Reduce Supply Chain Disruptions with Continuous Vendor Management

We are all aware of the issues that occur when there are supply chain disruptions. They have impacted countries, battles and companies throughout history. Not getting supplies or services when you need them stops progress.

When times are good and things are running smoothly, it’s really easy to ignore your supply chain. But when things turn bad, and you can’t get the products or services you need when you need them, you realize how important it is to have a plan for when supply chain disruptions do occur. This is really highlighted when things become personal.

One current example is the toilet paper situation that’s been going on during the COVID-19 crisis. There is toilet paper out there, but it is not packaged for the average consumer. The commercial side of toilet paper production has the product we need, but not in the form we need. Most households do not have the large dispensers that we see at airports or the office. Also, toilet paper for commercial use is shipped in such large quantities that it is not feasible for consumers to buy a gross of toilet paper rolls at a time.

Last week, the Secretary of Agriculture spoke at the White House. In his statements, he reassured the public that America had food and a good supply chain. He also mentioned that the demand for commercially packaged foods was down since restaurants and other large food service areas like schools are closed. This also means that any stockpiles of supplies in this area are not in the form consumers could easily use. Not every household can use a one-gallon can of green beans for dinner. But again, consumers who are now at home are not able to get the food that they need because it is not distributed in consumer-sized packaging nor is it available in grocery stores.

While none of us could have predicted we’d need to modify our ‘personal supply chains’ to deal with these types of disruptions, companies certainly can. And should.

Every organization relies on vendors, suppliers and other third parties to meet their business goals. Yet, for many organizations, the only time they focus on these third parties is when something goes wrong. It’s critical to have a handle on vendor and supplier relationships every day of the year, not just during a pandemic. This requires having critical vendor information at your fingertips, such as key contacts, terms of contracts and information about your vendors’ own pandemic plans.

It also includes knowing how they maintain important controls over their systems and, perhaps more importantly, your data. Hackers have been incredibly active during the pandemic. Yet most of the security standards out there like SOC, ISO, and NIST have organizations look at their vendors at least once a year. That may not be good enough for some of your riskier vendors, especially in the new paradigm we find ourselves in now.

In situations like the one we have today, you may need to evaluate your due diligence on a more regular basis. This can be in the form of a full review, or just a monthly confirmation that Service Level Agreements (SLAs) are being met. If SLAs or other contractual obligations are not met, then it is important to raise that fact. If the vendor is having issues meeting SLAs during the good times, how can you expect them to meet them during anomalies such as our current crisis? Businesses need to ensure they are continuously managing their vendor and supplier relationships so they can be responsive when supply chain disruptions do occur. Only then can we effectively assess and manage the risks a vendor may pose.

 

Author: Pat Osborne

Job Title: Principal | Executive Consultant - Information Technology, Security and Compliance
Organization: Outhaul Consulting, LLC

Pat Osborne, Outhaul Consulting’s Principal, is a CISSP and is certified in ISO 27001 and as an ISO Certified Lead Auditor. Pat has a broad knowledge in multiple facets of the information technology space and extensive experience in information security and compliance, including FISMA, HIPAA, ISO, CMMC and PCI. Pat also has strong experience helping organizations develop their security programs and security training.
