Thursday, April 17, 2008

Your supplier suffers a disaster: The case for ISO 27001

You've built out your disaster recovery plan. You've tested it. You are meeting your objectives. You keep your plan updated with regular reviews and testing. You've mitigated your risks and have systems and processes in place to handle any disaster that comes your way. You feel confident in your plan. Then one of your suppliers suffers a disaster. They cannot ship the raw materials you need. Now your supplier's disaster has become your disaster!

This should only be a bad dream. A large enterprise would have established risk mitigation practices to ensure that multiple suppliers are available for critical raw materials. A number of years ago I toured the manufacturing facility of a large PC server hardware vendor. While there, I posed a question on this subject, and they readily indicated that they source from three different manufacturers. Not only that, they audit each shipment to ensure the component quality meets the standards they have set. Furthermore, they regularly alternate between sourcing manufacturers to ensure that the process for integrating an alternate component is always running well -- a sound and tested backup plan.

I suspect that all large enterprises source critical components from multiple suppliers to ensure a supplier's disaster never hurts the enterprise. But what about supplies for noncritical business processes? A large European enterprise approached me with an interesting question on this subject. They were in the process of updating their risk analysis for secondary back-office processes and stumbled across what appeared to be a risk from their chosen supplier of desktop PC equipment. They required localized keyboards for PCs in branch offices in the various countries in which they did business -- just as the French, German and Italian languages are different, so are their keyboards. They happened to know that their PC supplier's localized keyboard production facility was located in France. What if that facility were destroyed or compromised in some way? Would their supplier be able to build an Italian keyboard in another facility? They had not negotiated that requirement as part of their supplier agreement with the PC manufacturer, and realized they needed to update their PC supplier requirements. This is what they proceeded to do, ensuring that they would no longer be exposed to this risk.

What happens if only one supplier exists for a critical component? I'm sure you can think of a situation where this is the case. I've spoken with a smaller manufacturing company that sells about $250 million of product per year. They build highly specialized products that target the oil exploration industry. Two suppliers of one of their components exist in the market, but only one of those suppliers is able to produce the component with the quality that the company requires. This is a risk for the company, but they just plug along hoping that a large disaster never hits their supplier. Their only mitigation is to keep large quantities of the component on hand in reserve. I asked them if they had ever requested proof of business continuity plans from their supplier. They had not. Furthermore, they haven't created comprehensive business continuity plans for their own business operations: only about 20% of their business processes are covered. I have found that this is the case in many small to medium-sized businesses, especially those that have been growing rapidly.

What I found surprising is that for the past 10 years, this small manufacturing company has focused on process efficiency, lean manufacturing, Six Sigma quality and efficiency improvement, and has been ISO 9001-certified for about 15 years. But even with all of that, if their one supplier suffers a dramatic disaster, all of those quality improvement and lean manufacturing efforts will have been for nothing. (And yes, I keep bugging them about this, but the desire to rectify the problem has to come from the top.)

I've spoken to many other enterprises that demand proof of viable business continuity plans from their suppliers. And just as many of these enterprises have their own customers demanding proof of business continuity plans from them. I have noted, however, that these supplier/consumer proof-of-business-continuity-plan requirements occur ad hoc. I have not seen a standard used in the United States. The ISO 27001 Information Security Management System certification standard is the only corporate-level certification standard that includes business continuity among its required controls. It is almost three years old now and has seen some uptake in Japan. One caveat when using it this way: an ISO 27001 certificate applies only to the scope the organization declared for its management system, so ask a supplier for the certificate's scope statement and confirm that it covers the facilities and processes you actually depend on. I'm hoping that corporations around the globe will begin to obtain ISO 27001 certification and demand the same of their suppliers as a proof point that suppliers have plans to survive any disaster the world throws at them.

Are you looking at ISO 27001 and demanding this certification stamp of approval of your suppliers?

Author: Richard Jones, VP and Service Director for Data Center Strategies, Burton Group

Source: http://searchdatacenter.techtarget.com