November 2022 / 5 Min Read

Manage Supply Chain Risk with a Vendor Resiliency Analysis


To bolster supply chain resilience, conduct a vendor resiliency analysis as a primary component of a Business Continuity Management plan.


Key Takeaways

  1. It is increasingly important for organizations to understand their supply chain and vendor risks.
  2. Supply chain resilience is an imperative for business survival and growth and a key part of the total cost of risk.
  3. To bolster resilience, risk managers should work with their supply chain counterparts to conduct a vendor resiliency analysis.

As the COVID-19 pandemic fades as a major cause of global supply chain issues, other factors have emerged to keep supply chain disruptions at the forefront in 2023. Political conflict in Ukraine, weather extremes, a global recession, labor shortages and even inflation and rising interest rates [1] will likely cause persistent issues for businesses in 2023 [2].

It therefore remains critical for organizations to understand their supply chains, find weak links and take steps to reduce the risks [3]. The “just in time” supply chains that were optimized for cost and efficiency must now respond to emerging risks such as extreme weather events, labor issues and geopolitical shifts. Supply chain resilience is an imperative for business survival and growth and a key part of the total cost of risk [4].

Supply chain resilience

To bolster resilience, risk managers should work with their supply chain counterparts to conduct a vendor resiliency analysis as a primary component of their organization’s Business Continuity Management (BCM) plan.

Conducting a vendor resiliency analysis

A vendor resiliency analysis verifies whether critical vendors can continue to support your organization with their products and services in the event of a crisis. This analysis enables a better understanding of an organization’s risk relative to its external suppliers and provides a rational way to address any supply chain issues and corresponding losses of vendor support. By conducting a vendor resiliency analysis, organizations can gain valuable insight into the following questions:

  • Which vendors and business partners are most critical to my organization?
  • Does my internal supply chain management group understand each vendor’s relative importance to the organization? Has a system of tiering been established?
  • If my critical vendors experience a crisis, how will it affect my business?
  • If my organization experiences a crisis, how will critical vendors support my needs?
  • Are my critical vendors aware of their prioritization status and what will be expected of them during emergencies?
  • How resilient are my critical vendors to relevant risk factors and changing situations, and how robust are their accompanying response and recovery strategies?

The first step is to identify key vendors and business partners by assessing the negative impact that would result from a potential disruption of their support to your business. The negative-risk impact should be evaluated along six variables: operational integrity, financial stability, customer service, regulatory and contractual compliance, operational processes and brand reputation. Various stakeholders will often have different views on the relative importance of vendors to the business. Therefore, it is the risk manager’s responsibility to take a holistic and enterprise-wide perspective of each vendor’s risk and to drive alignment on the set of critical vendors that require the most attention.

After key vendors have been identified, organizations should start by asking whether these vendors have their own risk management and BCM plans in place. From there, risk managers can go a step further by assessing the strength of vendors’ preparedness across the four key components of BCM: emergency response and life safety, crisis management, IT disaster recovery and business unit continuity.

The Four Components of BCM

Most vendors will have at least some measures in place across each of these categories (such as fire drills, regular IT backups and crisis communications plans). Others may have more robust business continuity processes if they have experienced an incident or have been asked by an insurance underwriter to create a business continuity plan. Regardless, all organizations should refresh their vendor resiliency analysis on an annual basis — or whenever a change in key customers, vendors or products leads to a meaningful shift in the supply chain.

Addressing vendor risk

A thorough vendor resiliency analysis will often reveal gaps that your company may want to mitigate and address. A few of the most common sources of vendor risk include:

Single-source vendors:

When organizations depend on a single vendor for a critical input, vendor failure can result in immediate and significant interruption to critical business operations. At a minimum, these companies should have a contingency plan that identifies alternative vendors, if available, and should consider diversifying their suppliers.

Personnel risks:

If your vendor’s operations are dependent on one or two critical staff members — for example, key IT personnel who are necessary to keep the computer systems up and running — this can pose a serious threat if they suddenly leave the organization. It is important to ask your vendors to identify any single points of failure in their processes and to address these dependencies where possible.

Single manufacturing or distribution centers:

Vendors that rely on a single manufacturing plant, warehouse or distribution center are more likely to experience an outage in the event of a natural disaster, geopolitical shifts, shipping delays and other catastrophic events. Organizations should be aware of the geographic footprint of their vendors, as well as any third-party logistics providers that also pose similar risks.

Equipped with a strong understanding of their company’s vendor risk profile, leadership can then make informed decisions about whether to accept, mitigate or transfer some or all of the risk based on their risk appetite. Risk-mitigation solutions include holding more inventory, bringing suppliers closer to home, and exploring new logistics options or other alternatives.

Communication with vendors is also key. Companies can include language in their master service agreement (MSA) that requires vendors to have a business continuity plan and to undergo regular maintenance and exercises. They can also inform critical vendors of their prioritization status and clarify their service-level expectations during an emergency. These steps can encourage your vendors to perform the advance planning and preparation that is necessary to ensure business continuity — for their organization and for yours.

Terms of Use
The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.