Critical Supplier Continuity – Believe It or Not

Michael Herrera, CEO, MHA Consulting
November 8, 2017

© 2017 MHA CONSULTING. ALL RIGHTS RESERVED.



COMPANY BACKGROUND

18-year proven track record of applying industry standards and best practices across a diverse pedigree of clients.

A simple mission: Ensure the continuous operations of our clients’ critical processes.

SaaS Tools: BIA On-Demand, Compliance Confidence, Residual Risk.

KEY FACTS

• SAAS: Compliance and risk tools.
• CAPABLE: Comprehensive suite of services.
• 20: Average years industry experience.
• 18: Years in operation.
• GLOBAL: Diverse, global client base.

SENIOR LEADERSHIP

MHA Consulting’s senior team has an average of over 20 years of industry relevant experience in the areas of Business Continuity, Disaster Recovery, and Project Management.

Michael A. Herrera, CBCP
Chief Executive Officer
Phoenix, Arizona
www.mha-it.com
https://bcmmetrics.com/


DIVERSE, GLOBAL CLIENT BASE

• HEALTHCARE
• EDUCATION
• FINANCIAL INSTITUTIONS
• CONSUMER PRODUCTS
• INSURANCE
• TRAVEL & ENTERTAINMENT
• GOVERNMENT/UTILITY
• SERVICES


ROBUST SUITE OF SERVICES

EXERCISES | MAINTAIN & IMPROVE | ASSESS THE CURRENT ENVIRONMENT | RECOVERY STRATEGIES & SOLUTIONS | RESPONSE & RECOVERY PLANS

• Business Recovery Strategies & Solutions
• Data Center Recovery Strategies
• Current State Assessment
• Policy & Standards
• Business Impact Analysis
• Threat & Risk Assessment
• BCMMETRICS™ BIA On-Demand (BIAOD)
• BCMMETRICS™ Compliance Confidence (C2)
• BCMMETRICS™ Residual Risk (R2)
• Training & Awareness
• Mock Disaster Exercises
• Plan Functional Walkthroughs
• Alternate Worksite Exercises
• Crisis Management
• Business Recovery
• IT Disaster Recovery
• Update Recovery Plans
• Update Current State Assessment
• Update Business Impact Analysis & Threat Assessment
• Third Party Assessments


AGENDA

• Governance
• Critical supplier identification
• Managing critical supplier risk (prevention, mitigation, recovery)
• Evaluating critical supplier resiliency and continuity
• Reporting & Remediation


Governance


ESTABLISH A GOVERNANCE PROCESS

• Do what you can to get your organization to require you to evaluate your suppliers from a BC perspective.
• Everything starts with senior management.
• If there’s not an oversight group responsible for vetting the supply chain, it will be hard to get your procurement people to go to the vendors and say you have to evaluate them on a BC basis.


CRITICAL SUCCESS FACTORS

• Senior executive is the sponsor of the program.
• Management team regularly reviews the resiliency of the supply chain.
• Oversight team members understand their roles and responsibilities.
• Strategic direction of the enterprise SCRM program is defined.
• Enterprise level policies consider critical suppliers and continuity of supply chain services, material, and/or goods utilized by the organization.


01 SENIOR EXECUTIVE SPONSORSHIP.
• A senior executive has been assigned as the sponsor and champion of the program and has primary responsibility for its success across the organization.

02 MANAGEMENT TEAM REVIEW.
• A cross-functional management team regularly reviews the critical SCRM activities, functions, services, materials, goods, partnerships, supply chains, relationships with interested parties, and the potential impacts related to a disruptive incident.

03 OVERSIGHT TEAM ROLES & RESPONSIBILITIES.
• Roles and responsibilities of the SCRM oversight team have been documented, reviewed with the members and formally approved.

04 STRATEGIC DIRECTION DEFINED.
• The mission and objectives of the program are documented and approved by the SCRM Oversight Team.

05 CRITICAL SUPPLIERS CONSIDERED IN ENTERPRISE POLICIES.
• Enterprise policies specifically consider and address critical suppliers, activities, functions, services, materials, goods, partnerships, supply chains, relationships with interested parties, and the potential impacts related to a disruptive incident.


Identifying Critical Suppliers


IDENTIFY YOUR CRITICAL VENDORS

• Rank your vendors by importance.
• Identify the top suppliers most vital to your enterprise.
• In evaluating the relative importance of each supplier ask questions such as the following:
  • How important is the vendor’s product or success to the processes of your company?
  • Does the vendor supply a commodity which you can easily find elsewhere or a specialized product with few or no other potential suppliers?

