Author
Phil Carter FBCI
Business Continuity Management (BCM) is now recognised as an important business requirement by most companies. However, in a world where more and more companies are outsourcing their critical business processes, it is evident that we are not doing enough in this space.
When an event impairs the ability of a third party to fulfil its contractual obligations, a business can suddenly become exposed to a situation that could lead to revenue loss, reputation damage, regulatory action and potential litigation.
While an issue like the stationery order arriving late may not pose a big problem, suppliers of critical services need to have more than service level agreements in place. These arrangements require extensive due diligence before contracts are signed, and must then undergo a continuous program of governance and review.
It is no longer a simple business world and successful businesses often rely on a complex set of arrangements with third-party providers to reduce operational costs and enhance capabilities. Many companies neglect to consider the business continuity plans and resilience capabilities of their suppliers. Many more only address this matter as an afterthought and, quite often, after the solution is fully operational.
The fact is that it is rare for anyone in a complex organisation to have a view of who the company is doing business with or the risks these relationships pose. Whether or not it is your fault, if your customers cannot access your service, then you, and not the supplier, become the subject of scrutiny. It is important to remember that you can only outsource the process. The related business risks remain yours to manage.
Certainly, one thing to avoid is having any business process reliant on a service that is not covered by a formal contract. Remember SkilRoute, the start-up organisation that built its core platform on a third-party application that was acquired and subsequently shut down by a major corporation? It had to rebuild the entire company from the ground up.
If you are wondering how your company stacks up, ask yourself these questions:
- Does our procurement process have adequate controls to ensure that Business Continuity and Resilience (BC & R) is adequately addressed during negotiation?
- Can we establish a list of the suppliers and associated services that are provided to our organisation?
- Do we have a current contract in place for all our suppliers?
- Is BC & R a requirement in the contracts with our key suppliers?
- Do we understand the nature of our suppliers' Business Continuity arrangements? And can they demonstrate that they can meet our recovery needs?
- Does our supplier outsource any of its services and have we assessed the implications?
- Have we seen real evidence that their plans have been regularly exercised and proved to operate effectively?
- Do we know if our supplier has multiple customers for these services and what priority of recovery we will be given if a major disruption occurs?
- Have we been involved in conducting joint testing?
- Do we have contact points and an emergency communications process to address BCM or crisis issues with our supplier?
If the answer to any of these questions is no, then you might be at risk of a failure because of something over which you have limited control.
A robust framework for managing your suppliers is a vital component of your BC & R program and good corporate governance. Ongoing management and review of third-party obligations are required to ensure that the arrangements remain current and relevant.