High Risks in Your Supply Chain that You May be Blind To

The benefits of outsourcing production processes or services to suppliers are many: it can provide a better product or service than you would be able to produce internally; it can increase your efficiency; it can allow you to focus on core areas; and, of course, it can reduce your overall costs. Meanwhile, it also creates additional risks companies may not be factoring into their own business formula for success.

Lack of transparency

Suppliers are often reluctant to share information they may see as proprietary or confidential, but it’s essential that they give reasonable assurance that they have plans in place for business continuity and that they are regularly maintaining and testing these plans. Their process may include a wide scope of operational dependencies, so it’s reasonable for clients to ask for regular assurance and audits.

Sufficient monitoring of, and alerting on, operational outliers or different-from-expected production or delivery is also a basic requirement. Many clients now require automatic monitoring and timely technical reports. If your organization is not already formally requiring this from your key suppliers, introduce it into your relationship. Joint tests and validation exercises are valid trust builders and can improve expectations and transparency in the vendor-client relationship.

Unclear contracts

Relationships with critical partners frequently begin with a trust or “handshake” agreement on delivering a small service with little risk but develop over time into a critical dependency. When contracts are not fully formed or re-addressed as the relationship matures, both parties can end

Secondary suppliers

It’s a global market and many of your suppliers have their own suppliers – around the globe. In fact, those that are delivering value to your suppliers may be receiving value from you or someone like you. It is a small world, after all. The key is to understand the relationships that are imperative to you and their dependencies. Are several of your vendors relying on the same supplier for a raw material? Do your vendors require the same level of standards you do from their partnerships? There are many layers of business these days and it’s difficult to see the supply chain clearly across several (perhaps as many as several dozen) variables. In short, you need to know your suppliers as well as you know your customers.

Quality control

Don’t forget that because today’s global supply chains are so interdependent, the number of organizations that influence your product multiplies the complexity of product quality. Each organization carries its own process methodologies, operational policies and strategic initiatives. Each of these creates another layer of complexity. It’s easy for a small part to become obscure and the detail less defined, resulting in a poorer level of product. Clear service level agreements and carefully systematized audits are needed to set and maintain standards of quality.

In conclusion, many risks that come with supplier relationships can be minimized through establishing clear expectations early in the relationship and continuing to clarify those expectations throughout the working contract.


Exercising for Safety and Soundness

Yes, for the next year or two your bank examiner may make the mistake of crediting you for exercising your disaster plan when you documented an actual crisis, but let’s take a step back and think about this before we consider it a “win”.

Experiencing a crisis or disruption does not meet the standard for exercising your plan and should not be adequate to count as testing your plan, for many reasons, including:

  1. Under best practice continuity management guidelines it is clear that establishing and testing an exercise program is not the same as documenting events that threaten or impact the business.  These are two separate best practices.
  2. FFIEC examination guidelines state “The board and senior management should establish a testing program appropriate for the size, complexity, and risk profile of the organization and its business lines”.  Passively experiencing crisis does not demonstrate a testing program has been established and, no matter what the extent of the crisis, it will not be appropriate for the size, complexity and risk profile of the organization.  In fact, it may be counterproductive and make you look unprepared because you didn’t plan a test.
  3. Community banks are likely to have experienced 6-12 crises in a year.  What makes this one particularly meaningful?  Did you document the other ones?  What are your standards for documentation?
  4. Test objectives were not set or met (no, “survival” does not count) and only one part of your response plan was tested.  The “test” was not comprehensive.
  5. Since you weren’t planning to experience this problem, exercise controls were not in place when you had it.  You can only manage what you measure.
  6. Hypothetically, would you consider going to the emergency room because you thought you might be having a heart attack to be an indicator of your ability to deal with stress?  Technically the answer is “Yes”.  However, that’s certainly no way to live, and if this is your common practice then it indicates you don’t really have a good plan for your health.  The same is true for your organization.  Why wait for a heart attack to check whether your blood pressure is too high?  It’s easier to use a blood pressure cuff and check your heart rate.

Let’s speak the truth: This is not the attitude of a healthy, mature business and will not, for much longer, meet requirements for safety and soundness.

Now, before you get frustrated, I realize you don’t want to do continuity management this way.  You have a LOT on your plate that you’d rather be getting to (call reports anyone?) and you’re just not sure where to get started.  So, DCS has set up some fantastic tools to make planning exercising EASY for you!  Get excited now and bookmark this for future reference! First, go ahead and log that problem you had on our FREE Crisis Event Log.  It’s got a couple of brief questions to help you get down the information you need to learn from and properly document the problem.

Next, use our FREE Strategic Road Map to get an idea about what a good, well-rounded financial institution can do to build operational strength.  NO, you don’t have to do that big fail-over test right away.  We actually recommend against it.  Start drilling the little things first.  Can you guarantee that you can contact everyone when they’re not at work?  Try your call tree out and write down what happens.  That’s a great test!

Another quick tip is to see what your IT provider is doing to test regularly.  We often find that the IT department regularly tests failover procedures but rarely documents them adequately for oversight or examination requirements.  All you have to do is start documenting!  It’s easy!  You can do that!

We have also started a new product line: DIY Turnkey Continuity.  We’re building very strong key kits for your continuity tool case at affordable prices.  We’ve started with a data breach kit and will be releasing an exercise kit before the end of the summer.  For our BOL friends, we are looking for pilot users to test these at a discounted rate!  Private message me if you’re interested.  Also let me know what other kits you’re interested in.  Pandemic, social media and vendor management are on our list for 2013.

I hope these ideas help out.  We realize you are doing everything you can to keep compliant and the business moving in a positive direction.  Please let us know what else we can do to make your job easier!