Showing posts with label Professional Hints and Tips. Show all posts

Monday, 20 May 2013

Business Continuity relationship with other activities

John Bartlett CBCI, DBCI
BC shares common goals and objectives with other management activities. When implemented correctly and with maturity, BC can provide significant benefit through the sharing of key information and the prioritisation of activities.

The Business Continuity Institute (BCI), a recognised world leader in setting and communicating best practices for BC, states that an organisation’s vulnerabilities in its business and operating model can be categorised into seven areas: Reputation, Supply Chain, Information and Communication, Sites and Facilities, People, Finance and Customers. It can be argued that the categories of Technology and Processes should also be included in this list. Anything that can affect one or more of these categories can potentially disrupt the organisation and therefore should be reviewed and/or considered by the organisation’s BC.
That does not mean that the BC function should manage areas that could introduce a vulnerability under these categories, but it does mean that BC should perform a Quality Assurance and Governance role to ensure activities that could introduce vulnerabilities are being performed correctly, diligently and with the necessary controls. This will ensure BC remains a pro-active measure within the organisation as well as a reactive one. 
Looking at these vulnerabilities in more depth allows us to build an understanding of their relationship with BC, and therefore some of the considerations required when conducting a BC risk assessment as well as performing the on-going BC management:
Reputation & Customers
Any activities that are customer facing (such as product or service quality and reliability, help desk, websites, branches, sales people, reception desks) could impact the customers’ perception of the organisation and therefore the organisation’s reputation. This could result in negative publicity, which would require management attention and could lead to more wide-scale impact and disruption.
Supply Chain
Selection and management of suppliers is an important quality criterion; get it wrong and you place your organisation in jeopardy. Therefore due diligence of suppliers, and confidence in their ability to deliver reliable, quality services and have their own risk management and BC in place (for continuance of services to you in the event of an incident), is critical. Being able to monitor and measure supplier performance (quality and reliability) and ensure controls are in place will help identify issues early and enable proactive management before an incident becomes a crisis. This may require specific contractual clauses in supplier agreements. For BC, spreading key supplies across suppliers and identifying alternative suppliers will also help manage the risks.
Information and Communication
Ensuring that key information is identified (e.g. during the BIA) and has the necessary controls for safe and secure storage, retrieval and preservation will help ensure the information can be available if something goes wrong.
Communication is vital in today’s world of technology. Maintaining contact details for key suppliers and staff, and maintaining contact even following disruption, is critical. Problems often occur with communication links, so controls should be in place to protect them, and alternative links or methods of communication which can be relied upon in the event of an incident should be in place (e.g. email, SMS, GSM, fixed line, data links, satellite links/phones).
Sites and Facilities
Building and site facilities are essential for the smooth running of organisations and numerous resilience options are available from UPS systems and backup generators to spreading occupation over multiple sites. However, the right controls should also be in place to manage and maintain the sites, conducting risk assessments before maintenance work is carried out, notifying stakeholders and ensuring that only authorised or appropriate people conduct work or have access to facilities. It should not be forgotten that BC recovery facilities require the same level of maintenance and control as primary sites.
People
People are sometimes referred to as the ‘life blood’ of organisations, therefore it is important to develop resilience and protection for them. This should include implementing Health and Safety (HSSE) to protect their wellbeing, providing suitable training to remove single points of failure (knowledge), improving staff morale and job satisfaction to reduce staff turnover rates, and ensuring BC requirements are included in job responsibilities and performance measurement. Assessing these is all part of the BC risk assessment as they could contribute to significant risks in the organisation.
Finance
Financial due diligence of suppliers as a control helps protect the organisation. But BC also requires budget: without the right budget facility, BC can itself become a risk to the organisation, as information and facilities may not be maintained as required and therefore not be available when needed following a disruption. Also, the information from the BIA should help prioritise expenditure on risk reduction and resilience for critical activities and facilities to help protect the organisation from disruptions.
Technology
Ensuring controls and resilience over technology and infrastructure is paramount in protecting an organisation and developing resilience. This should include regular backups of systems, maintaining IT DR systems in line with primary systems, including BC and DR assessments in projects and changes, ensuring security and access controls are in place to provide protection, controlling and managing the desktop environment at normal and business recovery locations, and ensuring focus on the critical systems identified during the BIA and CRA.
Processes
A breakdown in a process often results in a disruption to the organisation. Therefore processes should be designed with controls in place and, wherever possible, alternative methods for conducting an activity. All these should be documented with procedures to ensure consistency and enforce controls, and should be maintained.
All of the above should be regularly monitored by the BC function to ensure the controls are in place, being managed and being maintained as they should be. The BC function should have the confidence that this is happening and the capability of escalating any problems if they are not.
BC cannot be implemented and managed in isolation. It holds critical information (from the BIA, RA and CRA) on the organisation, its critical activities, systems, information and suppliers. This should be shared with other management activities such as Enterprise Risk Management (ERM), IT, procurement and Quality Assurance, helping to focus controls, ensure prioritisation on expenditure, projects, etc. and enhance risk reporting. This helps to manage risk more effectively and ensures informed risk-based decisions are made, reducing the likelihood of disruption and the level of impact if it does occur. This is the proactive nature of BC and where it will truly add value to any organisation.
 
