In the past 2 years, 80% of organisations surveyed had been subject to a disruptive incident due to unplanned IT and communications outages, adverse weather, and outsourced service failures. These unexpected incidents caused devastating consequences with 55% reporting a major loss in productivity and 5% claiming losses of $15 million or more in revenue.
For the most part, the financial and even structural damage incurred was fixable. You’ll see even today when you travel through the CBD of Christchurch, that seven years on they’re still throwing huge amounts of cash at the rebuild. The thing that really ruins organisations is being able to provide tangible assurance to your stakeholders and regulators that you’ve put everything in place to get back to business as usual – and then not meeting that promise.
When you are part of a large organisation that employs people on the ground, run major IT operations and support and service external stakeholders, you have a moral, and legal, obligation to remain resilient and prepared. Here are some tips on how to begin your resilience journey, and get on top of it.
What have others done?
Recently, RiskLogic made its way to Bengaluru, India where we worked with our client, Rakon (based out of Auckland) on an introductory course on Incident Management and Emergency Response. During the training, we identified some of their threats being things like power cuts, loss of IT or cyber attack, loss of skilled staff, flooding and breakdowns of critical equipment.
Rakon found themselves in the position to review their resilience capability through a response from one of their critical clients, Cisco. What this also highlighted to Rakon, a leading manufacturer in quartz crystals, was how resilient their supply chain was.
Similarly, Risklogic has worked with other manufacturers throughout Australia and New Zealand, in particular a well-known coffee and food manufacturer who also have recently felt the disruption a breakdown in critical third-party supplies can have. Southern-based, the earthquakes could have really halted operations for these guys, but they sought support from their wider teams in Australia, they actioned a plan RiskLogic had put in place for them and were able to bring in supplies by sea. Most of all however, they remained calm and kept communication strong.
So, whether you’re building microchips or micro-cookies, have you looked into what your plans are for a third party disruption? Have you practiced them and has your supply chain practiced theirs?
It may be time to answer all these questions by reviewing, practicing and in some cases, seeking external support.
Why should I care?
It’s not a matter of if, but when.
RiskLogic has run over a 100 training and exercises this year alone for our clients and we always start our sessions with the same question, “What do you think is the most likely event to hit New Zealand this year?” Earthquake is always number one, then perhaps adverse weather or a fire, but loss of supply chain seldom comes up.
If an earthquake hits the South Island, you’ll know pretty quickly if key routes north and south are affected. What about if it hits Central Asia, or even Central America? How far does your supply chain reach?
Having outsourced activities or supply chain functions is a very common practice for most organisations. But as you would learn on one of our Business Continuity Certification courses, whether you outsource or not, the responsibility for business continuity remains with you. If you can’t get coffee out the door to your fast food chain or quartz crystals to car manufacturers because an earthquake in Central America means no trucks or trains – your clients will be looking to you for answers, not your suppliers. A classic case of are you the victim of this disruption or the culprit?
If you don’t believe us, ask Nokia how they felt in the late 90’s when their most important supplier experienced what was originally thought to be quite a small fire. The key element that was implanted into all Nokia mobile phone batteries was part of a small but significant manufacturing belt which burned to a plastic mess within seven and a half minutes. Production of all Nokia phones halted worldwide.
Business Continuity, by definition, is about minimising the impacts of an unexpected disruption. So what can you do now to check the resilience capabilities of your organisation? As a basic starting point, ask your third-party suppliers the following questions:
Business Impact Analysts:
- Have all business continuity threats to your organisation been assessed and rated using a recognised methodology?
- Have your critical business functions been prioritised by recovery timeframes and resource requirements?
Business Continuity Planning:
- Do your Business Continuity Plans cover all functions of the organisation?
- Are your Business Continuity Plans up-to-date? (i.e. updated in last 6 months)
Incident and Crisis Management:
- Do you have an emergency framework in place that complies with AS3745?
- Are your Emergency Management considerations linked to your Business Continuity arrangements?
IT Disaster Recovery:
- Is there an appropriate IT strategy for system downtime?
- Are all critical resources and technologies covered by the DRP?
Training and Testing:
- Have all staff been trained in basic Business Continuity principles?
- Has testing covered all business functions and confirmed availability of all critical resources?
Asking these, and many more, questions should provide you with the peace of mind that your supply chain is resilient ready, guaranteeing you should not be affected if they suffer an unexpected event.
How to get started
RiskLogic provide a leading suppliers review where we’ll break down, analyse, and provide high level feedback on what we suggest. This is a great, affordable way to decide whether outsourcing your Business Continuity Program is worthwhile and how it can look.
By going through an Evaluation Checklist, you are going to start building credible questions that you should be asking your supply chain and stakeholders around their resilience. Once you’ve achieved this, you’ll know where to start. But, the most important thing is asking those questions in the first place.
If you would like more information on the Critical Vendor Suppliers Review and how you can implement it, click on the link below to contact us. We’ll chat with you about the most effective way to start this journey and support you when necessary.
Until then, plan, do, check and act…