More than meets the eye
When most of us think of vendor risks we think of a vendor failing to meet its Service Level Agreement (SLA) with our organization.
The SLA can cover a product or a service.
Interestingly, the product or service might not be considered critical - until it's needed "yesterday." (Forms for bills, for example, or checks to pay bills.)
Smart organizations ask critical vendors if they have business continuity plans. Very smart organizations ask the vendors to supply the plans or at least basic plan information such as:
- Who is the plan/program sponsor? (Should be a Very Senior Executive with fiduciary responsibility.)
- What does the plan cover? (InfoTech only, key business units, the enterprise.)
- When was the plan last exercised? (Should be "within the year.")
- When was the plan last updated? (Should be "within the year.")
- Who is responsible for plan maintenance and updating?
Most of the time, the interest in the vendor ends here.
It should not.
What about the vendor's critical vendors? If the vendor provides a finished product - even something as simple as a threaded fastener (a/k/a screw) - and that item is crucial, then the vendor is critical, and the vendor that supplies your vendor with raw materials likewise is critical.
As the risk management person in your organization, you might be wise to ask the critical vendor if it has an alternative supplier of raw materials; has your vendor asked its vendor for a business continuity plan?
Depending on the criticality of a product or service, it might be necessary to go back even farther on the vendor chain, but this usually is not the case.
OK - you talked to your critical vendor and you are confident the vendor has a plan to meet all contingencies.
Is that enough?
How is the vendor's product or service delivered to your organization?
Via highways and byways? Railroads and trucks to the door? Ships and barges and trucks? Airplanes and trucks?
Ask the vendor if it has alternate delivery options.
What if the teamsters walk? That shuts down multiple options since trucks almost always are required - door to door, ship to door, plane to door, train to door.
The teamsters may be perfectly content, but weather can close roads and shut down airports; accidents can close roads and seaways and ports of all types.
Knowing that transportation is an easily interrupted critical process, your organization needs to do a little research to determine a "worst case" transportation interruption and maintain product on the shelf to cover that period. "Just In Time" is fine, PROVIDING nothing interrupts delivery.
Ahh, but your vendor delivers data via the Internet. Nothing to worry about, right?
There are as many, perhaps more, things that can go "bump in the night" for digital deliveries as there are with physical deliveries.
The vendor's InfoTech can crash; your InfoTech can crash; the pipe can get choked; your organization's Internet Service Provider (ISP) may fail; a power outage anywhere along the line can knock out a service. Sure, everyone has backup generators, but are they checked regularly under load; is the fuel supply dry and sufficient, and . . .
As they say, "Nothing's perfect except you and me, and I'm not sure about you."
There are, by the way, two sides to the transportation issue.
Your organization is a vendor to your clients.
Whether you provide a product or a service, your organization typically has to deliver to the customer.
That means transportation from your organization to the customer, be the customer another manufacturer, a wholesale or retail organization, or an individual.
Your organization's delivery options - and hazards - are the same as those of the critical vendors.
The bottom line is that when considering risks relating to critical vendors, you must think of all related risks.
If I wrote it, you may quote it.
Longer articles at https://sites.google.com/site/johnglennmbci/
Comments to JohnGlennMBCI at gmail dot com