 

Friday, 17 May 2013

Embedding Business Continuity in the Organisation


 
John Bartlett CBCI, DBCI
Getting people to think about business continuity and include it in their daily lives is one of the most difficult and underestimated aspects of a business continuity programme, yet it can make or break the perception of how successful the programme is. It doesn’t matter how good your resilience and continuity are: if people do not know about it, what to do in an incident or how to maintain it, then you have failed to achieve some of the fundamental principles of implementing business continuity.

This requires communication in the form of education, training and awareness on your organisation’s business continuity at all levels: staff, management, Directors and key suppliers. Embedding business continuity in the organisation requires an organisational culture change. Organisational culture is often described as ‘the way we do things’, which can be broken down into a collection of shared values, working styles and patterns of behaviour, typically enforced by a set of strong social controls which establish behaviour and control the behavioural patterns. Industry experience has shown that behaviour change initiatives fail to achieve lasting commitment unless attitudes and beliefs are also engaged and corrected. One such attitude which occurs frequently as a barrier to BCM is: ‘it will never happen here’ or ‘it will never happen to us’. In 2003, when embarking on my first BCM project in Oman, I heard these exact comments when discussing BCM threats and risks relating to Cyclones, Hurricanes, floods, industrial disputes and civil disorder/strikes.
 
The extent of successfully embedding BCM into the organisation will be determined by the degree to which individuals change their behaviour, attitudes and beliefs. To measure and assess this we first have to establish a baseline for the level of current awareness. This helps develop a targeted training, education and awareness strategy and allows the measurement of change achieved through the program. This awareness assessment is similar to a Training Needs Analysis, which comprises:
  1. Identifying the current level of BCM awareness;
  2. Defining the desired level of BCM awareness;
  3. Understanding the nature and scope of the gap to be addressed between 1 & 2.
Once the gaps have been identified, it is a case of working out what needs to be communicated and the best way of doing it. This may also require some development in terms of the tools and techniques that will be used.
 
Embedding business continuity within the organisation is a battle of ‘hearts and minds’. People need to know what it is, what it does, what benefit it is to them and what could happen if it doesn’t work or is not maintained. The key messages that need to be delivered and understood can be summarised as the who, what, when, where and why of business continuity; the campaign (or project) will then define how these are best communicated. A key aspect is to ensure all the campaign activities are conducted in a clear, easy to understand and consistent manner so that no misunderstanding, mixed messages or confusion occurs.
 
Who
 
Simply put, who is responsible for what when it comes to business continuity. This includes: 
  • What are the roles and responsibilities for establishing and maintaining business continuity?
  • What are the roles and responsibilities for investigating, invoking and revoking business continuity?
  • Who has ultimate accountability for the above?
The above information may be broken down by function, job title and/or individual’s name, such as business continuity manager, department manager, internal audit, corporate communications, human resources, risk management, etc. It is also advisable to implement personal performance measurement criteria for each of these roles to assess whether these activities are being performed as required on an on-going basis. Lastly, there should be one named Senior Manager or Executive at the top level of the organisation who has accountability for business continuity.
 
