Resilience by Design: Practical steps that embed supply chain resilience in your contract

28 May 2025

Foreword: This concluding article in David Window’s series Resilience by Design outlines a structured approach to strengthening resilience in the contracting stage. It offers practical steps organizations can take to build stronger initial procedures that support more robust supply chains.

In my previous articles Why supply chain resilience begins with the contract and From BIA to SLA, building stronger supply chains, the concept of building resilience into the pre-contract stage was examined. To conclude this series, this final article guides practitioners through a series of practical steps that can help build a structured approach to supply chain resilience in the initial contracting stages.

Connecting the principles of the BCMS in the context of supply chain

Stage 1 – The BIA

Supply chain resilience begins when supply chains are included in the scope of your BCMS and subsequently in the business impact analysis (the BIA). Practitioners must understand their organization in terms of its priority activities and map the value chain by understanding dependencies and interdependencies and, specific to this article, dependencies on priority suppliers.

Stage 2 – Identify dependencies

Identify dependencies associated with the supply of goods and services or consultancy services if these are a priority (such as co-sourcing). The failure of these dependencies will directly impact the organization.

Stage 3 – Priority supplier list

These identified dependencies determine a list of priority suppliers based on the needs of priority operational activities and support the overall goal of operational resilience.

Stage 4 – Hold collaborative meetings

Do this before launching any bidding process, with individuals who have the authority to commit the organization to a purchase contract, such as procurement, purchasing, or category managers; this ensures the guidance applies across different sectors and organizational structures. Include those who manage and own risks within the organization, including all operational representatives, as this provides a comprehensive view of risk. These may be the people who own operational risks and helped complete the BIA.

Stage 5 – Requesting details of the supplier's BCMS, BCPs and evidence of exercising

Some organizations may choose to request documents such as business continuity management systems (BCMS) or business continuity plans (BCP) in the pre-contract stage to support bid teams. This is itself a supply chain risk, as there is a likelihood that the documents are not indicative of the supplier's business continuity capability but are simply offered to provide process compliance.

A stronger methodology is to create your requirements in the performance specification (binding them to contract performance) and then, during due diligence, ask for the supplier's solution to assure it meets the performance specification.

Stop asking for documents as proof of competency and ask suppliers to walk you through their solutions to gain confidence in their capability. It is your need for confidence in the supplier that matters, not the supplier's confidence in their own ability; they will always wish to sound positive in a bid.

Conventional (sometimes legally mandated) steps when seeking to place a contractual agreement and how to build in resilience

Stage 1 – Prequalify

The need (or possibly a legal obligation in the public sector) to progress through the competitive process and obtain a contract often leads to requesting the delivery of documents such as a BCMS at the beginning of a competition. The objective of the supplier at this point is to pass through the process by compliance in order to receive the tender document. Why would a supplier expose any weakness at this early stage? Compliance with the process is paramount to them: without supplying the evidence requested, the bid may be automatically forfeit, and noncompliant bids are not considered for analysis in the prequalification stage.

Asking for these documents should be a first step and not the last time that resilience is considered in the tender process. Documents do not equal competency.

Stage 2 – Invitation to tender/bid

A bid document that contains nothing in terms of incident-specific performance targets, but contains terms and conditions stating that the bidder has to have appropriate business continuity arrangements in place, does not make a robust contract in terms of resilience. The potential supplier has only said these are in place. Documentation is not evidence of capability.

Some organizations may refuse to offer business continuity plans, stating that they are commercial in confidence. Practitioners should also consider that asking for documentation may result in receiving such documents as a business continuity policy, a high-level business continuity plan, and some basic details of the frequency of exercising. This simply provides compliance relating to any subsequent offer. A compliant bid is one that meets the performance specification written into a contract document.

Therefore, write your business continuity requirements into the performance specification; the bidder then has to comply with the performance outputs, not simply provide a generic plan.

When seeking bids, ask what financial percentage of the offering is attributable to resilience. It is widespread practice to ask for a breakdown of costs, so why not ask about resilience?

Ask the supplier if they have scenario-specific plans. If they confirm they have, note them in the contract as a defence against "Force Majeure", which is an unplanned event.

Stage 3 – Analyse offers

Analyse the offers; but without detailing performance criteria relating to resilience, how can this be achieved? Traditional scoring systems often give resilience a low scoring index and therefore tell the supplier it has little value in the assessment criteria. This is why it is important to discuss the scoring system in the collaborative meeting before going to tender.

Stage 4 – Due diligence (visit)

Consider a physical visit to review a multitude of disciplines (financial, health and safety, security, and resilience), encompassing solutions regarding risk mitigations and response capability. At this point the supplier should confirm the solutions that are in place.

Stage 5 – Conforming the contract

Agree the final contract between the two parties, which may include stipulating any genuine third parties (if any). Conforming is the process of including all that has been agreed during the tender process; this may include questions and the subsequent answers given by the supplier during the procedure, which after signing become contractual.

