REGARDLESS OF HOW LARGE or small an organization is or whether a company manufactures a product or provides a service, its level of success in managing the consequences of any disaster that threatens to disrupt vital business functions depends on what it does now, before the event occurs. To a great extent, successful collaboration, both internally and between the company and the numerous links in its supply chain, determines the success of its efforts to continue or restore operations.
Following a disaster, companies striving to run lean operations may no longer have inventory or excess capacity to make up for production losses, whatever the cause. As a result, supply flow problems can rapidly domino and escalate to become a further disaster for the organization. Customers neither care what created the disruption nor want a supplier’s disaster to become their problem as well. They still expect the final product or service delivered at an acceptable level of quality and at the right time and price. Supply chain continuity strategies must thus address disruptions quickly enough to avoid failing to meet customers’ expectations.
Possible strategies may range from the very basic, such as contracting with low-risk business partners and taking another look at inventory levels, to the complex, such as establishing reciprocal agreements for sharing office or warehouse space, equipment, and personnel following a disaster. Strategies can even involve purchasing a supplier or creating the capability to produce a critical component internally.
It is important when considering possible strategies to balance the benefits with the costs. In most cases, strategies to meet shorter recovery time objectives (RTOs) are more costly and complex. The direct and indirect costs of the strategy being considered and whether or not it will meet the planning objectives established by the BIA must always be taken into account. Once the list of potential strategies has been narrowed down, cost estimates can then be developed. A cost-benefit analysis provides guidance as to whether the cost to implement a continuity strategy will pay sufficient dividends in the form of a quicker restoration of operations following an interruption. In addition to the financial cost, operational pluses and minuses should also be considered. The RTOs for some functions may be lengthened by executive management once the full cost of meeting the originally established time frame is known.
Throughout what can be a tedious process, the focus must remain on the goal: keeping the organization’s supply chain operational by continuing or restoring the business functions identified by the BIA as most time-critical. All options should be considered. Think strategically and think outside the box. Old solutions don’t always work for new problems. Business continuity requires innovative problem solving.
Just as your company developed its processes rather than duplicating those of another organization or buying them off the shelf, you must devise and tailor your continuity strategies to the requirements of the company. Don’t be fooled into thinking that it is possible to just use the same continuity strategies and plans as those used by another organization or that you can simply purchase one-size-fits-all generic strategies, make some minor alterations, insert your company’s name, and expect them to meet the unique needs of your operation.
The role of a business continuity manager is to provide leadership, direction, and oversight to ensure successful development, implementation, and ongoing maintenance of the company’s continuity program. If your organization has a continuity manager or an individual who has ongoing responsibility for enterprise-wide continuity planning, some time should be spent working with this person before beginning the strategy development process. It is important to become familiar with what is already in place, related company policies, standards, and requirements. It is crucial to collaborate with the person in charge of the continuity program to avoid working at cross-purposes, duplicating effort, or developing a planning effort that results in gaps or inadequacies.
You can ensure that the continuity strategies of your supply chain business unit will successfully integrate with those of all other departments to meet stakeholder requirements, regardless of unexpected events, by collaborating with the business continuity manager and continuity team. If supply chain business units do not yet have a seat at the planning table, request that this omission be rectified. Volunteer to get involved in business continuity planning.
Another strategy is to meet with the risk manager or a representative of the risk management department. As there likely are links between risk management and continuity planning, risk management staff will often provide valuable information or assistance. Seeking input and assistance from specialists, other departments, and consultants can also bear fruit. If there is no one in the organization who has ownership of business continuity planning, gather information and do some research and reading to prepare to begin the process working on continuity planning with colleagues in the supply chain business units.
Loss prevention and security specialists should be included when considering strategy options. Should it be necessary to temporarily or permanently relocate operations following a disaster, these business units play a major role in ensuring that the alternate site has sufficient physical security to adequately protect all facets of the operation.
The supply chain’s flow of raw materials, components, parts, and finished goods, as well as information, must be protected from both external and internal risks. Ensuring that the steps necessary to accomplish this are in place is an important planning consideration for those times when the organization is in business continuity mode.
The organization’s insurance specialist is a valuable resource to tap into during the strategy development phase in order to gain an accurate understanding of insurance coverage for supply chain interruptions. In most cases, insurance is in place to cover physical losses such as buildings, equipment, and inventory. In addition, the organization may carry business interruption insurance to cover extra expenses in the event it is necessary to conduct business at a different location because of insured damage at the original place of business. Knowing what continuity expenses business interruption coverage will—and will not—reimburse can be a deciding factor in determining the best continuity strategy for the organization.
When developing strategies, it is important to remember that business continuity does not mean conducting business as usual.
All possibilities should be investigated. Do not immediately adopt the first solution presented. For each situation, there are many possible approaches to consider. For example, when developing a strategy to ensure the continuing availability of a key component supplied by a sole source, options can include:
Doing nothing, crossing your fingers, and hoping for the best
Working with the supplier to develop a mutually beneficial approach
Establishing redundant suppliers
Purchasing the supplier
Begin by again gathering the supply chain managers for a series of brainstorming sessions, this time to identify options for strategies for maintaining or restoring time-critical supply chain operations. The brainstorming can be based on a disaster identified in the hazard assessment as one that is both likely to happen and that would have a severe impact on operations. Each manager can be assigned to tackle two or three of his or her unit’s most time-critical functions. Present a scenario—a brief narrative describing a hypothetical situation and conditions and the likely future when a destructive or disruptive event occurs—in which the managers arrive at work to find that the building is surrounded by yellow caution tape. In this scenario, no one is allowed access to the building or anything inside. Public safety officials report that it will be at least three days until they can allow anyone back into the building. Then, for each function, identify:
How operations would be impacted by the scenario
Current capability to address the situation
How long it would take to continue or resume operations based on current capability
Whether this meets the identified RTO
If there is a gap between the current capability and the identified RTO, brainstorm possible strategies to bridge the gap such as:
Temporarily transferring responsibility for the function to another of the organization’s locations
Temporarily moving the function and the people responsible to another of the company’s locations as well as temporarily suspending non–time-critical functions at the temporary location to make the necessary space available
Developing redundancy by dispersing the function to one or more other company locations
Having arrangements in place to temporarily outsource the function
Building a company facility now to accommodate the function in the event of an actual future disaster that displaces the function
Strategies are a must for two dimensions of every operation: (1) plans for disasters that directly impact the organization, and (2) plans for when a link in the supply chain experiences a disruption that creates a disaster ripple effect.
To be effective, strategies should vary according to industry and the organization’s product or service. For example, manufacturers might opt to have an inventory of additional parts and materials stockpiled in another location—a just-in-case supply—rather than relying solely on a just-in-time approach. Retailers may have additional product ready for immediate delivery to a store in the event in-store merchandise is damaged or destroyed. Call centers can arrange to transfer calls to another location or a backup site or to activate a virtual call center if a long-term power outage or system malfunction shuts down operations at the primary location.
There are also options for continuing functions that cross enterprise boundaries and require collaboration outside the organization, such as with contractors, suppliers, or an outsourced distribution center. When addressing a scenario in which the manufacturing plant of a supplier of a critical part is flooded, considered strategies might include partnering with the supplier to identify an alternate source or arranging for the supplier to maintain an additional supply of the product at a secondary location outside the flood plain. Other options may include having plans in place to re-engineer at a company-owned facility in order to be able to quickly produce the part internally or to work with the supplier to determine if it is possible to replace the part with an alternate product.