What
 
This aspect should cover communicating what the roles will be required to do, such as maintaining BIA information, updating business continuity plans, maintaining recovery facilities, updating IT Disaster Recovery plans and facilities, conducting exercises and so forth. Each group of individuals identified above (in the Who section) will require specific briefing and clarification on what is expected from them in their business continuity role and how this relates to their day-to-day role.
 
In addition to the above roles, all the other staff will need an explanation of what they may be expected to do (for example, in the event of an incident await instructions from their manager, or after a fire evacuation wait at the assembly point for instructions).
 
When
 
Having determined and communicated who is involved in business continuity and what they are expected to do, it is important to let them know when they are expected to do it. This will include timing requirements for reviewing and updating: 
  • BIA and recovery requirements;
  • Business continuity risks;
  • Business continuity strategy;
  • Business and IT recovery plans;
  • IT Disaster Recovery and business recovery facilities;
 
It will also be necessary to communicate how and when issues and problems need to be escalated, to whom, how they will be managed and who is entitled to make decisions regarding business continuity, IT Disaster Recovery and the issues/problems.
 
Where
 
This part should communicate where people are expected to go in the event of an incident if business continuity is invoked. Should they go home, proceed to the business recovery site, meet at the nearest hotel, go to the IT Disaster Recovery site, etc.? A clear plan of who may be required to conduct essential activities, and when and where they will perform them, should be communicated.
 
Why
 
This is most probably one of the most important aspects to communicate. It needs to be individually relevant to each group identified above and each function. Individuals need to relate to the need for business continuity, the benefit it brings and the protection it provides.
 
How
 
This aspect will vary from organisation to organisation and covers the methods that can and will be used to communicate the information above, the tools & techniques, which may consist of: 
  • Posters;
  • Newsletters;
  • Computer Based Training;
  • E-Learning;
  • BCM awareness DVDs;
  • Email briefings;
  • Verbal team briefings;
  • Awareness sessions;
  • Trips to the business recovery site and/or IT Disaster Recovery site;
  • Individuals’ involvement in testing;
  • Inclusion of business continuity in induction programs;
  • Management presentations;
  • A business continuity intranet site/pages.

Wednesday, 15 May 2013

Developing a response for the unexpected

“The only thing harder than planning for an incident, is having to explain why you didn't.”
 
John Bartlett CBCI, DBCI
A number of organisations believe that, somehow, they are different and unlikely to experience or suffer from an incident, the “it will never happen to me” attitude. More often than not, they are wrong. No organisation wants to be affected by an incident or expects it, but that does not mean that they should not consider and plan a response in case it does happen. 

Developing and implementing a response to incidents and disruptions is at the core of Business Continuity. It can determine how your organisation is perceived and whether your business survives. It consists of ensuring the appropriate plans are developed and communicated; the required infrastructure and facilities are implemented to support the plans; and completing the necessary risk treatments to achieve the desired Business Continuity strategy defined and agreed (see previous article).

Stages

No matter what the incident or serious disruption, there are five overlapping stages of the response, each of which needs to be considered and included within the planning. These stages are:

Emergency – the immediate response and actions that should be considered and if necessary taken, for example evacuation of a building.

Incident Management – the management and coordination of a response to an incident, for example deciding priorities and communicating with stakeholders.

Continuity – the initial response to ensure that essential activities can continue at their minimum level (as defined in the Continuity Requirements Analysis).

Recovery – the actions and activities required to recover additional important activities and increase the essential activities up to a sustainable level above the minimum level.

Resumption – the activities and actions required to return the organisation back to its desired state of operation, which is considered to be “normal” operations. This stage is sometimes referred to as the “Return to normal” stage.

Within each of these stages, most organisations will need to consider activities that fall within either a strategic, tactical or operational context. These three levels should be considered and addressed for each of the 5 response stages above.

Plans

Once you have discussed and decided on appropriate responses for your organisation, the appropriate individuals to be involved in each context (strategic, tactical and operational) should be identified along with how decisions, actions and communication will operate between them. The responses and corresponding structure should then be documented.

