A funny thing happened on the way towards building a Pandemic Plan; we wondered if our vendors, suppliers and partners had a Business Continuity Management (BCM) program and/or a pandemic plan as well. How novel. This was a bit shocking that there was suddenly all this talk about vendors and suppliers needing BCM program and related plans. I mean, shouldn’t they have had these before? You can’t tell me that no one had thought about this prior to the H1N1 pandemic this year. Didn’t we think of this when SARS hit – or at least after SARS hit (for those countries hit by it)?
If we – as an industry – believe that every corporation / organization / company should have a BCM program (or BRP Program or Disaster Program or any other name you want to give it) then this ‘sudden’ realization that we need to investigate out vendors is truly surprising.
In my personal view, before I would sign up with a vendor or supplier, I’d want to know about their BCM program and their Information Security processes and quite a few other things. Before I sign on the dotted line, I want to make sure that the product or service I’m purchasing has at least a reasonable chance of continuing when disaster or some level of strife erupts. Any vendor that ‘wing it’ when a DR hits isn’t going to get my business because I know they aren’t prepared. And let’s face it, if they don’t have a program in place then what’s that say about how they feel about their employee’s health and safety and the relationships they want to develop with customers – me. It says they just want my money while they can get it.
Still, not all vendors and suppliers are like this. Many have plans and program in place and take it quite seriously. It’s these companies that I would do business with and would want to build a relationship because I would know (as a BCM person) that they are serious about ensuring I – as the customer – continue to receive my products or services under any circumstance. That’s real customer service at work. It also tells me that they really do take seriously the well-being of their employees because if – as many corporations state – employees are their #1 asset/resource/concern, then a BCM program and everything related to it would ensure their safety first.
Here’s just a few considerations you might want to think of when you’re looking for a new vendor or supplier. Make some of these your criteria for choosing them and compare the responses to other vendors, which you might have done through the Request For Proposal (RFP) process. Remember, this is just a few ideas related to vendors and isn’t intended to be a formal list about BCM RFP’s. Some will be considerations you need to take when they – the vendor – has a situation, which can cause a situation for you.
- Communications (Between Partners) – What are the established communications lines or better yet, what are the expectations between you and your partner should one or the other experience a disaster? How will they let you know they have a situation? Should they just call ‘Sally’ or ‘Joe’ in the call centres or should they be calling someone higher up the food chain when a disaster strikes? Who should you call when you experience a disaster? Is the expectation that you’d contact the Director of Client Service or someone else? Communication is a key point between partners so make sure you understand how they will be managed when you become partners. Of course, there may be a level of expectation when all things are running smoothly but when one of the other is experiencing and issue and it will impact the other, then there are going to be new expectations, so find out what they are.
- Communications (Internal to You) – What are you going to tell you staff when a key vendor has an issue? Remember, many of your staff may have built relationships with some of the people they deal with. If one person from a vendor comes to your office everyday – let’s say to deliver a package – and they find out that that vendor has had a major disaster; your staff are going to be thinking of that delivery person. The vendor may have a name and fancy logo but for some the vendor is that delivery person. Make sure you’re sensitive to this kind of information, as your people could be affected by the disaster based on their relationships. I personally have had this occur to me. I was on the phone almost everyday with a vendor (in a different role than BCM by the way) but when I heard his place of work had a fire, my first thought was that I hoped he was OK. Again, the face of the vendor for me was this guy who I spoke with everyday – not the big corporate office or fancy corporate logo; it was him. So be aware of internal communications and how best to approach and present the situation. Who knows, some people may be traumatized and you need to ensure they get some support.
- Communications (External – Your Clients) – You may have an open relationship with a vendor but as a customer of yours, I don’t care. Sure, I might be sensitive to your partner/suppliers plight but so what – I deal with you and want to know what you are going to do for me. I’m waiting for a delivery from you, which I need to make sure I receive in time or I miss my deadline and my boss isn’t going to be happy. Consider what you’re going to say and do for your clients that may be impacted as a result of the disaster with your vendor. As a customer my business is with you, not your vendor. Sure, I feel bad they have a disaster but it’s not them I’m dealing with – it’s you. What are you going to do for me and how are you going to ensure that I still receive the product or service I’ve paid you to delivery? If your clients are going to be impacted, you need to ensure you have an appropriate communication strategy (and maybe a contingency strategy) in place when a key vendor of yours isn’t available.
