Bci Supply Chain Resilience REPORT 2018

BCI SUPPLY CHAIN
RESILIENCE
REPORT 2018
1
Contents
PAGE 7
Executive Summary
Supply Chain Disruption Page 11
Conclusions Page 30
Annex PAGE 32
2
BCI Supply Chain Resilience Report 2018
Foreword,
BCI
Supply chains are often exposed to risks and
threats brought by natural or man-made
disasters. In addition, these challenges are
becoming more dynamic as organizations
are increasingly interconnected through
global networks. While a wider outreach
can be beneficial, as it provides more options for choosing materials,
employing talent and reducing costs, such growing complexity can also
mean increased vulnerability to disruptions. Hence, it is important to
maintain a resilient supply chain to keep performances at high levels.
Business continuity professionals play a key role in mitigating incidents

in the supply chain. In its tenth year, the Business Continuity Institute,
supported by Zurich, is releasing its Supply Chain Resilience Survey
2018. The 589 professionals who responded to the survey name the
top five causes of disruptions their organizations faced in the past 12
months and they indicate what type of mitigation measures they
are implementing.
Through the years, we have seen higher levels of awareness and

adoption of best practices, as the majority of the organizations this
year acknowledge the importance of reporting disruptions (73%). An
upward trend is also observed in terms of emergency preparedness
as more professionals report insuring financial losses compared to the
previous year (49% to 53%). In addition, there are more organizations
that have business continuity arrangements in place in dealing with
supply chain (74% to 76%) compared to last year. This tends to have
a positive impact on areas such as supply chain visibility and top
management commitment.
Although we are moving towards more resilient supply chains

each year, opportunities for refinement are still there. Strong top
management commitment, one of the main keys to ensuring resilience,
declines from last year by 7% (41% to 33%). Further, more respondents
also admit that they do not analyse the full extent of their supply chain
in case of disruption compared to last year (from 22% to 30%).
Collaboration among networks is an essential element in keeping

the supply chain intact. In the same way, this report is made possible
thanks to the help of all the organizations and professionals who
answered the survey. It is with collective efforts in monitoring
disruptions, disseminating knowledge, and increasing awareness
that we can overcome challenges and reduce vulnerabilities for
supply chains.
David Thorp,
Executive Director, BCI
3
FOREWORD
Foreword,
Zurich
The balance between risk and reward is the
very essence of business: you have to take
risks in order to generate returns and high
returns involve greater risks. However, there
is a difference between risks taken as a
result of careful judgement and those taken
unwittingly. This report will help you to answer
the questions around careful judgement of supply chain risks.
In a world of increasing complexity and uncertainty, the risk of

supply chain disruption has become one of the most fundamental
risks that organizations face across virtually all sectors in today’s
global and increasingly interdependent economy.
Companies need to manage all the risks they face more rigorously
than ever and in many cases can be overwhelmed by the size
and difficulty of the task. Many risks are identifiable and can be
managed reasonably easily, but more worryingly there are risks that
cannot easily be spotted and catch an organization’s unawares.
Often supply chain risks fall into this latter category, particularly for
large multi-national operations where there can be many hundred
suppliers at primary, secondary and even tertiary level. In many
cases it would appear many businesses do not really know who is
supplying their key components and materials beyond tier one and
have no practical contingency plans in place to deal with a disaster
should it occur.
A sustained interruption to a supply chain will result in reputational

issues, loss of market share and in many instances make it very hard
for a company to remain sustainable in what is already a volatile
environment.
Following extensive research and survey’s by the BCI, the purpose

of this report is largely to answer a number of key questions for
organizations around the resilience of their supply chain, in terms
of what are the current key risks and how risk and supply chain
managers can identify, assess and practically improve the
scenarios they face.
As with all risks you need to be prepared and expect

the unexpected!
Jean-Pierre Krause,
Global Head of Risk Engineering,
Zurich Insurance Company Ltd.
4
Foreword,
Commercial Risk Europe
Opportunity from risk
We at Commercial Risk Europe are delighted

to work with the Business Continuity
Institute on this excellent and highly
regarded survey that continues to grow in
scale and significance and this year generated almost 600 responses
from 76 countries.
Supply chain is arguably where the business continuity and risk

management professions meet in prefect unison.
As once again underlined by this survey over half of those companies

that took part suffered a supply chain disruption in the last 12 months
and over half of these events were with Tier 1 suppliers.
These are significant and regular fundamental business risks that will
and do occur. And yet, as also shown by this year’s survey a shockingly
high number of affected companies (just under third) do not analyse
the source of their supply chain disruptions and only about one half of
the losses suffered are actually insured.
This reveals a potentially serious problem: While companies know they

are exposed and do suffer supply chain disruptions it does not appear
that systems are in place to identify, measure, properly manage and
ultimately transfer those risks where possible.
This could also, however, also be identified as an opportunity because

this shows that there remains great potential for risk and insurance
managers and business continuity professionals to work more
effectively together to focus on supply chain risk and deliver a far
improved service for their companies.
We all know that cyber risk will only grow in significance, IT outages will
be an ever-present threat and weather risk can only grow – these are
the main supply chain threats based on this survey.
This means that risk and business continuity professionals need to