The purpose of a Business Continuity Plan (BCP) is to provide guidance, not to be too prescriptive, detailed and complex. Excessive prescription and detail will defeat its purpose, reduce the likelihood of it being used and make it time consuming to maintain. A BCP should include all the necessary and essential information, but be concise, accessible and easy to follow. There is no “one size fits all” definitive structure that is appropriate for all organisations, but there are numerous examples of BCPs on the internet. The ones which are appropriate for you will depend upon your organisation. However, Business and BCM knowledge should be combined to determine the optimum Business Continuity response structure for your organisation, and each plan should have an owner and be regularly reviewed, tested and validated, then updated if necessary.

Within large organisations it is reasonable to expect there to be a number of different plans covering aspects of the recovery stages, for example a Crisis/Incident Management Plan, business continuity/recovery plans for each department, an IT Disaster Recovery plan and a “return to normal” plan. These may be complemented with specialist plans or procedures to deal with different types of incident such as evacuation, product recall, stakeholder/media communication, social media management, pandemics (not to be confused with specific threat scenarios). Within small organisations or SMEs, a number of these plans may be combined together.

Infrastructure and facilities

All Business Continuity responses and strategies will require resources, including people, infrastructure and facilities, whether the strategy is to operate from someone’s home, or commercial premises. Someone will need to do something and will need to use something to do it. The BIA and CRA previously undertaken will identify the essential items required and how quickly they are required; the agreed strategy will define how they should be provided. The essential part in planning and implementing the response is to ensure these requirements can be provided when needed, and the necessary provisions are implemented and tested to ensure this can happen.

Technology is at the core of most businesses these days and most organisations struggle to operate without it, whether it be a large data centre with multiple, complex servers, data storage and communication links, or simply a GSM, laptop and internet connection. Developing a response includes implementing the strategy for technology and proving its capability to support the business during the response stages. This may be spare GSMs, a backup data centre, replication of data storage, spare maintenance parts, additional supplies of PCs, laptops and printers or duplicate communication links.

In addition to the technology, people require somewhere to work and facilities to assist their working. This is true of a Crisis/Incident response team and also the people required to continue essential business activities. Facilities may include office space, desk, chair, telephone, fax, photocopier, filing cabinets and so forth. If the organisation is involved in manufacturing, there may also be a requirement for plant and machinery. These should be identified and provisions implemented to ensure they can be available when required.

Risk Treatment

As part of achieving the desired and agreed business continuity strategy, it is important that the agreed treatments for business continuity risks have been implemented, thereby reducing the likelihood or impact if certain incidents or disruptions do occur. The response plans should integrate into the risk treatment plans and ensure methods are implemented to identify when a risk materialises and the point at which escalation is required in case it develops into an incident or disruption which requires activation of part or all of the response plans. The risk treatments should also be regularly reviewed and monitored to ensure they are still appropriate and achieve the desired results.


Monday, 22 April 2013

Debate Unlimited – A glimpse into the Executive Forum

Lee Glendon CBCI
Head of Research & Advocacy
With this year’s Executive Forum running on 12th and 13th June in Brussels, it seems a good time to look back at the two earlier Forums. What does happen when 600+ years of BC experience converges on Brussels each year for two days?

 
As a recap, the purpose of the Forum is to generate informed debate among experienced BC professionals wrestling with ideas about the strategic direction of business continuity, while keeping a firm eye on what is achievable within a real organisation.
 
