Continuity Plans - only as Strong as your Weakest Link | KPMG | ZA


Having recently returned from the global Business Continuity Institute (BCI) World conference held in London in November 2015, I have a lot to share regarding trends and good practices for Business Continuity (BC).


Associate Director

KPMG in South Africa


The good news is that from my experience with the South African market when compared to our overseas counterparts, we are beginning to make inroads when it comes to preparing for the worst.

Many organisations in South Africa have already established continuity plans and emphasis is now on training and testing. The big difference is that globally, there is a massive drive to ensure supply chain resilience which is something we lack. 

Whether it be driven by a need for compliance or based on safeguarding our most valuable assets, more organisations in South Africa have seen the light…and yes, pun intended considering the load shedding disruptions prevalent in 2015. 

A hot topic at the BCI conference was “building resilience throughout an organisation’s value chain”.

While you may have put together robust continuity plans to ensure your organisation is resilient, have you considered if those you depend on have done the same? 

While we may have little “power” in analysing our electricity supplier’s continuity plans, there are other key suppliers we can interrogate. 

Analysing your value chain

The first step would be to analyse your value chain to determine who your key suppliers/service providers and customers are. 

Your Service Level Agreements (SLA) should incorporate provisions to allow you to review or audit your supplier’s continuity plan and even request evidence of testing. If this is not in place, it is certainly something to incorporate going forward. 

The list below includes examples of questions to consider when assessing your suppliers: 

  • Has your supplier experienced any incidents in the past?
  • How have they recovered from these incidents?
  • How many facilities do they have and are the critical facilities adequately protected?
  • Do they have adequate insurance?
  • Are they audited and are the results available for inspection?
  • How is data collected, stored and destroyed?
  • Has your supplier implemented controls to safeguard your data?
  • Has your supplier performed a risk assessment and are controls in place to mitigate risks?
  • Does your supplier’s BCP and IT Disaster Recovery Plan (DRP) address processes and actions to be followed in the event of a disaster?
  • Does your supplier’s BCP address Business-As-Usual (BAU) i.e. conducting operations as per normal after a disaster?
  • Does your supplier have a backup plan commensurate to the sensitivity of data being backed up?
  • Is your data included in the backup?
  • How are the backups protected?
  • Have your supplier’s continuity plans been tested or exercised?
  • Are the results reasonable?
  • Has your supplier considered succession planning? 

Some of these questions may not be relevant to your supplier if the service or product being provided is not critical to your business. Your assessment should be customised to the nature of your business and relationship with your supplier.

Consideration should also be given to whether your supplier’s continuity plans will allow for a recovery within your Recovery Time Objective (RTO). A question could also be posed regarding your supplier’s suppliers and their readiness to respond to a disaster. 

Case study

An excellent case study relating to supplier resilience pertains to a project we were involved in encompassing an assessment of over 300 suppliers for a large global client in the financial services sector.

During the assessment, we found that while our client had implemented strong controls to protect customer information, not all suppliers had followed suit, so much so that customer information became publicly available, resulting in reputational loss to our client.

So the next time you are in your boardroom, ask yourself if you have visibility on your strategic suppliers, because they might well be your ‘weakest link’.

If you would like further information or have any questions, please contact Nashikta Authar (Associate Director) at nashikta.authar@kpmg.co.za or on 031 327 6000.
