PRIVATE CIRCULATION

BCM/1_15_0003
For comment/vote - Action Due Date: 2015/02/13

Proposed ISO/DTS 22318

DRAFT TECHNICAL
Date Reference number
SPECIFICATION OR 2015-01-12 ISO/TC 292 N 15
TECHNICAL REPORT Supersedes document

WARNING: This document is not approved. It is distributed for review and comment. It is subject to change without notice.

ISO/TC 292 Circulated to P- and O-members, and to technical

committees and organizations in liaison for:

Title discussion at
[venue/date of meeting]
Security
comments by 2015-03-06
[date]
Secretariat
SIS approval for publication as a Technical Specification or
Technical Report (as indicated below) by

2015-03-06
[date]

(P-members vote only: ballot form attached)

P-members of the technical committee or subcommittee
concerned have an obligation to vote.

Title (English)
Societal security – Business continuity management — Guidance on supply chain
continuity

Title (French)

Proposed Technical Specification or Technical Report

Reference language version: English French Russian

Introductory note

Copyright notice
This ISO document is copyright protected by ISO. While reproduction in any form for use by participants in the ISO standards
development process is permitted without prior permission from ISO, neither this document nor any extract from it may be
reproduced, stored or transmitted in any form for any other purpose without prior written permission from ISO.
Requests for permission to reproduce this document for the purpose of selling it should be addressed to the secretariat
indicated above or to ISO’s member body in the country of the requester.
Reproduction for sales purposes may be subject to royalty payments or a licensing agreement.
Violators may be prosecuted.

© ISO – All rights reserved

DTS/DTR Cover Sheet

Version 99.1E/A Williams
 ISO/DTS 22318

1 ISO/TC 292
2 Date: 2015-01-12

6 Societal security – Business continuity management — Guidance on

7 supply chain continuity

© ISO 2013 – All rights reserved i

 ISO/DTS 22318

1 Contents

2 FOREWORD ....................................................................................................................... IV

3 0. INTRODUCTION ............................................................................................................ V

4 1 SCOPE ............................................................................................................................1

5 2 NORMATIVE REFERENCES ..........................................................................................1

6 3 TERMS AND DEFINITIONS ............................................................................................1

7 3.1 Terms included in ISO 22300 .................................................................................................................. 1

8 3.2 Terms defined in this Technical Specification ..................................................................................... 2

9 4 WHY SUPPLY CHAIN CONTINUITY IS IMPORTANT ............................................4

10 4.1 Introduction .............................................................................................................................................. 4

11 4.2 Describing the supply chain ................................................................................................................... 5

12 4.3 Dynamics of supply chains .................................................................................................................... 6

13 4.4 The essentials for SCCM......................................................................................................................... 7

14 4.5 Benefits of effective SCCM ..................................................................................................................... 8

15 4.6 Challenges to effective SCCM ................................................................................................................ 8

16 4.7 Key points of Clause 4: Why supply chain continuity is important ................................................... 9

17 5 ANALYSIS OF THE SUPPLY CHAIN .............................................................................9

18 5.1 Introduction .............................................................................................................................................. 9

19 5.2 Considerations for analysing the supply chain ................................................................................. 10

20 5.3 Structure of the analysis ....................................................................................................................... 10

21 5.4 Conducting the analysis ....................................................................................................................... 12

22 5.5 Output of Analysis ................................................................................................................................. 12

23 5.6 Key points of Clause 5: Analysis of the supply chain ....................................................................... 13

24 6 SCCM STRATEGIES ....................................................................................................13

© ISO 2013 – All rights reserved ii

 ISO/DTS 22318

1 6.1 Introduction ............................................................................................................................................ 13

2 6.2 Continuity Strategy Options ................................................................................................................. 14

3 6.3 Including SCCM capability into a supply contract ............................................................................. 15

4 6.4 Ownership of SCCM .............................................................................................................................. 15

5 6.5 Key points of Clause 6: Considering options: developing strategies .............................................16

6 7 MANAGING A DISRUPTION IN THE SUPPLY CHAIN ................................................16

7 7.1 Introduction ............................................................................................................................................ 16

8 7.2 Before an incident happens ................................................................................................................. 16

9 7.3 Incident detection and notification ...................................................................................................... 17

10 7.4 During an incident ................................................................................................................................. 17

11 7.5 Return to business as usual ................................................................................................................. 17

12 7.6 Key points of clause 7: Managing a disruption in the supply chain ................................................17

13 8 PERFORMANCE EVALUATION ..................................................................................18

14 8.1 Introduction ............................................................................................................................................ 18

15 8.2 Engaging with suppliers ....................................................................................................................... 18

16 8.3 Implementing a SCCM performance evaluation programme ............................................................ 19

17 8.4 Maintaining the analysis ....................................................................................................................... 19

18 8.5 Outcomes of performance evaluation ................................................................................................. 19

19 8.6 Key points of Clause 8: Performance management .......................................................................... 20

20 BIBLIOGRAPHY .................................................................................................................21
21

22

© ISO 2013 – All rights reserved iii

 ISO/DTS 22318

1 Foreword
2 International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
3 Draft International Standards adopted by the technical committees are circulated to the member bodies
4 for voting. Publication as an International Standard requires approval by at least 75 % of the member
5 bodies casting a vote.

6 In other circumstances, particularly when there is an urgent market requirement for such documents, a
7 technical committee may decide to publish other types of document:

8 • An ISO/IEC Publicly Available Specification (ISO/IEC PAS) represents an agreement between

9 technical experts in an ISO working group and is accepted for publication if it is approved by
10 more than 50 % of the members of the parent committee casting a vote;

11 • An ISO Technical Specification (ISO/TS) represents an agreement between the members of a

12 technical committee and is accepted for publication if it is approved by 2/3 of the members of
13 the committee casting a vote.

14 An ISO/PAS or ISO/TS is reviewed after three years in order to decide whether it will be confirmed for a
15 further three years, revised to become an International Standard, or withdrawn. If the ISO/PAS or
16 ISO/TS is confirmed, it is reviewed again after a further three years, at which time it must either be
17 transformed into an International Standard or be withdrawn.

18 lSO/TS 22318 has been prepared by Technical Committee ISO/TC 292, Security, Working Group 5,
19 Resilience and continuity.

20

© ISO 2013 – All rights reserved iv

 ISO/DTS 22318

1 Introduction
2 This Technical Specification (TS) expands the business continuity guidance given in ISO 22301 and ISO
3 22313 on establishing appropriate levels of continuity management within an organisation’s supply
4 chain. It assumes that the organisation seeking to establish Supply Chain Continuity Management
5 (SCCM) is already aware of the principles of Business Continuity Management and has established, or
6 intends to implement, a Business Continuity Management System (BCMS) broadly aligned to the
7 established standards. It also considers the implications to the organisation of suppliers of products or
8 services which do not have adequate continuity arrangements in place.

