Supply Side Planning
When organizations plan their emergency and disaster response and recovery efforts, they should remember the old proverb: For want of a nail, the shoe was lost; for want of a shoe, the horse was lost; for want of a horse, the rider was lost; for want of a rider, the battle was lost; for want of a battle, the kingdom was lost. To put it in modern terms, if a hospital runs out of clean linens, it will become completely paralyzed. And if a factory does not receive necessary parts, its operations will stall.
Business continuity planning (BCP) is a way for businesses to ensure that their critical operations will continue in the event of a disaster or major disruption. But a good plan has to go beyond the company’s internal operations and address the source of supplies and services, which means involving vendors in the planning process.
There are so many suppliers involved that keeping them in the loop on BCP may seem daunting. The key is to conduct assessments and identify what is critical to the continuity of operations and which suppliers have a role in meeting those critical needs.
A company can kick off the process of involving vendors in BCP by including them in the business impact analysis. That process looks at what the organization’s vulnerabilities are and seeks ways to mitigate risks that could impact critical operations.
Essentially, management needs to identify “all the supplies you might need, all the repairs you might need, all the backup support you might need, from different companies,” says Allan Schwartz, CPP, president and CEO of Safeguards International Corporation, a security consulting firm.
Through this process, the company narrows down the list of suppliers it has to be concerned about in a disaster. “Talking to various people in the marketplace, the typical answer I’m getting is that out of all the suppliers for most companies, 10 percent of those suppliers are really significant to the business. And of that 10 percent, you’re looking for down to one or two percent which are the ones that you really have to worry about because your business depends on them totally,” says Duncan Ford, managing consultant at Link Associates International, specializing in business continuity. “So [if] you do the homework…you can reduce the size of the problem quite well.”
Included in the assessment process is a risk analysis intended to determine how likely it is that certain events will affect business operations and how long a company could survive without a given service, piece of equipment, or type of supplies. That process is used to further refine the criticality of a vendor because it gives management a sense of how long the company could continue operations without that type of supply, equipment, or service.
Once a company is aware of its critical vendors, says Ford, it can figure out which business continuity elements it should include in contracts with the vendor, and it can begin to work more closely with those vendors on BCP.
It is important to be aware of each vendor’s plans for its own business continuity or its plans to help the client in a disaster. Some vendors, especially smaller ones, will not have plans, but business continuity requirements can be written into those service provider contracts by the client company.
Another option is to provide a business-continuity questionnaire to the vendor or supplier, says Ford. The questionnaire should establish basic preparedness. But that vendor will likely have its own suppliers, and it’s difficult to know where to stop. That is why it’s so important to build a relationship of trust between the company and the vendors, says Ford; if the vendor is trusted in the sense that they have proven themselves to be a responsible and reliable company, then the client company can simply ask that the vendor assert that it does its own vetting and due diligence on the companies it works with.
The need for sharing plans or continuity planning ability goes both ways. As the ANSI/ASIS organizational resilience standard SPC.1-2009 points out, vendors should be made aware of a company’s business continuity protocols and its vendor expectations.
One of the issues with business continuity plans in general is that they must constantly be updated to ensure that they accurately address the company’s operations, says Robbie Higgins of GlassHouse Technologies. “One of the challenges we’ve seen with many clients is they map out what they believe to be the critical systems, critical parts of the environment, and what they actually don’t see is that there are many areas in which the business has actually evolved, but they haven’t formally documented that, [so those areas are] basically blind spots that if something does go wrong or does go out, they’ve got real problems in business continuity,” he says.
The technologies that will be used in a crisis response and business continuity situation also evolve, and the plan has to be constantly updated to address that. For example, even over the past few years, the use of mobile technology has multiplied, and its implications must be considered in business continuity.
Additionally, the company’s plans should be revisited whenever there is a major business continuity incident, such as a hurricane or power outage, according to Michael A. Thomson, CEO of the Association of Contingency Planners. “You need to then go back and look at that plan and see what worked, what didn’t work, what do we need to tweak, what do we need to change based on the results of that,” says Thomson.
Also, plans are no good if they never get tested. “One of the interesting things is still the amount of customers who really accurately test those plans, and on a regular basis. That tends not to happen,” says Higgins.
Not only companies but also their vendors must consistently update their business continuity plans. Scott Watson, consultant with S.A. Watson and Associates, says it’s a good idea to check with vendors annually to ensure that their plans are up to date.