Perhaps the two most memorable ideas that emerged from the 2011 Forum were that ‘business continuity is not about compliance, it is about embedding resilience through silent running’ and secondly that a key benefit of BC was to identify and prevent ‘sideways bleeding’.
The debate on compliance started with an academic view that BCM was about compliance:  BCM had become a discussion, which assumed that you can stop things happening if only people followed the rules; BCM lacked emotional intelligence and was seen as a tax on people’s jobs in some organisations; and standards weren’t helping either as they were based on bad organisations and stifled creativity.  With the gauntlet firmly thrown down, an electrifying discussion ensued which ultimately led to the conclusion that BC should actually free-up minds, as it actually assumes that things do go wrong!  While it was acknowledged that ‘tick-box’ might be the starting point for BC, it is not the final destination. There is a need to develop a roadmap and engage and sustain the interest of top management to realise the full potential that BC can bring.
As part of the debate on compliance, there had been extensive discussion around whether BC should look for value add, let alone articulate the next step of what the value would be.  Some asserted that BC was not about helping the financials and in the short term it was a cost, and others argued that adding value is not the same as stopping failures from bringing down the business.  Some questioned whether raising the ability of the organisation to respond to incidents before a major disruption occurred was adding value or capability.   In a sign of conversations to come, one delegate felt that the value add of BC was to be found in facilitating the mission of the organisation and its contribution to the sustainability of the organisation.
The ‘sideways bleeding’ idea came out of a workshop discussion where one participant articulated that external strategy consultants had been retained by their top management to bring about significant cost reductions.  The consultants advocated a vertical approach to securing the costs savings in IT.  The BC team could see the consequences of this initiative as the savings secured in one area of the organisation were effectively nullified by increasing costs and productivity losses in other areas.  This generated a healthy debate about the service that BC professionals should be offering their organisation – while the operational level BC service may be well established in many firms, what would a strategic level service look like?
The 2012 Forum picked up the challenge of defining the strategic level service and identified its key components from developing a centre of excellence in contingency and continuity to engaging top management through crisis response and focusing on the risks that concern them through exercising and scenario analysis.  Value measurement became a hot topic of debate with a very blunt statement from one delegate that reporting to executives that you were doing the job they pay you to do was not ‘adding value’ and BC professionals should take advantage of reporting structures to articulate the value that BC could bring beyond what was expected i.e. compliance to regulations.   Two areas dominated subsequent discussions:  supply chain resilience and horizon scanning.
The academic re-framing of supply chain complexity in terms of layers and networks rather than supply chains was brought to life over the two days with examples ranging from overlooking single points of failure beyond tier one suppliers to unforeseen cascading risks at the logistics level.   One organisation highlighted how its ability to maintain its supply chain during the Arab Spring - through preparedness and enhanced security - secured increased market share.    Supply chain risk was confirmed by all as one risk that can raise the profile and relevancy of BC.  But where should you start?   The advice was to use your analytical skills and look for single points of failure and examine outsource deals; from here you can offer to run an exercise and see what you learn – you may well highlight unknown vulnerabilities and win the mandate to bring in BC.
Horizon Scanning was seen as a technique to change the conversation with executives from general loss scenarios to a more engaging discussion of specific threats and their strategic consequences. It was seen as an essential source of developing a situational picture to improve not just the response to events but anticipation of events as well. The ‘BC radar’ was introduced as an accessible model to set requirements for capability development and ensure readiness in the right areas.
Finally, in 2012 the Open Forum sessions were brought into the programme. Here delegates proposed and prioritised seven topics of their own choosing to take advantage of the collective experience and expertise of fellow delegates. Topics included the establishment and composition of ‘resilience councils’, the synergies between BCM and Security disciplines, and Eurozone contingency planning. Those who take a look at the 2013 programme will see that some of these topics are going to be developed further this year.
The Executive Forum is a rather unique event:  it seeks to bring together best practice from within the profession while drawing on inspiration from outside.  Participants leave refreshed and invigorated, ready to march towards the sound of gunfire!
Notes:
The Reports from the 2011 and 2012 Forums will be available to purchase from the BCI Shop in May 2013.
To find out more about this year’s Forum please visit the BCI website: http://www.thebci.org/index.php?option=com_content&view=article&id=379&Itemid=293
 
 

Tuesday, 9 April 2013

Exercising, maintaining and reviewing BC

John Bartlett CBCI, DBCI
Once you have established your business continuity requirements and put in place plans, facilities and resilience to defend the organisation against disruptions and incidents, these need to be proven and kept current as the organisation changes. This is the hardest aspect of most business continuity programmes and where most organisations fail to protect their investment in establishing this level of organisational protection.
 