9 This guidance is intended primarily to assist anyone buying, managing or responsible for a product or
10 service necessary to an organisation’s critical products or services to implement good business
11 continuity practice in line with established standards.

12 Supply chain management considers the full range of activities concerned with purchase and provision
13 of supplies or services to an organisation as a part of business-as-usual. The scope of this document is
14 less broad in that it specifically considers the issues faced by an organisation which needs continuity of
15 supply of products and services to protect its critical business activities or processes, and the strategies
16 which can be used to mitigate the impact of disruption in the supply chain; this is SCCM. SCCM
17 depends upon business impact analysis (BIA) to identify critical business activities and processes and
18 thus is closely linked with ISO/TS 22317 which provides guidance on conducting a BIA.

19 Organisations rely on suppliers to deliver critical products or services on time and to agreed quality or
20 standards. It is important, therefore, for an organisation, as part of its wider approach to Business
21 Continuity Management to recognise the potential impact on its activities of a disruption within its supply
22 chain. Failure to deliver a product or service by a supplier may trigger a business disruption event.
23 There are however, conflicting objectives to be managed of maintaining and reducing supply chain cost
24 (for example, by reducing cycle times and buffer stock) while managing the supply chain risk arising
25 from single source and just in time supply approaches.

26 This TS is relevant to the supply of products and services from external suppliers and internal
27 relationships within divisions of the same organisation, under any type of continuing supplier
28 relationship. It also has applicability to single ‘one-off’ procurement events such as purchases of long
29 lead items for a major project where failure to deliver could impact the future development of the
30 organisation.

31 The TS recommends classifying suppliers according to their criticality, which considers the impact on
32 the organisation of a disruption to the supplied products or services, and “supplier tier”, which defines
33 the relationship with the organisation (i.e. a tier 1 supplier has a direct contractual relationship with the
34 organisation, while a tier 2 supplier supplies products and services to a tier 1 supplier). This TS
35 recognises that between tiers the same supply chain continuity considerations apply. Tier 1 suppliers
36 would be responsible for assuring their own supply chain relationships; recognising that the customer
37 may need visibility of these relationships both to ensure there is adequate resilience in the supply chain
38 and to take account of factors such Corporate Social Responsibility concerns which may require the
39 customer to understand the end to end supply chain.

40 The TS focuses on identifying and managing the risks and impacts arising within an organisation from
41 failure of a critical supplier to that organisation The guidance, however, also has relevance to the
42 supplier both so that they can prepare to meet the business continuity expectations of their customer
43 who is dependent upon them, and also to consider vulnerabilities which might arise from dependence on
44 a single customer.

45 This TS recognises that suppliers may also comply with the requirements of the ISO 28000 series of
46 standards which establish standards for security management within the supply chain. Conformance
47 with these standards will give organisations purchasing goods or services further confidence in the
48 resilience of their supply chain, and potentially reducing the risk of disruption.

49 The text is mapped to the elements of business continuity management, see Figure 1.

© ISO 2013 – All rights reserved v

 ISO/DTS 22318

Element Clauses in ISO/TS 22318

Operational planning and control Clause 4

Business impact analysis and risk assessment Clause 5

Business continuity strategy Clause 6

Establish and implement business continuity

Clause 7
procedures

Exercising and testing Clause 8

2 Figure 1 – Elements of business continuity management (BCM) – see ISO 22313 Figure 5

© ISO 2013 – All rights reserved vi

 ISO/DTS 22318

5 Societal security – Business continuity management —

6 Guidance on supply chain continuity

7 1 Scope

8 This Technical Specification (TS) gives guidance on continuity management within the supply chain.
9 Guidance is given on practical methods for understanding and extending the principles of business
10 continuity management (BCM), as embodied in ISO 22301 and ISO 22313, to the management of
11 supply relationships. This TS addresses relationships throughout the supply chain, between
12 suppliers and customers. The guidance is generic and intended to be applicable to all organisations
13 (or parts thereof), regardless of type, size and nature of business. It is applicable to the supply of
14 products and services, both internally and externally. Usually there will be an ongoing relationship
15 governed by contractual agreements (including Service Level Agreements (SLA) for external
16 outsource arrangements and Operational Level Agreements (OLA) governing internal service
17 arrangements) between the organisation and the supplier but it may also be applicable to single
18 event relationships, for example if there is a long lead time (i.e. a significant time gap between
19 placing the order and delivery of the good or service). The extent of application of the guidance
20 depends on the organisation’s operating environment and complexity.

21 The TS does not give guidance on developing a business continuity plan or business continuity
22 management system which is the subject matter of the parent standards ISO 22301 and ISO
23 22313.

24 2 Normative references
25 No normative references are applicable to this document. Important source documents are listed in
26 the Bibliography. This clause is included to retain clause numbering similar to other management
27 standards.

28 3 Terms and definitions

29 3.1 Terms included in ISO 22300

30 The following terms and definitions in ISO 22300 apply. All terms and definitions contained in ISO
31 22300 are available on the ISO Online Browsing Platform www.iso.org/obp.

32 3.1.1
33 business continuity
34
35 3.1.2
36 business impact analysis
37
38 3.1.3
39 event
40
41 3.1.4
42 exercise
43
44 3.1.5
45 incident
46
47 3.1.6
48 mutual aid agreement
49

© ISO 2013 – All rights reserved 1

 ISO/DTS 22318

50 3.1.7
51 prioritised activities
52
53 3.1.8
54 risk
55
56 3.1.9
57 top management
58
59 3.2 Terms defined in this Technical Specification

60 The following Terms and Definitions are applicable to this technical specification:

61 3.2.1
62 activity
63 process or set of processes undertaken by an organisation (or on its behalf) that produces or
64 supports one or more products and services

65 Note 1 to entry: Such processes include accounts, call centres, IT, manufacture, distribution.

66 3.2.2
67 business continuity management
68 holistic management process that identifies potential threats to an organisation and the impacts to
69 business operations those threats, if realized, might cause, and which provides a framework for
70 building organisational resilience with the capability of an effective response that safeguards the
71 interests of its key stakeholders, reputation, brand and value-creating activities

72 [SOURCE: ISO 22301]

73 3.2.3
74 business continuity management system (BCMS)
75 part of the overall management system that establishes, implements, operates, monitors, reviews,
76 maintains and improves business continuity

77 Note 1 to entry: The management system includes organisational structure, policies, planning activities,
78 responsibilities, procedures, processes and resources.

