From the House of Lords to Heathrow: Why operational resilience must start with the supply chain

On March 20, my colleague Amy Hanan, Chief Marketing Officer at LRN, and I hosted a roundtable dinner event at the House of Lords in partnership with Business Reporter, bringing together 20 senior supply chain professionals to discuss one of the most pressing issues facing compliance and procurement leaders today: how to mitigate third-party risks and build true operational resilience. 

We focused on three core challenges:

• Mitigating third-party risks through stronger due diligence and risk mapping
• Training suppliers to uphold compliance obligations and ethical standards
• Stress-testing operational systems to prepare for disruptions before they strike
And then, hours later, the real-world test arrived.

This morning, March 21, Heathrow Airport faced widespread delays after a fire at a nearby electrical substation disrupted the airport’s power supply. Border Force systems went down. Thousands of passengers were left stranded. And once again, a localized infrastructure failure triggered cascading disruption across one of Europe’s busiest airports.

Events like this echo the lessons of last year’s CrowdStrike outage, which I covered in a blog post on why supply chain due diligence and operational resilience must go hand in hand. That disruption, caused by a flawed software update, impacted hospitals, airports, and corporations worldwide. You can read the article here.

The common thread between these incidents? Systems dependency. Whether it’s power infrastructure, a third-party software vendor, or a critical data center, organizations increasingly rely on external parties to deliver their most important business services. And when those third parties fail, due to fire, cyberattacks, or operational error, the fallout is immediate and widespread.

That’s exactly why the FCA’s Operational Resilience rules are so vital. With the final compliance deadline fast approaching at the end of this month, the UK’s financial regulator already expects firms to have identified important business services that, if disrupted, could cause intolerable harm to consumers and markets, and to have:

• Set impact tolerances for the maximum tolerable disruption to their important business services without causing harm to consumers, firms, or markets.
• Uncovered any vulnerabilities in their operational resilience through testing, and be on track to remediate them.
• Conducted lessons-learnt exercises to identify, prioritize, and invest in their ability to respond to and recover from disruptions as effectively as possible.
• Developed internal and external communications plans for when important business services are disrupted.

But while the rules currently apply to financial services, the principle should naturally apply across all sectors. Operational resilience can’t stop at your firewall; it must extend across your supply chain, your infrastructure partners, and your digital ecosystem.

We discussed all these topics, amongst others, at last night’s roundtable event, and everyone agreed that this requires a shift in mindset.

Third-party risk managers and supply chain teams should be partnering with compliance, procurement, and IT to run scenario-based stress tests and to provide evidence of business continuity plans that account for upstream and downstream dependencies. Additionally, we talked about how more companies are also providing targeted compliance training to critical vendors, and ensuring this training is verified, to align trust and values.

Because in the world we now live in, it’s not a matter of if disruption will occur, but when.

Whether it’s a fire in a substation or a line of code gone wrong, the question every organization must answer is: Are we ready?

Ready to upgrade your ethics and compliance program?

We’re excited to give you a personalized demo of the LRN solution. We’ve been a trusted ethics and compliance partner for over 25 years. With over 30 million learners trained each year, we optimize ethics and compliance programs across the globe to help save your team time, increase engagement, and align with regulation.