For a food service company that thousands of customers rely upon for bread daily, a strategy to ensure a sufficient supply of bread is simply storing enough in freezers to meet the requirements for one day in the event that daily delivery is not received, whatever the reason. This—coupled with having identified an alternate bread purveyor as a backup—covers both short-and longer-term supply interruptions.
When planning for continuity in the event a disaster severely damages or destroys a production facility, dual objectives must be met. Strategies are needed to replace the output of the impacted facility and thus continue to meet customer expectations. Equally important is having strategies and plans for quickly repairing or rebuilding the facility and making it again operational.
Several recent major disasters have shown the importance of developing a supply chain that is geographically diverse. Following Hurricane Katrina, businesses that relied only on local suppliers, contractors, and shippers found their efforts to resume operations brought to a standstill. It is imperative that continuity strategies include making certain that sources for critical goods and services will be available from several geographic areas. Having the necessary agreements in place helps ensure access to products and services that are in high demand and may be in short supply locally following a disaster that impacts the immediate and outlying areas. (An interesting exercise is to locate key business partners on a map to identify situations where multiple suppliers can be hit by the same disaster or where the same disaster can impact your company and one or more key suppliers.)
From a pure business continuity point of view, multi-sourcing is an excellent strategy to avoid a disaster created when a sole source supplier fails to deliver. This strategy encourages competitive pricing and establishes fallback possibilities.
That being said, in today’s business environment, the need to balance efficiency and redundancy is greater than ever before. An increasing number of companies have reduced the number of suppliers, shippers, or service providers they use, some by half or even more, in order to consolidate and negotiate lower prices. Other organizations have created new business units whose sole purpose is to manage company-wide procurement with a view toward even greater efficiencies and cost reductions.
Here again the need to consider both the benefits and the costs cannot be overlooked. Supply chain managers must continually make informed distinctions between the battling priorities of cost-effectiveness and efficient continuity strategies. As just one example of this push-me pull-me quandary, a supply chain manager may implement just-in-time-inventory to maximize efficiencies. But this approach eliminates the possibility of maintaining inventory levels that enable recovery time objectives. Relying on a single high-volume supplier rather than multiple suppliers is another decision that must be made while balancing cost, effectiveness, and continuity.
Consider the strategic continuity merits of giving a small percentage of total orders to a secondary supplier to establish redundancy. Keep in mind that the purpose is to have a source for a product or service in the event the primary supplier cannot meet delivery requirements. Of course, potential backup suppliers must be qualified. It is essential that the redundant provider be agile and able to respond rapidly to unpredictable changes in demand. In addition to standard supplier selection criteria when selecting a secondary supplier, consider:
Whether the company is currently producing at full capacity
The company’s ability to meet increased needs
How quickly and easily the company can expand its capacity if called upon to do so
The ability of the company’s supply network to support any required production increases
To ensure the availability of a critical supply or service provided by a sole source—that is, one company with one location—consider possible options. You might also contract with a single source—one company with multiple locations that fulfill your requirements. You might also have contracts with multiple sources—two or more suppliers each with multiple locations. As with all continuity strategy options, the value of such contracts must be weighed against the potential cost: the benefit, decreased risk of not receiving the required material or service, versus the cost, a more complex supply chain creating additional supply management challenges.
Yet another strategy combines continuity and mitigation. Establish a process to monitor your supply network for potential disruptions and disasters. Avoid disruptions that can result from a combination of a lack of supplier ownership and a lack of visibility. In the event suppliers and logistics providers have insufficient business continuity capabilities, explore the options.
Emerging risks can be identified by tracking details of supply chain incidents such as late or incomplete deliveries. Even the smallest glitches can portend future major disruptions. Be aware of patterns, particularly when problems occur more frequently or accelerate in scope.
Day-to-day real-time supply chain visibility systems can be applied to avoid a stoppage of incoming material resulting from any type of interruption. The visibility system can be used to review supply chain lines and take corrective action such as redirecting other incoming shipments to avoid shortages. Even with the increasing trend toward supply chain transparency, there can still be “black holes,” where shipments seemingly drop off the edge of the earth for a time. Investigate what’s going on in those transparency lapses to improve the ability to head off a supplier disaster.
When suppliers are not disaster-resilient, companies must find new business partners or diversify beyond their usual sources. Should it be determined that the best interests of the company are to change suppliers, contractors, transporters, or other service providers, again, the benefits of doing so need to be reviewed and measured against the possible additional costs that may be incurred. Remember, too, that there is always some level of risk involved in making such a change. Ensure that all possible steps have been taken to reduce the risks connected with the current supplier. Consider whether this is the best time to make a change in suppliers. If you decide to do so, write detailed procedures to provide to new suppliers and transporters to help ease the transition.
Plans for actions to prepare for natural disasters should be created as well. For example, for facilities located in a flood-prone area, develop strategies for reducing inventories, redirecting shipments, elevating equipment, and systematically suspending operations before flood waters are at the doorstep.
Another strategy for consideration is entering into reciprocal agreements, which are formal agreements made by two or more companies or organizations to use each other’s resources following a disaster. These agreements, often applied to the sharing of computer and technology resources, can also be applied to other resources such as facilities, equipment, processing capabilities, raw materials and components, or employee skills.
As an example, imagine that the corporate headquarters of two companies that both produce and distribute computer software are located within thirty miles of one another. Company A’s product is computer games, while Company B develops and distributes a financial software package used by small businesses. Company A has a second facility located thirty miles to the north, where its product is duplicated, packaged, warehoused, and shipped to brick-and-mortar and online retailers. Company B has a similar facility located thirty miles to the south that houses functions that are identical to those performed at Company A’s second facility. Both companies use the same duplication and packaging equipment, operate on an 8:00 A.M. to 5:00 P.M. Monday through Friday schedule, and have excess warehouse space. After testing compatibility, the companies enter into a reciprocal agreement that provides for the temporary use of the other’s facility and equipment should its own location be destroyed, be severely damaged, or be inaccessible for any reason for more than three days. Under the agreement, the affected company would use the other’s facilities from 6:00 P.M. Friday until 6:00 A.M. Monday to run 24/7 operations over the weekend and thereby avoid a total shutdown of production and shipping. Each company now has a backup facility without the cost of building or leasing and maintaining a second location. This arrangement can work because the companies have similar products yet do not compete with one another, are in reasonable proximity of one another, and have comparable equipment.
While this mutually beneficial cost-effective strategy can be successful in some cases, care should be taken with reciprocal agreements. For one thing, you should avoid establishing agreements with other organizations that are likely to be affected by the same disaster as your company. In addition, in some cases, agreements are just not practical. For example, it is not likely that upper management would approve a reciprocal agreement with a direct competitor. There are other factors to consider. Ongoing communication between the parties is a must since changes made by one of the companies can result in it no longer being possible to exchange the agreed-upon resources. It is essential that agreements include very specific provisions defining the resources included, requirements for reporting changes in equipment or processes covered by the agreement, any expected compensation related to the use of resources, and a process for activating the agreement. Work with security and loss prevention to fully consider the potential for physical or data security breaches, and as with any other legal agreement, consult with legal counsel before finalizing the agreement.
