I don’t believe that any one of us working in any type of organisation, regardless of whether you’re a small business, a charity, a school or even a sole trader today can operate without the products or services of a 3rd party provider.
We may well have chosen to outsource our accountancy, HR, IT and compliance management requirements. Equally, our clients outsource to us e.g. audit requirements, Data Protection Officer and so on. Our Clients all have a dependency on us to deliver services. Here at Risk Evolves – we’re no different.
We’re great examples of the fact that very few, if any, organisations can operate without the support of a 3rd party. A 3rd party could be providing IT, critical resource, logistics support, payroll services, catering, cleaning etc. And yet, how many of us step back and analyse exactly what we would do if one of those third parties wasn’t available one day.
What happened if they were to suffer a flood to their premises so that they couldn’t operate, if they were to go out of business, cease to provide the service that we are reliant on, be acquired by another organisation – the list goes on.According to the Allianz Risk Barometer in 2016, supply chain disruption was seen as the top business risk. Little has changed in the subsequent years. The cyber-attack in 2017 that impacted TNT and which cost TNT in the region of £220m, there were knock on impacts for other major organisations such as AP Muller Maersk and Reckitt Benckiser.
Whilst this highlights the impact to large business, the same is true for smaller ones. A number of smaller organisations had distribution by TNT disrupted. If your business were to have deliveries delayed, what would be the impact? Loss of revenue? Loss of customers? Late delivery charges? Charges for re-shipment … the list goes on.
I recommend that every organisation reviews their supplier base and categorise them. It doesn’t need to be too complicated. Put into 4 groups :
- Low impact to the business, low risk of an incident
- High impact to the business, low risk of an incident
- Low impact to the business, high risk of an incident
- High impact to the business and a high risk of an incident.
By adopting a risk based approach, you can begin to understand the risk that those organisations may pose to your business and therefore how the risk can be mitigated. This may be achieved in a number of different ways. Perhaps you can audit the business to understand the governance? Can you reduce the risk by asking for evidence of standards such as ISO9001, ISO27001 or Cyber Essentials? Can you seek an alternative provider if your provider were to cease trading?
Classification of the risk that a 3rd party supplier presents will also differ from business to business, organisation to organisation. One size does not fit all. To give you an example. If we didn’t have a cleaner come to the office for a few days, it would be unpleasant, but not critical. We could empty the bins ourselves and we’d carry on. Pretty low impact. But if you’re the ward manager at a hospital, where you know that cleanliness on a ward is critical to the health and well being of patients, the cleaners are critical to the organisation and you would need a plan ‘B’ in place if they weren’t available.
Top tip. Don’t categorise on spend – it has to be done on criticality and impact to the business. Remember the earthquake and Tsunami that happened back in 2011 in Japan? This had a major impact on the car manufacturing industry across the globe. The quake caused the shutdown of a Japanese supplier that was the only global producer of a particular pigment used in paint. The lack of availability of this paint caused serious disruption to the car industry across the globe to the extent that some manufacturers had restrict the specific colour of vehicles for a period of time. Big companies impacted by some paint. Ask yourself, who in your supply chain is your equivalent of the paint provider, and what can you do to reduce that risk?
So, to conclude. No man is an island. How resilient is your supply chain?