- Deliveries – If the main method of delivery isn’t available, what are the alternate methods a vendor has in place to ensure delivery of their product or service? It could be instead of email (if it’s down) they will fax you information. Or if their delivery trucks aren’t running – for whatever reason – they have a contract in place with UPS or FedEx to ensure deliveries continue. Find out if they have these sorts of things in place. It will certainly help when they have a business disruption that hinders delivery of what you’re expecting from them.
- Onsite Vendors (Shared Sites) – Sometimes you’re in a large facility shared by many various corporations. Sometimes, these other companies are actually vendors or partners you have contracts with. Let’s choose something like a specialized print shop. In one case I now of, an Agency contracts to the print vendor who is located within the same building and has a very close relationship with them. However, it isn’t know what would happen if the facility became unavailable and the Agency and the print vendor were longer so close. It’s known what the Agency will do and where they will go (they are still developing their program at this time) but it’s unknown what the print vendor will do. The vendor has said it will do what the Agency needs but then again, the print vendor is also doing jobs for others within the same facility, so it can’t develop a BCM strategy based on one client. IN fact, it even stated once that it would go to the same “DR” location as the agency but the agency doesn’t have the print capabilities there or the equipment used (meaning, it’s not bought separate equipment that can be used by the print vendor and collecting dust at the alternate/”DR” location). However, it’s know the print vendor has an alternate site and can operate from there. But this brings up other questions; How do we send jobs to the vendor? How do we get our jobs delivered and where? These are just a few things to think about but there are all sorts of impacts to be considered when sharing a space with a vendor. Have you thought what you’d do if you and a vendor were hit by the same crisis and were located in the same place?
- Contingency Activations – What contingencies will you need to activate if a key vendors business is disrupted? As an example, for one company (Insurance Company) I did some work for, part of the process was to submit forms to a vendor and they delivered back and information card – like a credit card – for our policy holder. The question I had for the company was, ‘What do you do when that delivery is delayed and the policy holder is waiting for it?’ What contingency measure and/or what communication did they have to implement if the outage looked like it would be more than just a day or two. They enhanced their communication plan to address any policy holders who might be affected and made sure that they’d contact them immediately upon notification of a delay because in some cases, people might have needed these cards to get medical treatment and drug plans. They put in place a process that would extend the benefits to the policy holder in the event that the card was delayed. The contingency was small and has never been used but at least they know they’ll be able to service their own clients if their vendor has a disaster. So it’s these kinds of things that need to be addressed.
- Partnership Criteria Requirement – If you are seeking a new vendor to provide some sort of product or service, you usually query quite a few good corporations with the RFP process. Within the RFP are all sorts of questions you want answered to see if they are good enough for you to continue to seek a partnership. One of the things you’ll be asking is the price of services (or products) so that you have an understanding of what you’ll be paying for their partnership. This is a key criterion for deciding whether or not to do business. Another criterion could be the establishment of a BCM program. Do they have something in place and what does it entail? You will find out what vendors have a program and which ones don’t. This might be a deciding factor in the final decision if vendors are pretty even on many other categories. Read #9 below for some further comments on this.
- ‘Just the Fact, Ma’am’ – Do we really need to know the nitty-gritty details of a corporation BCM plan and program? Not really. What we want to know is that they have one and that the major aspects are covered; Crisis Mgmt Team, Communications, Technology Recovery Plan (TRP) in place etc. We don’t need to see these plans and audit them – I wouldn’t vote for that myself – but we would want to make sure that they have something in place to ensure we won’t be immensely impacted by them should they experience and situation. I know of many companies that develop a one or two page document that outlines their Continuity or Disaster Program that they distribute to clients, partners and potential customers. It doesn’t contain details but it does at least provide confidence to others that they have something in place. Ask if they have something like this because it does just provide the high-level facts of their program and let’s you know they take their operations seriously – and you seriously.
Pandemic may have brought some of this to the forefront of BCM/DR thinking but it’s nothing new. Anytime you do business with a corporation you want to make sure you’re going to get what you need, when you need it regardless of any mitigating circumstances. So be open about disasters and what the expectations and considerations are on both sides of the partnership, as any crisis or disaster will have larger impacts that you imagine. And you don’t want to loose your customers because someone else had a disaster.
The new book by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3, “Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility.” Available at www.stone-road.com **