Once basic strategies are identified, dig into all related requirements for ensuring continuous business flow such as inventory levels, restocking plans, and the movement of materials, components, and parts and products. Don’t forget to consider the need for skilled people to carry out the strategies.
Each department has responsibility for developing, maintaining, and carrying out business continuity strategies. While supply chain managers focus on planning for their business units, it is essential that all plans throughout the organization are fully coordinated and adhere to all business continuity policies, guidelines, and requirements established by upper-level management. A silo approach to developing strategies will result in plans that are based on incorrect assumptions and expectations and are likely to create chaos and even additional disasters when activated.
Throughout the development process, keep in mind the goal: to protect the organization by ensuring that operations can continue or be restored to an acceptable level within a predetermined time frame.
In the early 1900s, Italian economist Vilfredo Pareto created a mathematical formula to describe the unequal distribution of wealth in his country: 20 percent of the people owned 80 percent of the wealth. Today, the Pareto Principle (also called the 80-20 Rule) has a wide range of business applications, such as:
20 percent of a company’s stock takes up 80 percent of its warehouse space
80 percent of sales comes from 20 percent of the sales force
20 percent of an organization’s staff causes 80 percent of its problems
20 percent of an organization’s staff provides 80 percent of its production
20 percent of the risks to an organization result in 80 percent of its disasters
Yet another application of this principle tells us that 80 percent of a company’s materials, supplies, and parts come from 20 percent of its suppliers. If this is the case, the 20 percent become critical suppliers, also referred to as survival suppliers.
In keeping with the 80-20 Rule, it’s also possible that 20 percent of your suppliers are responsible for 80 percent of your problems and can become your weakest links. An interesting exercise would be to determine if the 20 percent that are critical suppliers are the same 20 percent that create the majority of the problems. If that is true, having continuity plans to respond to any disruption involving that 20 percent becomes an immediate priority.
You should identify your critical suppliers—those that provide essential mission-critical supplies, parts, services, or outsourced processes. The current level of satisfaction with these business partners should be examined on an ongoing basis, such as whether they have sufficient plans in place for continuing operations when disasters occur.
By their very nature, niche suppliers likely belong in the critical supplier category. Niche suppliers are those that specialize in providing a particular type of product or service not available from a great many providers. It is often the case that their products or services are being used by a number of different companies. If a time-critical business function is dependent on a niche supplier that is identified as a single point of failure, it is a necessity that strategies are in place to protect the company when, for any reason, the niche supply or service is unavailable from the usual source.
Reliance on critical third-party providers, suppliers, or business partners can expose the customer organization to single points of failure that both create operational disruptions and prevent resumption of operations in a timely manner. In keeping with the Pareto Principle, it would seem logical to devote 80 percent of continuity strategy development efforts to those identified as critical or survival business partners.
Once possible strategies are identified, I suggest a reality check to be certain that the considered approach adheres to the identified recovery time objective. Start with the RTO and then subtract the time required:
To make all notifications
For people to arrive
To assess damage or operational impact
To activate strategies
To relocate people, equipment, and supplies, if necessary
To restore IT support systems and communications capability
To complete steps to continue or restore the function
I suggest also subtracting another 5 percent of the total RTO to accommodate Murphy, who has a way of showing up when disasters happen.
If the result of this exercise is a negative number, it’s back to the drawing board to refine the identified strategy or come up with a different approach that will result in meeting the RTO.
In order to remain competitive in today’s global economy, some companies have seen a need to contain supply chain costs by outsourcing supply chain and other functions. For example, in recent years there has been an increase in using third-party logistics or other services as a way to improve processes, reduce costs, or both. In this continuing outsourcing trend, no part of the supply chain—from order management to manufacturing and through to the distribution process—is exempt from risk.
At the risk of preaching to the choir, here’s a reminder. Outsourcing processing and services does not transfer responsibility for quality or timely delivery to customers; it transfers only the process. While outsourcing and vendor-managed inventory and shipping can significantly boost supply chain operational efficiency, improve service levels, and reduce costs, the result leaves companies more vulnerable. The risks are still there and are possibly compounded. With critical operations managed externally, there is an increase in the number of interfaces. Operations are just not as visible on an ongoing basis, and there is a loss of direct control, leading to an increase in the number and level of risks. If not proactively managed, outsourcing may become a disaster or slow down the business continuity process when disaster strikes.
The risks in outsourcing include threats to security, availability, integrity of systems and resources, confidentiality, and regulatory compliance. When an outsourcing company performs services on behalf of your organization, increased levels of reputation risk can result. A key to successful outsourcing is to avoid putting your company’s ability to meet stakeholder expectations in the hands of an organization that does not meet your business continuity standards.
List the supply chain and related business processes that your organization outsources such as distribution/logistics, warehousing, inventory control, information technology, procurement and sourcing, and reverse logistics. For each process outsourced, every possible measure must be taken to ensure that the provider is reliable, including:
Checking customer references
Auditing financial stability
Determining if there are inherited security risks from the outsourcing company or middlemen
Fully understanding what could happen and how it would impact the outsourcing company’s ability to meet your requirements if that company experiences a disaster
Asking questions about tier two suppliers and their dependability
Reviewing and understanding the service provider’s continuity strategies to ensure that the provider can restore services critical to your organization within time frames that are acceptable to you
Learning who has ongoing continuity responsibilities such as reviewing, auditing, testing, and maintaining the provider’s business continuity program
Understand the impact on your organization in the event of a partial or complete loss of an outsourcing company’s services. Be aware of whether the company is a single point of failure, and create continuity strategies accordingly.
Determine the advisability of developing internal manual processes to make it possible to bring the impacted operations back in house temporarily, having a redundant supplier of the service, or working with the outsourcing company to create a workable contingency solution.
The upstream and downstream movement of material, components, and finished products—whether locally or globally and by land, rail, water, or air—is indispensable to producing a commodity and delivering it to end customers. Transportation interruptions can result from a number of causes, from frozen rivers preventing the movement of river barge traffic, to flooding or major wild land fires closing highways and railways, to labor actions such as the fifteen-day UPS strike of 1997, which caused severe disruptions to thousands of large and small companies.
Internationally, we have recently seen an example of an ancient risk reappearing to again threaten one of the world’s most important shipping lanes. The continuing threat of pirates, such as those operating off the Somali coast, has serious consequences for maritime commerce. Countries including the United States depend on cargo ships for delivery of oil, petroleum, containers of dry cargo, and quantities of low-cost goods.
Yet whether the disruption is caused by something as sensational as a pirate attack or as relatively mundane as flooding shutting down a major truck route, from a supply chain perspective, a disruption is still a disruption. As a result, transportation links must be fully included in continuity planning. Whether transportation is an internal function or outsourced, and whatever the cause of the disruption, all related threats must be identified, quantified, and ranked, mitigating the risk to the extent possible, and strategies must be implemented to continue or restore receipt of upstream deliveries and distribution of downstream products.
