Business continuity in the supply chain

Share this article:

Business continuity (BC) is now well recognised as a critical business requirement by most companies, even if they themselves do not adopt comprehensive BC plans.

However, many firms neglect to consider the business continuity plans (BCPs) and capabilities of suppliers. The problems which could be caused by such an oversight have been highlighted with the recent power outages both in the United States and in London.

It has been an easy oversight to make - if all else fails, at least you can rely on the National Grid, right? Perhaps not. Firms, which either had well-maintained and tested generators or backup facilities - either provided by a BC supplier or self-maintained - were well-equipped to deal with the outages. Others were not so fortunate, and business and reputational damage may well have occurred.

Just in time

This demonstrates why your own supply chain must be reliable. While the stationery order arriving late may not pose a problem, critical suppliers of services such as energy, stock or particular components to be processed need more than service level agreements, rather they require due diligence to be carried out before contracts are signed. No matter if it's not your fault - if your customers cannot access your service, then you and not the supplier become the weakest link. If your supplier fails to deliver a critical item or service on time it can have serious effects on your business, particularly as many industries are moving towards 'just-in-time' solutions. Retail and manufacturing in particular are most likely to be affected by this as reduced storage space in retail outlets and cost-cutting in manufacturing has led to only just enough stock being held for a couple of days trading.

A leading high-street food retailer, for example, stores enough frozen bread for one extra day's sandwich production, should bread supplies falter for any reason. Not only do they have this resilience, but it is backed up by the threat of a hefty fine to the bread supplier if delivery fails.

Another more classic example (which is often overlooked) pertains to uninterruptable power supplies (UPS). Even if you have some form of BCP in place, it is always worth double-checking SLAs for UPS provision - because if your first line of defence for power loss fails, how soon will you get a replacement and how will your business bear up in the meantime?

The vulnerable enterprise

The enterprise is vulnerable in many ways which may not have previously been considered, and although these may not be your responsibility, you will have to deal with the consequences unless you have planned for them. ISPs, for example, are currently functioning in an unstable marketplace. If your ISP goes into liquidation, do you have an alternative supplier?

Another area which has only recently been considered is the human aspect of recovery. Horrific events like September 11 forced companies to consider what would happen if staff were lost, and whole buildings destroyed. Fortunately, the likelihood of such an incidence is slim, but people issues do still need to be considered. More likely human resource issues can arise from those incidents when denial of access to your premises occurs, such as when your office is cordoned off by blue-light services in response to another problem. Should such a thing happen, do you have alternative plans in place for your people in terms of where they should work from, who should relocate and who should manage recovery processes?

We are not suggesting that all sizes of companies need alternative workplace facilities for incidents such as the above - and nor do all staff need to gather there. However, a crisis management plan for even the smallest organisation should be in place, so that key members of staff have somewhere to regroup with vital business information so that they can ensure the continuance of the business.

For large organisations, remote departments could be the weakest link. A company is only as strong as its weakest part, but if a business impact analysis (BIA) is run, it will decide the criticality of each process, and help the BC or IT manager put the relevant BCPs in place. Companies tend to automatically protect their most important server, but the communications links between the workers (people) and that server (technology) are just as important. This process of keeping people and technology connected, SunGard refers to as 'information availability' - the next logical progression for BC.

Outsourcing

If you choose to outsource your own business continuity, you must ensure that your provider is reliable. Ask for customer testimonies. Run financial due diligence. Ask what will happen in the event of a multiple invocation - will you be pushed into facilities sub-contracted by your supplier, or are they big enough to have multiple locations where you will need them? Checking the reliability of your supply chain involves the BC manager and CFO working together to audit the financial stability of critical suppliers as well as their BC plans.

Information Availability

Having data available is fine - but unless people can access that information, it is worthless. Information Availability can be achieved by reducing the single points of failure leading into your business. Once a BIA has been run on each supplier, you can appoint secondary suppliers - telecoms providers, or power supplies, as necessary.

Again, having seen companies caught out by this in recent events, it is a good idea to have power coming into the building from two different locations. A survey showed that more disruption is caused by workmen digging up the roads and severing power supplies than by terrorists!*

In the same way that you might choose a supplier for their BC provision, having a BCP in place can be a sales generator for your own company. Making the provision for other companies to rely on you, particularly if you work with regulated customers such as those in the financial services industry, demonstrates credibility and responsibility towards your business.

*Survey of City of London firms, run by Safetynet in 1998. Safetynet has since been acquired by SunGard Availability Services.

Phil Carter, director of planning solutions at SunGard Availability Services

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Adobe exploit used to spread Dyre credential stealer

Adobe exploit used to spread Dyre credential stealer

Users running vulnerable Adobe software could be in danger of having credentials for Bitcoin websites stolen.

Staples is investigating a potential issue involving credit card data

Staples is investigating a potential issue involving credit ...

The company said it is investigating a potential issue involving credit card data and that customers are not responsible for fraudulent activity on cards if an issue is discovered.

Skills set a priority over legacy prejudices, experts say

Skills set a priority over legacy prejudices, experts ...

Cybersecurity expert Winn Schwartau and Robert Clark, a cyber law attorney at the Army Cyber Institute, discussed issues around hiring in the information security industry.