**One of the best tools for helping you work through these questions is a Business Impact Analysis.

CRITICAL SUPPLIER IDENTIFICATION


CRITICAL SUCCESS FACTORS

• There is a clear understanding of the types of suppliers (direct and indirect).
• Business unit processes supported by critical suppliers have been identified and prioritized for recovery.
• Critical suppliers supporting key business processes have been identified for the enterprise.
• Critical suppliers are inventoried and ranked by type and importance to the organization.
• Management regularly reviews and approves the supplier criticality ranking.


01 PRIORITIZE CRITICAL BUSINESS UNITS.
• BIA or similar process used to identify and rank the importance of business processes supported by critical suppliers.
• RTO assigned to each business process to minimize disruption to the organization and its stakeholders.

02 IDENTIFY CRITICAL SUPPLIERS.
• Critical suppliers identified as a component of the BIA.
• Dependencies for each business process are identified including critical suppliers and the services, materials and/or goods they provide.

03 INVENTORY & RANK CRITICAL SUPPLIERS.
• Suppliers ranked by type and importance; the following minimum information maintained:
  • Importance of the supplier
  • Business unit(s) supported
  • Services, materials, and/or goods provided
  • Business unit activities that rely on the supplier
  • RTO for each business activity
  • Critical subcontractors used by the supplier
  • Vendor contact information

04 MANAGEMENT REVIEW.
• Oversight team reviews and approves of critical suppliers.
• Critical suppliers must adhere to additional guidelines and requirements to ensure the resiliency of the supply chain and the services, materials and/or goods provided to the organization.


Managing critical supplier risk (prevention, mitigation, recovery)


ASSESS THREATS & RISKS FACING THE VENDOR

• Get a handle on the specific dangers and vulnerabilities to which your critical suppliers are exposed. If you depend on them to provide business-critical products or services, their problems are your problem.
• Are they in hurricane country? Tornado Alley? On an earthquake fault?
• Is their facility located across the street from a chemical plant?
• How is their plant security? Their cyber security?
• Do they have a stable workforce or high turnover?
• What is their financial situation?
• Will economic conditions impact the industry they are in?
• Do we have alternate options?

THREAT & RISK ASSESSMENT


PAY THEM A VISIT

• The best way to evaluate most of the threats and risks mentioned above is to go to a critical supplier’s facility, look around, and review their documentation.
• Is their level of security as good as they claim? Is their backup generator really capable of supporting their whole operation?
• You can tell a lot just by how happy they are to see you.
  • Are they welcoming, prepared, and open? Great!
  • Do they seem annoyed or nervous about your visit? Maybe you should be nervous.


CRITICAL SUCCESS FACTORS

• Management has defined and approved the criteria to classify suppliers by type and by importance to the continued operation of the organization.
• Threats and risks to the enterprise supply chain have been considered, identified, inventoried and prioritized by criticality (e.g., impact to profitability, reputation).
• Management has identified mitigating strategies for supply chain threats and risks.
• Management regularly reviews enterprise risks, mitigating strategies and supplier ranking criteria.


01 APPROVED SUPPLIER CLASSIFICATION CRITERIA.
• Specific criteria rank suppliers by type and level of importance to the organization, including the operational, financial, legal, and reputational impacts that would be experienced if a supplier were unable to provide services, materials, and/or goods to the organization for an extended period of time.

02 IDENTIFICATION & PRIORITIZATION OF THREATS/RISKS.
• A comprehensive mapping and assessment of the supply chain is regularly conducted to identify and inventory relevant threats and risks based on location, probability and impacts (e.g., financial, legal, regulatory) to the organization.

03 MITIGATING STRATEGIES IDENTIFIED.
• Documented and approved risk mitigating strategies that must be considered when addressing supply chain threats and risks have been identified.
• The mitigating strategies are considered when assessing the continuity capability of each critical supplier and the ability to provide services, materials and/or goods to the organization.

04 REGULAR MANAGEMENT REVIEW.
• The oversight team regularly reviews the risks/threats, supplier ranking criteria, and mitigating strategies for relevancy and updates them as needed.


Evaluating critical supplier resiliency and continuity


GET IT IN WRITING

• Ideally, the vendor will agree to your business continuity requirements and for the terms to be included in your supply agreement with the vendor.
• What is in a good agreement?
  • The vendor must have a plan,
  • You have a right to inspect the plan,
  • You have a right to on-site visits.
  • Consequences to the vendor for any disruption of theirs that impacts you.
• What if the vendor is reluctant to make such an agreement?