You can ensure that strategies are in place to address transportation-related disasters by:
Determining whether your transportation system is sufficiently diversified
Developing redundancy by using multiple carriers on an ongoing basis
Creating strategies to implement in the event a disaster hits a transportation supplier
Identifying alternate routes for both incoming and outgoing shipments
The same level of attention needs to be given to the continuity planning of shipping companies as is given to all other suppliers and outsourcing companies.
The purchasing/procurement department has multiple business continuity roles. The first is to develop strategies and plans for continuing the department’s most time-critical functions following any interruption. The second is to develop and carry out a rigorous process that results in the selection of supply chain partners that are capable of supporting the organization’s continuity strategies and that have developed an acceptable internal business continuity capability. Equally important is to take proactive steps that make possible the rapid acquisition of services, equipment, and supplies necessary to continue or quickly restore operations when disaster strikes.
Not all suppliers are created equal, and the importance of the business unit responsible for the preventive selection of suppliers cannot be overstated. Whether ultimate responsibility lies with a chief purchasing or procurement officer (CPO), a procurement team, or purchasing department staff, or whether the responsibility is managed within individual business units, the overriding goal is to select suppliers, contractors, and outsourcing companies that contribute to the goals and strategies of the contracting organization, which includes their ability to support a company’s business continuity objectives.
Considerations in assessing each supplier in order to better understand the company and its importance to your organization can include:
Whether the supplier is a single or sole source for a vital product or service
The product(s) or service(s) the supplier supplies or supports
The level of criticality of the product(s) or service(s) the supplier provides
Whether your organization is considered a priority customer
The proximity of the supplier to your facility
The possibility that your company and the supplier can both be impacted by the same disaster
Whether the supplier’s operations are geographically dispersed
How often the supplier’s product is delivered
The inventory level of the supplier’s product(s) typically maintained at your facility
The length of time required to process the order and receive the product once an order is placed with the supplier
The supplier’s history and reputation
The expected level of difficulty in finding an alternate supplier
In addition, the financial health of the supplier is tremendously important in a volatile economic climate. Be sure to request third-party validation of the company’s financial health and operational history. Companies that may previously have been financially sound may experience sudden and extreme financial setbacks that may result in bankruptcy or shutdown.
Significant attention should also be focused on components and services required by time-critical business functions. Rather than looking only at volume supplied or frequency of orders placed and fulfilled, the best indicator of how critical a supplier is to the organization is its role in enabling a time-critical business function to operate as intended on a day-to-day basis and to support the ability to meet the RTO when disaster strikes. Think in terms of making risk-wise selections.
Child-produced products and other unfair labor practices, hazardous waste spills, substandard and unsafe products, bribery in securing contracts, and failure to meet regulatory requirements are just a few examples of unethical business practices that are all too often in the news. When a supplier, outsourcing company, or other business partner is guilty of unethical behavior, we have an inherited business risk. We are, after all, known by the company we keep.
The risks of an ethical misconduct disaster have never been greater because of the complexity of the global business environment. Legal systems, customs, and business practices vary throughout the world, and when operating globally, it is important to understand the variations and how they conflict with your organization’s positive core values, standards, and expectations.
The potential risk of a supplier’s misconduct leading to an operations disruption, harm to your organization’s financial performance, loss of public trust, and a media feeding frenzy can and should be mitigated. Avoid inheriting reputational disasters by factoring into the selection process a supplier’s ethical principles and standards of conduct. Educate your supply chain partners. Familiarize every current and potential supplier and outsourcing company with your organization’s code of ethics and conduct. Make them aware that you conduct supply chain management in accordance with national and international laws, customs, and practices, as well as your internal policies, ethical principles, and standards of conduct. Enact a no-tolerance policy regarding unethical or illegal business practices. Contract with businesses that hold the same high standards as your organization and that manage their social and environmental impacts responsibly. As part of the selection process, ask those vying for your business to provide their code of ethical conduct that outlines their health and safety, labor, environmental, and business integrity standards. In your vetting process, check for any history of unsavory business practices or hint of scandal.
Apply your code to your direct suppliers, and let them know that your expectation is that they will ensure that their upstream suppliers adhere to the same high ethical standards.
Equally import is to be certain that your suppliers walk their talk by demonstrating business practices that match the published code. Conduct periodic ethical audits to ensure that outsourcing companies are adhering to your expectations. Monitor their actions. Let each link in your supply chain know that any regulatory breaches or ethical misconduct will not be condoned and will be taken seriously when you are renegotiating supplier contracts. Make integrity continuity, protection of the ethical reputation of your company, a component of supply chain business continuity management by avoiding partnering with any company or person who does not adhere to your company’s moral and principled standards.
While cost, quality, technological capability and compatibility, customer support, and compliance with the customer’s labor practices, ethical standards, and regulatory requirements must be considered, the supplier’s ability to manage its risks must not be ignored either. Seek to contract with suppliers with a mature business continuity capability.
Customer-supplier relationships are necessarily strategic. Yet despite increased outsourcing and greater reliance on suppliers, it is still not a given that the supplier’s continuity capability is a factor in the selection process. Look at your supply chain from a risk management perspective. Go beyond purely financial considerations and also look at continuity capabilities. Cost savings alone may not seem as sensible if a failure on the part of a time-critical supplier or contractor results in a significant break in your supply chain.
It is important to be knowledgeable of critical suppliers’ level of disaster preparedness and the steps they have taken to prepare to continue business following a disaster that impacts their operations. “We can handle it” is no longer an acceptable response to questions asked of suppliers regarding their capability to continue to meet your requirements should they experience a disaster.
It is essential to include business continuity considerations in the evaluation process when you are selecting new suppliers and reviewing current suppliers. Hearing a supplier or outsourcing company state, “We have a business continuity plan” is simply not sufficient. Even if suppliers have a business continuity plan, it is important to understand how they will support your requirements, where you fit in their continuity priorities, and how quickly they will restore service to your organization when they experience a disruption.
Continuity capabilities within the framework of your organization’s requirements need to be evaluated. If metrics or benchmarking are used in the selection process, ensure that business continuity factors are fully considered in the evaluation criteria.
Beyond just knowing that a plan exists, gathering specific information allows you to gauge the level of continuity preparedness as it relates to your organization’s needs. Ask each supplier, contractor, service provider, and other business partner for the following information:
The scope of its continuity plan—for example, whether it is a comprehensive business continuity plan or a disaster recovery plan that covers only IT
How long the business continuity program has been in place
The owner and the sponsor of the business continuity program
Whether the planning process included a hazard assessment and business impact analysis
The frequency of scheduled training and testing
The date the plan was last exercised or tested
The date the plan was last reviewed and updated
Whether the plan has been audited; if so, when and what were the results
The degree to which all employees are familiarized with the business continuity plan
Whether backups of vital paper and electronic records are stored off-site
Whether procedures are in place to continue or restore minimum service levels following a disaster
How your organization will be supported if the supplier experiences a serious disruption in operations and the plan is activated
A clear-cut time-specific definition of how long delivery of the supplier’s product or service to your company would be delayed within the framework of the plan
Whether the company is confident that it is adequately prepared to handle all unplanned operational interruptions
Any unacceptable or ambiguous responses should be considered a red flag.