79 [SOURCE: ISO 22301]

80 3.2.4
81 business continuity plan
82 documented procedures that guide organisations to respond, recover, resume, and restore to a pre-
83 defined level of operation following disruption

84 Note 1 to entry: Typically this covers resources, services and activities required to ensure the continuity of
85 critical business functions.

86 [SOURCE: ISO 22301]

87 3.2.5
88 business continuity programme
89 ongoing management and governance process supported by top management and appropriately
90 resourced to implement and maintain business continuity management

91 [SOURCE: ISO 22301]

92 3.2.6
93 critical customer
94 a customer the loss of whose business would jeopardize the survival of the organisation

© ISO 2013 – All rights reserved 2

 ISO/DTS 22318

95 3.2.7
96 critical supplier
97 provider of critical products or services

98 Note 1 to entry: This includes an “internal supplier”, which is a supplier that is part of the same organisation as
99 its customer.

100 3.2.8
101 critical products or services
102 products or services, obtained from a supplier, which if unavailable would disrupt the organisation’s
103 critical activities and would jeopardize the survival or the organisation.

104 3.2.9
105 disruption
106 event, whether anticipated (e.g. a labour strike or hurricane) or unanticipated (e.g. a blackout or
107 earthquake), which causes an unplanned, negative deviation from the expected delivery of products
108 or services according to the organisation’s objectives

109 3.2.10
110 interested party - stakeholder
111 person or organisation that can affect, be affected by, or perceive themselves to be affected by a
112 decision or activity

113 Note 1 to entry: This can be an individual or group that has an interest in any decision or activity of an
114 organisation.

115 [SOURCE: ISO 22301]

116 3.2.11
117 organisation
118 person or group of people that has its own functions with responsibilities, authorities and
119 relationships to achieve its objectives

120 Note 1 to entry: The concept of organisation includes, but is not limited to, sole-trader, company, corporation,
121 firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether
122 incorporated or not, public or private.

123 Note 2 to entry: For organisations with more than one operating unit, a single operating unit can be defined as
124 an organisation.

125 [SOURCE: ISO 22301]

126 3.2.12
127 outsource (verb)
128 make an arrangement where an external organisation performs part of an organisation’s function or
129 process

130 Note 1 to entry: An external organisation is outside the scope of the management system, although the
131 outsourced function or process is within the scope.

132 Note 2 to entry: An outsource provider is a supplier of a product or service within the context of SCCM. Any
133 threat which could lead to a disruptive event affecting the outsource provider is a risk to the organisation.

134 [SOURCE: ISO 22301]

135 3.2.13
136 products and services
137 beneficial outcomes provided by an organisation to its customers, recipients and interested parties,
138 e.g. manufactured items, car insurance and community nursing

© ISO 2013 – All rights reserved 3

 ISO/DTS 22318

139 [SOURCE: ISO 22301]

140 3.2.14
141 resources
142 all assets, people, skills, information, technology (including plant and equipment), premises, and
143 supplies and information (whether electronic or not) that an organisation has to have available to
144 use, when needed, in order to operate and meet its objective

145 [SOURCE: ISO 22301]

146 3.2.15
147 supply chain
148 network of organisations that are involved, through upstream and downstream linkages, in the
149 different processes and activities that produce value in the form of products and services in the
150 hands of the ultimate consumer

151 [SOURCE: Christopher 1998]

152 3.2.16
153 supply chain continuity management (SCCM)
154 application of business continuity management to the supply chain

155 Note 1 to entry: BCM should be applied to all the tiers of an organisation’s supply chain;

156 Note 2 to entry: In practice an organisation usually would only apply it to the first tier of their suppliers and
157 influence critical suppliers to apply SCCM to their suppliers.

158 3.2.17
159 supplier tier
160 measure of the distance of a supplier from the organisation

161 Note 1 to entry: A tier 1 supplier directly supplies products or services to the organisation usually through a
162 contractual arrangement. A tier 2 supplier provides products or services to an organization indirectly and
163 through a tier 1 supplier.

164 3.2.18
165 supplier criticality
166 result of an assessment to identify suppliers whose failure to deliver contracted products or services
167 would significantly impact on the organisation; failure of a critical supplier to deliver products or
168 services in accordance with an agreement would and materially affect the ability of the receiving
169 organisation to conduct its business

170 Note 1 to entry: The organisation needs to define the criteria to be used when evaluating the criticality of
171 suppliers

172 4 Why supply chain continuity is important

173 4.1 Introduction

174 This clause considers the factors which provide the structure within which SCCM is conducted.
175 Supply chains are becoming increasingly complex and extended (often extending internationally),
176 exposing the organisation to new and additional risk of supply chain interruption. In addition, the
177 supply chain can be in a state of change. A supply chain is always subject to potential disruption,
178 hence the requirement for SCCM.

© ISO 2013 – All rights reserved 4

 ISO/DTS 22318

179 4.2 Describing the supply chain

180 For the purpose of this document a broad view of a supply chain is considered which includes both
181 the manufacturing and distribution of products, and services, outsourcing and off-shoring. It is
182 applicable to organisations of all types and sizes. Figure 2 provides a simple supply chain model.

183

Tier 2 Inbound logistics

Outbound logistics
Supplier B

Inbound logistics
External
Organisation Customer
Supplier A

Supplier C

Internal
Tier 1 Suppliers Suppliers
Tier 2 Suppliers
184

185 Figure 2 – Supply chain model

186 A supply chain exists wherever a product or service delivery depends on inputs that are not under
187 the direct management or control of the operating unit (the organisation). It includes both internal
188 and external supply relationships. The relationships with the various suppliers vary with the degree
189 of flexibility and the ability of the organisation to control the relationship, see Figure 3.

190

191

192 Figure 3 – Supply chain influence and control

193 There is a range of potential customer relationship types, including:

194 • business-to-business (some of whom may be distributors, wholesalers, etc.);

195 • business-to-consumer; and

© ISO 2013 – All rights reserved 5

 ISO/DTS 22318

196 • third-party served (where customers are served or supplied indirectly, for example, via
197 subcontractors or agents).

198 There is also a range of potential supplier relationship types, including:

199 • recurring product or service suppliers (providing components, raw materials, financing, property
200 rental, essential fixed asset maintenance, etc.);

201 • one-off or infrequent product or service suppliers (perhaps to provide a new piece of capital
202 equipment);

203 • outsourced or contracted out (off-site service or business process providers, such as payroll
204 bureau, IT services, contact centres, logistics or distribution);

205 • strategic partners (such as franchises, distributors and joint ventures); and

206 • co-operative relationships or interdependencies between suppliers.

207 In addition to customers and suppliers, other stakeholders might be involved in and impacted by
208 supply chain interruptions, including local communities (for example, the community from which the
209 work force is drawn), informal community network members, trade bodies, contracted consortium
210 partners, partial competitors or “buddies” with reciprocal arrangements, etc.

