How confident are you that you do in fact have clear line of sight regards all your interlinked supply chain risks?
If you felt any hesitation in answering the above, you could be significantly exposed with regards your supply chain resilience and continuity. This could be affected by insider threats or lack of effective maturity on the part of third-party vendors and suppliers that you have placed significant reliance on in meeting your objectives, goals and targets.
The impact of the global pandemic has certainly highlighted for many organisations, just how significant their lack of preparedness was, to deal with the impact, the pandemic would have on their operations over the last several months. The pandemic and resultant lockdowns have brought to light the gaps in the organisations ability to predict, assess and mitigate what is still to come relating to supply chain risks.
As a result of weak resilience and an inability to clearly identify and manage supply chain risk, stemming from the lockdowns or other crisis events has:
- Created shortage of supply to meet consumer demand as a result of unplanned and predictable delays from material events such as the financial collapse / closure of key suppliers or government restrictions around industries or imports and exports’
- Created circumstances where teams are unable to maintain and meet the requirements and obligations of service level agreements or other contractual obligations, compounded in many situations by managements lack of visibility and understanding of the various dependencies in their organisations.
Given the critically low levels of GRC maturity we regularly see within midsize and large multinationals organisations, it is no surprise that so many find themselves in various levels of reactive crisis management, rather than proactive crisis preparedness and risk mitigation.
No business should be in the position where they have not completed detailed and comprehensive Business Impact Rating exercises or supply chain exposure exercises. Such exercises need to include risk evaluation assessments and composite risk scenario analysis with resilience tests. Unfortunately, given that GRC related activities are still not considered critical core business functions and as such are done in silos or not done at all. The true impacts of this immaturity culminate when an unpredicted event, such as a global pandemic, emerges – organisations, overnight, see the tangible impacts/losses/events due to their exposed and unaddressed gaps in risks relating to supply chain management in real time. Mature and prepared organisations are able to address the unusual from a base of informed decision making and locked and loaded business continuity plans.
How to plan to be prepared – 6 steps in ensuring you are not in the dark when a crisis presents itself:
(1) Implement a process of ‘Context of Your Organisation’ information discovery:
- There are a number of approaches to go about this exercise. The organization context discovery exercise should be completed with all functional heads and critical role players within the workshop so as to ensure no aspect of the organization context is not considered. The Business Impact Rating exercise should include consideration of not just supplier dependencies but also aspects such as the nature of the business, the legislative and regulatory change scenarios, the existing and future IT landscape, the workforce, political climate and economic change impacts. There are many key areas that should ideally be considered and captured to a centralized information management system, equipped with the right functionality to engage the right key stakeholders.
(2) Detailed Business Impact Assessment including a full data and IT landscape mapping exercise:
- A BIA exercise is often found to be lightweight and executed through excel spreadsheets. This simple approach exacerbates the siloed and hidden information challenges that exist still in so many organizations. Technology needs to be used efficiently to capture this type of information across the organization and allows for all key role players to be involved and engaged in such an exercise.
(3) Risk Evaluation determining the impact on objectives – Vendor / Supplier Risk Assessments
- 1 and 2 above done well, allows the right focus to ensure that the risk evaluation step is relevant and meaningful, and no gaps are created in the process. This approach also helps to mitigate the risk assessment evaluation process from being an excel based check box approach. It is critically important that all key suppliers / vendors identified in 1 and 2 above are effectively evaluated through an efficient vendor management process.
(4) Define and activate the Crisis / Supply Chain Task Teams, inclusive of all stakeholders:
- Information centrally gathered, known, and understood will support your internal and supply chain partners to determine the cross functional activities needed to be put into place to ensure that visibility is maintained at critical task level on an ongoing basis.
(5) Scenario plan, considering impact for the short, medium, and long term and build out your Supply Chain Ecosystem Response / Resumption Plan
- Scenario analysis and development of continuity plans must be done again, as in step 1, with all the relevant key stakeholders, this will include engagement with key critical suppliers and vendors. It is extremely important for both client and vendor to understand their respective roles, dependences, and responsibilities within the end to end supply chain risk scenario.
(6) Launch the digital insights
- All the building blocks are now in place to be able to build an effective integrated reporting framework which will support transparency and visibility with the right processes in place for early warning detection and alert notification.
The above 6 steps are not the only approach but certainly proven as a workable approach. Many organizations often tend to start at 6 and then try and work backwards, the problem with this is that they tend to miss the vital steps of the data / information discovery achieved in 1, 2 and 3.
Should you be interested in defining your level of maturity to determine your business resilience, click the link below to sign up for an online maturity assessment of your organisation. https://www.rubiqbiz.com/maturity-assessment/