When the shoe is on the other foot and it is your company being evaluated as part of a selection process, having a business continuity program in place can be a marketing advantage. Expect that prospective customers will ask you for information about your business continuity capability. Consider what your responses will be when you are asked for the continuity information listed above. Be sure that your responses will meet the potential customer’s requirements to avoid your company being excluded from the selection process.
In some cases, an organization may request a copy of your business continuity plan document. While I understand the need to ensure a supplier’s continuity capability, I believe that there are some serious issues with turning over a copy of your plan, even to a valued customer. Continuity plan documents typically contain some highly confidential, proprietary, and sensitive information such as the names, home addresses, and telephone numbers of employees—including executives and perhaps board members—as well as business strategies, financial information, client information, process flows, and technical specifications. You thus need to avoid plans getting into the hands of a competitor, anyone who could use the information for illegal purposes, or even a terrorist.
Here are a couple of suggestions for giving a customer or potential customer the necessary information while safeguarding confidential information:
Provide a copy of the business continuity mission statement signed by the executive sponsor, the table of contents, the plan overview, the plan review/update record, any audits referencing business continuity, and a record of training sessions, tests, and exercises.
Alternatively, provide a sanitized version of the plan to be read on-site. Issue an invitation to participate in your next scheduled test or exercise, and offer to participate in theirs.
If these options are simply not acceptable and a copy of the plan must be provided, go over it with a fine-toothed comb and omit any and all sensitive, confidential, or proprietary information. Have the edited version reviewed by legal as an additional precautionary measure.
You may be uncertain about the need to review the business continuity plans of supplier tiers. Good judgment and common sense come into play here. Tier one and possibly tier two suppliers should be included, as well as possibly tier three in lesser detail. Conducting a review of the tier suppliers’ business continuity capability beyond tier three becomes superfluous.
The bottom line is to ensure that you have conducted due diligence—in other words, appropriate carefulness, reasonable care and attention, and the degree of care that a prudent person would exercise.
The incorporation of business continuity considerations in each step of the selection process should include interviews with management. Start with the request for proposal (RFP) and have bidders include information outlining their continuity capabilities or use the list presented previously in this chapter of requested information.
When conducting site interviews during the selection process, be aware of potential disasters, both inside the supplier’s facilities as well as in the surrounding area. Notice the safety and security measures in place, particularly in geographic areas where standards are lax. To maintain operational efficiency, many suppliers have only one location. In the event a disaster such as a fire occurs in a single-location supplier plant with no sprinkler system, the entire building could be destroyed. The resulting time required to rebuild or relocate could be months or even longer, possibly leaving your organization with a fractured supply chain in the meantime.
Business continuity requirements need to be included in contract negotiations. Contracts should include detailed continuity time frames that meet the continuity planning needs established by your BIA. A best practice planning process includes developing and maintaining call lists for contacting key individuals for all suppliers and other stakeholders. Contracts should specify that the contractor will make complete contact information available and make prompt notification of any changes to any of the provided contact information. Contracts should also detail how the business partner will fulfill its commitment to maintaining services should it be necessary for the supplier to operate from an alternate location.
A contract clause that requires the vendor or contractor to develop or continue to maintain a business continuity program might also be considered.
Your legal department or legal counsel should be used to build appropriate business continuity wording into contracts and to review any contracts provided by the supplier. For instance, many construction and supply contracts contain a force majeure clause, which is an unanticipated or uncontrollable event or effect that releases the contractor from fulfillment of a contractual obligation. While these clauses may be acceptable in most circumstances, they may not be acceptable from a business continuity planning point of view. (Reading a force majeure provision may result in your eyes crossing and a feeling of light-headedness as you endeavor to gain a full understanding of both the legal language and the ramifications invoking a force majeure clause will have on continuity strategies.) Force majeure events are whatever the contract says they are. Depending on contract language, such events can be a hurricane, tornado, terrorism, labor action, change in ruling regime, transportation shortage, or an unending list of other events. In a global supply chain, there is always an event that is outside your supplier’s control.
A last-resort strategy is to take legal action after the damage is done—when a provider fails to meet service level agreements or contract terms. While there may be some recovery of financial losses, the greater loss is likely to be both tangible, in the form of lost customers and business, and intangible, such as an effect on customer confidence, reputation, and the perception the marketplace has of your organization. A procurement process that gives consideration to a potential business partner’s continuity capability is in the best interest of the organization and all its stakeholders, including supply chain partners.
As contracts come up for renewal, they should be reviewed from a continuity risk perspective. This is the time to reassess the supplier’s continuity capability. Initiate discussions with the time-critical vendors regarding changes in your organization’s business continuity processes and your current expectations of business partners. Let them know that your strategies rely on their level of capability, particularly in the case of single or sole source relationships. Describe your organization’s current supply chain continuity requirements and identify any specific desired corrections to be made by the supplier. Make sure that contract content still serves your organization’s best interests. If there is a service level agreement in place, check to see if it contains required business continuity–related provisions.
Too often, consideration of a supplier’s level of continuity preparedness occurs during the selection stage, but ongoing monitoring is ignored. It is not enough to evaluate only the inherited level of risk a supplier brings to the contract signing. The financial and operational stability of critical suppliers needs to be measured on a regular basis as well. It is important to understand and to continue to assess the supplier’s financial picture. Circumstances can shift quickly and have extremely detrimental impacts on a business. Suppliers can also inherit risks from their own business relationships that may not be obvious in an initial evaluation.
The operations of suppliers, contractors, and outsourcing companies should be regularly monitored. Track incidents, visit their facilities, and when you do, get beyond the executive offices and visit the manufacturing floor and the employee break room if possible.
Managing a global supply network is demanding, and the challenges are multiplied when there are a large number of suppliers. If tracking systems are available at all, there are often significant system disparities and the data that is available is often fragmented and inaccurate. Managing suppliers in this environment necessitates establishing requirements for consistent metrics and measurements. When the supply chain is international in scope, you should develop an understanding of global risks and be aware of political and environmental changes that impact your supply chain.
If a scorecard or other metrics is used to evaluate suppliers, it should include supply chain continuity factors such as when the continuity plan was last audited and updated, the date of the most recent tests and exercises, and the extent of employee continuity training. Used effectively, the scorecard becomes a valuable communications tool when encouraging suppliers to establish or enhance their business continuity program.
In addition to ensuring that the organization contracts with disaster-resilient business partners, procurement business units play an important role in supporting the strategies to be employed when a disaster occurs.
These units identify specialized vendors and contractors who will carry out or support continuity strategies and make available as-needed purchase orders. Pre-identifying the companies and providing them with a purchase order or crate and ship agreement now saves valuable time and gets requests for materials and services filled before those who wait to act until the disaster happens. These agreements can make the difference between successfully meeting RTOs and experiencing serious delays. These agreements can be particularly helpful when a disaster impacts a wide area and services such as cleanup and salvage are in great demand.
Some organizations have a complex and lengthy procurement process. Consider your organization’s contract and purchase approval procedure and how long it takes. Having the resiliency needed to meet continuity requirements may include developing a streamlined procurement process that can be temporarily activated as necessary in order to quickly arrange for needed supplies, equipment, and services following a disaster.
In addition, review how many signatures are needed to approve contracts and purchase orders and to sign checks, as well as the number of individuals authorized to sign these documents. Consider whether it would be beneficial to have a post-disaster policy that temporarily either decreases the number of signatures required or authorizes additional individuals to sign the documents.