211 Supply chain relationships may be based on a number of factors, including:

212 • people: personal relationships;

213 • formal agreements: contracts, work orders, service level agreements, operating level
214 agreements, etc.;

215 • information: electronic or paper; purchase orders, design specifications;

216 • processes: workflow; product/service creation and delivery;

217 • infrastructure: transportation systems, Internet;

218 • culture: business networks, trading relationships; and

219 • environment: political, meteorological, economic (e.g. foreign exchange rates), etc.

220 NOTE These are examples only and the list is not intended to be exhaustive.

221 4.3 Dynamics of supply chains

222 4.3.1 General

223 The supply chain is important to organisations of all types and sizes, particularly as organisations
224 seek to lower cost and enhance efficiency. Driving out inventory, time and other forms of “waste”
225 means that goods, services, information and money are moving faster, which in turn means that the
226 impact of an interruption to the supply chain will be felt more acutely, sooner and more often. An
227 increasing and significant proportion of costs lie within the supply chain for many organisations,
228 presenting both a risk and an opportunity. Poor supply chain management can destroy value and
229 jeopardize brand and reputation.

230 A number of drivers have enabled and accelerated the extension of supply chains well beyond the
231 organisation’s direct control, both in terms of geographical spread and the number and type of
232 suppliers, including:

© ISO 2013 – All rights reserved 6

 ISO/DTS 22318

233 • the rise and development of the Internet, its global accessibility and relatively low cost;

234 • the reduction of international trade barriers and the free movement of capital;

235 • the addition of hundreds of millions of educated and relatively low-cost skilled workers;

236 • a management trend for organisations to focus on core, value-adding activities and outsource
237 an increasing range of peripheral business processes, such as logistics, distribution, payroll,
238 catering, cleaning, security and IT, making organisations more interdependent and extending
239 impact of disruption across entities; and

240 • the emergence of resource constraints as global demand exceeds supply, so that certain
241 supplies, including some natural resources, are only available in particular parts of the world.

242 Organisations are therefore increasingly interconnected and interdependent. As supply chains
243 become more global in their reach, new vulnerabilities are created and exposure is increased, while
244 horizon scanning to identify changing risk profiles (see Clause 7) becomes more challenging.
245 Furthermore, as supply chains become more integrated and lean, the more likely it is that any event
246 affecting one link may ripple through, affecting other links in the chain. Business impact analysis
247 should uncover interdependence across a supply chain, but often does not extend into the supply
248 chain past Tier 1 (direct) suppliers (those with whom the organisation has contractual relations) to
249 those in Tier 2 (direct suppliers to Tier 1 suppliers) and beyond.

250 4.3.2 Supplier and contract lifecycle

251 Suppliers and contracts exist within a lifecycle of supply and service acquisition, operation and
252 discontinuation. The point of entering into a new contract or renewing an existing contract presents
253 the organisation with an opportunity to influence future supplier behaviour through contract and/or
254 service level changes. Conversely, longer-term contractual commitments and high supplier
255 switching costs can shift the balance of power between the organisation and its supplier, creating
256 resistance to changing future supplier behaviour. (Figure 3). Implementing SCCM has to be
257 achieved within this environment. The analysis of the supply chain (Clause 5) will help to identify
258 both the critical relationships and the requirements for, and opportunities to implement SCCM.

259 4.3.3 Who owns the risk?

260 The fact that the organisation might be unable to deliver its products or services to its customers as
261 a consequence of a disruption in its supply chain is a risk that the organisation itself retains. The
262 onus is therefore on the organisation to mitigate this risk in line with its risk management policy and
263 approach and be prepared to respond to supply chain interruptions. Customers (backed by
264 legislation) expect the organisation to take responsibility for its supply chains and can be expected
265 to hold the organisation (rather than its suppliers) responsible for failure to deliver products or
266 services. Therefore, an organisation’s brand is at risk of damage in the event of a problem in its
267 supply chain or by the actions of a supplier.

268 In some extreme cases, a supply chain disruption might adversely affect an industry, market sector
269 or the wider economy, government and public stakeholders.

270 4.4 The essentials for SCCM

271 The essential requirements for effective SCCM are:

272 • top management support for an SCCM initiative/project to set the priorities and standards
273 required; to allocate resources for conduct of the analysis; and to evaluate the impact of
274 supplier/supply failure on the organisation’s critical activities;

275 • analysis to understand the organisation’s supply chain and the risk to the organisation arising
276 from its disruption;

© ISO 2013 – All rights reserved 7

 ISO/DTS 22318

277 • establishing continuity strategies to be applied to each supplier;

278 • procedures for gaining assurance from suppliers that appropriate SCCM is in place;

279 • a programme for ongoing management; and

280 • a long-term strategy to build a resilient organisation.

281 4.5 Benefits of effective SCCM

282 Potential benefits arising from effective SCCM include:

283 • mapping of the supply chain gives a better understanding of where and how to improve the
284 organisation’s supplier management, which in turn can increase efficiency and reduce the
285 likelihood and impact of supply chain interruptions;

286 • improved response to supply chain interruptions, including more effective collaboration with
287 suppliers and customers;

288 • more frequent identification and mitigation of supply chain risks before they happen or before
289 the organisation is impacted;

290 • improved business-as-usual supplier management, planning, due diligence, assurance and
291 working relationships with suppliers; and

292 • the organisation can gain new customers by distinguishing itself from competitors who do not
293 have in place effective SCCM arrangements.

294 4.6 Challenges to effective SCCM

295 Supply chain continuity management presents a number of challenges, including:

296 • scale and complexity (especially large organisations that can have many thousands of
297 suppliers);

298 • distance and visibility of suppliers in the supply chain (geographic separation and number of
299 links along the chain);

300 • convincing suppliers that SCCM adds value to the relationship and persuading them to
301 participate openly and transparently;

302 • existing contractual relationships might present infrequent “moments of change” when the
303 service is open to alteration;

304 • lack of structured approach (to determine where to start, how to proceed and overcome apathy
305 or inertia);

306 • lack of business case, top management commitment and necessary resources, including
307 trained people;

308 • defining and embedding responsibility for SCCM across stakeholder functions within the
309 organisation, and between organisations in the supply chain;

310 • striking a balance between the expense of supply chain risk reduction that pays off over a
311 longer time period and the short-term financial rewards of lower supply chain capital and
312 operating costs in “business-as-usual”;

© ISO 2013 – All rights reserved 8

 ISO/DTS 22318

313 • differences in risk tolerance/appetites between individuals, organisations and cultures;

314 • shortage of resources to implement preferred strategies(both for the organisation and the
315 supplier);

316 • cultural and legal differences including consideration of diversity issues;

317 • balance (or lack) of power in the supply chain (such as a small organisation dealing with a
318 much larger supplier with multiple customers);

319 • obtaining firm and meaningful product or service supply continuity commitments from suppliers
320 (might a supplier divert supplies to another more important customer in times of shortage?);

321 • difficulty in identifying indirect impacts: the loss of one supplier can make another critical; and

322 • difficulty understanding the full cost of disruption.