Stage 6 – Supplier relationship management

Continuous monitoring of the contractual relationship, including its resilience, is recommended. Vendor assessment (the term vendor is traditionally used for suppliers of component parts that create a final product) is a term often used for this activity and often considered a third-party risk assessment, even when there are only two parties.

The EU's Digital Operational Resilience Act (DORA), which came into force from January 2025, references third parties and even fourth parties. Genuine third parties in the financial sector may be suppliers with access to data, and the fourth party is often a specific view from the finance sector on tiers of supply, with a specific focus on understanding the risks. Such regulations are designed to assure that financial institutions are specifically managing risk. Risk prevention is the driver. Compliance with such regulations can often be to the detriment of capability. Remember that risk is impact (consequence) and likelihood (probability); in contrast, a response is based on impacts over time, not the chance of the risk crystallising.

When the contract was "conformed", the specific elements of the performance specification that deal with resilience (what to do before the incident in terms of early warnings, during the incident, and after the incident), which will include contractual MTPD, RTO, MBCO and RTOs originally from the BIA (adjusted during your "Solutions Design" stage), will require the supplier to have the capability to deliver against these parameters.

In supplier relationship management (or, if you prefer, post-contract vendor assessment), your organization needs to assure that the contractual promise in relation to the supplier's capability is still functioning and in place. Simply asking for documents as proof is insufficient to provide this assurance. Can they still deliver the incident-specific performance specification requirements? Although the Good Practice Guide V7 discusses assessing the supplier's whole BCMS (page 113), I would suggest this is unrealistic and promotes compliance, not capability.

It goes on to suggest that performance can be compared to the terms in the service level agreement (SLA). An SLA supports the performance specification and details the outputs and service to be provided. What is missing is that this needs to be an incident-specific SLA which details expectations during a disruptive incident (the term "disruptive incident", used generally rather than for a specific scenario or threat, would require a definition in the contract's terms and conditions).

Strategies and solutions: Thoughts on the Good Practice Guide 7.0

Professional practice 4 of the GPG 7 outlines strategies and solutions which would involve contracting with external parties; these should be pre-defined in contract documents, keeping in mind that what you ask for you pay for in a bid, and anything not determined in the contract is a "variation to contract" that could attract significant additional costs.

These steps go beyond professional practice 4 Solutions Design. In the design stage, business continuity requirements (from PP3) are used to design strategies and solutions.

Page 56 – suggests a list of third parties able to supply competent people. Let's remind ourselves that not all suppliers are third parties, and this would need to be written into the contract and costed.

Page 57 – Purchase when needed. Again, this carries potential additional costs and profiteering; think of the supply and demand of protective clothing during the pandemic.

Page 58 – Transfer staff to a third party. This requires a contractual agreement with the supplier, who may or may not be a third party; this matters because of the risk profile of a genuine third party.

Page 61 – covers Continuous operation, Go to Market, Step-in or Replace (new supplier). The timescales offered range from days to months, categorised on page 55. It should be noted that anything not in the original contract, or requiring a tender procedure, may not facilitate these shorter timescales, or at the very least will incur considerable costs.

Remember that Top Management should sign off on strategies and solutions and should expect a cost benefit analysis before signing.

Page 53: "the cost of mitigating the impact of a disruption should not exceed the cost of the disruption itself". Consider this when the strategy and solution is delivered by supply chains.

The contractual performance targets mentioned in Validation (PP6, page 113) will be based on the Design Solutions (PP4), operationalised in Enabling Solutions (PP5) and included in Business Continuity Plans (PP5). This will include risk assessments (PP3) and risk solutions (PP4).

All the above substantiates the fact that the Business Continuity Management System (BCMS) is less of a cycle and more of a series of interacting principles: Analyse, Design, Enable and Validate.[1]

In summary

Supply chain resilience is far more than managing risk in the supply chain; the end-to-end risk environment within the chain requires both preventative controls and responsive controls. It begins with good sourcing strategies, procurement, and supply.

Validation of supply chain dependencies should focus on the contract's performance targets. Most contracts include performance expectations for normal operations, but they must also specify clear performance targets for incidents or disruption. This ensures that all parties understand how the supply chain should function under stress, not just during routine conditions.

There are other stages the resilience professional can undertake when engaging and facilitating supply chain resilience, which would include greater collaboration with legal teams, procurement teams, risk management and operations.

A contract does not guarantee continuity of services; however, starting resilience measures at this stage enables the organization to embrace the concept and understand its supply chain dependencies.

This three-part series has its limitations: I could discuss building supply chain resilience into your re-letting programmes, how better to collaborate, and the benefits of asking for supplier solutions, not plans. These elements are discussed in the BCI 2-day Supply Chain Resilience training [2].

If I had one ambition, it would be to run such a course with procurement professionals and resilience professionals simultaneously, to assist with greater collaboration.


[1] Page 7: the BCMS has replaced what used to be termed the BCM Lifecycle.