Resilience by design: From BIA to SLA. Building stronger supply chains

  • 30 Apr 2025
  • David

Foreword: This second article in David Window FBCI’s series on supply chain resilience explores how Business Impact Analyses (BIAs), Service Level Agreements (SLAs), and outsourcing shape organizational preparedness.

A Business Impact Analysis (BIA) defines the impact tolerances for a disruption and how the impacts grow over time, to help determine an organization’s response strategies, recovery priorities, and resource requirements. These outcomes establish the organization's business continuity (BC) requirements. However, many critical activities may rely on priority suppliers, whose performance is governed by service level agreements (SLAs) between the two parties.

The attributes defined within an SLA between the two parties stipulate key parameters such as tolerances (MTPD), minimum delivery (MBCO) for specific incidents, and time-based objectives (RTO) that the supplier is expected to meet during a disruption.

The acronyms below are defined in the BCI Good Practice Guidelines V7. In simple terms, you must understand the period of disruptive incident that you are prepared to tolerate. This is based on an understanding of how negative impacts grow over time, until they reach a point that is unacceptable.

MTPD = Maximum Tolerable Period of Disruption, a time frame within which the impact of not resuming activities would become unacceptable to the organization. [1]

Once the unacceptable time period has been established you can determine what is considered an “acceptable” time to absorb negative impacts during the disruptive incident.

RTO = Recovery Time Objective, a timeframe within the MTPD for resuming disrupted activities at a specified minimum acceptable capacity. [2]

Understanding only the two extreme periods of time (what is acceptable and what is not) is not enough. It is equally important to define the level of service the organization considers essential during a disruption (service level objective or capability). As such, business continuity planning should include two types of objectives: time-based objectives and service-level objectives, which relate to the delivery of specific products and services.

MBCO = Minimum Business Continuity Objective, the minimum capacity or level of service or products that is acceptable to an organisation to achieve its business objectives during a disruption. [3]

Any contractual service level agreement should define these parameters and oblige the supplier to support your objectives during an incident, regardless of whether they are the cause or part of the designed solution by your organisation.
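As an added illustration, not part of the original article, the following Python models the three parameters above for one activity: it derives the MTPD from a BIA impact-over-time table, then checks a supplier's SLA commitments against the activity's RTO and MBCO and against the obligation to perform regardless of who caused the incident. The activity, impact scores and supplier figures are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BiaRequirement:
    """Continuity objectives for one activity, as produced by the BIA."""
    activity: str
    mtpd_hours: float        # Maximum Tolerable Period of Disruption
    rto_hours: float         # Recovery Time Objective (must sit within the MTPD)
    mbco_percent: float      # Minimum Business Continuity Objective, % of normal capacity

@dataclass(frozen=True)
class SupplierSla:
    """What the supplier has contractually committed to during a disruption."""
    supplier: str
    resume_hours: float                 # committed time to resume the service
    min_capacity_percent: float         # committed minimum service level while disrupted
    binds_when_supplier_is_cause: bool  # obligation holds even if the supplier caused the incident

def derive_mtpd(impact_over_time, unacceptable_level):
    """Return the first elapsed hour at which the impact score reaches the
    unacceptable level; that hour is the MTPD for the activity."""
    for hours, impact in sorted(impact_over_time):
        if impact >= unacceptable_level:
            return hours
    raise ValueError("impact never becomes unacceptable within the analysed horizon")

def sla_gaps(req, sla):
    """List every way the SLA falls short of the BIA-derived objectives (empty list = aligned)."""
    gaps = []
    if req.rto_hours > req.mtpd_hours:
        gaps.append(f"{req.activity}: RTO {req.rto_hours}h exceeds MTPD {req.mtpd_hours}h (BIA is internally inconsistent)")
    if sla.resume_hours > req.rto_hours:
        gaps.append(f"{sla.supplier}: resumes in {sla.resume_hours}h but RTO is {req.rto_hours}h")
    if sla.min_capacity_percent < req.mbco_percent:
        gaps.append(f"{sla.supplier}: commits {sla.min_capacity_percent}% capacity but MBCO is {req.mbco_percent}%")
    if not sla.binds_when_supplier_is_cause:
        gaps.append(f"{sla.supplier}: SLA does not bind when the supplier causes the incident")
    return gaps

# Constructed sample data: impact score (1 to 5) for order fulfilment against elapsed hours
FULFILMENT_IMPACT = [(0, 1), (4, 1), (8, 2), (24, 3), (48, 4), (72, 5)]
FULFILMENT_REQ = BiaRequirement("order fulfilment", derive_mtpd(FULFILMENT_IMPACT, 4), 24, 60)
LOGISTICS_SLA = SupplierSla("logistics partner", 36, 50, False)   # constructed supplier commitments

if __name__ == "__main__":
    for gap in sla_gaps(FULFILMENT_REQ, LOGISTICS_SLA):
        print("GAP:", gap)
```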

The Good Practice Guidelines V7 and ISO22318:2021 indicate that Supply Chain Continuity Management is:

‘A process that identifies potential impacts to an organisation from disruption to its supply chain and provides an approach to manage and protect the organisations’ business activities from supply chain disruption by ensuring continuity of supply of resources as well as the ability to continue delivery of its products and services.’ [4]

In this context, the process is not about assessing the daily overall performance of the supplier, but the supplier’s capability to respond during an incident. Without these parameters, how would it be possible to undertake supplier performance reviews specific to business continuity?

It is also worth remembering at this point that the supplier is not always a problem, but sometimes the solution to your disruptive incident. For example, organizations could consider adding contractual promises that enable the supplier to expand their products and service delivery to assist the organization in times of disruption.

The hidden risks of outsourcing

ISO/TS27036-1:2021 Securing supplier relationships defines outsourcing as ‘Acquisition of services (with or without products) in support of a business function for performing activities using supplier’s resources rather than the acquirer’s’. Various international standards conflict on the definition of outsourcing, but overall, we must consider why outsourcing is specifically mentioned in guidance, as opposed to contracts for other services such as obtaining goods, services or consultancy arrangements.

It is because the issue with outsourcing is the risk attached to it. Outsourcing does not avoid but increases risk to an organisation. The outsourced service provider failing to deliver on the organisation’s behalf would have further impacts on the organisation if only in terms of reputation - their failure is your failure.

However, it is often a process that is outsourced. In this case, we should avoid using a narrow definition of the term outsourcing. In many cases, outsourced service providers operate within the organization’s infrastructure or act as co-source partners, delivering elements of core processes, such as internal or external audit functions. Therefore, a broader perspective is advisable when considering the role and integration of these providers within continuity planning.

The GPG (V7) states that outsourcing increases risk. Why? Outsourcing is actually a procurement strategy to “go to market”, usually involving what is termed a “make or buy” decision. Outsourcing, once achieved, means that the organisation is now simply “buying in” that service, process or activity. Outsourcing decisions should be driven by the pursuit of efficiency gains, not used as a means to offload or transfer risk.

The GPG suggests that products are possibly outsourced, but I suggest this is not prevalent. The term outsourcing is as overused as third party; think of it as something the organisation did internally that is now undertaken externally. The additional risks come from the outsourced service provider being more at arm’s length than when it was an internal provision. The contractual nature of the agreement means that the outsourced service provider may have different objectives in terms of efficiency and profit than if the provision was internally provided.

Therefore, the provider’s potential failure becomes the organisation’s failure. Often such arrangements are better as a “pain and gain” contract, where there are more mutual objectives and consequences.

Is it realistic to validate only through supplier performance reviews?

It is vital that “due diligence” is carried out before entering contractual arrangements, but is it truly realistic to audit or undertake due diligence on a priority supplier’s whole business continuity management system or indeed their business continuity plan?

Who should undertake this audit? It could be the procurement professional during a competitive tender or quotation procedure, but they may not be trained to do so. Or perhaps the business continuity professional, who will be stretched in terms of resource and in their knowledge of contracts and of the tier of supply. I believe the most efficient method is a collaborative approach.

A lack of thorough due diligence can result in a superficial, checkbox-style approach to supplier evaluation, both during the pre-contract phase and after contract award, relying solely on standard supplier relationship management questionnaires.

When tendering, consider whether you have the ability to assess the supplier’s plan and whether it is fit for purpose or simply ticks the compliance box. Is it contractual, does it contain time objectives and service objectives, does it offer anything other than compliance to a process?

I believe that organizations should state their incident performance objectives and ask how the supplier would respond in terms of time, service, and communications before, during and after the incident. In the due diligence (pre-contract) meeting you will seek to understand their “solution” to meet these requirements. This will make the offer compliant in terms of the specification, not just the process.

GPG v7, under Supplier Performance, recommends that the review of a supplier’s Business Continuity Management System (BCMS) or their response and recovery services should reference contractual expectations, including performance targets defined within their BCMS. While this represents good practice in principle, in reality many organizations may not have the capacity, or in some cases the intention, to conduct such a comprehensive review. In practice, it is often limited to requesting a copy of the supplier’s business continuity plan as part of a procedural requirement.

Ultimately, what is most important is ensuring that your organization's contractual and operational needs can be consistently met, or exceeded, by the suppliers you depend on. It is essential to clearly define your performance requirements and engage with suppliers to understand how these will be achieved before entering into a contract. Ongoing monitoring of these commitments should be embedded into supplier relationship management practices, helping to strengthen collaboration and optimise performance, particularly during disruptive incidents.

The challenges of terminology

A mixture of terminology in contracts may include vendor assessment, critical suppliers, and third parties. I leave the reader to investigate the legalities of these titles within their respective organisations and with their legal professionals. However, I do not believe they are interchangeable within the legalities of a contract, and they need to be in the contract definitions. If not correctly defined in contract they will be open to interpretation by both parties, and this may lead to legal issues should the contract be used in any litigation.

Remember that not everyone is a “third party”, and neither are “vendors” (a term usually associated with purchasing component parts and goods). Sub-contractors and tiers of suppliers are also terms that need definitions in a contract. The latest financial regulations have added “fourth parties” and “fifth parties”, and these I believe are merely tiers of supply in the chain.

It is good practice to state and define the relationships within contractual arrangements. A failure to do so may be a risk in itself.

Concluding thoughts

The relationship between BIAs, supplier relationships, and contractual obligations highlights the need for well-defined service level agreements that are specific to disruptions. These agreements establish tolerances, minimum service levels, and recovery time objectives, ensuring that priority suppliers align with an organisation’s needs.

The distinction between outsourcing, co-sourcing, and traditional vendor relationships adds complexity to risk management. While outsourcing transfers operational responsibility, it does not eliminate risk—rather, it amplifies it.

A supplier’s failure can directly impact an organization’s ability to recover, making due diligence and ongoing supplier performance validation crucial. However, the practicality of auditing a supplier’s entire business continuity management system remains questionable. The responsibility often falls between procurement professionals, who may lack business continuity expertise, and business continuity professionals, who may have limited contractual oversight. This gap risks reducing supplier assessments to a box-ticking exercise rather than a meaningful evaluation of resilience capabilities.

The next and the final article in this series provides practical guidance for practitioners on strengthening supply chain resilience through effective contractual processes.


[1] ISO 22301:2019 (Good Practice Guidelines 7.0, page 13)

[2] ISO 22301:2019 (Good Practice Guidelines 7.0, page 14)

[3] ISO 22300:2021 (Good Practice Guidelines 7.0, page 13)

[4] Good Practice Guidelines 7.0, Professional Practice 6, page 113: ‘a contract containing expectations include the performance targets’

About the author

David Window

Director, Numlock Limited. t/a Continuity Shop