323 4.7 Key points of Clause 4: Why supply chain continuity is important

324 1) A supply chain exists wherever an organisation’s product or service delivery depends on inputs
325 that are not under its direct management or control.

326 2) Supply chain continuity is important in an increasingly global, interconnected and fast-moving
327 world, in which most organisations spend a significant proportion of their total costs via their
328 supply chains, which are increasingly exposed to new and elevated risks.

329 3) Disruption to the supply chain can severely impact the ability of an organisation to deliver its
330 critical business processes.

331 4) Supply chains are frequently composed of a large number of suppliers organized in series (like
332 a chain) or networks (like a web). These interrelationships and the transactions between them
333 are subject to constant change.

334 5) There are many supply chain stakeholders or interested parties, both within and between
335 organisations, which need to collaborate effectively during supply chain stress situations if
336 continuity is to be achieved.

337 6) The onus is on organisations (and not their suppliers) to mitigate their supply chain risk and
338 respond to supply chain interruptions.

339 7) Within an organisation conflicting objectives must be managed of reducing supply chain cost
340 (for example, by reducing cycle times and buffer stock) and reducing supply chain risk.

341 8) What matters is a supplier’s demonstrated continuity capability to reinstate the supply of
342 product or service to an organisation and its commitment to supply that organisation rather than
343 another.

344 5 Analysis of the supply chain

345 5.1 Introduction

346 Analysis of the supply chain allows an organisation to understand and assess the risk to their
347 operation of a disruption in that supply chain. Achieving consistency in approach is central to the
348 analysis. The depth of analysis of any given supplier needs to reflect their criticality to the
349 organisation’s activities and the level of risk to which they are exposed.

350 Suppliers are responsible for cascading the process of analysis to their own supply chains and
351 communicating the outcomes back to the organisation.

© ISO 2013 – All rights reserved 9

 ISO/DTS 22318

352 5.2 Considerations for analysing the supply chain

353 In carrying out the analysis, the following need to be considered.

354 a) Depth of analysis required to provide assurance that dependencies and risks have been
355 identified and understood.

356 b) Developing an approach which is consistent, auditable and can be maintained over time.

357 c) Cost/benefit analysis of the process

358 d) Setting standards and a framework which can be incorporated into procurement and ongoing
359 supplier management processes.

360 e) Including risks identified into the organisation’s risk management process.

361 f) identifying any legal or regulatory constraints on the suppliers.

362 5.3 Structure of the analysis

363 5.3.1 General

364 An organisation may adopt the following broad structure, see Figure 4.

365 a) Assemble relevant documentation currently available within the organisation, e.g. business
366 impact analyses, risk assessments and supply chain map.

367 b) Define and document the approach, including defining parameters which will be used to assess
368 supplier criticality, business continuity requirements, etc. (see 5.3.2).

369 c) Define a supplier engagement plan and allocate responsibilities for the review and completion
370 timescales.

371 d) Undertake the analysis and risk assessment with each supplier.

372 e) Assess the overall level of risk from each supplier.

373 f) Share results with the appropriate supplier (gap analysis), make improvement
374 recommendations, agree an action plan and the process to monitor progress.

375 g) Review the results of suppliers’ analyses of their own supply chain.

376 h) Revise the level of risk from each supplier based on this and any common dependencies
377 between suppliers.

378 i) Produce an overall analysis of the supply chain mapping supplier capability against their
379 criticality.

380

© ISO 2013 – All rights reserved 10

 ISO/DTS 22318

381

382 Figure 4 – Supply chain analysis flow chart

383 5.3.2 Define organisational approach

384 In undertaking the analysis it is important to achieve consistency across the organisation and to
385 create an approach that is sustainable over time. To help achieve this, a set of core organisational
386 approaches should be developed. These approaches should be specific to the organisation, and
387 tailored to meet the operational and environmental needs. They should include:

388 • definition of supplier criticality, for example a two tier approach (see Note 2 below):

389 a) “critical”: suppliers whose products or services are essential for the organisation to
390 continue its critical activities and their loss would jeopardise the survival of the
391 organisation; or

392 b) “non-critical”: suppliers, the loss of whose products or services could be tolerated for a
393 limited period without adversely impacting the core activities of the organisation;

394 NOTE 1 Analysis needs to consider the impact of an incident and its effect on a number of non-critical
395 suppliers supplying the same product or service, at the same time.

396 NOTE 2 The example above only defines two levels of supplier criticality businesses with many suppliers
397 may need to define more supplier criticality groupings to provide a manageable structure for the programme;
398 for example a three tier approach: strategic (business partners), core (suppliers who provide essential services
399 or products), transactional (suppliers of routine non critical products).

400 • defining acceptable business continuity requirements for suppliers:

401 1) what capability the organisation expects for each category of supplier, e.g. minimum levels
402 of supply and recovery time objectives (RTOs), and

403 2) what evidence it expects from suppliers to demonstrate compliance/capability;

404 • breadth and depth of analysis – is the analysis to include all suppliers or only certain categories
405 of supplier based on their criticality? How far down the supply chain should the analysis be
406 conducted?

© ISO 2013 – All rights reserved 11

 ISO/DTS 22318

407 • how frequently the analysis is to be repeated; and

408 • incorporating the requirements into any tender/procurement process and the ongoing supplier
409 management and development.

410 The overall approach should be fully documented and signed-off within the organisation by top
411 management.

412 5.4 Conducting the analysis

413 The organisation should share with suppliers the rationale for the analysis and its potential benefits
414 to them, including an explanation of its requirements and the expectations of each supplier.

415 Working within the structured approach which has been defined, the organisation should map the
416 various layers of the supply chain (see Figure 2), drawing on any business impact analysis (BIA)
417 undertaken to identify the organisation’s critical activities , their respective RTO’s and the suppliers
418 on which it depends in order to deliver these. The results of the BIA and the supply chain analysis
419 together, should describe the effect on the organisation of any disruption to supply

420 For each supplier there should be evaluation, with respect to the organisation of:

421 a) the criticality of the product or service they provide;

422 b) whether this supplier is the only source for that product or service;

423 c) the risks facing the supplier with respect to the critical product or service provided to the
424 organisation;

425 d) whether the supplier has in place effective business continuity arrangements;

426 e) the extent to which the supplier has already assessed its own supply chain risks;

427 f) what priority the organisation has in the supplier’s list of critical customers; and

428 g) whether the supplier’s recovery time objectives will allow the organisation to continue to
429 conduct its critical activities.