combine their knowledge, skills and resources in a more coherent
manner than ever before. They also need to challenge the insurance
market to come up with more comprehensive, reliable and fairly priced
risk transfer solutions and related services to help out too.
Research such as this report and events such as our Supply Chain
conference in London in November in partnership with UK risk
management association AIRMIC provide a great platform to take this
partnership further and make a real difference.
Adrian Ladbury,
Director and Co-owner at Commercial Risk
5
FOREWORD
Foreword,
CIPS
Given the basic necessity of businesses trying
to get the right goods, to the right places on
time, this report delivers both predictable
and startling results about how resilient our
supply chains really are.
The old adage, “fail to plan and you plan to fail,” is never more true
than in the management of supply chains. Supply chains are more
interconnected, and will become more global than ever despite the
transactional and ideological separations opening up rifts in some
regions of the world.
The less surprising failures could be called the usual suspects such
as IT outages and weather disruption. Though there is much we can
do to plan for how we will ensure continuity of supply chains in such
instances , we can’t ultimately control the weather for example or the
increasingly sophisticated operations of scammers. We must always
consider risks, anticipate some kind of disruption, plan the actions
to mitigate risks and be comfortable with implementing a different
strategy at a moment’s notice.
Another cause of disruption highlighted in the report is around skills

and talent development. As the largest professional body in the
world for procurement and supply management we are advocates for
continuing professional development at all stages of a career, striving
to guide our members to what’s on the horizon. This means more
strategic thinking as automation takes hold, and the need for stronger
relationship management with both suppliers and other business
disciplines.
Managing supply chains cannot be a sole pursuit. Procurement

professionals must not only work more closely with suppliers but with
risk and business continuity professionals to understand the landscape
we are now operating in. Supply chain risk will continue to be a growing
challenge, and it should be given bigger strategic focus in any business.
Research like this is an invaluable guide.
We know that risk can come in many forms, and not always a bolt
from the blue. Risks of disruption can be identified, anticipated
and mitigated against. So how high on your business agenda is the
mitigation of the key risks to your particular business?
Malcolm Harrison,
Group CEO, CIPS
6
Executive
Summary
7
Executive Summary
Executive Summary
Final number of respondents Number of countries
589 76
56% 52% 30%

suffered a supply chain of disruptions do not analyse the
disruption in the past occur at source of their supply
12 months Tier 1 chain disruption
Top causes of disruption
IT Adverse Cyber attacks

outages weather and data breaches
Loss of talent/skills Transport network disruption
8
Health and safety

incidents rank 8th
from 21st last year
Consequences of disruption:
Financial Logistics Reputation

impact impact impact
76% 33%
have BC arrangements in place to report strong top management
deal with supply chain disruptions commitment (-8% from last year)
9
Executive Summary
Future threats (12 months) Future threats (5 years)
Cyber attacks and data breaches Cyber attacks and data breaches
IT outages IT outages
New laws or regulations Adverse weather
Adverse weather New laws or regulations
Loss of talent/skills Act of terrorism
10
Building Cyber Resilience
Supply Chain
Disruption
11
Supply Chain Disruption

Reporting of supply chain disruptions (Table 1) has increased by 3% compared to last year (from 70% to
73%). Overall, the majority of organizations have consistently shown high levels of reporting through
the years (68% on average). On the other hand, more than one in four (27%) do not report supply chain
disruptions at all, even though this is an improvement from last year’s 31%.
Reporting within
Year Firm-wide reporting No reporting
certain departments
2018 30 43 27
2017 32 38 31
2016 34 38 28
2015 28 37 35
2014 27 40 33
2013 23 40 37
2012 25 39 39
Table 1. Levels of reporting supply chain disruptions, in % (2012-2018). Based on Q6: Do you
record, measure, and report on performance-affecting supply chain disruptions? (N=521)
As for last year, organizations appear reluctant towards the adoption of more advanced solutions in
the supply chain, with only 38% saying they employ technology to predict, monitor, record, measure
and report on disruptions (Figure 1). However, it is worth noting that organizations that have business
continuity arrangements are much likelier to embed technology into their supply chain (46%)
compared to those who do not have them (14%).
38%
Yes
62%
38%
No
Do you use
Figure 1. Q7. Do you use technology
technology?
62 %
(e.g. risk analytics indicators) to

predict, monitor, record, measure,
and report on performance-affecting
supply chain disruptions? (N=518)
12
The software of choice for professionals using technology in the supply chain remains Excel (46%),
with a 5% increase from last year (Figure 2). BCM software rises from fourth to second place (14%)
compared to 2017, revealing a small but noticeable improvement in the uptake of technology in
business continuity. Segmenting the data per industry sector, it can be observed that sectors such
as finance & insurance make a higher use of BCM software (19%). Differently, incident response data
(33%) seems to be more popular in public administration and defence.
2 %1%1% 46% 14%

4% Excel spreadsheets BCM software
5%
13% 8%
6%
Incident Financial
response data solvency models
8%
46%
6% 5%
Third party due Others
diligence solution
What types of
indicators do 4% 2%
you rely on?
13%
Social media/news Geopolitical

tracking devices models
1% 1%
14% Geospatial Environmental
models models
Figure 2. Q8. What types of indicators do you rely on to predict, monitor, record,
measure, and report on performance-affecting supply chain disruptions? (N=232)
13
The number of organizations suffering a disruption in the past twelve months (Figure 3) has decreased
from 65% to 56%. However, it should be noted that the number of those not knowing whether they
suffered a disruption or not has increased by 6% (10% to 16%).
%
16
28%
28
0 (We have not had any disruption in
%
%
our supply chain in the past 12 months.)

