RIMS BCM TL Deck v2

RIMS 2014
Building a Resilient Supply Base in Response to Global Shifts
Business Continuity Management
April 28, 2014
Recording of this session via any media type is strictly prohibited.
Globalized service and product sourcing increases the need for vendor resiliency management
• $3.2b: Average Fortune 500 loss in market cap as result of a reported disruption**
• 8%: Companies confirming all key suppliers had business continuity programs in place to manage disruptions*
• 85%: Companies reporting a supply chain incident or disruption during the year*
• 40%: Companies reporting a supply chain incident or disruption, where the disruption occurred below tier 1 suppliers*
• 44%: US companies who considered supply chain disruption in business continuity programs*
* Source: Business Continuity Institute, 2011-2012 ** Source: World Economic Forum; PwC analysis
What companies are saying?
“Different operations are focused on their own priorities and I do not have an end-to-end view of our supply chain’s resiliency.”
“We are definitely managing supplier risk, but I don’t think we are managing supply chain risk across all possible dimensions.”
“We are being regularly hit with disruptions and rarely see them coming.”
“We don’t have a good understanding of our place in the supplier’s customer prioritization stack.”
“If we are having difficulty understanding our key suppliers’ resiliency, I can only imagine how difficult it is for them to do the same with their critical suppliers.”
Challenges and the Path to Effective Vendor Resiliency Management
• Balancing efficiency with resilience in the face of continuing volatility and
heightened uncertainty.
• Continued growth in operations complexity and economic-induced supply/demand
volatility, as well as increasing vulnerability of networks to disruptive events
• Limited visibility to vendors, networks and products across the supply chain
• Limited internal supply chain risk and resilience resources
Map the Vendor Risk Landscape → Vendor Resiliency Prioritization → Understand Resiliency Integration Needs → Validation → Respond
Map the Vendor Risk Landscape
If your company has a business continuity program, there should exist a current Business
Impact Analysis (BIA). The BIA provides a detailed, foundational view of how interruption
events (e.g., loss of technology, reduction in personnel, loss of facilities, and loss of third
parties) can impact the organization.
These third parties include supply chain participants, service organizations, technology
support providers, HR process enablers, financial intermediaries, and a multitude of external
organizations critical to your operations.
The BIA answers two important vendor resilience management questions:
1. Which vendors will have the most impact on my organization if they suffer an interruption,
and how quickly will the impact materialize?
2. How do my potential crisis recovery strategies involve my critical vendors?
Vendor Resiliency Prioritization
Not all critical vendors are equally important to the organization, and not all customers are
equally important to those vendors. Taking a risk-informed approach, the following selection
criteria can help identify the most critical vendors:
1. Revenue and inventory impact from loss
2. Proximity of the vendor and logistics
3. Capacity utilization (performance and capacity of the vendor)
4. Service level agreements and right to audit
5. Potential impact on service/product quality during rapid vendor changes
6. Exposure to labor, country, and geopolitical risks
7. Level of vendor integration with your technology
8. Correlated risk (natural and man-made hazards, geographic concentration, availability, and
reliability) amongst individual and clustered vendors
9. Regulatory exposure and cross-border issues
Understand Your Resiliency Integration Needs
The best comfort comes from assessing the quality of the vendor’s resiliency and recovery
capabilities in areas that are integral to your organization’s operational resilience. This
information is documented within the organization’s BIA and should include, at a minimum:
• A list of the goods and services provided by the vendor
• A list of the processes within your organization that consume the vendor’s outputs, or rely on
a vendor to complete the service/product delivery cycle
• A description of where the vendor’s activities are geographically performed
• A determination of the point at which a vendor interruption crosses the threshold of criticality
• A description of possible regulatory impacts from a vendor’s lack of resiliency
• A description of the vendor’s role during an interruption and business process recovery
Validation
Once critical vendors have been risk-ranked and resiliency questions developed, the process of
obtaining and validating the vendor’s resiliency and recovery capabilities begins. The following
are six best practices that will aid your vendor resiliency interaction and analysis:
1. Ensure that the majority of your resiliency inquiry communications with the vendor originate
from the individual who owns the vendor relationship.
2. Your point person should speak directly with the individual responsible for maintaining the
vendor’s resiliency and continuity program.
3. Enlist the vendor as a resiliency partner, since interruption events at either end of the
relationship continuum will affect both parties.
4. Obtain relevant portions of the vendor’s BIA and Risk Assessment.
5. Use a tailored version of international business continuity standards as a basis for vendor
inquiries.
6. Have the vendor describe its response to a prior potential or actual crisis event. Ask for the
impact thresholds where they would contact customers in advance of, or immediately after, a
crisis event.
Respond
The final vendor resiliency management program phase is responding to the vendor’s resiliency.
Critical vendor interruption risk reduction strategies can include:
• Maintaining higher inventory levels for at-risk items
• Collaborating with the vendor to improve its resiliency
• Creating limited “backup” vendor relationships that can be activated quickly
• Implementing more robust business continuity practices for the affected business processes
• Replacing the less resilient vendor to reduce risk.
Conclusion
To achieve comfort around vendor resiliency and recoverability, it’s all about transparency, asking
the right questions and pushing the right levers. The more foreknowledge you have — about your
own needs, the capabilities of your vendors, and the robustness of your resiliency plans — the
more comfort you’ll have.
For detailed information about PwC’s approach to Vendor Resiliency Management, please stop by
our RIMS booth for a copy of ‘Business continuity beyond company walls: When a crisis hits, will
your vendors’ resiliency match your own?’ by PwC’s Performance GRC practice.
About Your Presenters
Phil Samson is a Principal in PwC's Performance Governance, Risk and Compliance practice responsible for
leading Business Continuity Management services in the US.
• Phil has over 28 years of experience serving the operational and technology risk management needs of his
clients, and 20 years of experience assessing, designing, implementing and testing business continuity
and crisis management programs. One of Phil's podcasts on business continuity can be found at
http://www.pwc.com/us/en/increasing-it-effectiveness/podcasts/business-continuitymanagement.jhtml and PwC's perspective on business continuity is at
http://www.pwc.com/us/en/10minutes/business-continuity-management.jhtml, which is also available as
an iPad or Android app.
Neil Kaufman is a director in PwC’s Performance GRC Business Continuity Management (BCM) practice.
• Neil has over 21 years of management consulting, operational and crisis communications experience
(business, technology and operations) across multiple industries. He has designed, led and overseen
delivery of hundreds of plans and tabletop exercises across senior leadership teams and business
functions for his clients.
• Neil is 2013's "Consultant of the Year" in the Awards of Excellence Program from The Disaster Recovery
Institute International (DRII). He has published articles on Business Continuity Planning solutions and
concepts and their real world applications. Neil is a Certified Business Continuity Professional (CBCP).
Thank you