#6 – ROLLING RISK DOWN HILL – PAUL KOSTEK – SUPPLIERS@RISK

In this article I’m not addressing the risk of skateboarding or skiing. Rather, when I say rolling risk down hill, I’m referring to allocating risk, and the associated identification and management of that risk, to suppliers.

For example, anyone in the medical device industry will be familiar with IEC 60601 Medical equipment/medical electrical equipment – Part 1: General requirements for basic safety and essential performance. The 3rd edition has been around since 2005, with planned implementation for 2013. I won’t go into the reasons for the long adoption; rather, I want to discuss how this impacts risk management.

This revision now requires suppliers to provide a risk management plan/results as part of their delivery. The challenge is that many suppliers of component-level hardware (e.g. circuit boards) will likely not have anyone on staff with the experience to perform a risk analysis. There might be pushback on doing this work, since previously it would have been done at the integrator level.

If you’re not in the medical business, would you still want to do this? The answer is yes. Even with the issues associated with asking a supplier to perform risk management for their component, just having another set of eyes and ears (we hope people are listening and not just talking) considering risk as part of the design process at a lower level adds value to the overall project. Just think, you’ve now pushed risk consideration down below the top-level system and identified possible problems and solutions early on. It does become another issue for project management to track, but it is better to do this from the beginning than to try to address it at the end, or consider the lost time spent trying to recover from a design issue.

So how do we start rolling (allocating) risk to suppliers? We start with the SoW. This is where we spell out what has to be done and, keeping with the medical example, where we’d invoke the 3rd edition of 60601 for a medical device. You then may need to provide a guideline document on how to perform the risk analysis and report its results. Likely you’ll need to provide a staff contact to support the supplier in this effort. The results would be a standalone report and would also be used in the project-level risk analysis.

The first time out will be painful, but a supplier that gets through this first project will be better prepared for future projects, and considering risk at the supplier level can only lead to improved project performance and product quality.

#3 – SUPPLY CHAIN CONTINUITY – BETTY KILDOW – SUPPLY CHAIN @ RISK

Every company’s supply chain – from procurement through delivery and everything in between – is directly tied to cash flow, profitability, and growth, as well as to essential intangibles such as customer trust, stakeholder confidence, company reputation, and protection of the brand.  In addition, there are increasingly stringent regulations and audit requirements that apply to supply chain risk management.

When a disaster or significant disruption of operations occurs – whether it is internal or external, such as a supplier failure – your operations can be slowed down or even brought to a halt, possibly with grim consequences. Logic tells us that to successfully manage enterprise risk, the supply chain must be fully considered and integrated in a comprehensive business continuity program. Yet despite growing awareness and reminders in the form of an ongoing series of disasters experienced across the globe over the past few years, many business continuity plans still do not adequately address the supply chain.

In alignment with business continuity best practices, here are some of the initial steps to take to identify and mitigate supply chain risks when selecting suppliers.  These guidelines are equally applicable to contractors, outsourcing companies, and other business partners.

 

As a first step, map your supply chain and identify:  critical suppliers (primary and their tiers), single points of failure, single points of contact, as well as internal dependencies including the IT support needed to keep the supply chain functioning.

Caveat Emptor! Gain an understanding of who your critical suppliers are and which ones are high-risk suppliers. Avoid taking on a risk-laden supplier by making certain each of your suppliers is capable of managing their risks and continuing to deliver at a level that meets your requirements even in the face of a disaster.

Conduct an evaluation to gain full understanding of the inherited risks that come with each supplier.  The following list of questions, while not all-inclusive, will help provide you with vital information to consider during the supplier selection process:

  •        What are their risks and vulnerabilities?
  •        Are the supplier’s operations geographically dispersed?
  •        What are the supplier’s logistics risks such as possible port closures, shortage of containers for ocean shipping, and customs issues?
  •        Are there geo-political issues that can cause operational disruptions?
  •        How transparent are their operations?
  •        How vulnerable are their suppliers?
  •        How likely are they to face shortages of purchased raw materials?
  •        How financially healthy is the supplier?
  •        Do they have proven effective security to protect your company’s data and intellectual property?
  •        Will they jeopardize your ability to meet regulatory or legal requirements?
  •        Are their business ethics in alignment with yours?
  •        Does the supplier consider your company a priority customer?

Gain an understanding of suppliers’ risk management capability by asking the right questions about their business continuity program.  Some of the basic questions to ask are:

  •        Do they have a Business Continuity Program?
  •        Is it enterprise-wide or recovery of IT only?
  •        When was the plan initially developed and when was it last tested, reviewed, and updated?
  •        Has the plan been audited; if so, by whom and what were the results of the audit?
  •        Does the plan provide for continuation or restoration of operations that will allow the supplier to meet SLAs and contractual obligations?

A well-developed and maintained business continuity program is critical to successfully managing supply risk and maintaining a resilient supply chain. Taking the steps necessary to identify, assess, and manage supply chain risks will help organizations mitigate and respond to disruptions that can carry serious financial and reputational consequences.

BIO: Betty A. Kildow, CBCP, FBCI, has been a business continuity consultant for two decades, working with a broad range of companies and organizations in the development and implementation of tailored programs to manage risk. Betty is a member of the Peer Review Panel for the Business Continuity Journal and serves as a Board Member of the Institute for Supply Management (ISM) Risk Group. Long a strong proponent of supply chain business continuity, she is the author of “A Supply Chain Management Guide to Business Continuity” (AMACOM 2011), also available in Japanese: 「事業継続」のための サプライチェーン・マネジメント 実践マニュアル, プレジデント社 (President, Inc. 2011). She can be contacted at BettyKildow@comcast.net