%1
3% 2
41% 9%
1-5 6-10
How many supply chain
9%
incidents would you estimate 3% 2%

your organization 11-20 21-50
experienced in the
past 12 months? 1% 16%
51+ I don’t know
41%
Figure 3. Q9. How many supply chain incidents would you estimate your organization
experienced in the past 12 months that caused a significant disruption? (N=499)
14
More organizations than last year report supply chain disruptions among their Tier 1 suppliers (from
44% to 52%). In addition, more respondents admit that they do not analyse the full extent of their
supply chain in case of disruption (from 22% to 30%) compared to the previous twelve months
(Figure 4). It is worth noting that this last figure improves for those organizations adopting
technology, as only 18% of them do not fully analyse disruptions to their suppliers. The three main
types of software that practitioners use to track incidents are excel spreadsheets, BCM software
and financial solvency models.
With our immediate

52%
supplier (TIER 1).
With our supplier’s

23%
supplier (TIER 2).
Much lower down the supply

11%
chain (i.e. TIER 3, TIER 4, etc.).
We do NOT analyze the full

supply chain to identify original 30%
source of the disruption.
% 0 10 20 30 40 50 60
Figure 4. Q10. Considering the supply chain incidents that you are aware of in the last
12 months, which of the following apply in your experience? The predominant source of
disruption across all events was: (N=409)
The threat landscape for supply chains has somewhat changed in the past twelve months (Figure
5). While unplanned IT or telecommunications outages (53%) remain the most common cause of
disruption, adverse weather (41%) follows up, rising from sixth place last year. The top five is then
completed by cyber attacks and data breaches (33%), loss of talent/skills (30%) and transport
network disruption (27%). It is worth pointing out that cyber attacks and loss of talent/skills might be
connected, as organizations struggle to find qualified professionals to employ in their cyber security
functions1. It is also worth highlighting how health and safety incidents (19%) make it to the top
ten (in eighth place) from twenty-first last year. This reflects increased efforts by organizations and
institutions to crack down on the circulation of dangerous substances in the supply chain23.
1 www.csoonline.com/article/3247708/security/research-suggests-cybersecurity-skills-shortage-is-getting-worse.html
2 www.coindesk.com/walmart-kroger-nestle-team-with-ibm-blockchain-to-fight-food-poisoning
3 www.foodmanufacture.co.uk/Article/2018/07/11/BSI-revises-global-safety-standard 15
Unplanned IT or
53%
telecommunications outage
Adverse weather 41%
Cyber attack and data breach 33%
Loss of talent/skills 30%
Transport network disruption 27%
New laws or regulations 23%
Outsourcer failure 19%
Health & Safety incident 19%
Currency exchange rate volatility 15%
Fire 15%
Human illness 14%

Energy scarcity (i.e. loss of
14%
supply or rapid price increase)
Product quality incident
13%
(e.g. product recall)
Insolvency in the supply chain 13%
Civil unrest/conflict 11%

Business ethics incident
10%
(e.g. human rights,corruption)
Act of terrorism 9%
Environmental incident
9%
(e.g. pollution, waste management)
Intellectual Property violation 9%
Earthquake/tsunami 8%
Industrial dispute 7%
Lack of credit 5%
Animal disease 2%
% 0 10 20 30 40 50 60
Past 12 months
Figure 5. Q11.a. Looking at the following threats, please tell us whether they caused any
significant disruption to the supply chain of your organization in the past twelve months.
(N=376)
16
Organizations tend to suffer mostly in financial terms (62%) when it comes to disruptions to their
supply chain (Figure 6). However, the majority of professionals also report logistics and reputation
impacts (54%) as consequences of an incident. Filtering the data, it can be observed how different
disruptions lead to different types of costs. Adverse weather events tend to aggravate particularly
logistics costs (62%), while cyber attacks are worse for financial (70%) and reputation damage
(60%). Differently, health and safety incidents exacerbate all three categories (financial impact 68%,
reputation impact 68%, logistics impact 64%).
Financial impact 62%
Logistics impact 54%
Reputation impact 54%
% 50 52 54 56 58 60 62 64
Figure 6. Q12. Which of the following impacts or consequences arose from the incidents/
disruptions experienced in the last 12 months? Tick as many as applicable. (N=330)
More than one in ten (14%) of the respondents surveyed suffered losses for more than one
million euros (Figure 7), confirming the positive trend registered in 20174. Looking at the levels of
preparedness and their relation to cost, organizations with business continuity or disaster recovery
arrangements tend to suffer similar levels of losses (16%).
52% 22%
%1%
4% 1 Less than €50,000 €50,001-250,000
8% 12% 8%
€250,001-500,000 €1-10 million
4% 1%
12%
€11-50 million €51-100 million
1%
What was the approximate €101-250 million
52 %
financial cost of your

cumulative supply chain
incident in the last
Figure 7. Q13.1. What was the
12 months? approximate financial cost of your
22
cumulative supply chain incident in the