Exercising
 
Exercising (or testing) plans and facilities is an essential aspect to ensure they meet the organisation requirements and work as required. Therefore exercises should be conducted on a regular basis, at least annually and should be based upon realistic scenarios, incidents and disruptions. The main benefits and reasons for exercising include:
  • Validation of business continuity plans;
  • Providing education, training and awareness to those with business continuity roles and responsibilities;
  • Confirmation that the required RTOs and RPOs can be achieved;
  • Identifying preparation or resilience aspects that require enhancement or improvement (due to changes, such as facilities, technology, information or communication links);
  • Providing reassurance that the plans and facilities work as required and demonstrating resilience or recovery capability.
There are international standards (such as ISO 22398) which provide guidance on conducting exercising and testing. However, prior to conducting any exercises it is important for the organisation to consider a number of aspects such as the cost of the exercise, any potential disruption to normal activities, any risks that the exercising may introduce to the organisation and the type of exercise that should be conducted (desktop check, simulation, unit or system test, partial rehearsal or full rehearsal).

The simplest process follows the Plan Do Check Act (PDCA) model, whereby the exercising is:

Planned – The scope is defined, resources identified, risks evaluated, scheduled and communicated in preparation;
Done – The exercising is conducted in accordance with the plan, preferably with some independent evaluation, and notes are taken on timing and any issues or observations to make improvements;
Checked – The results of the exercise are reviewed and checked to ensure business continuity, RTO/RPO and resilience requirements were met, any actions identified for follow up and an exercise report produced;
Acted – The actions from the exercise are followed up, tracked and validated to ensure they are addressed and any issues/risks identified are addressed.

An important part of conducting exercising is to ensure the right people are involved and there is suitable business engagement to plan and conduct the exercises. For IT disaster recovery tests this is vital as any testing may introduce risks to production systems and recovery should be validated and verified by the business to ensure it provides the required functionality and data in the required timeframe. Ensuring exercising is conducted correctly and at the right frequency will help ensure the business continuity environment requires minimal amendments, configuration and purchases upon invocation and therefore avoids delays upon invocation.

Maintenance

Organisations constantly change, whether it is people, technology, processes or products and services. Therefore business continuity information, plans and facilities also need to be changed (to ensure they also remain current). Any change within the organisation should be assessed and evaluated to identify whether it affects the organisation’s ability to continue or recover.

Often organisations do not realise that by changing business priorities or implementing business strategy (e.g. introducing new products or services, or implementing projects to improve performance, processes or reduce costs) they may alter the Business Impact Analysis, continuity requirements and RTOs/RPOs, as dependencies and priorities within the organisation may change, thereby invalidating the business continuity facilities, plans and capability that have been implemented.

Therefore, the easiest and best method for ensuring a continued capability for business continuity and resilience is by including a business continuity impact evaluation as part of any change. This requires strict change control and change management processes within the organisation, whereby all changes are recorded and evaluated, and the change processes are strictly adhered to. This should include all projects, programs and strategic initiatives and will then also help to identify the true cost of these, rather than identifying additional (separate) business continuity costs later.

In addition to maintenance and review as part of a strict change process, organisations should also regularly review (at least annually) business continuity information, plans and facilities to ensure these remain current, and review these as a matter of course after conducting exercises. It is very easy for information such as staff telephone numbers and supplier contact details to get out-of-date very quickly. 

Reviewing

Conducting a review of your organisation's business continuity arrangements is essential to ensure they have been implemented correctly and appropriately. There are two kinds of reviews that can be conducted, either assessments or audits.

Audits – Verify the business continuity process has been followed correctly, not that the solutions adopted are necessarily the correct ones. Audits can be conducted internally or externally.

Assessments – Review the process to ensure it has been defined and adopted correctly, that it has been applied in an appropriate way within the organisation and (normally) that the solutions adopted and implemented meet the requirements identified. Assessments can be conducted either as self-assessments (if the necessary skilled, experienced and qualified people exist internally) or by an independent business continuity professional (recommended).

Audits and assessments should be conducted against recognised industry practices and, if appropriate, industry standards, and will normally ensure:
  • Business continuity policy is defined and contains sufficient appropriate detail;
  • The business continuity policy is being implemented;
  • Sufficient resources and budget have been allocated for implementation and on-going management;
  • Appropriate business impacts, recovery requirements and strategies have been identified;
  • Risks have been identified, recorded and are being addressed;
  • All processes, products and services have been considered and assessed;
  • The right (defined) facilities, technologies and information are available in the required timeframe upon invocation;
  • Plans, facilities and technology for recovery are being maintained in-line with organisation changes;
  • Roles and responsibilities have been communicated and are being discharged;
  • Suitable and appropriate monitoring and measuring is in place, such as Key Performance Indicators (KPIs);
  • Suitable mechanisms are in place to identify/report incidents and invoke business continuity arrangements;
  • Appropriate business continuity governance and reporting is in place and involves the right people. 

