Home Resources Blog May 2020

Opportunities to Improve Business Continuity Management in your Supply Chain

11 mei 2020
ISO management systems provide a framework of opportunities to improve business continuity management in a supply chain by introducing more aspects of collaborative management...

A crisis or disruption is notable in that, more often than not, you need to ask for help. In a business continuity situation, the situation will need all hands on deck otherwise it could spiral out of control.

As we have all learned from the COVID-19, our organizations do not exist without the support or input of others. We need our supply chain. We need all elements of the supply chain to function if we are going to meet our objectives of getting materials, services, or information through to our customers as quickly as possible. In short, Supply Chain Business Continuity is critical.

The purpose of this article is to encourage readers to consider their position in a supply chain, and whether there are opportunities to improve working arrangements with other organizations that will create value and better business relationships.

Top-tier organizations have a challenge when it comes to questioning their supply chains about their business continuity plans. As identified in the Business Continuity Institute’s 2019 annual report of Supply Chain Resilience ‘12.2% of disruptions occur amongst tier 3 suppliers and beyond. Yet over two-thirds of organizations (67.7%) fail to question the business continuity arrangements of suppliers within those tiers. (p.3).

Supply chains are complex organizations, made up of direct suppliers in the upper tiers, and a plethora of SMEs in the lower tiers. Often, there is a lack of visibility for an OEM or retailer in the top tier on the SMEs, and they will charge their direct suppliers for ensuring that the business continuity plans for these organizations are managed appropriately.  

What has been shown in published research, is that in the event of crisis, SMEs are very adaptable and flexible. In themselves, SMEs have a level of resilience to economic shock because they have simple decision-making processes, dynamic leadership and an entrepreneurial spirit. They can seek out new customers or develop new products, and research has shown that they will do this.

However, this flies in the face of business continuity management, which the ISO 22301 Standards defines as ‘capability of an organisation to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption’. The risk for the organizations in an upper tier of a supply chain is that the SMEs in the supply chain still exist during an economic downturn, but they are no longer operating to serve their particular needs.

This risk could be mitigated by organizations that lead supply chains if they take some simple steps. In any business relationship, organizations will naturally prefer to work with others where the relationship is mutually beneficial (this is a fundamental principle of ISO 9001). Whilst initial business relationships are often developed from transactional arrangements (e.g. you sell something, they buy something or vice versa) this arrangement can be developed into a more market focussed relationship if trust is built between the parties; the sharing of information, building joint-working arrangements and maintaining effective communications. Business Continuity in the supply chain is no different to this; if things start to go wrong, how will you respond as a supply chain – i.e. a joint entity?

Supply Chain Business Continuity situations can arise from three things; an issue with a single organisation in the supply chain, an issue with the supply chain itself, or external issues that affect the supply chain. COVID-19 has shown that in the event of an external issues that affects the supply chains, effective Business Continuity Plans are built on having a good understanding of how customer requirements need to be met in those difficult situations.

The Supply Chain Business Continuity Plans need to deal with four phases in Business Continuity planning; everyone thinks immediately of the ‘response’ and ‘recovery’ phases. However, not everyone thinks of the work that can be done to improve the ‘Resilience’ of the supply chain to protect or prepare itself for disruption, or the process of ‘Learning lessons’ post event.

There are some useful resources for organizations in the published ISO standards and guidance, listed in the table below. Together, these are a really useful and practical resource for organizations to consider how they develop mutually beneficial business continuity plans for their supply chains and keep them secure during times of crisis or disruption.

ISO 22301 is the standard for Business Continuity Management. It lays out, in a framework that is aligned to the other ISO management systems, the processes for identifying key business continuity risks, prioritising them, and planning effective management controls that can be followed. Key outcomes of using the ISO 22301 Business Continuity Management Standard is that an organisation is clear in it’s processes and has tested and exercised these in readiness for a business continuity event.

However, the ISO 22301 standard does not make very much in the way of reference to the development of joint working arrangements. For this, it is useful to refer to the ISO 44001 Standards and it’s guidance document (ISO 44002). In these documents, organizations are encouraged to collaborate for the purposes of adding value. Processes that encourage information sharing, joint working, cooperation and collaboration are abound.

The ISO 27001 standard is a useful reference tool for Business Continuity. It requires that organizations consider the operating situations that it may find itself in and ensure that information remains safe. (You should note that just because the Information Security Standard requires organizations to maintain a disaster recovery plan, this fulfils the same purpose as a Business Continuity Plan, but it does not). 

Standards or Guidance


ISO 22301

Business continuity management systems — Requirements

ISO 22313

Business continuity management systems — Guidance

ISO 22318

Business continuity management systems — Guidelines for supply chain continuity

ISO 44001

Collaborative business relationship management systems — Requirements and framework

ISO 44002

Collaborative business relationship management systems —  Guidelines on the implementation of ISO 44001

ISO 27001

Information security management systems — Requirements

ISO 27002

Information technology. Security techniques. Code of practice for information security controls

ISO 27031

Information technology — Security techniques — Guidelines for information and communication technology readiness for business

The purpose of this article was to give readers food for thought on their role within the supply chain regarding business continuity. For all organizations, there is a clear opportunity to improve the working relationship and achieve stronger and more effective business continuity plans. Without necessarily going to the extent of certifying against all of the relevant Standards, there is a great deal of guidance and information across a range of disciplines, and these are worthy of further investigation.

Authored by: Adam Faiers, Spedan (Specialist ISO Consultancy, Training and Legal Review)


* Disclaimer:

  • NQA does not provide consultancy in order to remain impartial from management systems implementation.

  • NQA shall not imply that certification would be simpler, easier, faster or less expensive if a consultancy listed on the ACR is used.

  • ACR Consultants shall not imply that NQA certification would be simpler, easier, faster or less expensive if their services are used.

  • NQA remains impartial from our partners on our Associate Consultant Register and does not endorse one partner over another.

‘Our consultants’ do not work for NQA, they work as independent bodies in partnership with us through our Associate Partner Programme. In accordance with the accreditation standard ISO 17021-1:2015 NQA does not provide consultancy in order to remain impartial from management systems implementation.