Manage Supply Chain Risk with a Vendor Resiliency Analysis

As the COVID-19 pandemic fades as a major cause for global supply chain issues other factors have emerged to keep supply chain disruptions in the forefront in 2023. Political conflict in Ukraine, weather extremes, a global recession, labor shortages and even inflation and rising interest rates¹ will likely cause persistent issues for businesses in 2023².

It therefore remains critical for organizations to understand their supply chains, find weak links and take steps to reduce the risks³. The “just in time” supply chains that were optimized for cost and efficiency must now respond to emerging risks such as extreme weather events, labor issues and geopolitical shifts. Supply chain resilience is an imperative for business survival and growth and a key part of the total cost of risk ⁴.

To bolster resilience, risk managers should work with their supply chain counterparts to conduct a vendor resiliency analysis as a primary component of their organization’s Business Continuity Management (BCM) plan.

Conducting a vendor resiliency analysis

A vendor resiliency analysis verifies whether critical vendors can continue to support your organization with their products and services in the event of a crisis. This analysis enables a better understanding of an organization’s risk relative to its external suppliers and provides a rational way to address any supply chain issues and corresponding losses of vendor support. By conducting a vendor resiliency analysis, organizations can gain valuable insight into the following questions:

• Which vendors and business partners are most critical to my organization?
• Does my internal supply chain management group understand each vendor’s relative importance to the organization? Has a system of tiering been established?
• If my critical vendors experience a crisis, how will it affect my business?
• If my organization experiences a crisis, how will critical vendors support my needs?
• Are my critical vendors aware of their prioritization status and what will be expected of them during emergencies?
• How resilient are my critical vendors to relevant risk factors and changing situations, and how robust are their accompanying response and recovery strategies?

The first step is to identify key vendors and business partners by assessing the negative impact that would result from a potential disruption of their support to your business. The negative-risk impact should be evaluated along six variables: operational integrity, financial stability, customer service, regulatory and contractual compliance, operational processes and brand reputation. Various stakeholders will often have different views on the relative importance of vendors to the business. Therefore, it is the risk manager’s responsibility to take a holistic and enterprise-wide perspective of each vendor’s risk and to drive alignment on the set of critical vendors that require the most attention.

After key vendors have been identified, organizations should start by asking whether these vendors have their own risk management and BCM plans in place. From there, risk managers can go a step further by assessing the strength of vendors’ preparedness across the four key components of BCM: emergency response and life safety, crisis management, IT disaster recovery and business unit continuity.

Most vendors will have at least some measures in place across each of these categories (such as fire drills, regular IT backups and crisis communications plans). Others may have more robust business continuity processes if they have experienced an incident or have been asked by an insurance underwriter to create a business continuity plan. Regardless, all organizations should refresh their vendor resiliency analysis on an annual basis — or whenever a change in key customers, vendors or products leads to a meaningful shift in the supply chain.

Addressing vendor risk

A thorough vendor resiliency analysis will often reveal gaps that your company may want to mitigate and address. A few of the most common sources of vendor risk include:

Equipped with a strong understanding of their company’s vendor risk profile, leadership can then make informed decisions about whether to accept, mitigate or transfer some or all of the risk based on their risk appetite. Risk-mitigation solutions include holding more inventory, bringing suppliers closer to home, and exploring new logistics options or other alternatives.

Communication with vendors is also key. Companies can include language in their master service agreement (MSA) that requires vendors to have a business continuity plan and to undergo regular maintenance and exercises. They can also inform critical vendors of their prioritization status and clarify their service-level expectations during an emergency. These steps can encourage your vendors to perform the advance planning and preparation that is necessary to ensure business continuity — for their organization and for yours.

¹ ANALYSIS: From War to Weather – 2023’s Top Supply Chain Disruptors | Bloomberg Law
² Will the Global Supply Chain Crisis Continue in 2023? | My Logistics Magazine
³ “Finding The Weak Link In The Supply Chain: Cyber Lessons From The Aviation And Marine Industries,” Aon, The One Brief
⁴ The World is Still Short of Everything. Get Used to It. | NY Times