A relationship always exists between a customer and a supplier whether it is good, bad, or ugly. To best meet the continuity needs of both, consider working to elevate the relationship to a mutually beneficial, collaborative, integrative partnership. This entails both relationship management and supply chain management. While today’s supply chains may be highly automated, business continuity does not rely on technology alone. It is through a collaborative approach—partnering with your suppliers, contractors, and shippers—that the most effective supply chain continuity strategies are generated. For some, this is a new way to look at supplier-customer relationships.
Forward-thinking organizations are following today’s supplier-customer trends. These include establishing long-term relationships, having supplier management take steps to improve performance through a formal evaluation process that has as its goal mutually beneficial change, and forming strategic partnerships—trusting relationships with key suppliers. When suppliers and customers truly partner in addressing business continuity, the end result is mutually beneficial continuity strategies, a win-win for all involved.
While it can take some work to change a relationship that may have been adversarial into a cooperative one, in the long run, the dividends are well worth the effort. When developing supply chain business continuity strategies, use a cooperative approach among all those involved in your supply chain. View suppliers, domestic or international, as strategic partners. Develop and then build on good relationships with suppliers, forwarders, logistics services companies, brokers, and contractors, just as you do with your customers. Work with your supply chain partners.
Suppliers are stakeholders that want to have you as a customer, yet they have their own hazards and continuity requirements. Meet with time-critical suppliers and discuss your business continuity planning goals with them. When visiting key suppliers, meet with their leaders and discuss what your organization’s business continuity program is all about. A non-adversarial intra-organization partnership approach to business continuity can make a positive and significant difference in how successful your organization—and partner organizations—can be in continuing or more rapidly restoring operations following a disaster. Share information and ideas. Consider not only your organization’s needs but those of the partner organization.
To be effective, this approach requires that both parties are open about the risks they face. For tier one suppliers, this should include identifying threats that are inherited from tier two suppliers.
It is reasonable to assume that working with you has benefits for your suppliers. Let them know your expectations. A basic step toward accomplishing this is to include continuity readiness as a factor when awarding future contracts. True continuity partnerships require that companies collaborate directly with their suppliers. Establish business continuity performance measures and reward suppliers who consistently meet or exceed the performance indicators. Keep the lines of communication open. When suppliers fall short of the continuity performance goals, discuss performance issues promptly to provide them with an opportunity to quickly correct them. Establish a process that will lead to a cooperative approach to resolving any issues that arise. A partnership in the planning process lays the foundation for greater collaboration in developing and carrying out continuity strategies.
While it is important to convey the message that there are expectations for supplier business continuity competency, at the same time, it is also important in an overall program of customer-supplier collaboration for you to provide information, guidance, and assistance. In the event a business partner does not yet have a business continuity program, avoid an “us versus you” approach by simply dictating what they “should do.” Instead, initiate an ongoing dialogue.
It can be useful to see your interest in business continuity planning from the perspective of a supplier or other business partner. While suppliers need to take responsibility for and have full ownership of their own business continuity programs, a customer requirement for such a program may be the primary driver. Put yourself in the place of suppliers whose customers are demanding that they initiate business continuity planning several months after a contract is in place. Likewise, imagine that you are a supplier and, while preparing to respond to a request for proposal or in the middle of negotiating a contract renewal with a customer, you first learn of newly added business continuity requirements. Presumably, you would not be pleased. In some cases, suppliers and contractors are much smaller than the organization they supply and have limited resources to initiate a continuity program. Help your suppliers by providing them with your requirements early on and encourage them to take responsibility for their continuity programs.
In addition, providing a reasonable amount of hands-on assistance to help suppliers develop a business continuity strategy may be worth consideration. This can include:
Sharing business continuity standards and policies
Providing sources for business continuity training
Presenting supplier business continuity workshops to provide them with a better understanding of your organization’s continuity requirements and guidance in developing their own program
Offering project management assistance with the planning process, such as a project outline with a suggested timeline and milestones
Sharing planning templates and tools
Including suppliers and contractors in your business continuity training sessions and/or exercises
Offering business continuity planning coaching
While opting to take advantage of any offered assistance is strictly the decision of the supplier, these steps will show your organization’s willingness to cooperate rather than dictate.
When a disaster occurs, prepared supply chain partners are in a better position to leverage each others’ operational capabilities if realistic advance planning has been done to define mutual expectations, roles, and responsibilities, and redundant communications and information sharing tools. Partnering with your suppliers is certain to pay dividends.
Very few organizations have IT as their business, yet in today’s business world, technology is fundamental. It has enabled business to make enormous strides and continues to allow us to conduct business more efficiently, but it is often taken for granted. Companies—both manufacturers and service providers—recognize that recovering technology alone will not restore business functions and processes. Nonetheless, technology is a critical piece of the continuity puzzle that must be included to complete the picture.
While business continuity is not a technology issue, disaster recovery is the technology component of business continuity and is the IT department’s business continuity plan. Computer and communications systems are the center of complex procedures that underpin a wide range of business and management activities. Expanded use of the Internet and the growing reliance on e-mail has made even short-term system downtime unacceptable. Not that many years ago, upon completion of business impact analyses, e-mail was not often seen on the list of time-critical IT support functions. Today, BIA results for most organizations place e-mail at or near the top of the list of critical IT functions.
The supply chain’s dependence on technology has never before been greater than it is today, creating a critical need for IT support. Advancing technology has brought about great advancement and equally great challenges. The growing reliance on receiving and viewing documentation from supply chain partners is just one example of this reliance. While the IT department may have an excellent disaster recovery plan to restore technology infrastructure, recover networks, and restore applications, supply chain IT requirements may inadvertently be overlooked or not fully considered during the development of disaster recovery strategies and plans.
This oversight may result from the lack of full inclusion of the supply chain in the business continuity process or from a bottom-up planning process driven by the technology departments and having as its goal the development of only a disaster recovery plan rather than an all-inclusive business continuity program. When planning is done from the top down, a business continuity analysis is conducted by the business continuity planning group, and disaster recovery planning is based on meeting the requirements established by the BIA.
Business continuity is an operational and staffing problem, not a technical problem, yet the dependence on technology to provide support to the critical functions and the staff performing them is omnipresent. To retain a global competitive edge, companies throughout the world that have largely automated their manufacturing operations must consider the impact of technological disruptions and disasters on those operations. The proliferation of automation that has resulted in more cost-effective and agile manufacturing has also created a greater need to have coordinated, integrated business continuity and disaster recovery plans in place.
To illustrate the reliance many companies have on technology, consider an enterprise resource planning (ERP) system— an integrated information system that serves all departments within an enterprise to coordinate manufacturing processes to enterprise-wide back-end processes—to manage sales and purchase elements of supply chain operations. The data stored in an ERP system (such as suppliers, customers, materials, components, and parts) and the internal process flows and control functions within the system (such as sales order entry, generation of purchase orders and invoices, inventory control, distribution, and work orders) integrates the once-fragmented end-to-end business processes throughout the entire organization. In addition, the ERP system may link to external systems or have embedded accounting functions such as payables, receivables, and general ledger entries. The reliance on the ERP technology that controls internal functions from sales orders, picking, packing, and sales commissions to inventory, distribution, invoicing, and processing of returns and chargebacks is indicative of how dependent today’s supply chain operations are on technology and the importance of full inclusion of supply chain requirements in disaster recovery planning.
