Supply Chain Resilience: You may not be as resilient as you think

“Companies routinely exaggerate the attractiveness of foreign markets, and that can lead to expensive mistakes.” -Pankaj Ghemawat, Global Professor of Management and Strategy at New York University’s Stern School of Business.

Ghemawat’s statement sounds like a round-up of recent supply chain resilience woes at the hands of the COVID pandemic crisis.

Yet it comes from his prescient warning to industry sounded nearly two decades earlier in his landmark article, “Distance Still Matters: The Hard Reality of Global Expansion.”

Now we’ve all learned the hard truth behind his prediction.  And we’re asking ourselves what other lessons we need to mind to avert the next supply chain crisis.

A critical one (in our humble opinion as business continuity & crisis management professionals) is that your business is only as resilient as your third parties.  And if you’re leaving them out of your business continuity and crisis management planning process, your business might not be as resilient as you think.

Here’s what you need to know.

The Hidden Supply Chain Risks of Working With Third Parties

Do you outsource the bulk of your IT work?

It’s cost-effective right now and gets you the expertise that you need when your bench isn’t particularly deep.

But what happens when that IT vendor’s operations come to a halt in a global cloud outage? Or a blizzard, tornado, or flood shuts down a regional hub?

Or perhaps you rely on a third-party logistics firm to get your products to shelf.

When their distribution center comes to a standstill because truck drivers are scarce or a government shut-down frustrates customs clearance, does your logistics firm have a backup plan? Or will your shelves just sit empty?

Businesses today can’t escape the reality of working with third parties, whether suppliers, vendors, service providers, or otherwise. They can help you scale cost-effectively, expand important capabilities and expertise, and ease the path of entry into new markets.

But working with third parties comes with its share of risks.

And as the COVID supply chain crunch taught us, many businesses often overlook the need to account for the resilience of their entire supply chain ecosystem in the business continuity and resiliency planning process.

Here are some practical steps you can take to better understand the resilience of your third parties and in doing so, improve your ability to navigate the next crisis.

3 Ways to Improve Your Supply Chain Resilience

1.   Shore up supply chain risk at the program level

The first step to supply chain resilience is making sure everyone in your organization is on the same page. At the very least, there should be a strong partnership between procurement or vendor management and your business continuity arm in establishing minimum continuity requirements and assessing and monitoring vendors.

Part of this collaborative process should include establishing minimum requirements of vendors, to include:

• Providing crisis & continuity plans applicable to services they provide to the organization (or a certification statement if they refuse to share)
• Documenting or describing their crisis management approach and how they will escalate and coordinate with your organization. If they’re relatively immature in their resiliency planning, they should minimally provide a continuity statement or program summary along with a commitment to annually review and discuss their process and steps for improvement.
• A summary of recent resiliency exercises or tests, including the scope, results, after-action report, and specific action items.
• A commitment to participate in annual resiliency exercises with your organization, including the after-action process and carrying out action items to address observations and/or findings (especially for tier 1 vendors).

Don’t forget to include your legal team in the planning process.  You’ll need to have contractual clauses to ensure compliance with the above minimum requirements, and a way out if they’re unable to meet your requirements in the long run.

2.   Identify vendors with a high disruption impact

I often see businesses make the mistake of focusing resiliency diligence efforts on their top vendors by volume.  But most big vendors already have a good business continuity program in place. They’re typically not the vendors that you need to be concerned about.

If you focus diligence efforts on mere business volume, you will likely end up wasting time and resources on low-risk vendors, while letting more risky but lower volume vendors slip through the crosshairs of your resiliency planning efforts.

A better strategy is to identify particular third-party providers whose disruption would have the most impact on your company’s operations. We identify these as “Tier 1 vendors” when working with our clients to develop their business continuity and crisis management programs.

In assessing the potential impacts of your vendors and providers on your resiliency efforts, you should consider:

• Which vendors and providers are integrally involved in your critical business processes?
• Do they have the ability to sustain services in the event of a disruption?
• If they don’t have a good business continuity and/or disaster recovery capability, are they willing to improve it?
• If they aren’t, are there alternate providers that you can partner with instead?

Once you’ve identified and assessed the resiliency of your Tier 1 vendors, you should layer on additional vendor requirements to mitigate those risks and shore up your resiliency plan.

These might include requiring Tier 1 partners to produce additional plans for review and discussion or requiring them to consult with your vendor management team about their resiliency planning and their escalation path to your organization.

3.   Conduct joint resiliency exercises with your vendors and providers

Exercising your business continuity and crisis plans is the only way to truly know if they work. Exercising your plans can help reveal gaps that need to be addressed and build the “muscle memory” that your team needs to respond smoothly when a disruption occurs.

Including your key vendors and providers in your business continuity and crisis management exercises is often overlooked by most businesses. But conducting these exercises together with your third parties is critical to bringing alignment to your collective crisis response and resilience capabilities.

Conducting joint business continuity and crisis management exercises with key vendors and providers can also facilitate new insights and channels of communication that improve your working relationship and effectiveness outside of a crisis response.

At an internal level, we recommend you conduct exercises on a monthly or quarterly basis. When including external parties, coordinating that many exercises may be impractical.  Still, we suggest that you conduct joint exercises with your key Tier 1 vendors on at least an annual basis.

Protect Your Investment in Resiliency and Your Business

Failing to include key vendors and providers in your resiliency planning is a lot like locking your front door but leaving the garage wide open.

When disaster strikes, you may quickly find out the hard way that your business is only as resilient as your third parties if you’ve failed to include them in the resiliency planning process.

Effective resiliency planning requires a holistic approach to assessing your dependencies, risks, and business continuity and crisis response.  Learn more about our approach and thought process around business continuity in our Ultimate Guide to Business Continuity.

Brygthpath can help you assess the supply chain risks of your key vendors and create a holistic plan for resilience.  Learn about our business continuity & crisis management services, then contact us for an initial conversation.