© 2017 MHA CONSULTING. ALL RIGHTS RESERVED.
Critical Supplier Continuity – Believe It or Not
Michael Herrera, CEO, MHA Consulting
November 8, 2017
COMPANY BACKGROUND
18-year proven track record of applying industry standards and best practices across a diverse pedigree of clients.
A simple mission: Ensure the continuous operations of our clients’ critical processes.
SaaS Tools: BIA On-Demand, Compliance Confidence, Residual Risk.
KEY FACTS
• SAAS: Compliance and risk tools.
• CAPABLE: Comprehensive suite of services.
• 20: Average years industry experience.
• 18: Years in operation.
• GLOBAL: Diverse, global client base.
SENIOR LEADERSHIP
MHA Consulting’s senior team has an average of over 20 years of industry relevant experience in the areas of Business Continuity, Disaster Recovery, and Project Management.
Michael A. Herrera, CBCP, Chief Executive Officer, Phoenix, Arizona
www.mha-it.com
https://bcmmetrics.com/
HEALTHCARE EDUCATION FINANCIAL INSTITUTIONS
CONSUMER PRODUCTS INSURANCE TRAVEL & ENTERTAINMENT GOVERNMENT/UTILITY
SERVICES
DIVERSE, GLOBAL CLIENT BASE
ROBUST SUITE OF SERVICES
RECOVERY STRATEGIES & SOLUTIONS
• Business Recovery Strategies & Solutions
• Data Center Recovery Strategies
ASSESS THE CURRENT ENVIRONMENT
• Current State Assessment
• Policy & Standards
• Business Impact Analysis
• Threat & Risk Assessment
BCMMETRICS™
• BIA On-Demand (BIAOD)
• Compliance Confidence (C2)
• Residual Risk (R2)
EXERCISES
• Training & Awareness
• Mock Disaster Exercises
• Plan Functional Walkthroughs
• Alternate Worksite Exercises
RESPONSE & RECOVERY PLANS
• Crisis Management
• Business Recovery
• IT Disaster Recovery
MAINTAIN & IMPROVE
• Update Recovery Plans
• Update Current State Assessment
• Update Business Impact Analysis & Threat Assessment
• Third Party Assessments
AGENDA
• Governance
• Critical supplier identification
• Managing critical supplier risk (prevention, mitigation, recovery)
• Evaluating critical supplier resiliency and continuity
• Reporting & Remediation
Governance
GOVERNANCE
ESTABLISH A GOVERNANCE PROCESS
• Do what you can to get your organization to require you to evaluate your suppliers from a BC perspective.
• Everything starts with senior management.
• If there’s not an oversight group responsible for vetting the supply chain, it will be hard to get your procurement people to go to the vendors and say you have to evaluate them on a BC basis.
GOVERNANCE
CRITICAL SUCCESS FACTORS
• Senior executive is the sponsor of the program.
• Management team regularly reviews the resiliency of the supply chain.
• Oversight team members understand their roles and responsibilities.
• Strategic direction of the enterprise SCRM program is defined.
• Enterprise level policies consider critical suppliers and continuity of supply chain services, material, and/or goods utilized by the organization.
GOVERNANCE
01 SENIOR EXECUTIVE SPONSORSHIP.
• A senior executive has been assigned as the sponsor and champion of the program and has primary responsibility for its success across the organization.
02 MANAGEMENT TEAM REVIEW.
• A cross-functional management team regularly reviews the critical SCRM activities, functions, services, materials, goods, partnerships, supply chains, relationships with interested parties, and the potential impacts related to a disruptive incident.
03 OVERSIGHT TEAM ROLES & RESPONSIBILITIES.
• Roles and responsibilities of the SCRM oversight team have been documented, reviewed with the members and formally approved.
04 STRATEGIC DIRECTION DEFINED.
• The mission and objectives of the program are documented and approved by the SCRM Oversight Team.
05 CRITICAL SUPPLIERS CONSIDERED IN ENTERPRISE POLICIES.
• Enterprise policies specifically consider and address critical suppliers, activities, functions, services, materials, goods, partnerships, supply chains, relationships with interested parties, and the potential impacts related to a disruptive incident.
Identifying Critical Suppliers
CRITICAL SUPPLIER IDENTIFICATION
IDENTIFY YOUR CRITICAL VENDORS
• Rank your vendors by importance.
• Identify the top suppliers most vital to your enterprise.
• In evaluating the relative importance of each supplier, ask questions such as the following:
  • How important is the vendor’s product or success to the processes of your company?
  • Does the vendor supply a commodity which you can easily find elsewhere or a specialized product with few or no other potential suppliers?
**One of the best tools for helping you work through these questions is a Business Impact Analysis.
CRITICAL SUPPLIER IDENTIFICATION
CRITICAL SUCCESS FACTORS
• There is a clear understanding of the types of suppliers (direct and indirect).
