Many organizations today aim to make operations as lean as possible. But, in doing so, are these organizations unknowingly increasing the risk of operational downtime and excess cost? Due to streamlining operations and eliminating redundant activities or suppliers, one misstep or disruption (either internally or externally), can result in time-consuming and costly operational delays, or much worse, impact market positioning or even threaten the survival of the organization.
This perspective is part two of a supply chain risk management-focused series called “Risky Business”. In part one, Managing Third-Party and Supplier Risk, we discussed the importance of protecting your organization from risks associated with a dependence on suppliers (and service providers), as well as how to analyze potential impacts and prioritize these risks.
In this perspective we’ll discuss the specific business continuity strategies and risk treatment options available to mitigate the risk associated with supplier dependencies to an acceptable level.
Even though this perspective summarizes proven examples of third-party risk mitigation strategies, it is important to remember that there is no “one size fits all” approach for mitigating risk while appropriately managing supply chain costs. The process of remediating risk while simultaneously reducing cost and complexity is a balance that requires a customized approach to align risk management and organizational strategy.
KEY SUPPLIERS AND RISK MITIGATION STRATEGIES
Who are your key suppliers? For purposes of this article, key suppliers represent external product and service providers that, if unavailable for any reason, would disrupt your organization’s ability to perform operations and meet stakeholder obligations. Utilizing a business impact analysis (BIA) and risk assessment, identify your organization’s key suppliers and provide risk ratings based on measurable impact and likelihood ratings.
Once you have a clear understanding of your critical suppliers, consider whether each supplier is sole-sourced, single-sourced, or multi-sourced in order to identify the remediation strategies available to your organization. Although not specifically outlined as a strategy option below, your organization always has the option of simply accepting the risk. For suppliers outside of your organization’s risk tolerance, choose remediation strategies to reduce risk to an appropriate level.
A sole-source supplier is the only supplier capable of providing a specific product or service to your organization. The following list provides strategies that can be used to remediate the risk associated with the loss of a sole-source supplier:
**Note: Strategies 1-3 can also be applied to single-source and multi-source suppliers.
- Safety Stock (Product Suppliers Only)
If the identified supplier provides a physical product (rather than a service), a potential risk mitigation strategy is to hold safety stock. Holding safety stock is a cost-risk decision, meaning, the more stock held, typically the more cost (storage, management, sorting, etc.); however, in the event of a supplier loss, an appropriate safety stock enables your organization to continue using the product and sustain operations for a longer period of time.
- Service Level Agreements – Downtime Allowance
Defining downtime tolerance within service level agreements (SLAs) incentivizes the supplier to recover and provide the product or service within a defined period of time. Having downtime tolerances (and even performance levels) defined in an SLA typically encourages the supplier to invest in business continuity planning and provides compensation if a supplier does not perform. However, in the event a supplier is not able to (or elects not to) meet service level agreements and simply accepts the penalty, the penalty may only insure against losses for the specific supplier’s product or service. This strategy may not mitigate or compensate for downstream impacts to processes or products/services reliant upon the supplier.
- Ensure Supplier Business Continuity Capabilities
Coordinate with your supplier to review their business continuity program to ensure that their capabilities meet your organization’s requirements. If possible, this is best to do before contracting with a supplier. Ensuring your supplier’s business continuity capabilities are in line with service level agreements increases the likelihood of your supplier recovering within your business requirements. For more information, read: The Top Five Questions to Ask Your Critical Suppliers.
- Bring It In-House
Based on the dependence to the supplier and your organization’s risk tolerance, the above strategies may not mitigate the risk to a tolerable amount. If this is the case, consider the ability of your organization to move production of the supplied product within your organization. Often, this is a costly and complex option to mitigate risk; however, when absolutely necessary, it provides control of both the product and recovery capabilities.