430 To support maintenance of SCCM an evidential approach to assessment of suppliers should be

431 used including material such as:

432 1) documented BIAs, risk assessments and business continuity plans;

433 2) documented processes for maintaining and updating suppliers’ continuity plans; and

434 3) documented exercise plans and post-exercise and post-incident reports.

435 NOTE For the most critical suppliers review of documentation will rarely give sufficient confidence in the
436 continuity capability and should be backed up with site visits and observation of exercises to validate
437 documentation.

438 5.5 Output of Analysis

439 The output of the analysis is an auditable, evidence based report for each supplier which as a
440 minimum identifies:

441 • continuity provisions which supplier has in place and evidence that supplier’s BCM approach is
442 fit for purpose

© ISO 2013 – All rights reserved 12

 ISO/DTS 22318

443 • how these provisions compare with the organisations expectations

444 • how continuity in suppliers’ supply chain is managed

445 • threats to supply of the relevant product or service

446 • recommendations for improvements.

447 5.6 Key points of Clause 5: Analysis of the supply chain

448 1) Supply chains are often broad, complex and interdependent, with multiple layers of
449 dependencies.

450 2) It is essential to understand the supply chain and the risks it poses to the organisation before
451 selecting continuity strategies for supplies.

452 3) Any analysis should be undertaken jointly with suppliers, who in turn should be responsible for
453 cascading the analysis to their suppliers.

454 4) The analysis should be based on a set of core criteria developed by the organisation: giving a
455 common organisational approach.

456 5) These criteria should encompass the analysis process and the business continuity
457 requirements for suppliers.

458 6) Key outputs from the analysis process include an overall assessment of the level of risk posed
459 by the supply chain and by specific suppliers within it.

460 7) Supply chains are dynamic so business continuity requirements should be built into
461 tender/procurement and supplier management processes, and the overall analysis process
462 should be repeated periodically.

463 6 SCCM Strategies

464 6.1 Introduction

465 An appropriate recovery strategy (section 6.2) should be identified for every supplier. In choosing
466 the most appropriate strategy, or combination of strategies, account needs to be taken of the
467 challenges to SCCM identified in section 4.6 which may limit the options available. The results from
468 the analysis should have identified:
469
470 • the suppliers;

471 • the impact on the business should the supply of product or services be disrupted;

472 • the criticality of each supplier and hence the tolerance over time of disruption; and

473 • an understanding of the continuity measures each supplier has in place both for itself and its
474 own supply chain.

475 The options described here are not mutually exclusive and mitigating the risk arising from an
476 individual supplier may require more than one approach to be implemented. Achieving the final
477 solution will take time; it might be necessary to adopt interim approaches with some suppliers until
478 the opportunity arises to implement the optimum solution, particularly where the supply
479 contract/agreement in place has a considerable time to run and there is limited opportunity to
480 negotiate any change of conditions.

© ISO 2013 – All rights reserved 13

 ISO/DTS 22318

481 Where it is possible to quantify the cost of disruption in terms of lost output, cost of customer
482 compensation, likely scale of fines for breaching regulations, or price of purchasing alternative
483 products or services, it is relatively straight forward to justify the cost of putting risk mitigation
484 measures in place. It is not so easy to measure the intangible costs of disruption, such as damage
485 to reputation or loss of competitiveness, so the case for implementing mitigation measures might be
486 less clear, but the risk assessment/BIA should emphasize the importance of suppliers to delivery of
487 critical activities or processes.

488 6.2 Continuity Strategy Options

489 6.2.1 Option 1 Accept status quo

490 This ‘Do Nothing’ option is more likely to be adopted for non-critical suppliers. It might be
491 appropriate to take out insurance to cover loss of profit (this is not a BC option as payments can lag
492 significantly behind any incident; and in some cases, they arrive too late to save the organisation
493 and are used merely to pay creditors).

494 6.2.2 Option 2 Reduce dependency

495 Reduce dependence on a supplier(s) by, for example:

496 1) having two or more sources of supply at all times (see Option 3);

497 2) lengthening the time before a disruptive event affects the organisation by measures such as
498 increasing stock holding on site or with distributors; and

499 3) establishing alternative solutions: pragmatic responses to managing risks arising from critical
500 suppliers which the organisation is unable to influence, e.g. providing a standby generator to
501 cover for loss of power supplies or developing multichannel communications systems to reduce
502 dependence on a single channel or supplier.

503 6.2.3 Option 3 Increase resilience

504 Develop recovery strategies which are independent of the supplier(s) for example:

505 1) developing workarounds (to mitigate loss of services);

506 2) identifying alternative suppliers who are able/prepared to pick up the demand at minimal notice;
507 and

508 3) agreeing mutual support arrangements with competitors.

509 6.2.4 Option 4 Work with the supplier

510 Work with each supplier to improve resilience/recoverability by:

511 1) developing relationships with critical suppliers to understand their arrangements and form
512 partnerships based on mutual trust which will faciltate speedy recovery;

513 2) clearly defining the performance standard required and the process by which this will be
514 assessed;

515 3) helping/encouraging the supplier to improve its resilience; and

516 4) include SCCM requirements into contract terms.

© ISO 2013 – All rights reserved 14

 ISO/DTS 22318

517 6.2.5 Option 5 Exit the relationship

518 If a suitable provision for SCCM with a critical supplier cannot be found consider exiting the
519 contract.

520 6.3 Including SCCM capability into a supply contract

521 To deliver SCCM over the longer term the organisation should include the continuity requirement
522 within the tender process to ensure suppliers have adequate BCM provision for the product or
523 service being provided:

524 • defining the organisation’s BC requirement in the invitation to tender (ITT) and assessing the
525 quality of the responses during the supplier selection process (this would include seeking
526 documentary evidence of BC arrangements);

527 • establishing a framework solution (e.g. a standard contract clause) to deliver the chosen
528 continuity strategy, which can be applied immediately to new contracts and for which early
529 opportunities can be sought to apply it to existing contracts;

530 • including escalation triggers and measures for notification and incident management in contract
531 terms and SLAs;

532 • specifying in contracts a requirement to notify key events and information, including invocations,
533 plan reviews, exercises and documents;

534 • arrangements for joint exercises and sharing of learning points;

535 • incorporating into contracts provision for management review and/or audit of BC arrangements;

536 • encouraging visibility of a supplier’s approach to assessing the impact of disruption within the
537 supplier’s own supply chain and measures being taken to mitigate this risk;

538 • early notification of changes to the supply environment which could jeopardize the BCM
539 arrangements;

540 • effects on contract of not achieving required BCM criteria, including escalation process and
541 potential contract termination; and

542 • excluding force majeure clauses which can be easily invoked by the supplier instead of
543 implementing effective BCM arrangements.