 


BCI Physical Workshop
Would you like to find out more about how to plan and run an exercise programme or how you can invigorate or inject new life into an existing programme?
 
The BCI is running a workshop dedicated to this topic in Manchester this month:

BCM Exercising Planning Workshops

Dates:
Wednesday, 24th April 2013: Planning and Running an Exercise
Thursday, 25th April 2013: Invigorating your Exercise Programme
Location: Manchester
Type: Physical (Delegates can choose to attend both or just one of the sessions)

BCI Member Rates apply.

Monday, 1 April 2013

Meeting the Supply Chain Complexity Challenge - Part Two

 
Lee Glendon CBCI
Head of Research and Advocacy
Having identified some of the drivers of complexity in supply chains in the first part of the roundtable report, how are organisations dealing with the challenge?
 
In dealing with the challenge of multiple tiers in the supply chain, there was common agreement on the need to gain better visibility but divergence of approach in practice.  Some organisations were looking at better methods to manage tier two supplier relationships, while others recommended that the best approach was to work with tier one suppliers and get them to work with their suppliers in turn.  In the case of one large retail organisation, they worked through their supply chains to the source applying a consistent code of expectation in terms of product quality and integrity throughout.  It was recognised that this was a very resource intensive process. However, it was an embedded practice, so for them it was not a case of having to justify the investment each time; an enviable position in the eyes of most of the roundtable participants.
 
The discussion moved on to the challenge of managing tens of thousands of suppliers and there was consensus on the need to focus efforts on key suppliers and key supply chains. It was recommended that filters are applied to provide focus – these filters should be based firstly around criticality, in the sense of ‘would failure of this supply chain quickly stop my organisation from being able to carry out its key activities, and how quickly could they be replaced’, and secondly around risks or threats that might cause disruption, such as the supplier’s financial profile, the health of the industry in which they operate, their locations and consequent exposure to risks as diverse as flooding, earthquakes and geo-political instability. These filters help generate a ‘shorter-list’ to scrutinise. Another approach favoured by many at the roundtable was to use procurement ‘category management’ to break down suppliers into common supply groups and then perform risk profiling on this basis.
 
For those suppliers identified as key to the organisation, the favoured approach was to seek to build closer relationships at executive and operational levels with the objective of improving communication and co-operation and thereby reducing the number of ‘surprises’. For one organisation, this took the form of running workshops on business continuity and running joint exercises. Toolkits were provided free of charge and their business continuity plans were shared to help get alignment. They would also recommend that supplier staff joined institutes such as the BCI to develop capability and drive programme improvement. Interestingly, one of the unintended consequences of this deepening of the relationship is the difficulty of exiting such a relationship, as it would mean investing a considerable amount of time bringing on board a new supplier to get to the same level of understanding.
 
Some organisations were concerned about being overly onerous on their supply network, especially those operating in sectors where there are a limited number of suppliers.  One person noted that they had experienced suppliers not wanting to do business because the compliance requirements did not make it worthwhile.  In such cases, purchasing organisations are co-operating to reduce the burden on their suppliers through articulating common requirements.  
 
Following a good discussion on approaches to deal with the consequences of increasing supply chain complexity, the ‘wish list’ of participants included the need to gain a better understanding of ‘what supports the supply chain’ and mapping out supply chain networks. Others were looking for a more dynamic set of indicators that would flag signs of difficulty and an impending risk event in the supply chain. Another felt that there was a need to consider ‘profit impact’ rather than spend in identifying key supply chains, while one delegate felt there was a need for procurement to drive risk conversations with suppliers and ensure due diligence had happened. In this last respect CIPS is planning to develop a number of educational and training resources to support development of its members to meet the challenge.
 
The final thought from the discussion should go to the ‘what’s the return on investment’ question when it comes to investing in supply chain resilience. For one major organisation, top management evaluates the value of investment in resilience in terms of how well it prevented a problem and how well the organisation came out of it. Quite simple really.