%
last 12 months (loss of revenue and/or

increased cost of working)? (N=228)
4 In last year’s report, the number of respondents reporting losses for more than one million decreased from 34% to 22%. 17
% 2%
2%1
9%
62% 15%
Less than €50,000 €50,001-250,000
9%
9% 9%
€250,001-500,000 €1-10 million
What was the approximate

2% 1%
financial cost of your most €11-50 million €51-100 million
significant supply chain
62%
15%
incident in the 2%
last 12 months? Greater than €500 million
Figure 8. Q13.2. What was the approximate financial cost of your most significant
supply chain incident in the last 12 months (loss of revenue and/or increased cost
of working)? (N=114)
Improvement is seen as more than half of the respondents (53%) report insured losses (Figure 9), a
slight increase from last year’s 49%. On the other hand, the value for those organizations that fully
insure their losses remains at 13%. This shift reveals growing preparedness among organizations;
although efforts must be sustained to achieve more resilient supply chains.
13%
47%
0%, losses were uninsured
4%
17% 9%
1-25% 26-50%
10%
47%
10% 4%
How much of the 51-75% 76-99%
financial impact
was insured?
9%
13%
100%, losses were fully insured
17%
Figure 9. Q14. How much of the financial impact was insured? (N=220)
18
Out of those respondents that do not fully insure their losses, the majority (52%) do not know
the reason for this. This part of the sample includes professionals from business continuity, risk
management and supply chain management. Furthermore, 19% mentioned that they were happy
to take the rest of the financial impact and 15% reported that they only covered traditional physical
damage events. Nevertheless, 7% were not aware of available coverage of non-damage supply chain
insurance plans (Figure 10).
19%
You were happy to take the
7% rest of the financial impact
19
%
15%
You had only covered traditional
physical damage events
7%
You were not aware of new non
Where your insurance damage supply chain covers
15%
coverage did not cover the

full financial impact, was 52%
this because... Do not know
52
%
7%
%
7
Other
Figure 10. Q15. Where your insurance coverage did not cover the full financial
impact of disruptions, was this because... (N=333)
5 BCI Cyber Resilience Report 2018 19

Cyber attacks and data breaches (55%) and IT outages (54%) top the chart with nearly equal consensus
from the respondents (Figure 11). Previous BCI research shows how these two types of disruptions
might be connected, as IT outages are often considered a secondary effect of cyber attacks5. Adverse
weather (41%) can only be found in fourth position even though it was the second most disruptive
event in the past year (Q11a). It is also interesting to highlight a concern for health, as human illness
(25%) and health and safety concerns (24%) both feature in the top ten.

Unplanned IT or
54%
Adverse weather 41%
Human illness 25%
Act of terrorism 23%

22%
Fire 22%

20%
19%
19%
Lack of credit 11%
Animal disease 5%
% 0 10 20 30 40 50 60
Next 12 months
Figure 11. Q11.b. Looking at the following threats, please tell us whether
they are a cause of concern for the next twelve months. (N=376)
20
Cyber attacks and data breaches (49%) are the most concerning challenge for professionals over the
next five years (Figure 12). Following, IT outages (41%) and adverse weather (39%) rank respectively
second and third. These threats can often be connected to one another, as IT outages can be a
consequence of both cyber attacks or extreme weather events. This year, new laws or regulations
(36%) appear less worrying to respondents in the long term, as they drop from second to fourth place.
Interestingly, act of terrorism (34%) makes the top five, unlike in 2017 when it ranked seventh.

Unplanned IT or
41%
Adverse weather 39%
Act of terrorism 34%
Human illness 30%
Fire 28%

26%
24%

23%
Lack of credit 20%
Animal disease 19%

18%
% 0 10 20 30 40 50 60
Next 5 years
Figure 12. Q11.c. Looking at the following threats, please tell us whether
they are a cause of concern for the next five years. (N=376)
21
Through the years, this study has emphasised the importance of top management in developing
supply chain resilience. Top management buy in and leadership are key enablers to the facilitation of
good practices in the supply chain. However, this year high top management commitment (Figure 13)
dropped by 8% from the previous report (41% to 33%). In addition, the number of large businesses
with high top management support declined from 44% to 34%. Interestingly, small and medium sized
enterprises (SMEs) reported greater involvement of top management than that of large businesses at
41% compared to 34% (Table 4).
2%
2018 33% 44% 21%
3%
2017 41% 30% 26%
1%
2016 27% 43% 29%
2%
2015 33% 42% 23%
3%
2014 29% 39% 29%
% 0 10 20 30 40 50 60 70 80 90 100
High Medium Low None
Figure 13. Q16. How would you assess your organization’s top management
commitment to managing supply chain risk? (N=370)
22
Almost three-quarters of organizations (76%) report having business continuity arrangements in place
to deal with supply chain disruptions; this is slightly higher (+2%) than last year’s figure. Furthermore,
this year’s results show that 95% of the respondents are aware of the presence or absence of business
continuity measures in their organization, the highest figure reported since 2012 (Table 2). This shows
the growing interest and commitment to business continuity in supply chain management.
Year Yes No Don’t know N