544 NOTE Force Majeur is a common clause in contracts that essentially frees both parties from liability or
545 obligation when an extraordinary event or circumstance beyond the control of the parties, such as a war, strike,
546 riot, crime, or an event described by the legal term act of God (such as hurricane, flooding, earthquake,
547 volcanic eruption, etc.), prevents one or both parties from fulfilling their obligations under the contract. In
548 practice, most force majeure clauses do not excuse a party's non-performance entirely, but only suspends it for
549 the duration of the force majeure.

550 6.4 Ownership of SCCM

551 The organisation should identify those with responsibility for supplier management and for
552 securing/monitoring supply chain continuity assurance. It should also be closely linked to the wider
553 arrangements for BCM within the organisation.

554 Those who bought the products or services (purchasing) should hand over the responsibility for
555 managing the SCCM to those who are going to manage the contract or run operations. It is
556 important to ensure that the control measures put in place do not degrade over time, e.g. having
557 secured two suppliers to achieve resilience, it is important to guard against the potential for the
558 number of suppliers to be reduced to one as a cost-saving measure at some time in the future.

© ISO 2013 – All rights reserved 15

 ISO/DTS 22318

559 6.5 Key points of Clause 6: Considering options: developing strategies

560 1) There is a range of potential strategies for building greater resilience in the supply chain. The
561 choice of the best strategy(s) depends on identifying and highlighting the most critical suppliers.

562 2) Where cost–effective, choose strategies which allow the organisation to reduce the impact of
563 disruption independently of the supplier, e.g. setting up more than one source of supply and/or
564 increasing stockholding of critical resources.

565 3) Where it is not possible to mitigate the impact, a continuity solution should be developed in
566 cooperation with the supplier.

567 4) The requirement for suppliers to put in place an effective business continuity solution for
568 themselves and their supply chain needs to be incorporated within the supply contract. Critical
569 suppliers need to provide evidence of this both at the time the contract is awarded and as part
570 of ongoing assurance.

571 5) The contract/agreement needs to define information exchange and plan invocation procedures
572 to be used between suppliers and customers.

573 6) It is necessary to recognize that it will take time to implement the best possible approach and
574 that it might be necessary to accept partial solutions to mitigate the risk in the short to medium
575 term.

576 7 Managing a disruption in the supply chain

577 7.1 Introduction

578 This clause assumes that appropriate analysis has been done of the supply as defined in clause 5
579 and appropriate strategies put in place in accordance with clause 6. However, threats to the supply
580 chain still exist and the organisation needs to have in place the processes required to manage an
581 incident. It is important to maintain engagement with critical suppliers to ensure continuity
582 management arrangements are available and effective. This is best achieved by ensuring regular
583 and open discussion between the parties to create a partnership between the organisation and the
584 supplier.

585 It is easy to make assumptions about how each side will respond in the event of an incident; these
586 assumptions need to be validated.

587 7.2 Before an incident happens

588 Business continuity plans should include:

589 • Details of any limitations on the organisation arising from supplier disruption; e.g. breaks in
590 supply of goods or services whilst recovery takes place.

591 • Supplier expectation of support the organisation may provide them.

592 • Action plan for the organisation’s immediate response.

593 Exercise integration. If possible, inviting the suppliers to take part in BC exercises that relate to the
594 products/services they supply will allow the suppliers to understand the criticality of their supply. It
595 would also enable the suppliers to identify any delivery issues that they could experience in
596 supplying to an alternative site. It is also valuable for the organisation to be able to attend supplier
597 exercises relating to the products/services supplied to it. The organisation can gain objective
598 assurance of the supplier’s ability to continue to supply in the event of an interruption.

© ISO 2013 – All rights reserved 16

 ISO/DTS 22318

599 Make use of horizon scanning to alert the organisation to emerging risks which may affect the
600 supply chain. Disruptions might arise due to the indirect effect of external events, such as transport
601 disruption caused by a fuel shortage brought on by industrial action or movement restrictions
602 imposed by a disease outbreak. The time taken for a supplier to identify a problem and notify the
603 organisation of the potential impact could cost the organisation potentially valuable response time.

604 7.3 Incident detection and notification

605 Early detection of a disruptive event enables an effective and appropriate response. This requires
606 that the relationship between the organisation and each supplier is open and suppliers feel
607 confident that they can raise issues with the organisation.

608 Where the relationship is less transparent the supplier may be reluctant to inform their customers of
609 a disruption, or potential disruption due to optimism about its ability to resolve the disruption without
610 impact to the organisation. The impact of delayed notification potentially increases the risk of a
611 minor problem becoming a major issue for the organisation. This is particularly true if the supplier
612 does not have a full understanding of their importance to the affected activity.

613 7.4 During an incident

614 Factors to consider during an incident are:

615 • Coordinated incident management. If the disruption experienced by the critical supplier impacts
616 the operation it is important to coordinate the incident management of both organisations. This
617 reduces the likelihood of wrong assumptions and minimizes the impact to the organisation.

618 • Impact of supplier’s operating location with respect to geography, cultural and political
619 differences.

620 • Regular communication with the supplier about the current situation and the potential return to
621 normal working is essential throughout the incident.

622 • External communications: It is essential that the organisation understands the approach that the
623 supplier will have to external communications to avoid “mixed messages” and the consequential
624 reputational damage.

625 • Recognise this is a reciprocal arrangement; if the organisation is the source of the incident
626 suppliers need to be engaged to manage both their business operations which may be affected
627 by disruption and/or to provide valuable support to facilitate the organisation’s recovery.

628 7.5 Return to business as usual

629 A combined approach is required to facilitate recovery to business as usual; this will take time and
630 may require co-ordination with many suppliers whose operations have been affected.
631
632 After any disruption, there is an opportunity to learn lessons and improve matters so that similar
633 events in the future will have less impact on both the supplier and the organisation. These might
634 result in improvements in the organisation or the supplier’s operations, or to the information flows
635 between suppliers and the organisation. However, a supplier could be reluctant to share full details,
636 especially where other suppliers are involved in the review. In addition to managing concerns about
637 sharing sensitive information, suppliers might be reluctant to accept follow-up actions without
638 changes to contracts and charges. If possible, the organisation should be allowed to see any
639 actions resulting from the incident and be able to track the status toward their completion.

640 7.6 Key points of clause 7: Managing a disruption in the supply chain

641 1) Include details of supply chain continuity management arrangements into BC Plans

© ISO 2013 – All rights reserved 17

 ISO/DTS 22318

642 2) Exercise with suppliers to improve co-ordination and understanding of each other’s issues.

