Why Supply Chain BCM Matters
Your BCP is only as strong as your suppliers' BCPs. ISO 22301 Clause 8.3 requires you to identify external dependencies and address supply chain risks. The 2021 Suez Canal blockage and the 2022 Yogyakarta earthquake demonstrated how supply chain disruption cascades: when a single logistics provider or port becomes unavailable, businesses that depend on it face catastrophic delay, regardless of their internal continuity capability.
Identifying Critical Suppliers
Start with the BIA. Which suppliers are essential to the delivery of critical activities? A single-source supplier with no alternative is the highest risk. A supplier whose disruption would breach RTO or RPO thresholds is critical. Develop a supplier criticality assessment that classifies suppliers into tiers based on their impact on critical activities. Review this assessment annually and whenever the supply chain structure changes.
Supplier BCM Classification
Not all suppliers require the same level of BCM rigor. Use a tiered approach:
| Tier | Criticality | BCM Requirement | Assessment Frequency |
|---|---|---|---|
| Tier 1 Critical | Single-source, no alternatives, immediate BCP impact | Full BCM questionnaire + evidence review | Annual |
| Tier 2 Important | Replaceable but significant disruption to switch | BCM questionnaire | Annual |
| Tier 3 Standard | Easily replaceable, minimal BCP impact | BCM clause in contract | Bi-annual |
Contractual BCM Requirements
Include explicit BCM language in supplier contracts. Require the supplier to maintain a BCP that addresses disruptions affecting delivery to your organization. Specify that the supplier will notify you immediately of any disruption event. Define notification timelines—critical suppliers should provide notice within the first hour of impact. Request a copy of the supplier's BCP (or a summary) and require annual attestation that the BCP is current. Include contractual obligations for participation in joint exercises, if applicable. Distinguish between contractual BCM requirements (enforceable) and voluntary best practices (advisory).
Supplier BCM Assessment
Develop a BCM due diligence questionnaire for suppliers. Assess whether they have a documented BCP; whether the BCP covers the specific services they provide to you; how often they exercise the plan; what their RTO and RPO targets are; and whether they have tested recovery in conditions similar to those your organization depends on. Common findings: no BCP exists; BCP exists but only covers head office operations, not the delivery site where your work is performed; BCP is untested. When a critical supplier fails initial assessment, require a remediation plan with specific milestones.
What to Do When a Critical Supplier Has No BCM Program
This is a material risk scenario. The appropriate response depends on the alternatives available:
| Scenario | Options | Timeline | Risk |
|---|---|---|---|
| Supplier acknowledges gap, willing to develop BCM | Support with templates, set remediation milestone | 6–12 months | Managed |
| Supplier sees no need for BCM | Contractual requirement, consider sourcing alternative | 12–24 months | High |
| Supplier has BCM but won't share evidence | Request summary only, treat as unverified | Ongoing | Medium |
| No viable alternative supplier exists | Document risk, implement compensating controls (stockpiling, pre-positioning) | Immediate | Very High |
Joint Exercises with Critical Suppliers
Including suppliers in exercises tests whether your BCP assumptions about supplier capability are correct. Conduct a communication drill: call the supplier and ask them to confirm their disaster response contact and verify they can reach their team. Run a functional drill where the supplier participates in confirming their response procedures. The challenge is managing supplier engagement—not all suppliers will participate readily. Document clearly what participation you expect and when exercises will occur. Supplier non-responsiveness in an exercise often reveals that the supplier lacks actual BCM capability despite contract language.
KEY IDEA: ISO 22301 does not require you to certify your suppliers, but it does require you to ensure that your reliance on external parties does not create unmanaged continuity risk. Evidence that you have assessed critical supplier BCM maturity is required.
IMPORTANT: A single-source critical supplier with no BCM program is a material business continuity risk. The appropriate response is to impose BCM requirements contractually, develop alternative sourcing, or document compensating controls—not to ignore the gap.
BITLION INSIGHT: Indonesian organizations often have higher supply chain concentration risk than their counterparts in larger markets. Local supplier markets for specialized technology, logistics, and professional services are smaller, making supplier BCM assessment and dual-sourcing strategies particularly important.