How to Find Weak Links in Your Supply Chain

Just as all politics is local, so are supply chains local. If one of your key manufacturers in Asia or a big IT service provider in South America goes down after a disaster, you might, too.

More than ever, CIOs must create and test disaster-recovery and business-continuity plans, not just for your own operations, but for the extended supply chains on which your company has come to rely. That means you have to worry about your suppliers and your suppliers’ suppliers.

According to Protiviti, a management consulting firm, only achieving customer loyalty tops managing supply-chain risks on this year’s list of business challenges. And you can be sure you won’t keep even the most loyal customers if your products can’t get to them, says Manesh Patel, CIO of Sanmina-SCI, a $6.6 billion company that makes medical devices, military equipment and other electronics.

Last year, Sanmina-SCI temporarily moved production to Malaysia when floods in Bangkok stopped transport of electronics parts through Asia. Sanmina’s offices were not affected, but some of its suppliers were, potentially compromising customer orders. “You may be OK, but by definition if your suppliers are impacted, you are, too,” Patel says.

Roberta Witty, a research vice president at Gartner, says big companies are getting pickier about their suppliers’ recovery and continuity capabilities, looking for solid emergency plans early in discussions about doing business together.

Witty thinks CIOs need to assess suppliers and determine whether to ditch them, help them or live with the risk, and she suggests two metrics to measure them by: how important a supplier’s part or service is to making your larger product, and how much revenue an item brings in to your company. Financial services, healthcare and telecommunications companies, among others, often spend their own money helping suppliers improve, she says. “It’s in both companies’ best interests.”

For example, WellPoint asks key vendors to vet the recovery plans of their subcontractors and report back on that process, says Andrew Lang, CIO of the $58.8 billion healthcare company. WellPoint spent the last year studying its IT and business process outsourcers, and the smaller companies those suppliers hire. It’s important to understand the contingency plans of those subcontractors because their outages can become yours, Lang says. “They are a smaller cog, but they’re still a cog.”

This year, Lang expects to focus on the small, independent suppliers WellPoint uses, many of which came with the multiple mergers and acquisitions the company completed in the past several years. If a supplier is deemed critical to WellPoint’s operations, WellPoint helps improve its disaster-recovery and business-continuity plans. If the service or product can be provided by a bigger, more solid player, the smaller supplier may be jettisoned.

At Sanmina, risk mitigation also includes working with customers on product design to make them less vulnerable to supply-chain disruptions, Patel says. For example, customers receive feedback about the supply chain for parts and are given suggestions when there is too much reliance on a single source. To Patel, it’s a matter of reducing risk throughout the business relationship.

Contact Senior Editor Kim S. Nash at knash@cio.com. Follow her on Twitter: twitter.com/knash99.