RIMS 2014
Recording of this session via any media type is strictly prohibited.
$3.2b
Average Fortune 500 loss in market cap as a result of a reported disruption**
8%
Companies confirming all key suppliers had business continuity programs in place to manage disruptions*
85%
Companies reporting a supply chain incident or disruption during the year*
40%
Companies reporting a supply chain incident or disruption, where the disruption occurred below tier 1 suppliers*
44%
US companies who considered supply chain disruption in business continuity programs*
* Source: Business Continuity Institute, 2011-2012
** Source: World Economic Forum; PwC analysis
Different operations are focused on their own priorities and I do not have an end-to-end view of our supply chain’s resiliency.
We are being regularly hit with disruptions and rarely see them coming.
We don’t have a good understanding of our place in the supplier’s customer prioritization stack.
We are definitely managing supplier risk, but I don’t think we are managing supply chain risk across all possible dimensions.
If we are having difficulty understanding our key suppliers’ resiliency, I can only imagine how difficult it is for them to do the same with their critical suppliers.
• Balancing efficiency with resilience in the face of continuing volatility and heightened uncertainty.
• Continued growth in operations complexity and economic-induced supply/demand volatility, as well as increasing vulnerability of networks to disruptive events
• Limited visibility to vendors, networks and products across the supply chain
• Limited internal supply chain risk and resilience resources
1. Map the Vendor Risk Landscape
2. Vendor Resiliency Prioritization
3. Understand Resiliency Integration Needs
4. Validation
5. Respond
• If your company has a business continuity program, there should exist a current Business Impact Analysis (BIA). The BIA provides a detailed, foundational view of how interruption events (e.g., loss of technology, reduction in personnel, loss of facilities, and loss of third parties) can impact the organization.
• These third parties include supply chain participants, service organizations, technology support providers, HR process enablers, financial intermediaries, and a multitude of external organizations critical to your operations.
• The BIA answers two important vendor resilience management questions:
1. Which vendors will have the most impact on my organization if they suffer an interruption, and how quickly will the impact materialize?
2. How do my potential crisis recovery strategies involve my critical vendors?
Not all critical vendors are equally important to the organization, and not all customers are equally important to those vendors. Taking a risk-informed approach, the following selection criteria can help identify the most critical vendors:
1. Revenue and inventory impact from loss
2. Proximity of the vendor and logistics
3. Capacity utilization (performance and capacity of the vendor)
4. Service level agreements and right to audit
5. Potential impact on service/product quality during rapid vendor changes
6. Exposure to labor, country, and geopolitical risks
7. Level of vendor integration with your technology
8. Correlated risk (natural and man-made hazards, geographic concentration, availability, and reliability) amongst individual and clustered vendors
9. Regulatory exposure and cross-border issues
The best comfort comes from assessing the quality of the vendor’s resiliency and recovery capabilities in areas that are integral to your organization’s operational resilience. This information is documented within the organization’s BIA and should include, at a minimum:
• A list of the goods and services provided by the vendor
• A list of the processes within your organization that consume the vendor’s outputs, or rely on a vendor to complete the service/product delivery cycle
• A description of where the vendor’s activities are geographically performed
• A determination of the point at which a vendor interruption crosses the threshold of criticality
• A description of possible regulatory impacts from a vendor’s lack of resiliency
• A description of the vendor’s role during an interruption and business process recovery
Once critical vendors have been risk-ranked and resiliency questions developed, the process of obtaining and validating the vendor’s resiliency and recovery capabilities begins. The following are six best practices that will aid your vendor resiliency interaction and analysis:
1. Ensure that the majority of your resiliency inquiry communications with the vendor originate from the individual who owns the vendor relationship.
2. Your point person should speak directly with the individual responsible for maintaining the vendor’s resiliency and continuity program.
3. Enlist the vendor as a resiliency partner, since interruption events at either end of the relationship continuum will affect both parties.
4. Obtain relevant portions of the vendor’s BIA and Risk Assessment.
5. Use a tailored version of international business continuity standards as a basis for vendor inquiries.
6. Have the vendor describe its response to a prior potential or actual crisis event. Ask for the impact thresholds where they would contact customers in advance of, or immediately after, a crisis event.
The final vendor resiliency management program phase is responding to the vendor’s resiliency.
Critical vendor interruption risk reduction strategies can include:
• Maintaining higher inventory levels for at-risk items
• Collaborating with the vendor to improve its resiliency
• Creating limited “backup” vendor relationships that can be activated quickly
• Implementing more robust business continuity practices for the affected business processes
• Replacing the less resilient vendor to reduce risk.
To achieve comfort around vendor resiliency and recoverability, it’s all about transparency, asking the right questions and pushing the right levers. The more foreknowledge you have — about your own needs, the capabilities of your vendors, and the robustness of your resiliency plans — the more comfort you’ll have.
For detailed information about PwC’s approach to Vendor Resiliency Management, please stop by our RIMS booth for a copy of ‘Business continuity beyond company walls: When a crisis hits, will your vendors’ resiliency match your own?’ by PwC’s Performance GRC practice.
Phil Samson is a Principal in PwC's Performance Governance, Risk and Compliance practice responsible for leading Business Continuity Management services in the US.
• Phil has over 28 years of experience serving the operational and technology risk management needs of his clients, and 20 years of experience assessing, designing, implementing and testing business continuity and crisis management programs. You can listen to one of Phil's podcasts on business continuity at http://www.pwc.com/us/en/increasing-it-effectiveness/podcasts/business-continuitymanagement.jhtml and read about PwC's perspective on business continuity at http://www.pwc.com/us/en/10minutes/business-continuity-management.jhtml, which is also available as an iPad or Android app.
Neil Kaufman is a director in PwC’s Performance GRC Business Continuity Management (BCM) practice.
• Neil has over 21 years of management consulting, operational and crisis communications experience (business, technology and operations) across multiple industries. He has designed, led and overseen delivery of hundreds of plans and table top exercises across senior leadership teams and business functions for his clients.
• Neil is 2013's "Consultant of the Year" in the Awards of Excellence Program from The Disaster Recovery Institute International (DRII). He has published articles on Business Continuity Planning solutions and concepts and their real world applications. Neil is a Certified Business Continuity Professional (CBCP).