• Business unit processes supported by critical suppliers have been identified and prioritized for recovery.
• Critical suppliers supporting key business processes have been identified for the enterprise.
• Critical suppliers are inventoried and ranked by type and importance to the organization.
• Management regularly reviews and approves the supplier criticality ranking.
CRITICAL SUPPLIER IDENTIFICATION
01 PRIORITIZE CRITICAL BUSINESS UNITS.
• BIA or similar process used to identify and rank the importance of business processes supported by critical suppliers.
• RTO assigned to each business process to minimize disruption to the organization and its stakeholders.
02 IDENTIFY CRITICAL SUPPLIERS.
• Critical suppliers identified as a component of the BIA.
• Dependencies for each business process are identified including critical suppliers and the services, materials and/or goods they provide.
03 INVENTORY & RANK CRITICAL SUPPLIERS.
• Suppliers ranked by type and importance; the following minimum information maintained:
  • Importance of the supplier
  • Business unit(s) supported
  • Services, materials, and/or goods provided
  • Business unit activities that rely on the supplier;
  • RTO for each business activity
  • Critical subcontractors used by the supplier
  • Vendor contact information
04 MANAGEMENT REVIEW.
• Oversight team reviews and approves of critical suppliers.
• Critical suppliers must adhere to additional guidelines and requirements to ensure the resiliency of the supply chain and the services, materials and/or goods provided to the organization.
Managing critical supplier risk (prevention, mitigation, recovery)
THREAT & RISK ASSESSMENT
ASSESS THREATS & RISKS FACING THE VENDOR
• Get a handle on the specific dangers and vulnerabilities to which your critical supplier is exposed. If you depend on them to provide business critical products or services, their problems are your problem.
  • Are they in hurricane country? Tornado Alley? On an earthquake fault?
  • Is their facility located across the street from a chemical plant?
  • How is their plant security? Their cyber security?
  • Do they have a stable workforce or high turnover?
  • What is their financial situation?
  • Will economic conditions impact the industry they are in?
  • Do we have alternate options?
THREAT & RISK ASSESSMENT
PAY THEM A VISIT
• The best way to evaluate most of the threats and risks mentioned above is to go to a critical supplier’s facility, look around, and review their documentation.
• Is their level of security as good as they claim? Is their backup generator really capable of supporting their whole operation?
• You can tell a lot just by how happy they are to see you.
  • Are they welcoming, prepared, and open? Great!
  • Do they seem annoyed or nervous about your visit? Maybe you should be nervous.
THREAT & RISK ASSESSMENT
CRITICAL SUCCESS FACTORS
• Management has defined and approved the criteria to classify suppliers by type and by importance to the continued operation of the organization.
• Threats and risks to the enterprise supply chain have been considered, identified, inventoried and prioritized by criticality (e.g., impact to profitability, reputation).
• Management has identified mitigating strategies for supply chain threats and risks.
• Management regularly reviews enterprise risks, mitigating strategies and supplier ranking criteria.
THREAT & RISK ASSESSMENT
01 APPROVED SUPPLIER CLASSIFICATION CRITERIA.
• Specific criteria rank suppliers by type and level of importance to the organization, including the operational, financial, legal, and reputational impacts that would be experienced if a supplier were unable to provide services, materials, and/or goods to the organization for an extended period of time.
02 IDENTIFICATION & PRIORITIZATION OF THREATS/RISKS.
• A comprehensive mapping and assessment of the supply chain is regularly conducted to identify and inventory relevant threats and risks based on location, probability and impacts (e.g., financial, legal, regulatory) to the organization.
03 MITIGATING STRATEGIES IDENTIFIED.
• Documented and approved risk mitigating strategies that must be considered when addressing supply chain threats and risks have been identified.
• The mitigating strategies are considered when assessing the continuity capability of each critical supplier and the ability to provide services, materials and/or goods to the organization.
04 REGULAR MANAGEMENT REVIEW.
• The oversight team conducts a regular review of the risks/threats, supplier ranking criteria, and mitigating strategies regularly for relevancy and to update as needed.
Evaluating critical supplier resiliency and continuity
CRITICAL SUPPLIER RESILIENCY & CONTINUITY
GET IT IN WRITING
• Ideally, the vendor will agree to your business continuity requirements and for the terms to be included in your supply agreement with the vendor.
• What is in a good agreement?
  • The vendor must have a plan.
  • You have a right to inspect the plan.
  • You have a right to on-site visits.
  • Consequences to the vendor for any disruption of theirs that impacts you.
• What if the vendor is reluctant to make such an agreement?
CRITICAL SUPPLIER RESILIENCY & CONTINUITY
CRITICAL SUCCESS FACTORS
• Purchasing agreements require critical suppliers to address continuity planning and service levels.
