It has become increasingly important for organizations to understand their supply chain and vendor risks. This article explores the rationale and the steps for conducting a vendor resiliency analysis—as well as actions to address and mitigate vendor risk.
The COVID-19 pandemic has underscored the fragility and interdependency of our global supply chain. In recent months, automakers have suspended production by up to 40% as a result of the enduring shortage of computer chips. In the U.K., the National Health Service has advised a possible delay in administering blood tests due to a supply disruption. And around the world, widespread bottlenecks of shipping containers have led to empty store shelves and prolonged delays for everything from shoes to electronics to furniture.
These examples remind us how critical it is for organizations to understand their supply chains, find weak links and take steps to reduce the risks. The “just in time” supply chains that were optimized for cost and efficiency must now respond to emerging risks such as extreme weather events, cyber threats and geopolitical shifts. Supply chain resilience is an imperative for business survival and growth and a key part of the total cost of risk.
To bolster resilience, risk managers should work with their supply chain counterparts to conduct a vendor resiliency analysis as a primary component of their organization’s Business Continuity Management (BCM) plan.
Conducting a vendor resiliency analysis
A vendor resiliency analysis verifies whether critical vendors can continue to support your organization with their products and services in the event of a crisis. This analysis enables a better understanding of an organization’s risk relative to its external suppliers and provides a rational way to address any supply chain issues and corresponding losses of vendor support. By conducting a vendor resiliency analysis, organizations can gain valuable insight into the following questions:
- Which vendors and business partners are most critical to my organization?
- Does my internal supply chain management group understand each vendor’s relative importance to the organization? Has a system of tiering been established?
- If my critical vendors experience a crisis, how will it affect my business?
- If my organization experiences a crisis, how will critical vendors support my needs?
- Are my critical vendors aware of their prioritization status and what will be expected of them during emergencies?
- How resilient are my critical vendors to relevant risk factors and changing situations, and how robust are their accompanying response and recovery strategies?
The first step is to identify key vendors and business partners by assessing the negative impact that would result from a potential disruption of their support to your business. The negative-risk impact should be evaluated along six variables: operational integrity, financial stability, customer service, regulatory and contractual compliance, operational processes and brand reputation. Various stakeholders will often have different views on the relative importance of vendors to the business. Therefore, it is the risk manager’s responsibility to take a holistic and enterprise-wide perspective of each vendor’s risk and to drive alignment on the set of critical vendors that require the most attention.
After key vendors have been identified, organizations should start by asking whether these vendors have their own risk management and BCM plans in place. From there, risk managers can go a step further by assessing the strength of vendors’ preparedness across the four key components of BCM: emergency response and life safety, crisis management, IT disaster recovery and business unit continuity.
As part of your vendor resiliency analysis, assess each vendor’s risk across the four components of BCM:
- Emergency response and life safety: Incident-based emergency response to minimize injury to personnel and damage to company assets
- Crisis management: Strategic management of the event, including internal and external communications to protect reputation and brand image
- IT disaster recovery: Technological recovery and restoration of data-center services — possibly at an alternate location — and computing capabilities
- Business unit continuity: Preparations to identify the impact of business interruptions; formulate recovery strategies; develop business continuity plans; and administer regular training, exercise and maintenance
Most vendors will have at least some measures in place across each of these categories (such as fire drills, regular IT backups and crisis communications plans). Others may have more robust business continuity processes if they have experienced an incident or have been asked by an insurance underwriter to create a business continuity plan. Regardless, all organizations should refresh their vendor resiliency analysis on an annual basis — or whenever a change in key customers, vendors or products leads to a meaningful shift in the supply chain.
Addressing vendor risk
A thorough vendor resiliency analysis will often reveal gaps that your company may want to mitigate and address. A few of the most common sources of vendor risk include:
- Single-source vendors: When organizations depend on a single vendor for a critical input, vendor failure can result in immediate and significant interruption to critical business operations. At a minimum, these companies should have a contingency plan that identifies alternative vendors, if available, and the companies should consider diversifying their suppliers.
- Personnel risks: If your vendor’s operations are dependent on one or two critical staff members — for example, key IT personnel who are necessary to keep the computer systems up and running — this can pose a serious threat if they suddenly leave the organization. It is important to ask your vendors to identify any single points of failure in their processes and to address these dependencies where possible.
- Single manufacturing or distribution centers: Vendors that rely on a single manufacturing plant, warehouse or distribution center are more likely to experience an outage in the event of a natural disaster, geopolitical shifts, shipping delays and other catastrophic events. Organizations should be aware of the geographic footprint of their vendors, as well as any third-party logistics providers that also pose similar risks.
Equipped with a strong understanding of their company’s vendor risk profile, leadership can then make informed decisions about whether to accept, mitigate or transfer some or all of the risk based on their risk appetite. Risk-mitigation solutions include holding more inventory, bringing suppliers closer to home, and exploring new logistics options or other alternatives.
Communication with vendors is also key. Companies can include language in their master service agreement (MSA) that requires vendors to have a business continuity plan and to undergo regular maintenance and exercises. They can also inform critical vendors of their prioritization status and clarify their service-level expectations during an emergency. These steps can encourage your vendors to perform the advance planning and preparation that is necessary to ensure business continuity — for their organization and for yours.