Clause 8.4 Control of Externally Provided

An organisation has to determine, first and foremost, whether it needs to rely on externally provided products and services. It then needs to identify all of those externally provided products and services, what risk they bring to the business, and what controls it has in place for them.





Some examples


Products and services are provided by an external provider for incorporation into the organisation's own products and services.


This could be that you're buying raw material.

Your need for control here may be slightly less in terms of the impact it could have on the business. Yes, delays could have a significant impact, but you've got quite a significant amount of control over when that product or service comes in and how you use it as part of your own products or services. The level of control you require will be specific to that.

Products and services that are provided directly to your customers on behalf of you.

This may be as part of a service you provide; you subcontract that service as a whole and it's provided directly to your client.

Here the degrees of separation have increased, and therefore your level of control might have to be enhanced so that you have confidence that, when they are providing goods directly to your customer on your behalf, it is going to be successful.

How do we go about controlling these external products and services?

Consider doing a risk analysis on your externally provided products and services: what impact can they have on your business in terms of risk?

If it’s a raw material, the risks may be very much associated with availability and with meeting the correct specification or standard, and that might be it. Your controls will be very much around how you control the arrival of that material ready for your production planning.

Or it could be that these externally provided services bring about additional health and safety risks. You could be bringing organisations that you subcontract on to your site to do, for example, confined space activities, heavy lifting activities, or other activities that bring about additional risk.

Now if you're simply permitting that area to them, and they are taking controls, and you've demonstrated that they have the controls in place, then your degree of separation is a little bit more.

But if they are working on your site that you are in control of, then you have to take a much greater level of responsibility in terms of what controls are in place, how you verify those controls and how you regularly manage them.

Let's think about the potential impact of these externally provided processes, products and services on your organisation: what impact they can have on you, your workforce, your customers, visitors and other people within your facility.

You also have to communicate your requirements to your external providers. If you have specific requirements within your management systems, tell them how you will release the products and services that they give to you, how you will control them, how you will verify them in terms of health and safety and other risks, and what interactions there will be.

Let's take emergency response. If you're bringing an organisation to a site that's your responsibility, will they fall into your emergency response requirements?

Or what about if they're coming to work alongside you, and you're not on site at that time, what emergency response requirements shall take precedence?

It's important to consider that there may need to be some sort of bridging or interface arrangement that sets out who takes control or who takes precedence.

Another thing you have to think about, if it's associated with a service, is the competence of the people that are coming to the site.


Can you put all the reliance on your suppliers to demonstrate competence?


Or is it possible you may have to be there to verify that competence, in particular with a new company that you have started working with?


You may go on site and do some of your internal auditing on site, on your suppliers, and you may want to think about what controls and monitoring you might do.


· Would you have regular communication with them?

· Would you have meetings or conference calls with them?

· What type of reporting would you expect from them so that you can monitor and measure them?

· What about when they have issues and are communicating them to you?

In what way are you communicating back and forth?

What impact does that have on your business?

Likewise, if you raise a non-conformance or an issue with them, consider what you expect of them and how you expect them to control it and put improvements in place. Part of your internal audit may be that you do a verification on the corrective actions that they put in place.


Many organisations can put corrective actions in place, believing that they are long term actions, when in fact they are short term containment, and people do not necessarily follow through to ensure they're preventative.

How to identify which suppliers have a significant negative or positive impact on your business.


· What is the impact on risk of these companies?

· To what degree - is it health and safety, environmental, quality, business?

· What is the impact on cost?

If things go wrong, could it have an impact on costs?

And how will that happen?

· Could it be that the impact could result in poor quality?

· Could it result in late deliveries?

· Could it result in penalties on your contract?

· What about operational performance?

If the products they provide you are not to the standard you expect, what impact would that have on your performance?

· What about the services they provide?

If the services they provide, that you then have to go in on the back of, are not to the standard you expect, what impact could that have?

Could it be that you have to recall them back to the site to do the work again?

It's good to think about the impact on your business as a whole from the use of externally provided products and services, and what method you use to ensure that the correct attention is given in these areas to protect your business.

Some companies use a tiering system or a category of supplier. It could be low risk, medium risk, high risk, or it could be tier 1, 2, 3.

What we generally mean there is, you want to put your focus of management and control in the areas that can bring about the greatest risk to your business. Remember, when we talk about risk, it can mean anything associated to health and safety, environment, quality, or business.

Identify what those risks are and why they’re important to you.

What would be the greatest method of control that you would use?

Is it sufficient to do it as a desktop exercise to control and verify, maybe seeing test reports or verification?

Could it be that you have to go further and visit their site and see what's going on, or visit another location and audit them before they come to your site?

What you’ve got to think about is contingency planning. What if things go wrong that are outside of your control?

If you are requiring a subcontractor to deliver a service on your behalf, what if things go wrong? You're not on the site. You're not there to control it, so how do you put in place the correct contingency measures so that you think you've got enough control with that subcontracted service?

What about the evaluation of bringing someone new on?


Do you rely on a questionnaire? Do you rely on their certificates that they have?


Bear in mind that sometimes a certificate can just be evidence of some documented information that they have in place. It depends on the certification company, and it depends upon who the auditor was.



Would you want to see more than that?


Would you want to see their internal audit process? Would you want to see examples of their risk management procedures?


How about their process control or their QC procedures, and test results?


There's no right or wrong thing in what to do in terms of externally provided products and services. It's got to be designed around the rest of your business, and it's got to be followed through. You've got to be able to show evidence that, if this is the way you're setting out your control of your externally provided products and services, that you've followed through with that.


If you've identified higher risk suppliers, then what are you doing to demonstrate the control you have over them?