2012 58% 25% 17% 442
2013 75% 19% 6% 405
2014 72% 22% 6% 375
2015 68% 25% 7% 323
2016 73% 25% 7% 358
2017 74% 16% 10% 285
2018 76% 19% 5% 383
Table 2. Tracking supply chain business continuity arrangements, 2012-2018. Based on

Q17: Does your organization have its own business continuity arrangements in place to
deal with supply chain disruption? (N=383)
Organizations with business continuity arrangements are three times more likely to report greater
supply chain visibility (36% compared to 12%). They are also more likely to insure supply chain losses
(+7%) and almost six times more likely to receive top management support in strengthening good
practice (Table 3).
Business continuity No business continuity

Indicator arrangements present arrangements
(Q17) (Q17)
Firm-wide reporting of supply
36% 12%
chain disruption (Q6)
Insuring supply chain losses (Q14) 55% 48%

High top management commitment
41% 7%
to supply chain resilience (Q16)
Table 3. Comparing practices between organizations with or without supply chain

business continuity arrangements
23
Large
76% 19% 5%
businesses
SME’s 71% 25% 5%
% 0 10 20 30 40 50 60 70 80 90 100 120
Yes No Don’t know
Figure 14. Q17. Does your organization have its own business continuity
arrangements in place to deal with supply chain disruption? (N=383)
Large businesses perform better than small and medium enterprises when arranging business
continuity practices in dealing with supply chain disruptions (Figure 14). It must be noted, however,
that more SMEs are accepting business continuity arrangements to build greater supply chain
resilience than last year (from 67% to 71%). Further, SMEs have outperformed large enterprises in
terms of firm-wide reporting of supply chain interruptions and high top management commitment
(Table 4).
Indicator SMEs Large businesses

Firm-wide reporting of supply
33% 29%
chain disruption (Q6)

41% 34%
Table 4. Comparing practices SMEs and large enterprises
24
The majority of the respondents (72%) reported asking their new and existing suppliers about their
business continuity arrangements (Figure 15). The figures show that making sure suppliers have
business continuity measures in place has a positive relationship with firm-wide reporting, and high
top management commitment (Table 5).
5%
72%
%
Yes
23
23%
Do you or your organization No
ask key suppliers whether
they have business 5%
continuity arrangements Don’t know
in place?
%
72
Figure 15. Q18. Do you or your organization ask key suppliers (new/existing) whether
they have business continuity arrangements in place? (N=376)
Asking key NOT asking key

suppliers about suppliers about
Indicator
business continuity business continuity
arrangements (Q18) arrangements (Q18)
Firm-wide reporting of supply chain
36% 17%
disruption (Q6)

41% 10%
Table 5. Comparing practices between organizations as to asking key suppliers about

business continuity arrangements
25
Almost half of the respondents (47%) claim that more than 60% of their suppliers have business
continuity in place to deal with supply chain disruptions (Figure 16). In addition, roughly a quarter
of the organizations (23%) report that 80% or more of their suppliers have business continuity
arrangements in place.
23% 24% 23%

18%
12%
0% - 20% 21% - 40% 41% - 60% 61% - 80% 81% - 100%
Figure 16. Q19. Considering your key suppliers, what percentage of them would
you say have business continuity arrangements in place to address their own
needs? (N=358, Median = 60)
More than two-thirds (65%) of the respondents recognise the importance of a sound business
continuity plan for their key suppliers (Figure 17), followed by the certification or alignment against
industry standards (51%). In addition, organizations asking about their key suppliers’ business
continuity management (BCM) programmes (44% to 51%) have increased, similarly to those complying
with good practice such as the BCI Good Practice Guidelines (42% to 46%).
A business continuity plan and

65%
who holds responsibility for it
Certification or alignment
to a recognised standard 51%
(e.g. ISO 22301).
A BCM program not just a

51%
business continuity plan.
Compliance with recognised

good practice (e.g. BCI’s 46%
Good Practice Guidelines).
A program that is
relevant to the product/ 42%
service we are buying.
% 0 10 20 30 40 50 60 70
Figure 17. Q20. What information do you seek in order to better understand the
business continuity arrangements of key suppliers? We look for: (N=349)
26
Organizations rely on various methods to obtain assurance from their key suppliers (Figure 18).
Administering self-assessment questionnaires is still the most common technique (60%) trailed by
requiring copies of supplier documentation (53%), while there is a slight drop in the percentage of
the organizations that do not collect any information (from 14% to 11%).
Provide them with a self-

60%
assessment questionnaire.
Require copies of supplier

53%
documentation.
Audit them. 38%
Request an independent audit. 12%
Don’t collect any information. 11%
% 0 10 20 30 40 50 60 70
Figure 18. Q21. How do you collect this information? We... (N=347)
Validating supplier’s business continuity is one of the key processes in business continuity and supply
chain management, especially as an increasing number of organizations require business continuity
management in bidding and procurement6. This essential step, however, remains a challenge for
many organizations. Consistently with last year’s report, 47% of the organizations do not check their
suppliers’ business continuity arrangements (Figure 19).
Have NOT checked/

