
In assessing supplier risk, how far down the chain should CIOs go?

To ensure business continuity and mitigate supplier risk, CIOs need to take a closer look at second- and third-tier suppliers. It won't be easy.

Business continuity planning requires CIOs to ensure that their own IT operations remain up and running, but it also requires them to consider the services from their outside IT suppliers and outsourcing vendors. The question for CIOs is how far down into the supplier ecosystem should they delve to mitigate supplier risk?


The issue of IT supplier risk management has come to the forefront of business continuity planning, experts say. As companies increasingly rely on outsourcing vendors for their IT operations, and as IT services reach ever more deeply into business processes, business continuity planning is crucial. The steps CIOs can take to address the various and deepening levels of IT supplier risk are not as clear, however -- beyond tightening the screws on one's primary outsourcing vendors.

The danger of a major disruption due to a second-tier or even third-tier outsourcing vendor has proved to be a real concern in supply chain management. A recent survey done by the Business Continuity Institute on supply chain disruption showed that among the 85% of organizations that experienced a supply chain disruption (to the manufacture of a product or delivery of a service) during 2011, about 40% of the disruptions occurred below the immediate supplier.


For companies eager to take advantage of every means possible to save on IT costs -- from offshoring to less-expensive locales to public cloud computing -- supplier risk management has become more complex. In the case of cloud computing, it also has become less transparent than it is in traditional outsourcing vendor models. Last month's blackout that left 600 million people without power in eastern and northern India -- the location of many outsourcing vendor operations -- is proof enough of the risks inherent in offshoring critical IT services, said Craig Lenz, senior associate at outsourcing advisory firm Pace Harmon LLC in Tysons Corner, Va. Supplier risk management -- no matter what model is used -- depends on the service the supplier is providing and the business continuity principles adhered to by the CIO's company, he said.

"You have to look at the type of services you are going after and the geopolitical situation of the location where those services are being provided," Lenz said. "If this is a data center service, I am going to be very stringent looking at all components of the network, the power grid, the safety system and the people, the levels of redundancy, ability to fail over, data center locations, and so on."

Even with data center services, however, Lenz is skeptical that vetting a primary supplier's secondary suppliers is the most effective way to mitigate supplier risk. "From a contracting perspective, we can look at their subcontractors, but that group is likely to change and is usually not part of the contract to be managed," he said. "We are more focused on the capabilities of the primary supplier and the maturity of their processes."


Most companies don't pay close attention to the business continuity planning of a primary supplier's second- and third-tier vendors. "More and more are getting worried about it," said Lenz's colleague Steve Martin, a partner at Pace Harmon.

"We have few clients who will do due diligence on the technical environments of their subvendors," Martin said. It's rare for clients to delve deeply into the technical requirements of their primary outsourcing vendors, he added. He estimates that less than 20% of clients' due diligence includes a physical inspection of their primary vendors' data centers.

Instead, CIOs rely on the contracting process with the primary outsourcing vendor. One of the chief reasons for moving away from a diverse ecosystem of vendors to a primary vendor is to place the burden on a single source. "They contractually bind the prime vendor to all of the principles that deal with business continuity planning that they themselves are bound to," Martin said.

Supplier risk management can backfire

Business continuity planning for supplier risk begins with developing a hierarchy of vendors, ranked by how critical they are to business continuity, said Gartner Inc. analyst Roberta Witty. Not all vendors are equal, and the due diligence to ensure business continuity should not be either, she said. Nevertheless, there is a problem with relying on the primary supplier's business continuity planning, namely the lack of diversity in the ranks of second-tier and third-tier suppliers.

"What companies find, over and over, is that those primary vendors are using the same secondary and tertiary vendors," said Witty, research vice president covering risk management at Stamford, Conn.-based Gartner. This is truer for some industries than others at the second-tier supplier level and for just about every industry at the third-tier supplier level. "This is why you have to go deeper into the supply chain. It is not just the primary vendor that you have to assess," she said.

Whether a lock-tight contract with your primary outsourcing vendor is sufficient remains a question. That potentially leaves CIOs with a lot of investigative work to do for supplier risk management and business continuity planning.

Let us know what you think about the story; email Linda Tucci, News Director.
