No business operates in a vacuum. We live in an interdependent world where companies rely on each other. Supply chains can be complex, but they are vital. If they start to break down, the cost and the disruption can be massive and possibly terminal.Given this straightforward fact, it is surprising that more leaders and managers don’t pay as much attention as they should to the associated risks.Possessing understanding and visibility of your suppliers including those that sit below the strategic tier one organisational level, is an essential element of business resilience. This helps form the basis of business continuity planning.“It’s an issue that has really come to a head with the Covid-19 pandemic,” says Mike Ford, Global Lead for Sustainability and EHS at Avetta, the global supply chain risk contractor management services company. He is a long-time member of the IIRSM, and his company is a strategic partner.“We evaluate supply chain risk on behalf of our clients and deliver due diligence in this area. For example, awarding a multi-million pound contract to another business demands analysis of that company, assessment of their fiscal integrity, previous work history, their actual working capacity and their health and safety record.“However, when it comes to business continuity planning (BCP), we have found many companies, irrelevant of the sector they operate within, simply ask the question as to whether it’s in place. They don’t seek verification. We’ve found that many major global brands don’t carry out any analysis as to whether that BCP is actually fit for purpose.”That approach was suddenly found wanting earlier this year, he says, when Covid-19 impacted on the ability to deliver goods and services. “For example, the automotive sector and elements of the construction sector operating on a just-in-time basis, found they had a limited supply of critical components. They hadn’t done any checks and they were in real trouble.”One issue, Mike points out, is that different organisations in the supply chain can have differing views and levels of understanding on what BCP actually is. This can be influenced by their company demographic, access to resources and whether their clients ever evaluated their competency in this area.“When I worked in China, assessing suppliers for Western buyers, we would ask about business continuity. Their level of understanding was very often confused with them presenting things like fire drills, building evacuation and first aid when asked about BCP process.“In their mind, they felt they had presented good BCP principles to ensure business normality but in reality, this was not the case and it proved very difficult to communicate what was actually required.“This was especially the case in terms of understanding how different risks could impact on the business and more importantly, understanding the impacts these risks had on day-to-day operations.The risk of failing to recognise exactly what business continuity planning entails and how it should be carried out became clearer closer to home when the Covid-19 pandemic erupted earlier this year, Mike adds. “In April, clients started asking what we could add to our existing product portfolio to help them address concerns about suppliers working with them that could not maintain their service provision.“This was impacting on project deliverables and service level agreements. The problem was that they had done little or no assessment or validation of their strategic suppliers’ BCP programmes.“Suppliers might look to be in good shape and suggest they can meet their contractual obligations, but you have to assess what actions would they take if something impacts on their ability to source materials or services, or if one of their key suppliers suddenly can’t get their parts and goods because a factory somewhere has gone down.”Research quickly showed that their due diligence often only went as far as companies’ tier one partners. “There was literally nothing after that – nothing. They expected their strategic partners to be doing their own due diligence but in reality, no checks were being made on this vital part of business resilience.”The problem often lies in a lack of understanding of the companies in receipt of contracts. What is their actual capacity to deliver work? How reliant are the recipients on subcontractors to deliver the contracts?In fact, the supply chain does not end there. Subcontractors can place business with others, so the risk being imported then tumbles down the chain.Of course, this then immediately raises the question of how much BCP is applied right across the supplier ecosystem and how an assessment of this is made. Often no evaluation at all is being carried out.“To address this client demand, we developed due diligence content that was based on industry bestpractice – coincidentally, the relevant ISO standard relative to BCP was upgraded back in February.”This allowed development of a programme that could be used by clients to assess the suitability and level of preparedness of business impacts at any level within the supply chain.“We’ve not come across any organisations that have done this kind of assessment below tier two,” Mike adds. “We’ve also taken the initiative of producing very simplistic guidance documentation that is suitable even for businesses that aren’t particularly sophisticated.“This explains how to interpret the questions being asked of them, why the client is asking a question, what type of response they need and also what their expectations are.“Historically they may not have had any problems, but with Covid, they are thinking again.”Avetta’s discussions revealed that most suppliers felt BCP was largely about IT integrity, preventing cybercrime and the use of anti-virus and anti-malware software.“Of course, it’s a lot more than that. Companies must look at all the potential impacts that could stop their business operating normally.“This can be as far reaching as sourcing materials from an emerging economy where a change in political status, civil disturbance or inclement weather can suddenly stop the business in its tracks.“And remember the climate is changing. This could be an impact never really considered before that may prevent the smooth running of the company.”There has to be a recognition of the value a robust BCP brings to client organisations and the supply chain, he says. “It’s like good safety and risk management. A lot of people see it as a cost, but it’s not good business if something goes wrong at your business and someone dies.“Exactly the same principle applies to business continuity planning. You identify the risks, the control measures and the relevant mitigation measures needed to reduce the risk to its lowest level.“Smaller companies can struggle with this, but it’s not about bureaucracy. They too can put processes in place to maintain their business normality and it can all be done simply because they know better than anyone else what can prevent the business from operating normally.”Mike continues: “We know that in many cases smaller ones can feel penalised and unable to compete with larger, better resourced competitors, so Avetta took the initiative.“We gave smaller suppliers access to free templates and simplified guidance on not only the development and implementation of a BCP, but also how to conduct testing and simulations and demonstrate to existing and prospective clients they understand the importance of this planning.”He adds: “Business continuity planning does sometimes require lateral thinking to be effective. “There was a case in Liverpool some years ago where a department in a company had set up a syndicate for the National Lottery. The individuals weren’t earning that much, and they won.“It wasn’t a life changing sum of money, but they all left their jobs as a result. So, the department suddenly ground to a halt. That impacted on the whole business and the company had to put an alternative procedure in place straight away. A lot of businesses have now made it a condition of employment that staff don’t have lottery syndicates.”Supply chain risk is like an umbrella, Mike says. “Each risk – health and safety, environment, sustainability, social responsibility, quality control, business continuity – is a building block, and each one applies to the supply chain. And every individual risk will be bigger or smaller, depending on the supplier and what they do.“Whether it’s developed economies or emerging ones, it’s about applying due diligence appropriately for the location, the level of risk that can be imported when using a supplier and the type of service each supplier provides. Every time you use a supplier, you import risk. That risk can be high or low, so the level of diligence you apply will vary.“The umbrella analogy is because all these risks interconnect. The supplier has to recognise the value of carrying out this process regardless of their level within the supply chain.“If you do that, you have increased resilience. It’s a value-added process. You identify the risk, you mitigate it to its lowest level, and then you test it. That’s absolutely key.”View the original article by iirsm here.