
4 Big Things to Watch Out for in Your Vendor's Business Continuity Plan

8 min read

A vendor business continuity plan (BCP) is a vital component of an organization's business strategy. A BCP helps ensure that your vendors will continue to provide products and services to your organization at an agreed level of availability during a business-disrupting event. That level is usually predetermined in your vendor contract through a detailed service level agreement (SLA), which is why the BCP and the SLA need to be read together.

Your vendor's business continuity plan should first be reviewed during the vetting and selection stage of the relationship, and then at least annually as part of your ongoing monitoring. It's important to keep monitoring a vendor after you've selected and contracted with them so that you learn of concerning changes (a lapsed test cycle, a dropped product line, a relaxed recovery objective) before they affect you. So, what exactly should concern you when you review a vendor business continuity plan?

Things to Watch Out for in Your Vendor’s Business Continuity Plan 

Here are 4 things to watch out for in a vendor’s BCP: 

  1. BCPs that are limited to IT disaster recovery information. Some vendors do not differentiate between business continuity (e.g., people, processes and facilities) and IT disaster recovery (e.g., information systems, data and networks). A plan that only describes restoring servers says nothing about how the vendor keeps staffed operations, call centers or physical sites running.
  2. BCPs that haven't been updated or tested within the last 12 months, or within the time range the vendor defines in its own plan, whichever is shorter. Regular testing of your vendor's BCP is the only evidence that it will operate as expected when a disaster strikes. The plan should also be updated to reflect any changes within the organization, such as new systems, new locations or new key personnel.
  3. BCPs that don't address the products/services your organization actually uses. Your vendor may maintain multiple BCPs for different product lines, so it's important that the plans you review are written specifically for the products/services delivered to your organization.
  4. Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) that aren't defined or don't align with your recovery needs. The RTO is the target time to restore service after a disruption; the RPO is the maximum window of data the vendor accepts losing. If either is longer than what your own commitments to your customers allow, additional measures may be needed, such as a contractual change, a secondary vendor or an in-house workaround. Understanding what level of service you should expect after a business-impacting event at your vendor ensures you're prepared to handle any dip in service, availability or functionality.

Note: It's important to understand that an RTO is the target time to reach an "established level of service," which doesn't necessarily mean a recovery to full operations. Confirm what level of service the vendor's RTO actually refers to before comparing it with your needs.

Keep in mind, any of the following are also cause for concern: 

  • Applicable RTOs weren't met during testing and have not been adjusted since.
  • Applicable RPOs weren't met during testing and have not been adjusted since.
  • No remediation plans have been established for issues identified during testing.
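The four watch-outs and the three follow-on concerns above can be turned into a repeatable check that you run on every BCP review. The following Python is an added example written for this page; it is not Venminder's code and the data model, field names and the two sample vendor records are constructed for illustration. It captures what a reviewer would extract from a vendor's plan and latest test report, compares it with your own recovery needs, and returns a list of coded findings.

```python
"""Checklist-driven review of a vendor business continuity plan (BCP).

Added example for illustration; not Venminder's code and not an excerpt from
any real vendor's plan. The data model and sample records are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class VendorBCP:
    """Facts you would extract from a vendor's BCP and its latest test report."""
    vendor: str
    covers_people_process_facilities: bool  # False = IT disaster recovery only
    products_covered: frozenset             # product/service lines the plan addresses
    last_updated: Optional[date]
    last_tested: Optional[date]
    review_cycle_days: int = 365            # vendor's stated cadence; 12 months if unstated
    rto_hours: Optional[float] = None       # None = not defined in the plan
    rpo_hours: Optional[float] = None
    rto_met_in_test: Optional[bool] = None  # None = test report is silent on it
    rpo_met_in_test: Optional[bool] = None
    test_issues: int = 0                    # issues identified during the last test
    remediation_plans: int = 0              # of those, how many have a remediation plan


@dataclass
class YourRequirements:
    products_used: frozenset
    max_rto_hours: float  # longest outage your own SLAs to customers can absorb
    max_rpo_hours: float  # most data loss your processes can absorb


def review_bcp(plan: VendorBCP, req: YourRequirements, today: date) -> list:
    """Return (code, message) findings; an empty list means no concerns."""
    findings = []
    # Vendor's own cadence applies if shorter than 12 months, never if longer.
    cycle = timedelta(days=min(plan.review_cycle_days, 365))

    # 1. DR-only plans miss people, processes and facilities.
    if not plan.covers_people_process_facilities:
        findings.append(("DR_ONLY", "plan covers IT disaster recovery only"))

    # 2. Stale or untested plans.
    for label, when in (("UPDATED", plan.last_updated), ("TESTED", plan.last_tested)):
        if when is None:
            findings.append((f"NEVER_{label}", f"no {label.lower()} date on record"))
        elif today - when > cycle:
            findings.append((f"STALE_{label}",
                             f"last {label.lower()} {when}, older than {cycle.days} days"))

    # 3. The plan must address the products/services you actually consume.
    missing = req.products_used - plan.products_covered
    if missing:
        findings.append(("PRODUCT_GAP", "plan does not cover: " + ", ".join(sorted(missing))))

    # 4. RTO/RPO must be defined and within what your own recovery needs allow.
    for label, value, limit in (("RTO", plan.rto_hours, req.max_rto_hours),
                                ("RPO", plan.rpo_hours, req.max_rpo_hours)):
        if value is None:
            findings.append((f"{label}_UNDEFINED", f"{label} not defined in plan"))
        elif value > limit:
            findings.append((f"{label}_EXCEEDS", f"{label} {value}h exceeds your {limit}h need"))

    # Follow-on concerns: objectives missed in testing, issues without remediation.
    if plan.rto_met_in_test is False:
        findings.append(("RTO_MISSED", "RTO not met in the last test"))
    if plan.rpo_met_in_test is False:
        findings.append(("RPO_MISSED", "RPO not met in the last test"))
    if plan.test_issues > plan.remediation_plans:
        gap = plan.test_issues - plan.remediation_plans
        findings.append(("NO_REMEDIATION", f"{gap} test issue(s) lack a remediation plan"))

    return findings


# Constructed sample data (fictitious vendors and product names).
REQ = YourRequirements(products_used=frozenset({"core-banking-api", "statement-printing"}),
                       max_rto_hours=8, max_rpo_hours=1)
TODAY = date(2024, 3, 1)

GOOD_PLAN = VendorBCP(vendor="Acme Processing", covers_people_process_facilities=True,
                      products_covered=frozenset({"core-banking-api", "statement-printing"}),
                      last_updated=date(2023, 11, 15), last_tested=date(2023, 10, 2),
                      rto_hours=4, rpo_hours=0.5, rto_met_in_test=True, rpo_met_in_test=True,
                      test_issues=2, remediation_plans=2)

WEAK_PLAN = VendorBCP(vendor="Beta Print Co", covers_people_process_facilities=False,
                      products_covered=frozenset({"core-banking-api"}),
                      last_updated=date(2022, 6, 1), last_tested=None,
                      rto_hours=24, rpo_hours=None, test_issues=3, remediation_plans=1)

if __name__ == "__main__":
    for plan in (GOOD_PLAN, WEAK_PLAN):
        print(plan.vendor)
        for code, msg in review_bcp(plan, REQ, TODAY) or [("OK", "no concerns")]:
            print(f"  {code}: {msg}")
```

Running it reports no concerns for the first sample and seven findings for the second (DR-only scope, stale update, never tested, a missing product line, an RTO of 24 hours against an 8-hour need, no RPO, and unremediated test issues). The point of coding the checklist is consistency: every reviewer applies the same thresholds, and a finding code can be tracked to closure in your vendor issue log.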

2 Best Practices to Help You with These Issues 

Now that you understand a few areas to watch out for, let’s review a few best practices to help protect against them. Unfortunately, there’s no universal template to use when writing a vendor business continuity plan. Every vendor’s plan will be different, but it’s helpful to take the following steps:

  • Understand your vendor's role: Prior to beginning your review of a vendor’s BCP, it’s important to fully understand the vendor’s role in assisting with the services your organization provides. Understanding this will give you further insight into how much scrutiny you should give to the vendor’s BCP. The more critical the vendor is to operations, the more scrutiny.  
  • Enlist the help of a subject matter expert (SME): Not all plans are created equally, and not all plans are easy to understand. For that reason, an expert should be reviewing the plan. The expert can be someone internal, such as a Certified Business Continuity Professional (CBCP) or Certified Information Systems Security Professional (CISSP), or you can outsource to an external expert if needed.

It Can Be Complex, But Fully Understood Plans Help Avoid Risk 

Reviews won't always go smoothly, but well-tested plans make the bumps in the road of business much easier to handle. Verifying that your critical vendors' recovery capabilities align with your organization's strategic and operational goals greatly reduces the chance of an unforeseen problem on your own road to recovery.