47%
validated their plans.
Documented outcome
36%
reports and action plans.
Ran exercises (e.g. desktop

26%
or joint exercises).
Held workshops and/

13%
or awareness campaigns.
% 0 10 20 30 40 50
Figure 19. Q23. How have you checked/validated that key suppliers’ business
continuity arrangements might work in practice? We: (N=351)
6 Supply Chain Resilience Report 2017 27

Over a third of the respondents (40%) review business continuity requirements with key suppliers
at contract renewal, a slight increase from 39% last year (Figure 20). However, the percentage of
organizations that never review suppliers’ business continuity arrangements has increased from
13% to 14%.
At contract renewal 40%
Scheduled review meetings

34%
with key suppliers
Ad hoc 32%
A major change event

21%
at our or their end
A new, significant external

18%
risk/threat is identified
Never 14%
% 0 5 10 15 20 25 30 35 40 45
Figure 20. Q24. How often do you review your business continuity requirements with
key suppliers and their capability to meet them? Tick as many as applicable. (N=352)
28
The percentage of the organizations that always provide client assurance through business continuity
arrangements (Figure 21) when tendering for a new contract has slightly dropped from the last report
(15% to 11%).
11%
11%
11%
Every tender/proposal (100%)
12%
20% 17%
20 %
Majority (51-99%) Sometimes (25-50%)
When tendering for new
business clients, how often 20% 9%
Rarely (1-24%)
9%
Not at all (0%)

have you had to provide
assurance to clients that
12% 11%
your own business Don’t know Not applicable
continuity?
%
20 17
%
Figure 21. Q25. When tendering for new business clients over the past 12 months,
how often have you had to provide assurance to clients that your own business
continuity? (N=356)
Although business continuity has been repeatedly mentioned in dealing with suppliers, only 36%
of the organizations report that business continuity is integrated in their procurement process,
a decrease from last year’s 43% (Figure 22). In addition, the number of organizations that do not
mention business continuity in supplier discussions has increased from 18% to 20%.
%
20 36%
Yes, it is an integral part of our procurement
process from the startal (100%)
36
%
31%
Yes, but only where the contract
risk is deemed high
Does business continuity

13%
13%
feature as part of your Yes, but after the purchase decisions
supplier contractual have essentially been taken
discussions? 20%
No
31%
Figure 22. Q22. Does business continuity feature as part of your supplier contractual
discussions? (N=350).
29
Conclusions
30
A minority of organizations employ technology to analyse disruptions in their

supply chain. In addition, those who do adopt it tend to rely on traditional software
such as Excel, rather than more advanced systems. However, those organizations
that utilise technology solutions have more success in analysing incidents among
their suppliers.
There is an upward trend regarding organizations that have insurance coverage.

On the other hand, it is worth noting that most of those who report not having
insurance do not know the reason why this is the case. This reveals an awareness
gap that can be rather costly for organizations. Business continuity arrangements
can help have a better visibility of issues such as this one as well as helping
professionals obtain better insurance deals through reduced risks.
Non-physical threats, such as cyber attacks or IT outages, are the main threat to
supply chains both in the short and long-term. Other challenges such as adverse
weather, terrorism and human illness affect the supply chain, which is especially
worrying as one disruption can trigger more. For instance, a hurricane might lead to a
power cut-off and disease outbreaks, while a cyber attack could damage IT systems.
The uptake of business continuity arrangements experiences an upward trend.

An increasing number of organizations embed business continuity to protect their
supply chains, which also has a positive impact on other areas such as insurance and
top management commitment.
Strong top management commitment declines from last year, even though it
stays within the average value for the past five years (33%). While it is a positive
sign that this value has been quite consistent through the years, there is room for
improvement as top management support is key to ensuring resilience.
31
Annex
32
1. Demographic information
a. Functional Role of Respondents b. Geographical Base
1% 1%
%1% 5%
2 1
%
3% 5%
3%
%
6%
4
5%
45%
9%
8%
4 8%
Which of the following
9%
Which country are

10%
best describes your
you based in?
functional role?
13
%
17%
19%
45% 19% 48%

Business Continuity Risk Management Europe
13% 9%
Other IT Disaster Recovery 17%
/ IT Service Continuity North America
8% 5% 10%
Supply chain/ Quality/Business Asia
logistics Improvement
4% 3% 9%
Emergency Cyber and Sub Saharan Africa
Planning Information Security
3% 2% 6%
Health & Safety Crisis Australasia
management Management
1% 1% 5%
Physical Security Communications CALA
1% 1% 5%
Human Resources Facilities Management MENA
Q1. Which of the following best Q2. Which country are you based in?
describes your functional role? (N=589) (N=589)
33
ANNEX
c. Industry Sector d. Number of employees