Companies should not simply take a supplier’s word for it when it provides evidence of BCP or answers questions on how it will help a company function in a disaster or business stoppage. That’s where validation comes in.
“I had this experience working for a financial services company years ago,” says Watson, “where we had a contract security company. And one of the things that we were concerned about was if we had an issue where we needed a lot of people very quickly, can they provide that for us? And the answer we got back, it was this nice thick packet that was well-done, but the problem was it didn’t really tell us a whole lot. It was very noncommittal. And so it’s really important to dig deep down into those answers once you get them.”
A company might want to engage a consultant in validating the supplier. The validation may involve anything from an audit of the supplier’s plans to sitting in on the supplier’s drills, says Ford.
Another option, when applicable, is to rely on a vendor’s accreditation to a certain BCP standard. That would save the client company the hassle of validating the plans itself. (More on standards below.)
As companies and vendors work together on BCP and improvements, there are ways to make the process more efficient and manageable.
Clear objectives. The first step along this path is for the company to set clear and manageable objectives for all of its critical partners. When they go into business continuity needs analysis without having a lot of the knowledge, the goals can be vague, and then it’s “very hard for a project to be successful,” according to Helen Tang, worldwide lead for Hewlett-Packard Company’s data center transformation solutions. She further suggests that companies “break it down into chunks, never go for the big bang. Always look at what the low-hanging fruit is, and then have a phased-in process for the rest of the project.”
Watson agrees. “I think the major thing is to make sure that you have a specific scope for what you want the vendor to do, with specific milestones, and to manage it like you would manage any other type of project,” he says.
“You have to understand that business continuity is not always a formalized program in every company.... [T]hey may have somebody doing five or six other things and business continuity is sort of a sideline to that. And it’s easy to get distracted from that,” he notes. “But if you have a very set process in place and follow the basic premises of project management, it should keep things in line.”
Site visits. Werner Preining, CPP, executive vice president of Interpool Security, Ltd., says some companies invite their vendors to see how their factory or production operates so that the vendors know more about the company, which can only help in BCP. He says that although most communication is done electronically, nothing can replace face-to-face discussions between the company representatives and vendors.
As a supplier, that ensures that “you know what [the client] demand is, why they want it this way, and why they don’t want it another way,” says Preining.
Exercises. One of the most basic ways that vendors can be included in a company’s business continuity planning is for the client to invite the supplier to participate in business continuity drills and exercises. It opens up a line of communication and provides a way for both the client and the vendor to become aware of any missing pieces.
Vendor initiative. Vendors that have the resources can also be proactive in reaching out to their clients in business continuity planning. For example, HP has outreach events like forums and webcasts that aim to make the companies it works with more aware of business continuity issues and the importance of planning ahead in that area, says Tang. Additionally, the group visits its clients at the beginning of each year and speaks about business continuity if the companies are interested.
For vendors, being cognizant of business continuity and having extensive continuity planning experience is definitely a business asset. Having such programs in place could help them secure another contract if a company knows it can trust them.
No amount of contingency planning can ensure that a vendor won’t sometimes have a service interruption, as would happen if its facilities were at the heart of where Hurricane Katrina hit or if it counted on flights that were grounded because of volcanic ash. Therefore, client companies should line up a backup vendor with a contract in place for vital services. An alternative supplier will be useful in other instances as well, such as when the original vendor has so many other clients that it cannot guarantee your company priority in situations that might affect more than one company.
There are several international and national business continuity standards that companies can follow.
Among the existing standards are three cited by the Department of Homeland Security (National Fire Protection Association’s NFPA 1600, British Standards’ BS 25999, and ANSI/ASIS SPC.1-2009 American National Standard). ASIS International is currently at work on an additional standard that focuses more particularly on business continuity management.
If a vendor company is accredited as complying with a certain standard, it will be easier to trust that it will be reliable in a crisis situation. However, not all companies can earn an accreditation, either because none applies in their field or because it’s too expensive for them to garner official accreditation. In those cases, says Ford, it may behoove the client or the third-party consultant to use the standard merely as a benchmark.
The idea of assessing the importance of one’s vendors seems basic, but many companies still do not do it, says Watson. That leaves a major exposure unaddressed in the overall business disaster response and continuity program. The failure to close that gap could be the real disaster should a disruptive event hit the company.