
  - Other. Vendor must provide current BIA and recovery plan and results of annual desktop disaster recovery exercise.
- Devise a regular maintenance schedule based on criticality.
- Incorporate language setting out your business continuity expectations for the vendor in your contract with them based on criticality (e.g., higher criticality requires stricter requirements for planning, testing, and maintenance).
SUPPLY CHAIN CRYSTAL BALL
Here are a few changes that I think will be coming to the world of vendor evaluation in the not-too-distant future, courtesy of the COVID-19 pandemic:
- Companies will start getting more serious about assessing their suppliers in terms of their business continuity planning.
- Business continuity language will increasingly appear in contracts with third-party vendors.
- There will be an even greater need for tools to help assess and report on third-party suppliers’ business continuity programs (such as our own BCMMETRICS Compliance Confidence tool).
- More companies will hire third-party business continuity consultants solely to provide comprehensive assessments of vendors’ resiliency.
- There will eventually be business continuity certification programs for vendors that will validate that their BC programs are built on a solid framework and aligned with industry standards.
- Supply chains will become a lot tighter so that organizations have more control over what goes on in them.
This last one might seem optimistic at the moment, but I believe it’s true: in the end this crisis and the adjustments we make in response to it will make us a more resilient nation.
STRENGTHENING THE WEAKEST LINK
The COVID-19 pandemic has highlighted how lax many organizations have been in vetting their third-party suppliers. Any company committed to its own resiliency should ensure the companies in its supply chain are sufficiently resilient.
The steps for doing this are well known. It’s a matter of assessing how important the supplier is to the organization, setting expectations for the supplier based on that assessment, communicating those expectations to the supplier, and verifying that the supplier can meet them. Third-party suppliers are frequently the weakest link in a company’s operations. By strengthening the weakest link, the organization overall will become stronger and more resilient.
For more information on supply chain problems, vetting third-party vendors and other hot topics in BC and IT/disaster recovery, check out these recent posts from BCMMETRICS and MHA Consulting:
- Key Players: The 7 Most Important Roles on Your Return-to-Work Team
- Learning from COVID-19: 7 Lessons for Business from the Pandemic
- Let’s Get Critical: Identifying the Vendors You Truly Depend On
- 6 Tips to Help You Vet Your Third-party Vendors
- How to Stop Third-Party Vendors from Becoming Your Achilles’ Heel
Michael Herrera is the Chief Executive Officer (CEO) of BCMMETRICS and its sister company, MHA Consulting. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud-based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought-after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.