In this episode of the Managing Uncertainty Podcast, Bryghtpath Principal & Chief Executive Bryan Strawser discusses supply chain resiliency.
What lessons do we need to mind in order to avert the next supply chain crisis?
Related Episodes & Blog Posts
- Blog Post: Your Supply Chain May Not Be As Resilient as You Think
- Blog Posts: Evaluating Business Continuity Programs: Is your Business Continuity Program ready for the next Disruption?
- Episode #106: Rethinking Business Continuity in the age of COVID-19
- Episode #108: Trends in the Post-COVID New Normal
- Episode #128: A conversation with Steve Raffe of StarLeaf
Episode Transcript
Hello and Welcome to the Managing Uncertainty podcast. This is Bryan Strawser, Principal and Chief Executive here at Bryghtpath. And in this week’s episode, I want to talk about how your supply chain may not be as resilient as you think it is.
“Companies routinely exaggerate the attractiveness of foreign markets, and that can lead to expensive mistakes.” That’s a quote from Pankaj Ghemawat, Global Professor of Management and Strategy at NYU’s Stern School of Business. His statement makes it sound like a roundup of recent supply chain woes during the height, at the hands rather of the COVID pandemic. But it comes from his prescient warning to industries sounded almost 20 years ago in his landmark article in Harvard Business Review, Distance Still Matters: The Hard Reality of Global Expansion.
Now, we’ve all learned the hard truth behind Pankaj’s prediction, and we’re asking ourselves what other lessons we need to mind to avert the next supply chain crisis. A critical one, in our humble opinion as business continuity and crisis management professionals, is that your business is only as resilient as your third parties. And if you’re leaving them out of your business continuity and crisis management planning process, your business might not be as resilient as you think. Here’s what you need to know.
The first is the hidden supply chain risks of working with third parties. The question I often ask companies as we’re talking about this is if they outsource their IT work. It’s cost-effective and it gets you the expertise you need when your bench may not be particularly deep. But what happens when your IT vendor’s operations come to a halt during a global cloud outage? Or a blizzard or a tornado or a flood shuts down a data center? Or perhaps you rely upon a third-party logistics firm to get your products from manufacturer to the shelf. When their distribution center comes to a standstill because truck drivers are scarce or a government shutdown frustrates custom clearances, does your logistics firm have a backup plan? Or will your shelves just be empty as a retailer?
Businesses today can’t escape the reality of working with third parties, whether suppliers, vendors, service providers, or otherwise. These can help you scale cost-effectively, expand important capabilities and expertise, and ease the path of entry into new markets. But working with third parties comes with its own share of risks. As the COVID supply chain crunch has taught us, many businesses overlook the need to account for the resilience of their entire supply chain ecosystem when they think about their business continuity and resiliency planning process. Here are some practical steps you can take to better understand the resilience of your third parties and in doing so improve your ability to navigate the next crisis.
The first is to shore up supply chain risk at the program level. The first step to supply chain resilience is making sure everyone in your organization is on the same page. At the very least, you should have a strong partnership between procurement or vendor management, or whatever you might call it in your company, maybe it’s called sourcing, and your business continuity team in establishing minimum continuity requirements and assessing and monitoring vendors.
Part of this collaborative process should include establishing minimum requirements of your vendors. Here are four things to think about there. Providing crisis and continuity plans applicable to the services they provide to the organization or at least a certification statement if they won’t share their plan. Documenting and describing their crisis management approach and how they will escalate and coordinate with your organization. If you find that they’re relatively immature in their resiliency planning, they should minimally provide a continuity statement or program summary along with a commitment to annually review and discuss their process and steps for improvement. Third, a summary of recent resiliency exercises or tests, including the scope results, after-action report, and specific action items. And lastly, a commitment to participate in annual resiliency exercises with your organization, including the after-action process and carrying out action items to address observations or findings, especially for new, what I would think of as tier-one vendors, your big service providers.
Don’t forget to involve your legal team in this planning process. You will want to have contractual clauses that ensure compliance with the above minimum requirements and a way out if they’re unable to meet your requirements in the long run.
Two, you should identify vendors that have a high-disruption impact. Now, I often see businesses make this mistake. As they’re focusing their resiliency diligent efforts, they focus on the top vendors by volume or spend. But most big vendors are large and complex enough to have a good business continuity program in place. They’re not typically the vendors that you’re going to need to be the most concerned about. If you focus your diligence efforts on mere business volume, you may end up wasting time and resources on relatively low-risk vendors while letting more risky but lower-volume vendors slip through the crosshairs of your resiliency planning efforts. A better strategy is to identify particular third-party providers whose disruption would have the most impact on your company’s operations. I call those your tier-one vendors. When working with our clients, that’s how I describe them. Those are the ones that you want to focus your attention on.
In assessing the potential impact of your vendors and providers in terms of your resiliency efforts, you should think about four things. Which vendors or providers are intricately involved in your critical business processes? Do they have the ability to sustain services in the event of a disruption? If they don’t have a good business continuity or disaster recovery capability, are they willing to invest in making improvements? And if they aren’t, are there alternate providers that you can partner with instead? Once you’ve identified and assessed the resiliency of these tier-one vendors, you should layer on additional vendor requirements to mitigate those risks and shore up your plans. That might include requiring them to produce additional plans for review and discussion or requiring them to consult with your vendor management team about their resiliency planning and the escalation path to your organization.
Third, conduct joint exercises with your vendors and providers. Exercising your business continuity and crisis management plans is the only way to truly know if they’re going to work. Exercising your plans can help reveal gaps that need to be addressed and build the muscle memory that your team needs to respond smoothly when a disruption occurs. Including your key vendors and providers in your business continuity and crisis management exercises is often overlooked by most businesses, but conducting these exercises together with your third parties is critical to bringing alignment to your collective crisis response and resilience capabilities. Conducting joint business continuity and crisis management exercises with your key vendors and providers can also facilitate new insights and channels of communication that improve your working relationship and your effectiveness even outside of a crisis.
At an internal level, we recommend that you conduct these exercises on a monthly or quarterly basis. When including external parties, coordinating that many exercises might just be impractical. But we suggest that you do conduct joint exercises with them at least on an annual basis. Failing to include key vendors and providers in your resiliency planning is a lot like locking your front door but leaving the garage door wide open. When disaster strikes, you may quickly find out the hard way that your business is only as resilient as your third parties if you have not included them in your planning process.
Effective business continuity planning requires a holistic approach to assessing your dependencies, risks, and business continuity and crisis response. Here at Bryghtpath, we can help you assess the supply chain risks of your key vendors and create a holistic plan for resiliency. Learn more about our capabilities and contact us at bryghtpath.com.
That’s it for this edition of the Managing Uncertainty podcast. We’ll be back next week with another new episode. Be well.
