Let’s start with chickens. For my 56 chickens, I need 6 bags of feed every 2 weeks. But if they’re locked in quarantine and can’t forage - or if it’s snowing - that suddenly turns into 7 bags per week. Yes, a huge difference*
(*Disclaimer: And to understand that, farmers must collect real data from their own fields, their own chicken breeds, and their own conditions. I have heritage, oriental, exotic foraging breeds, and only a few industrial ones - so my numbers would look completely different from another farm’s)
So, the point is - that’s why the feed supplier is an essential supplier for me.
And like any business, I start with risk assessment. Not for the supplier, but for my own process and my main product. Disclaimer: my main product isn’t eggs - it’s chicken health. Read my other articles to know why.
risk assessment - the chicken edition
Main risks:
- Feed stored in wrong conditions → gets moldy → poisons chickens.
- Impact: 10
- Likelihood: 5
- RPM: 50
- Feed quality issues → chickens don’t like it, throw it on the ground → turns into expensive bedding.
- Impact: 3
- Likelihood: 6
- RPM: 18
- Feed not balanced → wrong ratio of fats, carbs, fiber, or protein (poor amino acid profile).
- Impact: 5 (long-term)
- Likelihood: 6
- RPM: 42
So we clearly see that the most urgent and highly impactful risk is that had RPM 50 but if we can also solve other 2 that would be the most effective solution.
mitigation strategy - don’t rely on one source
Chickens are highly opportunistic eaters and smart omnivores. Their food-recognition instincts are strong - if they have a choice.So the main risk mitigation strategy is simple: variety of food. I mix 3–4 different feeds, so they can choose what they need.
Then I observe. Which feed ends up on the floor? Which one disappears first? That’s my data. Chickens, if you organize the process properly, are excellent quality testers - and their results are instant. In data collection for the animal feed the CCTV cameras are the most important tools, animals do not behave naturally in our presence. Unless those are house cats who never care 😂
lessons from 25+ years of auditing
In more than 25 years of auditing, I’ve learned one thing: no matter how reliable or reputable the brand, every production process has flaws. Every strong quality always will have a faulty bad batch.
Even the best feed supplier can have storage or transport issues - or miss a faulty ingredient batch. And since animals can’t file complaints, moldy feed can go unnoticed until it’s too late. If chickens have only that feed and no alternatives, it can be lethal.
So, even though I can’t exactly audit my feed suppliers (can I? Pleeease…), I manage risk on my side by having multiple suppliers and sources for critical items. That’s one of the best and most realistic strategies for small farms and for large enterprises.
now - let’s apply it to ISO and information security
The same logic works for ISO systems - whether you focus on quality, security, business continuity, or environmental standards, supplier management is at the heart of your success.
Good practices:
Have multiple tiers of suppliers.Evaluate critical suppliers and review them annually.
Understand their challenges and where they struggle - don’t push them to “save money” at the cost of stability.Never rely on a self-assessment questionnaire alone - it’s the worst possible method for supplier evaluation and never works in B2B.
Now imagine you’re running a SaaS company or have built a great app. Everything you own is stored in a single cloud - AWS or Azure - with no backup or Plan B. Yes, AWS or Azure are reliable. But keeping all your data in one basket isn’t smart and not a risk based approach.
You also need to check if your vendors rely on the same cloud provider. Because if AWS or Azure goes down - or there’s a disruption - your entire supply chain collapses.
That’s the ISO lesson from my chicken coop: Supplier diversification isn’t a luxury. It’s risk mitigation. Whether you’re feeding hens or hosting data, the principle is the same - never rely on one source and never assume “it won’t happen.”
This post also can be a very light intro to ISO 28000 family and ISO 27036: both crucial for AI security