CRITICAL SUPPLIER RESILIENCY & CONTINUITY


CRITICAL SUCCESS FACTORS

• Purchasing agreements require critical suppliers to address continuity planning and service levels.
• Critical suppliers are legally bound to ensure continuity of their supply chain and the delivery of services, materials and/or goods to the organization.
• A best practices approach is used to evaluate a critical supplier’s continuity program and supply chain resiliency.
• Critical suppliers are regularly audited to assess their capability.
• Provisions for communication with the supplier are in place, including initial notification parameters and ongoing event status updates.
• The BCM process incorporates the supply chain as a component of the enterprise preparedness program.


01 PURCHASING AGREEMENTS DOCUMENT REQUIREMENTS.
• Purchasing agreements contain specific wording defining BCM requirements, service level expectations, and penalties for interruptions/incidents, including:
  • Contract “out” for exceeding defined interruption levels
  • Fee reimbursements for delivery failures
  • Graduated reduction in fees based on diminished services.

02 SUPPLIERS LEGALLY BOUND TO ENSURE CONTINUITY.
• Critical suppliers have agreed to BCM and service level requirements.
• Signed purchasing agreements are on file.

03 SUPPLIER PROGRAM EVALUATED USING BEST PRACTICES.
• A standardized questionnaire and approach, consistent with industry best practices and standards, is used to evaluate the threats, vulnerabilities and the maturity of the continuity capability of each critical supplier and its supply chain.


04 CRITICAL SUPPLIERS AUDITED.
• Qualified personnel conduct regular site visits at critical suppliers to:
  • Identify any threats/risks, vulnerabilities and single points of failure associated with operations
  • Assess the supplier’s ability to continue to deliver services, materials, and/or goods to the organization as promised in the event of an unplanned disruption.

05 SUPPLIER PRIORITIES IDENTIFIED.
• Critical supplier assessment includes identifying the priority of the organization in respect to restoration of supplier services, materials, and/or goods.
• Gaps between the priorities of the critical supplier and expectations of the organization are identified and documented for management review and action.

06 COMMUNICATION CHANNELS IDENTIFIED.
• Communication channels are identified, established and exercised.
• Prioritization during an event is agreed upon where multiple customers exist with supply chain vendor.

07 SUPPLY CHAIN IS PART OF BCM PROGRAM.
• The BC Manager incorporates the teams, plans and processes to detect, respond, recover and resume operations from a disruption to the supply chain.


Reporting & Remediation


BE PROACTIVE

• Keep in touch with vendors that are dealing with problems such as storms or fires.
• Reach out to them and see if they foresee any impacts.
• Keep the lines of communication open.
• Diplomatically remind them that you are depending on them.
• Ask what they are going to do to prevent or fix the disruption.
• Identify alternate suppliers you can turn to if your original supplier falters.
• Look for vendors that are willing to partner with you to safeguard your supply chain.

CRITICAL SUPPLIER REPORTING & REMEDIATION


CRITICAL SUCCESS FACTORS

• Critical supplier exposures are documented for management review and action.

• Management is apprised of the current state of the resiliency of critical suppliers and the supply chain at the organization.

• Management requires critical suppliers with significant exposures to implement a comprehensive remediation plan to minimize risk to the supply chain.

• Management renegotiates and/or amends critical supplier agreements to minimize risks to the enterprise supply chain.


01 DOCUMENTED SUPPLIER EXPOSURES.
• Vulnerabilities and single points of failure that could impact a supplier’s capability to withstand interruption in its supply chain and at its premises are documented.
• Any historical costs incurred are also noted.

02 MANAGEMENT REVIEW.
• The state of critical supplier continuity and supply chain is reviewed by management on a regularly scheduled basis.
• At least annually or when a vendor has a mid-high level business strategy change (e.g., primary facility move to new location, merger or acquisition, new business suppliers to the vendor).

03 SUPPLIER REMEDIATION PLANS REQUIRED.
• Management proposes countermeasures to significant vulnerabilities, single points of failure and lack of continuity planning at critical suppliers.
• Countermeasures include strategies identified in the Threat and Risk Assessment.

04 RENEGOTIATE OR AMEND CONTRACTS.
• Management revises critical supplier agreements to minimize impact to delivery of services, goods, and/or materials to the supply chain.
• Changes may include addition of service level expectations and penalties for interruptions/incidents, including:
  • Contract “out” for exceeding defined interruption levels
  • Fee reimbursements for delivery failures
  • Graduated reduction in fees based on diminished services


MHA CONSULTING, INC.

THANK YOU

www.mha-it.com

(888) 689-2290

(602) 708-1718


Michael Herrera, Chief Executive Officer