%1%
3% 2 6%
3%
3%
22
% 6% 23
%
%
3
3%
14%
4%
4%
Please indicate the primary
7%
activity of your organization Approximately how many
6%
using the SIC 2007 15% employees work at your

categories given organization?
13%
9%
7%
below.
10
%
14% 22%
22% 15%
Financial & Professional 23%
Insurance Services Services 0-250
14% 10%
IT & Public Administration 7%
Communications & Defense 251-500
7% 6% 9%
Manufacturing Others 501-1,000
4% 4%
Energy & Education 22%
Utility Services 1,001-5,000
3% 3%
13%
Retail & Wholesale Health & Social Care
5,001-10,000
3% 3%
Transport Engineering 14%
& Storage & Construction 10,001-50,000
3% 2%
6%
Support Life Sciences /
50,001-100,000
Services Pharmaceuticals
1% 6%
Media & Entertainment Greater than 100,000
Q3. Please indicate the primary activity Q4. Approximately how many
of your organization using the SIC 2007 employees work at your organization?
categories given below. (N=589) (N=589)
34
e. Approximate Annual Revenues
16%
%
20
11%
5%
If you are a working in a private

sector organization, please let
8%
us know the approximate %

annual revenues of
10
your business.
13
%
%
10
7%
16%
Less than €1 million
11%
€1-10 million
10%
€11-100 million
10%
€101-500 million
7%
€501 million-€1 billion
13%
€1-10 billion
8%
€11-50 billion
5%
Greater than €50 billion
20%
I don’t know
Q5. If you are working in a private

sector organization, please let us know
the approximate annual revenues of
your business. (N=422)
35
ANNEX
2. Causes of disruption
a. By Region/Country
Rank Europe North America Australasia CALA

Unplanned IT or Unplanned IT or Unplanned IT or
Adverse weather
1 telecommunications telecommunications telecommunications
(68%)
outage (69%) outage (68%) outage (79%)
Adverse weather Adverse weather Transport network Adverse weather

2
(61%) (59%) disruption (62%) (68%)
Transport Unplanned IT or
Loss of talent/skills Outsourcer failure
3 network disruption telecommunications
(53%) (64%)
(51%) outage (50%)
Cyber attack and Cyber attack and Health & Safety Transport network
4
data breach (47%) data breach (43%) incident (50%) disruption (56%)
New laws or Product quality Industrial dispute Loss of talent/skills

5
regulations (41%) incident (42%) (50%) (56%)
Rank MENA Sub-Saharan Africa Asia UK

Health & Unplanned IT or Unplanned IT or
Adverse weather
1 Safety incident telecommunications telecommunications
(54%)
(43%) outage (68%) outage (74%)
Unplanned IT or Unplanned IT or
Energy scarcity Adverse weather
2 telecommunications telecommunications
(60%) (72%)
outage (41%) outage (53%)
Loss of talent/ Loss of talent/ Loss of talent/ Transport network

3
skills (29%) skills (59%) skills (46%) disruption (64%)
Currency exchange Currency exchange Transport network Health & Safety

4
rate volatility (27%) rate volatility (52%) disruption (43%) incident (53%)
Energy Transport network Fire Currency exchange

5
scarcity (25%) disruption (48%) (38%) rate volatility (50%)
Rank US India Canada Australia

Adverse weather Adverse weather
1 telecommunications telecommunications
(69%) (78%)
outage (68%) outage (67%)
Unplanned IT or Health &

Adverse weather Loss of talent/skills
2 telecommunications Safety incident
(62%) (58%)
outage (68%) (57%)
Unplanned IT or
Loss of talent/skills Civil unrest/conflict Adverse weather
3 telecommunications
(51%) (58%) (45%)
outage (50%)
Cyber attack and Transport network Outsourcer failure Human illness

4
data breach (50%) disruption (56%) (44%) (50%)
Fire Fire Insolvency in the Energy scarcity

5
(44%) (46%) supply chain (43%) (50%)
36
b. By industry
Financial & Insurance

Rank Professional Services IT & Communications
Service
Adverse weather
1 telecommunications outage telecommunications outage
(65%)
(71%) (58%)
Unplanned IT or
Adverse weather Adverse weather
2 telecommunications outage
(50%) (47%)
(62%)
Loss of talent/skills Loss of talent/skills Transport network disruption

3
(50%) (51%) (45%)
Cyber attack and data breach Currency exchange Loss of talent/skills

4
(46%) rate volatility (48%) (44%)
Transport network disruption Transport network disruption Cyber attack and data breach
5
(39%) (44%) (39%)
Rank Public Administration Manufacturing Retail & Wholesale

Transport network disruption
1 telecommunications outage telecommunications outage
(60%)
(71%) (88%)
Unplanned IT or Transport network

Adverse weather
2 telecommunications outage disruption
(67%)
(59%) (88%)
Transport network disruption Health & Safety incident Product quality incident
3
(53%) (54%) (86%)
Cyber attack and Loss of talent/skills Currency exchange

4
data breach (44%) (53%) rate volatility (80%)
5 Act of terrorism (43%) Adverse weather (53%) Health & Safety incident (71%)
c. By Size of Business
Rank SMEs Large Enterprises

1
telecommunications outage (54%) telecommunications outage (68%)
2 Adverse weather (51%) Adverse weather (58%)
3 Transport network disruption (45%) Loss of talent/skills (50%)
4 Currency exchange rate volatility (44%) Transport network disruption (48%)
5 Energy scarcity (42%) Cyber attack and data breach (46%)
37
further reading
About the Authors
Gianluca Riglietti CBCI

