Business-to-business dependencies create the opportunity for great benefits. But if a disaster strikes any company in the supply chain, the risks to all are equally great.
At Ryder System, customers routinely vet their supply chain partners to ensure that they meet minimum standards for robustness and security. "If they can't make the cut, we won't do business with them," says Chuck Lounsbury, senior vice president of sales and marketing at the Miami-based transportation, logistics and supply chain management services company. "We don't want to jeopardize the capabilities of all the other companies involved."
"It is a matter of working together," adds Richard Arns, executive director of the 'Chicago Research & Planning Group', which spun off a post-Sept. 11 effort called the Security Board. A key lesson from the terrorist attacks, he says, is that organizations should enlarge their circle of preparedness.
But that message may not be getting through. One survey conducted last year showed a sharp increase in the number of companies with crisis plans, drills or simulations. Yet only about a third of those companies reported having ongoing and backup emergency communications plans with their suppliers.
To make their operations truly disaster-resistant, IT managers should determine if business partners are ready to handle a disaster, experts say. Then they must work closely with those suppliers to achieve parity in their disaster recovery efforts and get their recovery times in sync. Here are some more tips:
TIP: Tighten SLA language
A good starting point, says Roberta J. Witty, an analyst at Gartner, is the language of the service-level agreement. SLAs are normally applied to IT providers but also offer a framework for talking about critical IT support from partners. But that's only the beginning. Witty says IT managers should conduct an internal inventory assessment to determine which points outside the enterprise are critical to a company's functions. They should then extend the process to suppliers.
"Have a conversation with them about what the risks are within their own supply chain," she says. "You are outsourcing functions; maybe they are, too." It may be worthwhile to line up backup suppliers for your outsourced services so you have more redundancy -- and encourage partners to do the same, says Witty. In any case, at each step in the supply chain -- including with your internal operations, your outsourcers, your suppliers and their outsourcers and suppliers -- there needs to be a credible recovery plan, she says, "or their disaster will become yours."
And nothing beats testing. Whenever possible, it's a good idea to include partners in your own tests and vice versa, Witty says.
TIP: Test ERP connections
Jim Grogan, vice president of alliances at SunGard Data Systems, says he's seeing more clients embrace the ideal of the real-time enterprise. And enterprise applications, such as ERP software, that support that vision almost invariably have links outside the organization.
"We encourage (clients) to do an information-availability study of their trading partners and suppliers, even if they have to foot the bill," he says.
Most worrisome to Grogan is the fact that many organizations have entrusted key business processes to software -- to the point that unaided humans would have difficulty handling those functions on their own.
"Even a few years ago, you could count on someone being able to get on the phone and fix things," he says. Likewise, Grogan notes, phone communication used to be planners' first priority. But not anymore. "Now, everyone tells us that the first thing they need to get back in business with partners is e-mail," he says.
At a granular level, Grogan says SunGard always looks for potential single points of failure within a supply chain, such as a server, switch or cable upon which many operations depend. Companies also need to coordinate their recovery plans because for many applications, particularly ERP, "systems are connected in real time with others that may have different recovery times or different recovery points, which can complicate efforts to get back to business," he says.
TIP: Secure partner communications
It's also important to look at the security of business partner communications because glitches in that area could precipitate a disaster. Nick Brigman, vice president of strategy at RedSiren, an IT security management firm, says it's important to understand whether you're connected to partners via a private network, a virtual private network or the Internet.
One of the best ways to enhance the security of that communication is to assign "least-privileged" accounts to partners that define the nature and even the volume of expected traffic, says Brigman. This not only eliminates potentially spurious communications, but it also provides a basis for detecting abnormal activities, he says.
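As an added illustration (not from the article or from RedSiren), here is how a per-partner profile of allowed message types and hourly volume can double as a detection baseline. The account names, message types, limits and log lines are all constructed.

```python
from collections import Counter
from datetime import datetime

# Hypothetical least-privilege profiles: what each partner account may send
# (nature) and how much per hour (volume). Names and limits are constructed.
PROFILES = {
    "acme-logistics": {"allowed": {"PO_SUBMIT", "SHIP_NOTICE"}, "max_per_hour": 3},
    "globex-parts": {"allowed": {"INVOICE"}, "max_per_hour": 2},
}

# Constructed sample log: timestamp, partner account, message type.
SAMPLE_LOG = """\
2024-03-01T09:05:00 acme-logistics PO_SUBMIT
2024-03-01T09:10:00 acme-logistics SHIP_NOTICE
2024-03-01T09:20:00 acme-logistics USER_EXPORT
2024-03-01T09:30:00 globex-parts INVOICE
2024-03-01T09:31:00 globex-parts INVOICE
2024-03-01T09:32:00 globex-parts INVOICE
2024-03-01T09:40:00 unknown-vendor INVOICE
2024-03-01T10:05:00 globex-parts INVOICE
"""


def audit(log_text, profiles):
    """Return (timestamp, account, reason) for every event outside its profile."""
    findings = []
    per_hour = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, msg_type = line.split()
        profile = profiles.get(account)
        if profile is None:
            # An account without a profile has no expected traffic at all.
            findings.append((ts, account, "no profile: deny by default"))
            continue
        if msg_type not in profile["allowed"]:
            findings.append((ts, account, f"message type {msg_type} outside profile"))
            continue
        hour = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")
        per_hour[(account, hour)] += 1
        # Report once per account and hour, at the first event over the limit.
        if per_hour[(account, hour)] == profile["max_per_hour"] + 1:
            findings.append((ts, account, "volume above hourly limit"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, PROFILES):
        print(*finding, sep="  ")
```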
Finally, John Jackson, vice president of IBM Business Continuity and Recovery Services, says business-to-business dependencies make it critical for companies to "get together and do a business impact analysis to determine how their individual recovery times could be made to mesh."
"In some cases, companies find that they are doing far more than their partners, and their partners either have to catch up, or they need to consider spending less, since they won't really get much benefit," he says.
Communication infrastructure is the key, Jackson adds. Partners, especially smaller ones, may not have the knowledge needed to ensure robust and resilient performance. And they may just need help to get there.
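The mismatch in recovery times that Grogan and Jackson describe can be made concrete with a small calculation, added here as an example that is not part of the article. It assumes each party states a recovery time objective (RTO) in hours and lists the parties it depends on; all names and figures are constructed.

```python
# Constructed dependency map: each party's own RTO in hours and the parties
# it needs before it can resume. All names and values are hypothetical.
PARTIES = {
    "our-erp": {"rto": 4, "needs": ["carrier", "parts-supplier"]},
    "carrier": {"rto": 8, "needs": ["carrier-hosting"]},
    "parts-supplier": {"rto": 6, "needs": []},
    "carrier-hosting": {"rto": 48, "needs": []},
}


def effective_rto(name, parties, _path=()):
    """Return (hours, limiting party): the slowest RTO in the dependency chain."""
    if name not in parties:
        # A dependency with no stated plan cannot be counted on to recover.
        return (float("inf"), name)
    if name in _path:
        # Circular dependency: this party is already counted further up the path.
        return (0, name)
    worst = (parties[name]["rto"], name)
    for dep in parties[name]["needs"]:
        candidate = effective_rto(dep, parties, _path + (name,))
        if candidate[0] > worst[0]:
            worst = candidate
    return worst


def mismatches(parties):
    """List parties whose own RTO is tighter than their chain can deliver.

    Each entry is (party, own RTO, effective RTO, limiting party).
    """
    report = []
    for name, info in parties.items():
        hours, limiter = effective_rto(name, parties)
        if hours > info["rto"]:
            report.append((name, info["rto"], hours, limiter))
    return report


if __name__ == "__main__":
    for name, own, actual, limiter in mismatches(PARTIES):
        print(f"{name}: plans for {own}h, chain delivers {actual}h (limited by {limiter})")
```

A party that appears in this report is either paying for a recovery time it cannot realise or needs the limiting partner to catch up.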