A global semiconductor chip shortage will likely cost automakers billions of dollars in revenue in 2021, as manufacturers like General Motors and Ford are forced to shift production and suspend some lines altogether. Automakers expect to produce hundreds of thousands fewer cars and trucks as a result, which will have a significant impact on global economic recovery.
The driver (pun intended) behind the shortage is COVID-19-related. When vehicle assembly plants shut down last spring in response to stay-at-home orders, chip manufacturers adjusted their production to meet demand in industries that weren’t as significantly impacted as automotive was. And while that was a demonstration of agile business processes on the part of semiconductor manufacturers, automakers were generally less flexible. Now that automotive production is ramping up again (amid stronger consumer demand than previously predicted), carmakers are in a difficult position.
A supply-chain disruption like this one with such wide-ranging implications should serve as a use case to prepare for future events. Following are five critical steps that organizations should take to assess the resilience of their third-party suppliers.
Conduct regular business resilience assessments. Assessments aren’t a one-and-done project, but rather should be performed regularly to ensure that vendor practices are up to date. Conduct assessments around the following topics:
- Service and criticality qualification. What are your suppliers’ criteria for identifying critical services?
- Current and projected impacts. What incident response plans are in place to mitigate impacts of disruptions, such as stay-at-home orders?
- Process preparedness. Does your supplier regularly conduct “war games” that simulate a supply-chain disruption, the lessons of which can be applied to real-world scenarios? Are processes regularly reviewed?
- Operating locations and changes. What are your suppliers’ failover or disaster recovery plans? How quickly can they re-adjust to new environmental changes?
- Communication mechanisms and timeframes. What are your suppliers’ public and customer communications plans? What’s a reasonable, contractual, and enforceable timeline to expect for notification of disruptions?
Answers to these questions can serve as a baseline for more extensive vendor risk and compliance assessments, to be conducted once the crisis has abated.
Map fourth-party and nth-party relationships to avoid concentration risk. Originating in the banking industry and adapted for use across multiple sectors, concentration risk describes the level of risk in an organization’s supply chain due to concentration in a single industry, geography or partner. The risk comes from a lack of diversification in the vendor portfolio. As the pandemic has shown, a failure in your supplier’s supplier (known as a fourth party to you) can have a significant downstream impact on your ability to deliver products and services to your customers. That’s why it’s essential to identify relationships between your organization and other third parties to discover dependencies and visualize information paths. Mapping these relationships will enable you to avoid concentration risk in advance of an event.
Monitor business events. One of the most frequently observed gaps in supply-chain risk-management practices is the over-reliance on cybersecurity assessments. Make no mistake, though: Assessing a vendor’s cybersecurity posture is absolutely essential in order to gain visibility into its security practices. But it’s not the only dimension of risk. Gaining insights into a supply-chain partner’s reputation, whether it’s subject to legal actions such as recalls or sanctions, has a lot of negative news, or has credit problems or trouble paying its bills, can shed light on its ability to deliver when times get tough.
Enable third parties to proactively update you on events. As mentioned above, conducting internal controls-based assessments shouldn’t be a point-in-time exercise, since much can happen to an organization in between those assessments. Instead, your third parties should have the ability to report updates proactively and directly to you. Enable third parties to update you on topics such as mergers and acquisitions, data breaches, service outages, and more. Results from these proactive event reports should then kick off tasks in your enterprise to better understand or stay on top of potentially business-impacting risks.
Keep your own business continuity plan up to date. Up to this point the focus has been on suppliers, but building a business continuity plan requires the coordination of multiple resources, both internal and external. Does your organization have a centralized plan that incorporates not only internal resilience measures, but also supply-chain partner risk assessments? Start with documenting your plan’s scope, responsibilities, and procedures to identify gaps. Essential elements of a business continuity plan include conducting impact analyses, performing internal risk assessments, and adhering to communications procedures throughout the organization. It’s possible that you are another company’s supplier as well, so be prepared to answer these questions for them.
Take the lessons learned from the current pandemic, and prepare for the next supply-chain disruption now. Continuously assess the resilience of key suppliers, understand where potential points of failure exist in the broader ecosystem, regularly monitor for changes, and most importantly, acknowledge that your organization owns the risk.
Brenda Ferraro is vice president of third-party risk at Prevalent.