July 1st, 2014
Reliance on third-party vendors that provide or support your business continues to grow. These external providers may improve efficiency, accelerate growth and enable operational transformation, but are they just providing a service, or are they reliable partners?
Many regulations and contracts document the need for vendor resilience: you must ensure that the vendor can continue to deliver the business function when problems affect its operations, including degradations or interruptions caused by natural disasters, human error or intentional attacks. They may also stipulate the vendor's responsibility for backing up and otherwise protecting programs, data and equipment, and for maintaining current and sound business resumption and contingency plans.
You know what? When an incident happens your customers don’t care if the problem was caused by you or your vendor!
You are in a relationship with your vendor so that it can provide a service. Treat your vendor like one of your own business units: apply the same evaluation processes you use when reviewing your own recovery plans. Following Business Continuity Management best practices, here is my list of how each practice area applies to vendors:
- Risk Evaluation and Control
  - Many regulations expect your company to have risk management processes commensurate with the level of risk and complexity of its third-party relationships.
  - Who is responsible for vendor assessments in your organization? Work with every other department that has a connection to the vendor, such as Risk Management, Vendor Management, Legal, Compliance, IT and the Business Process Owner.
- Business Impact Analysis (BIA)
  - Perform a BIA on the vendor, using the same impact criteria you use for your own processes. A vendor's disaster will affect your brand image and your financials too. What is the resulting criticality level? Vendors that support critical activities need more comprehensive and rigorous oversight and management. What Recovery Time Objective (RTO) does your analysis produce? Does it match the Service Level Agreement (SLA) in your vendor contract? If the SLA allows a longer outage than your RTO, you have a gap to close.
- Business Continuity Strategies
  - Assess the third party's ability to respond to service disruptions or degradations resulting from natural disasters, human error, or intentional physical or cyber attacks. Determine whether the third party maintains disaster recovery and business continuity plans that specify the time frame to resume activities and recover data. Review the third party's telecommunications redundancy and resilience plans and its preparations for known and emerging threats and vulnerabilities.
  - If you were creating these strategies, is this what you would do?
- Emergency Response and Operations
  - Ensure that the vendor provides you with the operating procedures it will follow when its business resumption and disaster recovery plans are invoked. These should include specific time frames for business resumption and recovery that meet your requirements and, where applicable, regulatory requirements.
- Maintaining and Exercising Business Continuity Plans
  - How do you know if a plan is any good? You test it! Will your vendor share its test results with you? Better yet, will it let you test with them?
  - Review the results of business continuity testing and the vendor's performance during actual disruptions.
  - Stipulate whether and how often you and the third party will jointly exercise business resumption and disaster recovery plans.
  - Have a process to keep up with changes on your side or the vendor's that may affect your recovery strategies.
- Public Relations and Crisis Communications
  - Review the third party's incident reporting and management programs to ensure there are clearly documented processes and accountability for identifying, reporting, investigating and escalating incidents. Ensure that the third party's escalation and notification processes meet your expectations and regulatory requirements.
Subcontracting: What! They have a relationship with someone else?
Many vendors also outsource work to other parties, and your review process needs to cover them. Ask your vendor for reporting on each subcontractor's conformance with performance measures, periodic audit results, compliance with laws and regulations, and other contractual obligations. What is the third party's liability for the activities or actions of its subcontractors, and which party bears the costs and resources required for any additional monitoring and management of the subcontractors?
Ensuring vendor resilience with these ideas in mind will help you have a beautiful (more than just friends) relationship.
If you have any thoughts you’d like to share with the group, please comment below. If you found the post useful, please bookmark or share so others can benefit as well.