
4 Big Things to Watch Out for in Your Vendor's Business Continuity Plan


Business continuity planning (BCP) is the process a company puts in place to ensure that its key operations and products/services continue to be delivered at an accepted level of availability. That level is typically predetermined in a service level agreement (SLA) as part of your organization’s contract with the vendor.

Your organization should be reviewing the vendor’s BCP during vendor vetting, but also annually as part of your ongoing monitoring after you’ve selected and contracted with them, to determine if there are any concerning changes. What would be considered a concern?  

Things to Watch Out for in Your Vendor’s Business Continuity Plan 

Here are 4 things to watch out for in a vendor’s BCP: 

  1. BCPs that only contain IT disaster recovery information. Some vendors do not differentiate between business continuity (e.g., people, processes and facilities) and IT disaster recovery (e.g., information systems, data and networks). 

  2. BCPs that haven’t been updated or tested within the last 12 months, or within the time range defined by the vendor in their plans. BCPs that aren’t updated to reflect changes in the company won’t be of use when disaster strikes. 

  3. BCPs that don’t address products/services that are applicable to your relationship with the vendor. Ensure that if your vendor has multiple BCPs, the plans you review are applicable to the products/services you’ve contracted for. This can sometimes be difficult when a vendor has a multitude of product lines. 

  4. Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) aren’t defined or aren’t in line with your recovery needs. If RTOs and RPOs are outside of your needed timeframe to provide products/services to your customers, then additional measures may be needed. Understanding what level of service you should expect after a business impacting event at your vendor will ensure you’re prepared to handle any dip in service, availability or functionality. 

Note: It’s important to understand that an RTO is the time to recover to an “established level of service” and may not be a total recovery to full operation. 

Keep in mind, any of the following are also cause for concern: 

  • Applicable RTOs weren’t met or adjusted. 
  • Applicable RPOs weren’t met or adjusted. 
  • There are no remediation plans established for issues identified. 
  • Plans haven’t been tested, meaning they can’t be trusted in times of distress. 
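As an added example (not from Venminder's article), a small Python checker that turns the four items above and the follow-on concerns into repeatable findings for one vendor. The data model, its field names, the sample vendor and the rule that the stricter of 12 months and the vendor's own stated cycle applies are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class BcpSummary:  # constructed data model: what a reviewer noted from the vendor's plan
    vendor: str
    covers_business_continuity: bool  # people/processes/facilities, not only IT DR
    covered_services: frozenset       # products/services the plan addresses
    last_updated: date
    last_tested: date
    review_cycle_days: int = 365      # update/test cycle the vendor commits to in the plan
    rto_hours: Optional[float] = None  # None: the plan does not define it
    rpo_hours: Optional[float] = None
    rto_achieved_hours: Optional[float] = None  # measured in the last test, if reported
    unremediated_issues: int = 0      # test findings with no remediation plan

def review_bcp(plan, contracted_services, required_rto_hours, required_rpo_hours, today):
    findings = []
    if not plan.covers_business_continuity:
        findings.append("plan covers IT disaster recovery only")
    # Assumption: the stricter of 12 months and the vendor's own stated cycle applies.
    max_age = timedelta(days=min(365, plan.review_cycle_days))
    if today - plan.last_updated > max_age:
        findings.append(f"not updated for {(today - plan.last_updated).days} days")
    if today - plan.last_tested > max_age:
        findings.append(f"not tested for {(today - plan.last_tested).days} days")
    missing = sorted(set(contracted_services) - set(plan.covered_services))
    if missing:
        findings.append("contracted services not covered: " + ", ".join(missing))
    for name, stated, required in (("RTO", plan.rto_hours, required_rto_hours),
                                   ("RPO", plan.rpo_hours, required_rpo_hours)):
        if stated is None:
            findings.append(f"{name} not defined")
        elif stated > required:
            findings.append(f"{name} of {stated}h exceeds our need of {required}h")
    if (plan.rto_achieved_hours is not None and plan.rto_hours is not None
            and plan.rto_achieved_hours > plan.rto_hours):
        findings.append("last test missed the stated RTO and the RTO was not adjusted")
    if plan.unremediated_issues:
        findings.append(f"{plan.unremediated_issues} test issue(s) without a remediation plan")
    return findings

# Constructed sample: a critical card-processing vendor reviewed on 2021-03-01.
SAMPLE_PLAN = BcpSummary("ExampleCorp (constructed)", True, frozenset({"card processing"}),
                         date(2020, 1, 15), date(2020, 11, 30), review_cycle_days=180,
                         rto_hours=24.0, rpo_hours=None, rto_achieved_hours=30.0, unremediated_issues=2)
SAMPLE_FINDINGS = review_bcp(SAMPLE_PLAN, {"card processing", "settlement reporting"},
                             required_rto_hours=8.0, required_rpo_hours=1.0, today=date(2021, 3, 1))
```

The sample vendor's plan was tested 91 days ago, inside its 180-day cycle, so that check passes while the stale update, the missing service, the RTO/RPO gaps, the missed test target and the open issues are all reported.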

2 Best Practices to Help You with These Issues 

Now that we have some background on the issues to be on the lookout for, let’s dive a little deeper into best practices to assist you in locating these issues. First of all, I must be frank: there’s unfortunately no universal format for writing a BCP. Every vendor’s plan will be slightly different. However, keep the following in mind: 

  • Prior to beginning your review of a vendor’s BCPs, it’s important to fully understand the vendor’s role in assisting with the services your organization provides. Understanding this will give you further insight into how much scrutiny you should give to the vendor’s BCP. The more critical the vendor is to operations, the more scrutiny.  
  • Not all plans are created equally, and not all plans are easy to understand. For that reason, an expert should be reviewing the plan. The expert can be someone internal who is a Certified Information Systems Security Professional (CISSP), for example, or you can outsource to an external expert if needed.  

It Can Be Complex, But Fully Understood Plans Help Avoid Risk 

Reviews won’t always go smoothly, but well-tested plans can help make the bumps in the road of business a lot easier to handle. Verifying that your critical vendors align with your organization’s strategic and operational goals will guarantee you won’t hit an unforeseen hole in your road to recovery. 
