Vendor Risk — It’s not Just for Cyber Security Anymore

Dan Gardner, ProcessBolt
May 16, 2018

This week we learned that Ford will be suspending production of its highest sales volume vehicle. A fire broke out at a plant that produces cast magnesium parts for the F-150, and just like that, no more F-150 parts means no more F-150 production.

The vendor’s name is Meridian Magnesium. The question that needs to be asked is whether Ford knew that Meridian was a single point of failure that could halt production of its cash cow for weeks.

Thankfully, nobody was seriously injured in the fire at the Meridian plant.

F-150 monthly sales bounce around between 60,000 and 90,000. Let’s just say that’s 75,000 per month on average. That average is close, since Ford sold just shy of 900,000 F-150s last year. Therefore, on average, Ford cranks out about 18,750 of those little cash machines every week. The comparison of those numbers to Tesla will have to wait for another article.

Some reports say that per-unit profit on the F-150 may be as high as $13,000. For the sake of simplicity, let’s just be conservative and assume the per-unit profit is $10,000. That would mean a one month shutdown could cost Ford a $750,000,000 hit to the bottom line, maybe as much as $1,000,000,000. That’s just profit. Now throw in the expenses related to the startup/shutdown of the plants, the cost to furlough the workers, the loss of goodwill from those workers for laying them off for a month, and the general brand reputation damage caused by the headlines.

When talking about third party/vendor management, the top concern is frequently around cyber security. That makes sense since nobody wants their company’s name in the headline as the latest breach victim that turns out to be the result of a vendor’s mistake.

This incident demonstrates a very real side of third party/vendor risk management that addresses business continuity. In other words: how could a disruption at a vendor create a risk for your business? This is nowhere near limited to suppliers of physical parts. What if you are a SaaS company and your payment system went down? What if your slick iPhone app relied on Google Maps data and that became unavailable? What if there was an outage at your cloud provider? Or a DDoS attack on your DNS provider? The list goes on.

Now what if I told you that Meridian has 4 casting plants in North America. In other words, it seems perfectly reasonable to think that this entire incident could have been avoided if Ford had required Meridian to build some redundancy into its supply. In this case that would simply mean the capability to produce F-150 parts at more than one plant.

If Ford had a time machine, would they go back and re-negotiate the deal with Meridian to require redundant production capabilities? If building that commitment into the deal cost more, which I expect it would, how much do you think Ford would be willing to spend in order to ensure that they don’t have to shut down F-150 production for a month? I would guess that since this is going to be a billion dollar problem for Ford, they would have happily spent a good chunk of change to avoid it. Maybe even enough to build another casting factory at least 100 miles from the first like we have to when we build redundant data centers.
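The single-point-of-failure question above can be asked systematically of any supplier map, physical or digital. The following is an added example, not ProcessBolt’s code and not anything Ford runs: it takes a constructed part-to-source map (supplier names and plant names are made up, apart from Meridian Magnesium, which the article names), flags parts that depend on one plant or one supplier, and prices a shutdown using the article’s own figures of 18,750 units per week and $10,000 profit per unit so the exposure can be set against the cost of a redundancy commitment.

```python
"""Flag single points of failure in a supplier map and price the exposure.

Added example (not the article's or ProcessBolt's code). The part/source map
below is constructed sample data; only the Meridian name and the 18,750-per-week
and $10,000-per-unit figures come from the article.
"""

# Each part maps to the (supplier, plant) pairs qualified to produce it.
# Constructed data: "Plant A", "Plant 1", "Plant 2", "Akron", "Dayton" and the
# non-Meridian supplier names are hypothetical.
PART_SOURCES = {
    "magnesium_casting": [("Meridian Magnesium", "Plant A")],
    "engine_block": [("EngineCo", "Plant 1"), ("EngineCo", "Plant 2")],
    "tires": [("TireCo", "Akron"), ("RubberWorks", "Dayton")],
}

UNITS_PER_WEEK = 18_750      # from the article: ~900,000 F-150s per year
PROFIT_PER_UNIT = 10_000     # from the article's conservative assumption


def classify_sources(part_sources):
    """Label each part by the weakest link in its sourcing.

    'single-plant'    : every qualified source is one physical site
    'single-supplier' : several plants, but all owned by one vendor
    'redundant'       : at least two plants across at least two vendors
    """
    labels = {}
    for part, sources in part_sources.items():
        plants = set(sources)
        suppliers = {supplier for supplier, _ in sources}
        if len(plants) < 2:
            labels[part] = "single-plant"
        elif len(suppliers) < 2:
            labels[part] = "single-supplier"
        else:
            labels[part] = "redundant"
    return labels


def single_points_of_failure(part_sources):
    """Parts whose loss of one site halts the product line."""
    return {p for p, label in classify_sources(part_sources).items()
            if label == "single-plant"}


def shutdown_exposure(weeks_down, units_per_week=UNITS_PER_WEEK,
                      profit_per_unit=PROFIT_PER_UNIT):
    """Lost profit for a line stopped for `weeks_down` weeks (profit only;
    restart costs, furloughs and reputation are not included)."""
    return weeks_down * units_per_week * profit_per_unit


def redundancy_pays_off(redundancy_cost, weeks_down, units_per_week=UNITS_PER_WEEK,
                        profit_per_unit=PROFIT_PER_UNIT):
    """True if the one-off cost of a second qualified site is below the
    profit lost in a single outage of the given length."""
    return redundancy_cost < shutdown_exposure(weeks_down, units_per_week,
                                               profit_per_unit)


if __name__ == "__main__":
    for part, label in classify_sources(PART_SOURCES).items():
        print(f"{part:18s} {label}")
    for part in sorted(single_points_of_failure(PART_SOURCES)):
        print(f"SPOF: {part} -> 4-week outage exposure "
              f"${shutdown_exposure(4):,}")
```

The supplier-level label matters as much as the plant-level one: a vendor with several plants but one shared IT estate, one payment processor or one DNS provider can still go dark everywhere at once, which is exactly the non-physical case the article raises.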

At ProcessBolt, our mission is to modernize the way enterprises do third party/vendor risk management so that they never end up with a billion dollar problem like Ford. Let’s start by replacing your Excel spreadsheet based assessments with a SaaS platform that makes the assessment process manageable. Contact us today to see how we can help.
