Manage Learn to apply best practices and optimize your operations.

Supply chain risk management best practices and business continuity

Learn supply chain risk management best practices in this tip from business continuity expert Paul Kirvan.

What you will learn in this tip: Nearly every business entity, whether in the public or private sectors, and regardless...

of size and complexity, has a supply chain. Learn how business continuity can help you protect your supply chain, and supply chain risk management best practices in this tip.

A typical supply chain for your business might look like Figure 1 below. The business depends directly on Suppliers 1 and 2, which themselves depend on Suppliers 3 through 6. Conversely, to ensure its products are delivered to consumers, the business also depends on Distributors 1 and 2. While this is a very simple model, we can clearly see evidence of many dependencies in the supply chain.

A normal supply chain

Figure 1: A normal supply chain

If risks to the supply chain are a consideration, business continuity management techniques can be introduced as part of the risk identification, mitigation and recovery processes.

Supply chain risk management research

In fall 2009, the Business Continuity Institute published a research report that determined:

  • Three-quarters of the 201 responding companies had experienced disruptions in their supply chains in the previous 12 months. The chief causes of disruption were the economic recession, H1N1 pandemic flu, and IT/telecom disruptions.
  • The impact of the disruption was primarily a loss of productivity, although loss of revenue, customer complaints and delayed product availability were also common.
  • Nearly three-quarters (74%) of businesses are taking a hands-on approach to supply chain risk management, according to Aon’s 2009 Risk in 21st Century Supply Chains survey. Key findings of the survey included:
  • More than half (53%) of firms launched regular communication and audit policies with suppliers.
  • There's been a 20% increase in the number of companies investigating their suppliers’ suppliers to assess the strength of the supply chain.
  • Although insurance is still a key risk management strategy, 20% fewer companies are using it as the only form of mitigating risks.
  • One in ten firms have placed an emphasis on evaluating ethical issues (such as fostering a compliance-based business) and performing according to a code of conduct they are being exposed to by their suppliers.
  • Fifty-five percent admit to having no key performance indicators in place to monitor supply chain risk management performance

Introducing business continuity to supply chains

Just as any organization can face risks and threats and have vulnerabilities; the same is true with supply chain members. Individual suppliers can be at risk through a variety of situations, such as fires, floods, technology failures, power outages and others. The links between them and their upstream and downstream suppliers, as well as direct links to customers can also be affected by things like communications failures, disruptions to transportation systems, Internet outages, and loss of staff through illness or work stoppages. When you start adding all these up, it’s easy to see why supply chains are logical candidates for business continuity management

Disrupted supply chain

Figure 2: A disrupted supply chain

The above figure depicts a situation wherein Supplier 1 is unable to deliver goods and services to the business. Regardless of the reason, the business must adjust its supply chain to compensate for the loss of Supplier 1. But can Supplier 2 pick up the slack? If Supplier 2 cannot take over for Supplier 1, can Suppliers 3 through 6 provide assistance? These are questions that must be asked, and an effective way to obtain the necessary information is with a business impact analysis (BIA). 

Among the key activities of a BIA are 1) to identify interdependencies both inside and outside the company, and 2) document the resulting financial and operational impact from a disruption to those dependencies. This activity is ideally suited to supply chains, as they can be a combination of internal and external entities. 

From the perspective of external supply chain members, first you must identify and map the supply chain. Next, using input from key members of your organization, assign weights of importance (e.g., "five" for very critical, "one" for not critical) and financial impacts (e.g., how much the company pays a specific supply chain member each month) to each supply chain player. From this, analyze any additional supplier dependencies beyond your own company, such as a key supplier’s dependence on a particular transportation company, and what they might mean to your organization. 

Each of these activities can help you establish a risk map of your supply chain. The resulting high-level diagram may look something like Figure 1, but it should also have greater detail at the supplier and link levels. Use these analyses to identify points of potential failure among suppliers, the organizations on which they depend and the linkages that move supplies forward along the chain. 

Supply chain risk management strategies

Like any other business continuity and/or risk activity, when you establish supply chain risk management best practices, be sure to document them, staff them with people who can deal with disruptive situations, exercise them (with the suppliers, if possible) and review them regularly.

A recoveryed supply chain

Figure 3: A recovered supply chain

Figure 3 depicts how a disrupted supply chain can be reconfigured to restore some level of functionality. As Supplier 1 is no longer in the chain, Suppliers 3 and 4 now provide products and services directly to the business. To make this reconfiguration work successfully, the business needs to carefully analyze its supply chain for risks and then identify opportunities to maintain continuity of the chain.

In addition to business continuity, two other options can be considered for dealing with supply chains risk and their mitigation.

1.    Risk Management – Begin your efforts at supply chain risk management by mapping the entire supply chain (see Figures 1-3) and its dependencies. Also, determine threats, risks and vulnerabilities; and identify single (and multiple) points of failure. Next, implement strategies to remove or reduce these issues. Remember, this is a continual process and can be supported by specialized production software, such as Epicor Manufacturing, Infor ERP, Microsoft Dynamics ERP and Oracle E- Business Suite.

2.    Insurance – It is often thought (incorrectly) that supply chain risks can be mitigated with business interruption (BI) insurance. However, to avoid coverage issues with BI insurance, some organizations are buying specialized supply chain insurance policies from insurers including Aon and Zurich.

Supply chain risk management and business continuity are true strategic partners. Within the business continuity profession, the issue is rapidly gathering momentum globally.

The challenge for supply chain executives is the ability to rapidly determine which daily events impact a corporation’s operations and need to be assessed and managed. The ability of an organization to adapt its supply chain to a disaster situation with a minimal amount of disruption rests in the firm’s ability to rapidly identify a pre-crisis condition, assess potential disruptive scenarios and their impact, and then launch responses that can prevent or mitigate the severity of such disruptions to the supply chain. 

About this author: Paul Kirvan, CISA, FBCVI, CBCP, has more than 20 years experience in business continuity management as a consultant, author and educator. He has been directly involved with dozens of IT/telecom consulting and audit engagements ranging from governance program development, program exercising, execution and maintenance, and RFP preparation and response. Kirvan currently works as an independent business continuity consultant/auditor and is the secretary of the Business Continuity Institute USA chapter. He can be reached at [email protected].

Dig Deeper on Disaster recovery planning - management