- Redesign the Process or Product/Service (last resort)
If any of the previously mentioned strategies are either not feasible or do not remediate the risk to a tolerable amount and your organization cannot accept the risk, consider redesigning the process or even the product or service that your organization provides so that it is not dependent on the supplier.
A single-source supplier is the only supplier chosen by your organization to provide a specific product or service, although alternate suppliers are available and can be used. The following list provides strategies that can be used to remediate the risk associated with the loss of a single-source supplier:
**Reminder: Strategies 1-3 noted in the sole-source suppliers section above can also be applied to single-source supplier relationships.
- Plan – Supplier Replacement
Time is money. Depending on the criticality or time-sensitivity of the product or service provided, every minute counts when it comes to recovering operations. Documenting a plan detailing recovery strategies that contain approved alternate suppliers prior to a supplier disruption greatly reduces downtime. Typically, the process of identifying, approving, and contracting with a new supplier is a lengthy process that prolongs downtime. So, thinking ahead is key.
- Consider a Multi-Source Structure
Consider how quickly and effectively the supplier can be replaced. Even with proactive planning, replacing a supplier may still require an intolerable amount of time to shift to the alternate supplier and resume normal operations. If this is the case, consider the cost-risk tradeoff of becoming multi-sourced for that specific product or service. If your organization decides against multi-sourcing, treat the supplier as a sole-source supplier and apply the sole-source strategies noted in the prior section.
A multi-source supplier is one of several suppliers used for a specific product or service. The following list provides strategies that can be used to remediate the risk associated with the loss of a multi-source supplier:
**Reminder: Strategies 1-3 noted in the sole-source suppliers section above can also be applied to multi-source suppliers.
- Geographical Location
Multi-source suppliers can provide redundancy in the event one is unavailable; however, if the disruption is due to a natural disaster or inclement weather, it is likely that any suppliers in the same area would be affected. By ensuring suppliers are geographically disbursed (and inventory is appropriately geographically dispersed as well), your organization decreases the risk of multiple supplier outages at the same time.
- Contract Language – Volume Shift
In theory, if one multi-source supplier is unavailable, service or product volume could be shifted to an alternate supplier already in use; however suppliers may not have the capacity or capability to take on the excess volume. Due to little lead time, suppliers may also charge a higher rate. To mitigate these risks, coordinate with the supplier to understand their capabilities and define volume shift strategies in your supplier contracts to ensure your suppliers are aware of your strategies and a price can be agreed upon prior to a disruption. If suppliers are unable to take on excess volume immediately, consider treating this supplier as a single-source supplier and see strategies in the above section. Additionally, consider asking suppliers to produce and store product and make it available in the event of a disruption.
- Plan – Supplier Shift
Assuming volume shift strategies have been defined in supplier contracts or alternate suppliers can quickly take on excess volume, develop a plan for shifting volume to approved suppliers to ensure a quick recovery at time of disruption. Again, the process of identifying, approving, and contracting with suppliers can slow the recovery process, so a proactive approach and defining strategies in a documented plan decreases the recovery time.
Being reactive to supplier disruptions can lead to extended downtime and an inability to meet required service or production levels. Proactively identifying suppliers requiring further risk mitigation and defining strategies ahead of time allows your organization to recover faster and with less impact in the event of a disruption.
And, even though this perspective summarizes proven examples of third-party risk mitigation strategies, it is important to remember that there is no “one size fits all” approach for mitigating risk. You must evaluate and customize the strategies described in this perspective to align to your organization’s risk tolerance and supplier relationships.
Business continuity and IT disaster recovery planning is all that we do. If you’re looking for help with building or improving your business continuity program, we can help.
Please contact us today to get started. We look forward to hearing from you!
ISO Technical Specification Release:
On September 16, 2015, The International Organization for Standardization (ISO) published a technical specification (aligned to ISO 22301) addressing the topic of supply chain continuity. You can learn more here:
Societal security — Business continuity management systems — Guidelines for supply chain continuity