• Critical suppliers are legally bound to ensure continuity of their supply chain and the delivery of services, materials and/or goods to the organization.
• A best practices approach is used to evaluate a critical supplier’s continuity program and supply chain resiliency.
• Critical suppliers are regularly audited to assess their capability.
• Provisions for communication with the supplier are in place, including initial notification parameters and ongoing event status updates.
• The BCM process incorporates the supply chain as a component of the enterprise preparedness program.
CRITICAL SUPPLIER RESILIENCY & CONTINUITY
01 PURCHASING AGREEMENTS DOCUMENT REQUIREMENTS.
• Purchasing agreements contain specific wording defining BCM requirements, service level expectations, and penalties for interruptions/incidents, including:
  • Contract “out” for exceeding defined interruption levels
  • Fee reimbursements for delivery failures
  • Graduated reduction in fees based on diminished services.
02 SUPPLIERS LEGALLY BOUND TO ENSURE CONTINUITY.
• Critical suppliers have agreed to BCM and service level requirements.
• Signed purchasing agreements are on file.
03 SUPPLIER PROGRAM EVALUATED USING BEST PRACTICES.
• A standardized questionnaire and approach, consistent with industry best practices and standards, is used to evaluate the threats, vulnerabilities and the maturity of the continuity capability of each critical supplier and its supply chain.
CRITICAL SUPPLIER RESILIENCY & CONTINUITY
04 CRITICAL SUPPLIERS AUDITED.
• Qualified personnel conduct regular site visits at critical suppliers to:
  • Identify any threats/risks, vulnerabilities and single points of failure associated with operations
  • Assess the supplier’s ability to continue to deliver services, materials, and/or goods to the organization as promised in the event of an unplanned disruption.
05 SUPPLIER PRIORITIES IDENTIFIED.
• Critical supplier assessment includes identifying the priority of the organization in respect to restoration of supplier services, materials, and/or goods.
• Gaps between the priorities of the critical supplier and expectations of the organization are identified and documented for management review and action.
06 COMMUNICATION CHANNELS IDENTIFIED.
• Communication channels are identified, established and exercised.
• Prioritization during an event is agreed upon where multiple customers exist with supply chain vendor.
07 SUPPLY CHAIN IS PART OF BCM PROGRAM.
• The BC Manager incorporates the teams, plans and processes to detect, respond, recover and resume operations from a disruption to the supply chain.
Reporting & Remediation
CRITICAL SUPPLIER REPORTING & REMEDIATION
BE PROACTIVE
• Keep in touch with vendors that are dealing with problems such as storms or fires.
  • Reach out to them and see if they foresee any impacts.
  • Keep the lines of communication open.
  • Diplomatically remind them that you are depending on them.
  • Ask what they are going to do to prevent or fix the disruption.
• Identify alternate suppliers you can turn to if your original supplier falters.
  • Look for vendors that are willing to partner with you to safeguard your supply chain.
CRITICAL SUPPLIER REPORTING & REMEDIATION
CRITICAL SUCCESS FACTORS
• Critical supplier exposures are documented for management review and action.
• Management is apprised of the current state of the resiliency of critical suppliers and the supply chain at the organization.
• Management requires critical suppliers with significant exposures to implement a comprehensive remediation plan to minimize risk to the supply chain.
• Management renegotiates and/or amends critical supplier agreements to minimize risks to the enterprise supply chain.
CRITICAL SUPPLIER REPORTING & REMEDIATION
01 DOCUMENTED SUPPLIER EXPOSURES.
• Vulnerabilities and single points of failure that could impact a supplier’s capability to withstand interruption in its supply chain and at its premises are documented.
• Any historical costs incurred are also noted.
02 MANAGEMENT REVIEW.
• The state of critical supplier continuity and supply chain is reviewed by management on a regularly scheduled basis.
  • At least annually or when a vendor has a mid-high level business strategy change (e.g., primary facility move to new location, merger or acquisition, new business suppliers to the vendor).
03 SUPPLIER REMEDIATION PLANS REQUIRED.
• Management proposes countermeasures to significant vulnerabilities, single points of failure and lack of continuity planning at critical suppliers.
• Countermeasures include strategies identified in the Threat and Risk Assessment.
04 RENEGOTIATE OR AMEND CONTRACTS.
• Management revises critical supplier agreements to minimize impact to delivery of services, goods, and/or materials to the supply chain.
• Changes may include addition of service level expectations and penalties for interruptions/incidents, including:
  • Contract “out” for exceeding defined interruption levels
  • Fee reimbursements for delivery failures
  • Graduated reduction in fees based on diminished services
MHA CONSULTING, INC.
THANK YOU
www.mha-it.com
(888) 689-2290
(602) 708-1718
Michael Herrera, Chief Executive Officer