Conducting a vendor resiliency analysis
A vendor resiliency analysis verifies whether critical vendors can continue to support your organization with their products and services in the event of a crisis. This analysis enables a better understanding of an organization’s risk relative to its external suppliers and provides a rational way to address any supply chain issues and corresponding losses of vendor support. By conducting a vendor resiliency analysis, organizations can gain valuable insight into the following questions:
- Which vendors and business partners are most critical to my organization?
- Does my internal supply chain management group understand each vendor’s relative importance to the organization? Has a system of tiering been established?
- If my critical vendors experience a crisis, how will it affect my business?
- If my organization experiences a crisis, how will critical vendors support my needs?
- Are my critical vendors aware of their prioritization status and what will be expected of them during emergencies?
- How resilient are my critical vendors to relevant risk factors and changing situations, and how robust are their accompanying response and recovery strategies?
The first step is to identify key vendors and business partners by assessing the negative impact that would result from a potential disruption of their support to your business. That impact should be evaluated along six variables: operational integrity, financial stability, customer service, regulatory and contractual compliance, operational processes and brand reputation. Various stakeholders will often have different views on the relative importance of vendors to the business. Therefore, it is the risk manager’s responsibility to take a holistic and enterprise-wide perspective of each vendor’s risk and to drive alignment on the set of critical vendors that require the most attention.
After key vendors have been identified, organizations should start by asking whether these vendors have their own risk management and BCM plans in place. From there, risk managers can go a step further by assessing the strength of vendors’ preparedness across the four key components of BCM: emergency response and life safety, crisis management, IT disaster recovery and business unit continuity.
Most vendors will have at least some measures in place across each of these categories (such as fire drills, regular IT backups and crisis communications plans). Others may have more robust business continuity processes if they have experienced an incident or have been asked by an insurance underwriter to create a business continuity plan. Regardless, all organizations should refresh their vendor resiliency analysis on an annual basis — or whenever a change in key customers, vendors or products leads to a meaningful shift in the supply chain.