Tuesday, May 5, 2015


PwC (finally?) realizes
Vendors are a real risk


MY FAVORITE SOURCE of links to risk articles, Advisen FPN, pointed me to a PwC puff piece (it came via PR Newswire) titled Growing Use of Vendors Intensifies Risk of Business Interruption, According to PwC US.

PwC, a/k/a PricewaterhouseCoopers LLP, tells us that

    As businesses increasingly rely on external parties for critical services, they become more vulnerable to business interruptions. This is especially true when such businesses know little about their third party vendors' resiliency and recovery capabilities, according to a new PwC US whitepaper, which examines the effects that vendor resiliency, or lack thereof, can have on an organization's business continuity strategy. Titled, Business continuity beyond company walls: When a crisis hits, will your vendors' resiliency match your own?, the PwC report also notes that risk becomes greater when the organization has a limited understanding of its own business interruption threats, resiliency status and recovery capabilities and strategies.

I wonder if, coming from PwC, that basic information experienced risk management practitioners have been preaching for years - decades - will have some impact.

According to PwC's report,

    (R)eliance on third parties is gaining momentum, and if companies lack insight into their critical vendors' resiliency and recovery capabilities, they run the risk of their own strategic goals being derailed. "Our clients are adjusting to the shift in global economic power and demographic shifts – two of the megatrends we identified – by increasing their use of strategic vendors to accelerate their global growth strategy and decrease time-to-market for their products and services. Along with the increase in strategic vendor reliance comes the need to more formally monitor vendor and other third party risks," said Brian Schwartz, PwC US Risk Assurance, Governance, Risk and Compliance leader.

    In order to protect against business interruption risks, companies should institute a business continuity management program that encompasses vendor risk by incorporating increased resiliency and rapid recovery. PwC outlines five steps to help companies look beyond their own walls and examine interruption risk among the vendors who provide support.

While I would suggest that "reliance on third parties" is not gaining momentum, it is a fact of life for almost every organization; I cannot think of any that survives sans vendors. No man is an island, nor is any organization.

Slowly, slowly business continuity practitioners are learning that limiting their search for risks "inside the building" is hardly sufficient. It could be compared to searching for hametz (Note 1) only in the kitchen while ignoring the dining room (and kids' rooms).

Business continuity must expand to become true ENTERPRISE Risk Management considering ALL risks from ALL areas - from incoming (raw materials, orders, payments, delivery systems) to outgoing (QA/QC, advertising/PR, delivery systems, customer financial well-being), and the items mentioned here are only the tip of the proverbial iceberg. (Add to that government regulations, taxes, and fees, competition, lenders, investors, and many, many more potential "gotchas.")

Most practitioners have expanded out from behind the locked doors of IT/MIS to try to discover an organization's raison d'etre, but - unfortunately - many still are looking for risks only within the organization.

As PwC now recognizes, as "businesses increasingly rely on external parties for critical services, they become more vulnerable to business interruptions."

'Course you knew that.


Note 1: Hametz - leavened food prohibited to Jews during Passover.