(BCI Research & Insight Manager)
Gianluca has a Masters in Geopolitics, Territory and Security from
King’s College London. He has experience writing academic and
industry publications, speaking at international conferences, and
delivering projects for companies such as BSI, Everbridge, Zurich and
Sungard AS. His previous professional experience includes working for
the Italian Presidency of the Council of Ministers.
He can be contacted at [email protected].
Lucila Aguada
(BCI Research & Insight Analyst)
Lucila is a licensed psychometrician with expertise in quantitative
and qualitative research. She has a Masters degree in Psychology
from the University of the Philippines. She has conducted research
on behalf of non-profits, pharmaceutical and healthcare clients. She
is also a qualified teacher with more than seven years of experience,
specialising in early childhood and special needs education.
She can be contacted at [email protected].
Acknowledgements
The BCI would like to thank Zurich, Commercial Risk Europe and CIPS
for their support with this report.
38
About the BCI

Founded in 1994 with the aim of promoting a more resilient world, the Business Continuity Institute
(BCI) has established itself as the world’s leading Institute for business continuity and resilience. The
BCI has become the membership and certifying organization of choice for business continuity and
resilience professionals globally with over 8,000 members in more than 100 countries, working in
an estimated 3,000 organizations in the private, public and third sectors. The vast experience of the
Institute’s broad membership and partner network is built into its world class education, continuing
professional development and networking activities. Every year, more than 1,500 people choose BCI
training, with options ranging from short awareness raising tools to a full academic qualification,
available online and in a classroom. The Institute stands for excellence in the resilience profession and
its globally recognised Certified grades provide assurance of technical and professional competency.
The BCI offers a wide range of resources for professionals seeking to raise their organization’s level
of resilience, and its extensive thought leadership and research programme helps drive the industry
forward. With approximately 120 Partners worldwide, the BCI Partnership offers organizations the
opportunity to work with the BCI in promoting best practice in business continuity and resilience.
The BCI welcomes everyone with an interest in building resilient organizations from
newcomers, experienced professionals and organizations. Further information about the BCI is
available at www.thebci.org.
Contact the BCI

Marianna Pallini - Communications Executive
+44 118 947 8215 | [email protected]
10-11 Southview Park, Marsack Street, Caversham, RG4 5AF, United Kingdom.
About Zurich
Zurich is a leading multi-line insurer that serves its customers in global and local markets. With about
53,000 employees, it provides a wide range of property and casualty, and life insurance products
and services in more than 210 countries and territories. Zurich’s customers include individuals, small
businesses, and mid-sized and large companies, as well as multinational corporations.
39
Business Continuity Institute
10-11 Southview Park, Marsack Street,
Caversham, Berkshire, UK, RG4 5AF
[email protected]
www.thebci.org
Correct as of August 2018
40

Bci Supply Chain Resilience REPORT 2018

Uploaded by

Copyright:

Available Formats

Bci Supply Chain Resilience REPORT 2018

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Bci Supply Chain Resilience REPORT 2018

Uploaded by

Copyright:

Available Formats

BCI SUPPLY CHAIN

Supply Chain Disruption Page 11

Business continuity professionals play a key role in mitigating incidents

Through the years, we have seen higher levels of awareness and

Although we are moving towards more resilient supply chains

Collaboration among networks is an essential element in keeping

In a world of increasing complexity and uncertainty, the risk of

A sustained interruption to a supply chain will result in reputational

Following extensive research and survey’s by the BCI, the purpose

As with all risks you need to be prepared and expect

We at Commercial Risk Europe are delighted

Supply chain is arguably where the business continuity and risk

As once again underlined by this survey over half of those companies

This reveals a potentially serious problem: While companies know they

This could also, however, also be identified as an opportunity because

This means that risk and business continuity professionals need to

Another cause of disruption highlighted in the report is around skills

Managing supply chains cannot be a sole pursuit. Procurement

Final number of respondents Number of countries

56% 52% 30%

Top causes of disruption

IT Adverse Cyber attacks

Loss of talent/skills Transport network disruption

Health and safety

Financial Logistics Reputation

Future threats (12 months) Future threats (5 years)

New laws or regulations Adverse weather

Adverse weather New laws or regulations

Loss of talent/skills Act of terrorism

Supply Chain Disruption

(e.g. risk analytics indicators) to

2 %1%1% 46% 14%

Social media/news Geopolitical

our supply chain in the past 12 months.)

incidents would you estimate 3% 2%

With our immediate

With our supplier’s

Much lower down the supply

We do NOT analyze the full

Cyber attack and data breach 33%

Loss of talent/skills 30%

Transport network disruption 27%

New laws or regulations 23%

Outsourcer failure 19%

Health & Safety incident 19%

Currency exchange rate volatility 15%

Human illness 14%

Civil unrest/conflict 11%

Financial impact 62%

Logistics impact 54%

Reputation impact 54%

€11-50 million €51-100 million

financial cost of your

cumulative supply chain incident in the

last 12 months (loss of revenue and/or

What was the approximate

coverage did not cover the

5 BCI Cyber Resilience Report 2018 19

Cyber attack and data breach 55%