In most organizations the supply chain poses significant risks to business continuity and information security, yet it is the least addressed area. The reason is clear: business continuity costs money, and business continuity of the supply chain costs a lot of money.
For example, a customer from the Aero and Defense sector works with many large individual suppliers. If one of those suppliers is unavailable, the entire production line stops.
A possible solution is to qualify additional suppliers with whom the organization will work on a regular basis. But while in a software company working with several external SaaS providers is a common, relatively quick, and cheap process, in an Aero and Defense company with long and expensive production processes it is a long and expensive process that includes vendor certification and quality assurance and takes several months.
Another option is to work with individual suppliers but demand business continuity from them, including alternative production lines and alternative production warehouses. Such requirements can only be imposed if the supplier depends on the organization as its single customer, not on, let's say, a large Chinese supplier working with many customers around the world. In addition, this alternative will cost the suppliers money, and that cost will be reflected in the price they charge for their products.
Another option is to hold safety stock from the supplier. This option works well for some retailers as well as for serial production lines, but when it comes to an expensive weapon system, the extra inventory costs a lot of money, may require decision makers to give up projects for other customers, and may jeopardize the organization's revenue.
The decision to invest money in business continuity has been the main obstacle in every business continuity project we have accompanied in recent years.
The CEO's dilemma, how much to invest in growth (Value Creation) and how much to invest in continuity (Value Protection), can be compared to the football coach's dilemma - how many players to put on attack to score goals (Value Creation) and how many players to put on defense to prevent goals (Value Protection). The balance point depends on the risk appetite, the style of play and the result on the scoreboard. But it is clear that neither defense nor attack can be completely neglected.
While small organizations like start-ups mostly chase new value creation, organizations like big banks or large drug manufacturers spend a significant portion of their budget on protecting existing value, because their business continuity events would affect millions of customers and could cause the organization to collapse.
Resilient Organizations and Fragile Organizations
In the critical process mapping phase, which takes place with senior management, recovery times are defined for all the resources the process requires, such as purchasing inventory, adding a facility or developing a supplier.
In several cases, once management understood that this decision had to be backed by a financial investment, it carried out a "rethink" and decided to extend the recovery times, thus eliminating the gap between the required recovery time and the actual recovery duration on paper rather than by investment.
Therefore, it is very important that the business impact analysis process, which is the key to a good business continuity plan, be done only after management has realized the importance of business continuity and is mature enough to make decisions that require an investment of money and additional resources.
Such management understands well the difference between resilient organizations and fragile organizations:
Resilient
- Balanced between value creation and value protection
- Clear understanding that increasing efficiency can reduce the level of resilience
- Preventative controls to minimize disruption to critical business processes
- Responsive controls for a quick recovery of critical business processes
- Lessons learnt from failures and continuously applied to improve resilience
- Periodic testing and exercises of different scenarios
- Recognition that adequate resources should be allocated for dealing with extreme crises
Not Resilient (Fragile)
- Excessive focus on value creation at the cost of value protection
- Excessive focus on increasing efficiency without adequate consideration of resilience
- Weaker preventative controls resulting in periodic disruption to key business activities
- Weaker detective controls resulting in delayed detection of disruption to key business activities
- Weaker responsive controls resulting in delayed recovery of disrupted business activities
- Lessons are not learnt from failures in a structured manner – the same types of failures recur
- Tests are not conducted, or the scenarios tested are not extreme enough
- Little or no focus on concentration risks
- Belief that allocating emergency resources is sub-optimal, and attempts to minimize them to the bare level that meets regulatory requirements
- No understanding of the relationship between complexity and resilience, and no structured approach to managing complexity
In conclusion, the best team in football is not the one that produces the most value (the most goals) in a season, but the one that manages to score goals while at the same time protecting its own goal, and thus wins most of its games.
Similarly, organizations that want to survive in the long run need to find the balance that is right for them between creating new value and preserving existing value - through supply chain resilience and business continuity.
Head of Cyber Information Security Services
KPMG in Israel
Director, Business Resilience, Cyber Security Services
KPMG in Israel