Risky Business (Part 1): Managing Third-Party and Supplier Risk

Business continuity planning is inherently cross-functional with a necessity to address risks to an organization’s product and service offerings, as well as the resources necessary to meet obligations.  As organizations increasingly rely on a global network of suppliers and service providers, business continuity practitioners have the responsibility to understand and analyze these relationships and lead strategy identification efforts to protect their organization when faced with a third-party disruption.

Developing and implementing business continuity strategies and risk treatment options related to third parties can be a difficult endeavor because strategies may seemingly contradict an organization’s strategic efforts to leverage single-source suppliers, make supply chains “lean”, and reduce stored inventory levels. However, business continuity practitioners must provide top management with the information needed to balance strategic initiatives with the need to reduce single points of failure and protect an organization should a resource become unavailable.

This perspective discusses the tools available to identify and document third-party resources and methods by which risks can be presented to top management for review and action.

Identifying Suppliers and Risks Levels
Before risks can be treated or continuity strategies identified and implemented, business continuity practitioners must understand which third parties are necessary to continue the delivery of in-scope (critical) products and services, as well as the level to which third parties are required in the execution of activities that support the delivery of those critical products and services.  Developing this understanding is most effectively accomplished by ensuring that the business impact analysis (BIA) process includes a proven, effective method to identify third parties used by the organization, how they are used and engaged, and the potential impact of a third-party disruption.  This effort will require that the organization conduct a BIA (if not done so already) or update an existing BIA to incorporate an analysis of third-party providers.

Once the business continuity practitioner identifies critical suppliers, understands usage, and documents potential impacts, the practitioner should identify existing controls and consider the likelihood of a disruptive incident occurring that would affect each third-party.  In some organizations, procurement, purchasing, or even a supplier risk team (or equivalent) serves as a comprehensive source of this information and can likely provide information regarding third-party continuity and disaster recovery capabilities or describe past incidents that have resulted in product/service disruption.  In smaller organizations, this information may have to be obtained by conducting a thorough analysis of historical incidents and by engaging third parties directly.  Strategic impacts (such as total financial impacts) can also be obtained while conducting this research and will assist in justifying strategy recommendations to top management.

In parallel to, or immediately after identifying and documenting this information, business continuity practitioners should formally conduct a risk assessment (or update an existing risk assessment) to take into account the likelihood of a disruptive event, potential threats, the impact of loss, and existing controls with the objective of identifying the risk level associated with each supplier.   The primary output of the risk assessment effort is to develop a risk rating for each supplier (typically the likelihood rating multiplied by the impact rating or a similar method).  Impact and likelihood ratings should be defined based on measurable criteria and consistently applied across an organization.

When the results of the BIA and risk assessments are combined, business continuity practitioners are better positioned to understand their organization’s most critical third-party relationships, as well as the most pressing risks and opportunities associated with these relationships.  The practitioner may have to conduct additional analysis to determine whether the highest risk suppliers that emerge require additional remediation. In many cases, organizations may choose to tier suppliers into critical or non-critical tiers to facilitate further analysis; example criteria for critical suppliers may include determining if:

  1. The supplier in question is required for the execution of an activity that supports the delivery of an in-scope (critical) product and service;
  2. The supplied product or service could not be provided by another provider already used by the organization; and
  3. The supplier’s level of integration within the organization and the complexity of replacing the supplier following the onset of a disruptive incident exceeds an acceptable level (as set by top management).

Examining the higher risk suppliers (identified through the assessment) and then determining if these suppliers require additional mitigation enables discussion with executive management to determine if additional mitigation may be required.

To further explore the specific business continuity strategies and risk treatment options available to mitigate the risk associated with supplier dependencies, read: Risky Business (Part 2): Too Lean, Too Late.

Keep in mind that while risks may run contrary to an organization’s other priorities (such as highly efficient and low cost supply chains), it is critical that business continuity practitioners inform and advise top management of existing risks to enable strategic and appropriate decision making.

Presenting Results
Presenting the results of the third-party business impact analysis and risk assessment allows business continuity practitioners to achieve two objectives:

  1. Inform top management of risks and mitigation opportunities related to critical suppliers and third parties (including vulnerabilities related to single-source suppliers and single points of failure); and
  2. Enable strategic decision making regarding risk treatment.

By presenting the results of the BIA and risk assessment in a prioritized and straightforward manner, business continuity practitioners can give top management the information they need to effectively balance strategic initiatives previously discussed with the risks inherently associated with a global network of suppliers and service providers.  Accomplishing this task requires deliberate planning, detailed data gathering/analysis, and an ability work cross functionally (ideally this presentation would take place as part of a recurring management review process).  When presenting this information to top management, care should be taken to highlight any single points of failure that were identified, as well as strategic impacts associated with suppliers that enable the delivery of multiple products and services. Presenting the highest risk suppliers will serve as a good starting point.

Management expects business continuity professionals to not only come to the table with a list of prioritized risks, but also suggested recommendations on closing these gaps.

It is also important for business continuity practitioners working in large organizations to recognize that while procurement and supplier risk teams add significant value and are key partners in this process, they are often not responsible for documenting potential impacts as they relate to internal departments or identifying business continuity strategies for individual third parties.  Supplier risk teams are often more focused on minimizing financial and operational risk rather than organizational preparedness and business continuity.

Conclusion
Business continuity practitioners who proactively seek to understand, document, and treat risks associated with third-party relationships can significantly reduce the likelihood of a disruptive incident, as well as the impacts should an incident occur.  This activity is a critical component of many business continuity management systems, largely due to an increasingly globalized business environment in which many organizations rely on complex third-party relationships to support the delivery their most critical products and services.  Business continuity practitioners play a critical role in assessing and managing the risk posed by engaging in these relationships, as they are responsible for equipping top management with the information required to balance business requirements with the risks and opportunities brought on by third-party relationships.

To explore the specific business continuity strategies and risk treatment options available to mitigate the risk associated with supplier dependencies, read: Risky Business (Part 2): Too Lean, Too Late.

Business continuity and IT disaster recovery planning is all that we do. If you’re looking for help with building or improving your business continuity program, we can help.

Please contact us today to get started. We look forward to hearing from you!

ISO Technical Specification Release:
On September 16, 2015, The International Organization for Standardization (ISO) published a technical specification (aligned to ISO 22301) addressing the topic of supply chain continuity. You can learn more here:

ISO/TS 22318:2015
Societal security — Business continuity management systems — Guidelines for supply chain continuity

_______________________

Dustin Mackie
Avalution Consulting: Business Continuity Consulting

 

Related Posts:


Leave a Reply