We are told that that there will be further consolidation in the
IT supplier market - what should I do to insure myself against one
of my main suppliers being bought out or closed down?
In this case, big is usually better
The short answer is that you cannot. Rarely, if ever, does the
situation arise wherein a user is totally stranded because of a
supplier ceasing to trade.
Every contract you have with a supplier must contain clauses that
protect you in the event of takeover or merger. Your contract gives
liabilities that have to be shouldered by those acquiring the
business - which is what due diligence is all about.
Do take care that your supplier does not have the right to
renegotiate if you change your company name. This has happened
several times in the past. The IT contractual implications in the
event of a merger or a takeover on the user's side must also be
taken into account.
With small suppliers there is more of a risk; generally written
into the contract are the rights to source code if the supplier
ceases to trade. This is particularly important if such software is
integrated into the total infrastructure and its loss leads to a
major lack of functionality.
Generally, it has to be said there is a clear benefit from using
major suppliers that operate on a global basis. If it is
straightforward hardware such as PCs etc, clearly buying in a
market where there is competitive compatibility is essential, and
should be routine nowadays.
Robin Laidlaw, president, Computer Weekly 500
Club
Have a contingency plan ready
If your organisation recognises the importance of supplier support
and relationships, you should already have a contingency plan in
place as part of your business continuity strategy.
However, unless you are a major business with money to spare, it is
unlikely that you will have carried out a detailed risk assessment.
What you need is a "risk analysis" where you list all your IT
suppliers and consider the probability of supplier failure and the
likely impact. By using a simple rating system of probability and
impact, and by multiplying these together, you can identify the
areas where action is needed.
Any preventative action is largely dependent on your organisation's
attitude to risk and the budget you have for mitigating actions.
Even with no additional budget, there are still some options, for
example, for high-risk areas:
- Understand your supplier's financial position, goals, vision
etc. Is its order intake increasing, is it recruiting? This should
help to establish supplier security and confirm your risk analysis
assumptions
- If things are not looking bright, consider other suppliers now
and make sure you also analyse their financial position
- If you are tied in with a particular supplier, arrange a
meeting to discuss the situation and let them suggest ways of
safeguarding their position
- Look at alternative ways within the organisation of reducing
the impact, such as changing reliance on certain technologies -
remember internal mail and fax?
Being aware of high-risk areas and the ensuing scenarios is vital
to survival in any area.
Gary Cairns, Certus
Check the supplier's stability
You need to take a careful look at the stability and financial
position of the supplier. Ask to see the product roadmap and
identify any vulnerabilities. Consider its competitors and read the
business and computer press for company announcements and analyst
views.
To minimise risk, choose a technology that is robust and insist
that any tailoring and modifications are well documented. Arrange
for an escrow agreement, so that in the event of a supplier closing
down, you will have access to documented code, giving you the
ability to manage and maintain the product (this is a worst-case
scenario which you do need to plan for). If the supplier is bought
by another company, it is most likely it will want to keep its new
client base happy, and will either take over the maintenance or
offer a suitable migration path.
For major investments you can also protect yourself at contract
level. Suppliers can be required to provide a surety, such as a
performance bond, which can be drawn down upon insolvency. The bond
can help you to cover your losses as you stabilise your
business.
Roger Rawlinson, the NCC
Group
Perform risk analysis
You can perform a risk analysis to identify the threat to your
business, helping to form the basis of your response. Ask
yourself:
- How many supplier relationships do you have? Do you really know
every one? A central view of suppliers/alliances is an important
step to knowing the task ahead
- What are your supplier dependencies?These will vary for each
arrangement, but this should help you prioritise your risk
assessment
- Is your due diligence up-to-date? A lot of effort typically
goes into reviewing new partners and their suitability, but this
rarely gets updated - the best source for information is often the
supplier
- Do you have exit plans? Some may only encompass a statement of
intent to cover a supplier/alliance failure but others could
contain more detailed planning and contingencies
- Ask not what your supplier can do for you, but what you can do
for your supplier. Moving your supply elsewhere will crystallise
your fears and quicken the demise of some useful providers. You may
be able to direct some additional business to smaller suppliers to
aid their position.
David Hughes, Deloitte and
Touche
Concern yourself with the essentials
The issue that concerns you is how to ensure continued provision of
essential services. This can be considered a classic application
for risk management, in that you need to identify potential threats
and appropriate counter actions.
The range of actions can be considered in three groups:
- Practical - taking specific action to reduce supplier
dependency, for example dual-sourcing critical services
- Contractual - formalising your legal protection in the event of
changes in supplier status
- Strategic - establishing formal policies to assess
supplier-related risk.
Planning these actions through a risk evaluation should be an
important component of preparing your organisation's continuity
plan.
It is important to be realistic when assessing this type of
supplier risk - it is an area that has caused much concern but
relatively few major problems over the years. A much greater
problem has been that of poor supplier performance in delivering
services. I expect this situation to continue.
Andrew Davies, visiting professor in
information systems, Cranfield School of Management