A fundamental disconnect often exists between IT and the other business units, creating a communications and collaboration challenge. Bridging that gap is a must when developing business continuity strategies and plans, and this requires working with the IT department’s disaster recovery manager. While the IT department has chief responsibility for disaster recovery and the restoration of computer systems, data, and communications systems, it is imperative that supply chain managers provide input and feedback during the process to ensure that the resulting plan meets supply chain needs.
Those involved in business continuity planning, even if not directly involved with the workings of the organization’s technology, can benefit from having a basic understanding of the technology required to continue or resume operations. Just as important, the person in charge of disaster recovery planning must be aware of time-critical functions in all business units and fully understand what technology and electronic data are needed to support the continuity of those functions and how quickly each function must be operational.
In all businesses, it is critical to gain an understanding of whether and to what degree the supply chain was considered when the disaster recovery plan was developed, what level of priority was assigned to supply chain IT support components, and the assigned RTO for each of the time-critical supply chain technical elements. This can be achieved by using the supply chain map. (See Chapter 5.) Overlay the IT functions that support and connect critical supply chain functions. Work with an IT representative to make sure that all IT support needs can be met, including the flow of information. As a supply chain professional, you are not expected to be fully knowledgeable about IT and the related technology that support your operations. What is necessary is that you and the IT professionals who are responsible for disaster recovery in support of business continuity strategies and plans fully understand the recovery needs of the supply chain and have plans in place that support those needs. This involves asking whether supply chain applications, databases, and connectivity were included in the last test and, if so, what the results of the test were, including the recovery time.
If your data backup policies, technology, and procedures are not well thought out, other aspects of disaster recovery planning are greatly diminished. Backup is the foundation of a successful disaster recovery strategy. Be aware of how often supply chain data is backed up, the technology used, how often the backups are taken off-site, and where they are stored. Ascertain whether electronic vaulting is used to immediately move data off-site to a secure location. When a disaster occurs, it is important to know how long it will take for supply chain data to be restored.
IT must be kept in the loop regarding any process changes to ensure that those changes are reflected in disaster recovery plans. Sharing knowledge between the technology and supply chain business units is critical when disaster strikes, as well as having tremendous value on a day-to-day basis.
A fundamental element in effective business continuity strategies is the establishment of alternative methods for operations. Whether a disaster impacts the entire organization or results in only a loss of IT support, individual departments have responsibility for planning how they will continue or resume critical operations.
Plans and procedures to cover technology outages should be part of each department’s strategies. Interim procedures that may be used by a business unit to enable it to continue to perform its critical business functions during temporary unavailability of IT support systems are commonly referred to as work-around or user-react procedures. These procedures are documented in department continuity plans to provide guidance and instructions for continuing the department’s most time-critical functions while interrupted IT support is restored.
Work-around procedures should be developed as part of the department planning process and are activated when the physical plant is undamaged and accessible and the data center is experiencing a major outage.
Consider whether manual processes are possible for some time-critical functions in order to allow operations to continue while electronic systems are restored. Avoid business-as-usual thinking. While work-around procedures are not usually pretty, since they are slower and necessitate that transactions still must be entered into systems once they are restored, they can prevent a full stoppage of many time-critical functions.
A situation I experienced not long ago provides a simple example of how work-around procedures can prevent a minor disruption from becoming a disaster. Arriving at the front door of a large home furnishings store one morning, I found handwritten signs on locked doors stating “Closed—our computers are down.” A work-around procedure to remedy this situation would have begun with cashiers pulling out printed step-by-step procedures, receipt books, hand-held calculators, and credit card slide machines. While less efficient, this work-around would have made it possible for the store to open its doors and continue to sell product and provide customer service while the automated system was being restored. The end result is an inconvenience, rather than a disaster resulting in lost sales, lost customers, and damage to reputation and brand.
In developing department business continuity work-around procedures, an approach I’ve found effective is to open the discussion this way: “Our computer systems are expected to be down for three days. We need to identify how we will complete the tasks identified as time-critical without the use of a computer until restoration is complete.” Avoid asking, “Can we accomplish that critical function without the computer?” The answer will most likely be, “We can’t.” Instead, assume at the outset that there is a way to accomplish the time-critical tasks.
While not necessarily under the disaster recovery umbrella, a comprehensive planning process will address the need for infrastructure to support operations as well. In today’s world, we need electric power, telecommunications, water and wastewater service, and perhaps natural gas to keep our operations running. These utilities are not referred to as lifelines for no reason.
The blackout of 2003 that created a power disruption across eight states in the United States and parts of Canada was a strong yet short-lived reminder of our dependency on the utilities we often take for granted. While memories of the 2003 power outage continue to fade, smaller power outages continue to regularly occur.
A growing number of companies have installed power generators, the capacity of which ranges from powering only emergency lighting to fully powering every part of the facility. It’s important to know whether your building has emergency generators and even more important to know exactly what they power and for how long. Making incorrect assumptions about what in your department is powered by the generators can have serious consequences when the lights go out. Also be aware of what equipment in each business unit has an uninterruptible power supply (UPS)—an alternate short-term power supply, usually battery-powered, to maintain power in the event of an electrical power outage. Power and telecommunications providers are suppliers and can be identified in the BIA as single points of failure. Since more power and telecom disruptions result from lines being dug up by backhoe operators than from terrorist attacks, it is likely that your power or telecom outage will be local in scope. Explore the feasibility of having power and telecom lines coming into your building from two different locations or having secondary suppliers.
Make no assumptions. Request that necessary adjustments be made to ensure that infrastructure services are available to support continuity or rapid restoration of time-critical functions.
An area that has recently garnered greater attention is the human factor of business continuity. Horrendous events like 9/11 forced companies to consider what would happen if employees were lost and whole buildings destroyed. While our hope is to never again experience such an event, people issues must be included when developing continuity strategies. Most human resources issues arise when a disaster results in denial of access to your facility or when people are not available to do the work. In the event your location is not accessible, have plans in place for your people regarding issues such as where they will work, who will relocate, and who will manage business continuity processes.
Recently, the potential for a widespread pandemic received a great deal of attention on local, national, and international levels with the global emergence of a new strain of the H1N1 virus (commonly and incorrectly referred to as swine flu). Media coverage kept the topic in the news as the World Health Organization (WHO) monitored the situation and advised the public of the changing worldwide pandemic alert level.
In spite of daily coverage in the broadcast and print media and warnings from health officials, it was difficult for many people and organizations to take the pandemic threat seriously. There is every indication that a majority of businesses opted not to develop formal plans for responding in the event that the global pandemic threat became a reality, or that they simply ignored the issue altogether. No historical data and information exists as to how a full-scale pandemic would impact today’s business economy and day-to-day operations. However, in the event the current pandemic threat level is raised or a future pandemic threat appears on the horizon, Appendix C provides a Pandemic Planning Guide that can be used for reference—just in case.
When developing continuity strategies, fully consider the human factor—the people who keep the supply chain moving. Imagine this scenario: A disaster destroys your primary business location. Business continuity planning strategies include shifting critical operations to a nearby alternate facility, which is now open with critical equipment and IT support installed and operational. One critical factor is missing. No employees show up. Even technically sophisticated systems and equipment require people to keep operations running smoothly.