643 3) Ensure there is an agreed procedure in place for suppliers to alert the organisation to incidents
644 or potential incidents as early as possible

645 4) During an incident ensure that command and control is integrated

646 5) Co-ordinate external communications plans.

647 6) Post event conduct a thorough, shared review of what happened and the lessons to be learnt.

648 8 Performance evaluation

649 8.1 Introduction

650 Performance evaluation covers the ongoing management of the SCCM including monitoring,
651 verification, validation and review of SCCM arrangements stimulates continuous improvement and
652 provides assurances in the supply chain.

653 Ongoing management and review is a proactive and dynamic process which should be reviewed at
654 agreed intervals with the organisation’s critical suppliers. This process monitors and acts as an
655 early detection mechanism for any changes in a supplier’s business, e.g. organisational changes,
656 reporting processes, manufacturing location and outsourcing. It should be included as part of the
657 routine management of the contract.

658 Monitoring and review help to ensure that critical suppliers continue to have in place robust
659 business continuity arrangements by:

660 a) utilizing the regular meetings with suppliers to gain an early understanding of any changes to
661 the supplier’s operation or their continuity plans that relate to the goods or services provided;

662 b) monitoring supply chain performance and identifying potential issues;

663 c) establishing escalation triggers and procedures for suppliers to report failures;

664 d) identify any “hidden” risks with its critical suppliers in the event that they suffer a disruption; and

665 e) facilitate the alignment of suppliers’ RTOs and SLAs with those of the organisation.

666 8.2 Engaging with suppliers

667 BCM assurance should be introduced and accepted as a business-as-usual item for discussion
668 through:

669 a) inclusion as an agenda item for supplier update meetings;

670 b) shared education and training tools;

671 c) the procurement and contracts process;

672 d) monitoring of performance metrics.

673 e) testing of incident plans and well-rehearsed triggers and escalation plan;

674 f) shared understanding of command and reporting structures in the event of an incident;

675 g) collaborative exercise programme

© ISO 2013 – All rights reserved 18

 ISO/DTS 22318

676 8.3 Implementing a SCCM performance evaluation programme

677 To implement a SCCM assurance programme, the following need to be maintained:

678 a) The organisation’s criteria for the SCCM capability required from suppliers; this will depend on
679 the assessment of criticality and the chosen BCM strategy for each supplier.

680 b) The assurance process should include:

681 i. maintaining the analysis, see 8.4;

682 ii. key performance indicators (KPIs)/metrics for ongoing monitoring;

683 iii. design of questionnaires/checklists/self-evaluations;

684 iv. escalation process for suppliers who do not meet the criteria;

685 v. review of organisational process from procurement to BCM team;

686 vi. review of contract and schedule clauses for use by procurement/supply chain
687 management.

688 8.4 Maintaining the analysis

689 The supply chain and the risks it faces are constantly changing so it is important to establish a
690 process to keep the analysis up-to-date and identify opportunities for continuous improvement. The
691 organisation should:

692 a) implement a rolling review process to monitor supply chain changes, implementation of
693 improvements, etc.;

694 b) identify individuals responsible for this ongoing work, incorporating it into the existing supplier
695 management process wherever possible;

696 c) build supplier requirements into tender/procurement processes; and

697 d) include the supplier SCCM assurance process into the scope of BCM audits.

698 8.5 Outcomes of performance evaluation

699 Performance evaluation should be outcome focussed. When assessing a supplier’s ability to meet
700 the organisation’s requirements, the following should be examined:

701 a) supplier’s documented BIAs, risk assessments and business continuity plans;

702 b) documented processes for maintaining and updating suppliers’ continuity plans;

703 c) supplier’s exercise plans and post-exercise and post-incident reports;

704 d) documented notification process is in place that includes key organisations likely to be
705 impacted; and

706 e) documented communications plan that includes joint communications and statements that take
707 into consideration the organisations impacted.

708 The benefits of the process are:

709 a) greater confidence in the supply chain (i.e. better understanding of the risks and controls);

© ISO 2013 – All rights reserved 19

 ISO/DTS 22318

710 b) evaluation of whether each supplier/partner meets the organisation’s BCM requirements;

711 c) early indication of changes likely to affect the supply relationship;

712 d) identification of gaps in capability which the supplier needs to address; and

713 e) supplier monitoring and performance measurement against targets.

714 If there are significant issues with a supplier’s BCM provision then the organisation can review the
715 relationship and/or the SCCM strategy, see Clause 6.

716 In conducting performance evaluation the following should be considered:

717 a) a supplier may have many customers who wish to validate their BCM and this could be both
718 costly and disruptive to the supplier;

719 b) performance evaluation is an indicator, not a guarantee. It is only a snapshot at a particular

720 point in time. Situations can change, so the programme needs to be reviewed regularly;

721 c) the performance evaluation process and implementing remedial actions could result in
722 increased costs; and

723 d) the right to carry out performance evaluation should be included in the contract/agreement. If
724 the right to undertake performance evaluation is not in the agreement it should be added, if
725 possible.

726 8.6 Key points of Clause 8: Performance management

727 1) The onus is on the organisation to ensure that SCCM provisions required to protect its critical
728 activities or processes are maintained.

729 2) Owners of supplier relationships need to have appropriate triggers and escalation pathways in
730 place to alert and deal quickly with changes to critical supplier performance.

731 3) Regular engagement with suppliers through update meetings or calls, is essential to
732 maintaining supplier relations.

733 4) Including suppliers in exercises can highlight previously unknown risks which can be added to
734 an action log for both to work through.

735 5) Performance evaluation includes monitoring, verification, validation and review of SCCM
736 arrangements, stimulates continuous improvement and provides assurances in the supply
737 chain.

© ISO 2013 – All rights reserved 20

 ISO/DTS 22318

Bibliography
For dated references, only the edition cited applies. For undated references, the latest edition of
the referenced document (including any amendments) applies.

[1] ISO 28000 Specification for security management systems for the supply chain

[2] ISO 28002 Security management systems for the supply chain – development of resilience
in the supply chain – Requirements with guidance for use

[3] ISO 22301 Societal Security - Business Continuity Management Systems - Requirements

[4] ISO 22313 Societal security - Business Continuity Management Systems – Guidance

[5] ISO 31000 Risk Management – Principles and guidelines

[6] BS PAS 7000: 2014 Supply chain risk management – Supplier prequalification

[7] BS 65000:2014 Guidance on organisational resilience

[8] BS 13500: 2013 Code of practice for delivering effective governance of organisations
ISO/TS 22318 – Societal Security – Business continuity management – Guidance on supply
chain continuity

© ISO 2013 – All rights reserved 21