ISO/TS 22318:2021 pdf download – Security and resilience — Business continuity management systems — Guidelines for supply chain continuity management.
1 Scope This document gives guidance on methods for understanding and extending the principles of business continuity embodied in ISO 22301 and ISO 22313 to the management of supplier relationships. It enables an organization to develop and document the strategy to be better prepared to manage supply chain continuity. This document is generic and applicable to all organizations. It is applicable to suppliers of products, services and resources, both upstream and downstream. Supply chain continuity management (SCCM) specifically considers the issues faced by an organization which relies on the continuity of supply of resources as well as the ability to continue delivery of its products and services. The objective of SCCM is to protect the organization’s business activities from supply chain disruption.
2 Normative references The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO 22300, Security and resilience — Vocabulary ISO 22301, Security and resilience — Business continuity management systems — Requirements ISO 22313, Security and resilience — Business continuity management systems — Guidance on the use of ISO 22301
4.2.3 Benefits and opportunities Potential benefits for all parties of effective SCCM include: — better understanding of the supply chain and the impact of potential disruptions; — improved supplier relationship management to reduce the impact of supply chain disruption; — improved response to supply chain disruptions resulting from effective collaboration with suppliers; — identification and mitigation of supply chain risks; — improved planning, due diligence, assurance and working relationships with suppliers; — competitive advantage over competitors who do not have effective SCCM. SCCM presents several opportunities, including: — improved ability to provide management with information to make effective decisions to allocate necessary personnel and resources to maintain SCCM; — effective integration of SCCM responsibilities across the organization through the SCCM owner (see 4.4); — understanding the suppliers ’ continuity capabilities and their requirements of the organization; — establishment of performance metrics; — engagement to enhance understanding and strategy relating to suppliers beyond Tier 1.
4.3 Risk ownership The organization owns and retains the risk that it is not always able to deliver its products and services to its customers as a consequence of a disruption in its supply chain. It is responsible for mitigating this risk by being prepared to respond to a supply chain disruption. Customers hold the organization, not its suppliers, responsible for failure to deliver products and services. For example, an organization’s brand and reputation are at risk of damage if there is a problem within its supply chain.
4.4 SCCM ownership The organization should identify those with responsibility for supplier relationship management and for securing and monitoring supply chain continuity assurance. SCCM ownership should be delegated to personnel responsible for contracting and purchasing operations. The responsibility should be closely linked to the wider arrangements for business continuity within the organization.
5.2.4 Performance evaluation programme Top management should establish a performance evaluation programme (see 7.3) guiding the organization to establish and maintain a strategy to build a more resilient supply chain by: — embedding SCCM in all applicable processes of the organization; — engaging with suppliers; — ensuring contractual obligations have been met and are being monitored; — ensuring complete assessment of supply chain continuity risks for new products and services and new suppliers. The performance evaluation should: — specify what is to be evaluated; — identify how, when and by whom the evaluation should be performed; — set performance metrics, including qualitative and quantitative measurements; — facilitate subsequent corrective action analysis, if needed.
5.3 Promulgate business continuity principles throughout the supply chain The organization should promulgate its business continuity principles throughout its supply chain to promote awareness and improve effectiveness. This can be achieved by: — including compliance with continuity requirements in suppliers ’ contracts; — establishing required supplier compliance levels based on their disruptive impact; — developing methodologies to monitor compliance; — requiring that the organization’s suppliers also promulgate business continuity principles throughout their own supply chain.