Succession planning is needed for all critical skill levels— not only for executives and senior leaders. Employees should be cross-trained to ensure coverage for all identified time-critical business functions for times when those with primary responsibility are not available. This requires initial training and ongoing hands-on practice with guidance and direction from the person who has primary responsibility for the work. In some cases, it is necessary to arrange for required certifications and licensing. Most employees appreciate the opportunity to learn new skills sets, and this helps ensure that there is backup to cover functions when those primarily responsible are not available. In addition, when in continuity mode, it may be necessary to continue operations on a 24/7 basis. Having additional qualified people provides the necessary support to make this work schedule possible.
You should create and maintain up-to-date, documented procedures that will allow backup personnel to carry out critical business functions. To the extent possible, a manual of detailed work-around procedures should be developed in the event full IT support systems are not functioning.
Encourage and assist employees in preparing their homes and families for disasters. I have read business continuity plans that call for employees to “immediately report to work” following any disaster. In the event of a widespread natural disaster, the reality is that most employees will report only once they are assured that their loved ones are taken care of. Having a family disaster plan in place enables employees to move quickly to take care of family needs and then report as assigned.
When a disaster occurs, all employees can be kept informed through the use of an employee 800 number, e-mail, the intranet, or one of the increasingly sophisticated electronic notification systems. Employees want to know about the status of the disaster and its immediate and future impacts on the organization. They need to know what they are expected to do, such as when and where to report to work or if they are to stay at home until notified otherwise, and when updated information will be available.
Maintaining contact with employees, other company locations, customers, suppliers, contractors, regulatory agencies, shareholders, and other stakeholders—anyone essential on a day-to-day basis—is a critical element of business continuity. Often overlooked or given insufficient attention, continuity communications strategies need to be established and detailed in your business continuity plans.
Situations initially viewed as minor annoyances or small emergencies may turn into disasters if adequate stakeholder communication is not maintained. Being prepared to manage requests from print media, radio, and television can help ensure that media coverage does not become a secondary disaster as a result of not being well managed.
Identify the supply chain links with whom your company needs to communicate when a disaster occurs. Include both those who have an actual need for information and those who believe that they need information. In the case of the latter group, remember that if you don’t provide information, they will most likely get it elsewhere or even “create” their own answers.
In addition to employees who want to know what they are to do and how the crisis will impact them and their jobs, it is important to have strategies in place for keeping those who may have heard about a crisis and who have a vested interest in your company in the communications loop. This includes customers who need assurance that the products or services they receive from you will still be delivered on time at the quality level they expect and suppliers who need to know of any changes to orders, delivery schedules, or delivery locations.
Effective strategies address the four components of effective disaster communications: (1) getting the right information to the right people at the right time, (2) the technical capability to communicate, (3) clearly communicating the information, and (4) rumor control to prevent misinformation.
Start with emergency communications basics:
Implement enterprise-wide emergency calling systems and procedures.
Coordinate contact processes throughout the organization to avoid duplication or omissions.
Standardize notification lists, and review them for accuracy and updates no less than quarterly.
Ensure that call notification lists include all contact information such as cell phone, text, home phone, second home phone, work e-mail, and home e-mail.
Make certain that call notification lists for business continuity team members include both primary and backup team members in the event primary persons are unavailable or do not respond.
Brand all call notification systems—calling trees through sophisticated electronic systems—with identifiable names so that the person answering the phone is immediately aware of the call’s importance.
Include key supplier, contractor, and outsourcing company representatives in call notification processes.
Have multiple options for emergency notification.
Your post-disaster communication with stakeholders such as transportation companies, customers, and suppliers will be timelier and more effective if, before a crisis occurs, there is preassigned responsibility for keeping key contacts informed. Identify who will establish and, as necessary, maintain contact with whom and how. As with all others who have business continuity responsibilities, have a backup for each person who is assigned communications responsibility.
Create a database of key stakeholder contacts that is maintained and updated frequently. Present your information to all stakeholders quickly and honestly. As appropriate, provide frequent updates on how you’re doing in responding to and recovering from the disaster. While they will sympathize with your plight, customers need to know how your situation impacts them, and specifically whether the service or product you provide will be delivered as scheduled.
If not already in place, consider enacting a company policy that employees are not to give any statements about the company to the media. Not everyone is skilled at giving interviews, and having a no-statement policy benefits both the organization and its employees. It protects employees from possibly being responsible for incomplete, incorrect, or proprietary information making its way to the front page of a newspaper or from being the source of a damaging sound bite on an evening news broadcast.
Also, consider how your company’s Internet presence can be used to communicate your message when a crisis occurs. An additional preassigned continuity role can be a person or persons who facilitate use of the Internet to contact identified stakeholders and keep them advised of the company’s actions in responding to the disruption. The role can also encompass making information available to the general public.
Educate employees about the importance of following the company’s media policy and provide them with information about to whom to refer media representatives. Include complete and accurate contact information. Having a reporter with a microphone ask for your opinion or having a news camera bearing down on you can be compelling. While reporters have the right to interview anyone they want, everyone has an equal right to decline to be interviewed. Having a “no comment” policy and knowing to whom to refer media representatives provides direction and makes it easier for employees to decline to comment.
The importance cannot be overstated of making the necessary internal notifications following a disaster. To prepare for successful disaster communications, develop and regularly maintain notification lists, including immediate internal notifications to be made in each type of crisis, such as executive managers, public relations, security, human resources, and legal. Designate how each person will be contacted and by whom. Include business and home contact information such as land-line telephone, cell phone, PDAs, and e-mail. In addition to laminated cards listing company emergency contact numbers carried by all employees, those with continuity responsibilities can be provided with cards listing numbers they will need when the business continuity plan is activated.
Disaster communications capabilities should be tested often. Update all contact lists and contact information in electronic notification systems. Ensure that those assigned communications responsibilities receive complete training with periodic updates and refresher training. Develop communications redundancies and test the technology on a regular basis.
For any organization, remaining up and running no matter what is good business. To do so, develop a risk-intelligent culture within your supply chain business units. While the focus of business continuity planning addresses major interruptions and disasters, it also allows an organization to reduce downtime during routine events. When developing continuity strategies, make sure the process encompasses all links. Consider the supply chain big picture, internal and external; plan for backups for people who carry out critical functions; and understand IT systems and the other technology that supports supply chain operations. Select risk-resistant business partners, continue to monitor the financial status throughout the term of the contract, and provide assistance in business continuity planning to your suppliers.
Determine whether the business continuity capabilities of suppliers, contractors, and outsourcing companies are considered in your procurement or selection process.
If yes, review the business continuity planning standards that suppliers and other business partners are expected to meet.
Determine the time frame for when IT systems that support your department’s operations will be restored following a disaster that impacts the data center.
Find out whether there are streamlined procurement processes that can be activated if needed.
Review your organization’s emergency contact procedures with all department employees.
Check contact lists of employees, suppliers, contractors, and outsourcing companies to be certain the information is accurate.
Ascertain whether cross-training is available to qualify additional employees to carry out time-critical tasks.
13.58.230.203