Vendors: partners in business, or risky business?
November 16, 2023
By Vito Mangialardi
Many risk assessments have been done in accordance with your guideline documentation and management sign-off, accepting that the risk conditions have been secured. Dozens of response and recovery plans are in place, exercised for validation and ready for activation as may be required in support of a well-documented crisis management protocol. The organization feels comfortable now that all is in place and the plans will be functional when needed in addressing the continuity of the business. Nothing to worry about, right? Think again.
By definition, risk assessment is an objective evaluation of risk in which assumptions and uncertainties are clearly considered and presented. Part of the difficulty of risk management is measuring the two quantities risk assessment is concerned with, potential loss and probability of occurrence, and at times these can be very difficult to measure. The chance of miscalculating either of these two elements is a risk in itself. A risk with a large potential loss and a low probability of occurring is often treated differently from one with a low potential loss and a high likelihood of occurring. More importantly, one commonly overlooked risk is vendors, defined here as the supply chain that includes suppliers of goods and services as well as business partners.
As businesses have needed to become leaner during the current financial and economic storm, outsourcing and depending on vendors has become a viable cost-saving measure. As part of the “comfort level” of the continuity planning process, businesses now need assurances that vendors will provide the highest quality products and services at exactly the right time under any operating conditions. Anything less may significantly and negatively impact the bottom line of a business during normal times… not to mention the impact during times of crisis operations. So what can the business continuity planners, who rely on such delivered services, do?
Simple: establish proactive discussions with your essential vendors about their business continuity plans for the products or services delivered to your organization. In taking this on, a business continuity vendor management program suited to your organization’s deliverables needs to be part of your overall strategy for continuity of operations. Many of these programs typically focus on service level agreements (SLAs), which provide penalties for supply failures or poor product quality. Some provide positive incentives for on-time supply arrivals or consistent service uptime. While these types of agreements may encourage a vendor to maintain process and quality standards, they do not address continuity of services when disaster strikes. And when it does, any contractual terms and conditions around SLAs may be waived, deemed uncontrollable and assessed as “acts of God.”
A more proactive approach needs to be established to ensure that a vendor will be a valuable partner, able to deliver your critical products and services during times of crisis. Essential vendors need to be asked, or audited, to understand how their continuity plans will provide the products/services you need to maintain the integrity of your organization’s deliverables.
A successful vendor management program is a partnership between a business and its vendors/suppliers. It involves the open exchange of information between the parties and serves to strengthen the existing business relationship. Before you embark on such an initiative, just as you did in deploying your business continuity programs, you should secure the involvement and support of at least one executive who understands the downside potential of business continuity issues.
The business continuity vendor management program generally has three phases:
- Establishing the essential (critical) vendors list
Who are your essential (critical) vendors? Those that need to be in place to ensure and preserve the integrity of your business? Those without whom you absolutely can’t do business? The business impact analysis (BIA) is a perfect source for this information. A BIA provides key information about which functions or processes are critical to the business and identifies the suppliers for each function or process. This information may be used to develop and prioritize a starting list.
- Establishing contact with the essential (critical) vendor organizations
Once a list of critical vendors has been established, make contact (by meeting, phone or survey questionnaire), explaining that you want to validate which vendors are able to continue to meet the business’ needs during times of crisis, and stressing the importance of being a partner in the effort. As part of the first contact, request information about the vendor’s business continuity and disaster recovery plans. The real goal of this stage is to confirm that they do, in fact, have plans that are written and exercised regularly.
- Partnering with the essential (critical) vendors for performance
The next step depends on the compliance level your business continuity program requires. If the program is satisfied with a general response that each vendor has business continuity/disaster recovery documentation, then a minimal response may be acceptable. The information should be tracked by making annual contact to check for changes.
If the vendor is a sole-source, one-of-a-kind supplier, securing more detailed information on existing plans, or requesting a joint exercise to demonstrate a greater level of partnership, should be in order to increase your comfort level. Keep in mind that they need you as a customer to stay in business.
Various options exist for a non-responsive vendor. First, revisit and determine the risk to your business. Then offer to partner with the vendor to assist in planning for such services when crisis strikes. This is a great opportunity to build a strong partnership with the vendor by offering assistance to help them get started.
If a vendor chooses to remain silent on this subject, this should be taken as a warning about the vendor’s delivery capability. Follow up by engaging the sponsoring executive to escalate directly with the vendor to promote participation and compliance within a given time frame.
If the vendor chooses not to meet your compliance requirements, the executive (and organization) may have to accept the risk, knowing the vendor’s capability position. (The determination will be made based on a number of factors, which will vary from time to time. In each case, the decision and the rationale should be documented.) Alternatively, and highly recommended, plan to seek out alternate suppliers who meet your delivery expectations under crisis conditions, keeping in mind that any course of action should focus on eliminating the risk of a failed vendor affecting your otherwise secure business.
Proactive planning also includes the participation of your supply management organization (procurement department), to include language in your supply agreements/contracts and purchase orders defining the need for vendors to have demonstrated capabilities (recovery and response plans, delivery options, participation in the vendor’s exercises, and the right to audit their business continuity programs), so that such pitfalls are avoided before the vendor is even selected.
The primary goal of a vendor management program should be clear: ensuring that critical vendors are able to support the business under the worst of conditions. Without this knowledge, the business is at risk each and every day.
You can’t predict an emergency, but you can prepare for one.