Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

resources-whitepaper-state-of-third-party-risk-management-2023
State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.

DOWNLOAD NOW

What Happens When a Critical Third-Party Vendor Doesn’t Have a Good Business Continuity Plan?

6 min read
Featured Image

Unexpected business disruptions are a fact of life. At this point, we’re all aware of how global pandemics can negatively impact every type of business. Or how a cyberattack can affect a supply chain. Buildings and infrastructure can suffer severe damage. Employees may face dangerous working conditions or displacement due to natural disasters like floods, earthquakes, and fires. 

The impact of these events can vary, from the suspension of core operations to the need for millions of employees to work from home, or the necessity to completely restructure a business model. And while it’s not possible to control these business-interrupting events, it is possible to plan for them.

Business continuity and disaster recovery planning (BC/DR) involves developing, testing, and maintaining plans to ensure the resilience of a business and establish a protocol for restoring operations in the event of a man-made or natural disaster.

It’s crucial to prioritize business continuity and disaster recovery planning within your organization and set it as an expectation for your vendors. You should also validate your third parties' business continuity and disaster recovery plans and testing results, especially for critical third-party vendors!

What steps can you take to ensure that your vendors are taking Business Continuity and Disaster Recovery seriously, and have robust and thoroughly tested plans in place?

7 BC/DR Elements Your Third-Party Vendor Should Have

Here's a simple checklist of 7 elements your third-party vendor should be able to provide you if they're taking BC/DR planning seriously:
  1. Risk Assessments
    A business continuity risk assessment identifies, analyzes, and evaluates the business's disruption risks, including vulnerability to threats and existing safeguards. 
  2. The Business Impact Analysis
    A business impact analysis is a process that forecasts the potential outcomes of disruptions and collects relevant information for devising recovery strategies.
  3. Recovery Strategies
    Recovery strategies are backup plans to restore operations after a disruption, which are based on established recovery time objectives.
  4. Business Continuity Plans
    A business continuity plan is a document that outlines how an organization will continue to function during and after an emergency or event.
  5. Disaster Recovery Plans
    A third-party disaster recovery plan describes how a business can quickly resume operations after an unplanned event.
  6. Pandemic Plans 
    A pandemic plan is the organization's strategy for providing essential services in the event of an outbreak of an infectious disease.
  7. Testing & Exercises
    Testing ensures that the strategies, plans, and procedures that have been put in place are fully understood by all concerned and are fit for purpose on an ongoing basis. Testing is accomplished by undergoing tabletop or live scenario exercises.

critical third party vendor doesnt have good business continuity plan

What Happens If a Critical Third-Party’s Plan Is Insufficient?

Consider this scenario: You requested a business continuity plan from your critical third-party vendor, and all they've sent you is a one-page BC/DR summary. Or maybe they can't provide one at all. If this is truly a critical third-party vendor, you have a problem. Like financial and SOC reporting, documented evidence of BC/DR is a must-have for every critical vendor.

Faulty BC Plans could result in the following ripple effects:
  • Unless a vendor is prepared for business-disrupting events, they risk major delays in resuming uptime.
  • You may experience more downtime than allowed in your own BC/DR plans due to the operational delays of your critical vendor.
  • Your critical vendor may lose or not be able to recover some of your data.
  • Your organization may experience unplanned costs and lost revenue.
  • You may ultimately have to worry about your organization's reputation if your critical vendor lacks a solid BC plan. Customers will assume your organization is at fault for any delays or interruptions.

Considerations For Resolving BC/DR Issues

If a critical vendor isn’t capable or willing to produce an adequate business continuity plan, there are steps you can take to address the situation.

If the vendor is unwilling to share a BC/DR plan, make sure you understand why. BC/DR plans often contain sensitive information such as backup data sites or employees' personal contact information. Additionally, your vendor may not want to share information regarding any system, operational, or physical vulnerabilities that could potentially be exploited during an unexpected event. 

If the vendor has these concerns, consider asking for a highly redacted version of their BC/DR documents. That approach may allow you to see the structure and necessary elements of the plan without revealing confidential vendor details.

What if the vendor is still unwilling to share

Fortunately, it’s not the end of the road. Here are three other routes you could take with your vendor:

  1. Request a copy of the vendor's business continuity and disaster recovery policy
  2. Ask the vendor to provide a written attestation that their BC/DR plans meet your organization's documented expectations and requirements. 
  3. Increase the frequency of periodic risk assessments and monitoring and enhance your ongoing monitoring by adding vendor risk monitoring and alert services.

Don’t forget the vendor contract 

Make sure that BC/DR is included in the contract. It’s a best practice to ensure that the vendor is legally obligated to meet your documented business continuity and disaster recovery expectations and requirements. 

At a minimum, the contract should include:  

  • The vendor's agreement to ensure that it has adequate business continuity measures in place to avoid disruption and mitigate risk in the event of an unforeseen incident
  • A requirement for the vendor to immediately notify your organization of any interruption to its business or unavailability of any site
  • The definition of business interruptions and failures 
  • Documented required recovery time objectives (RTOs) 
  • A description of the vendor's responsibility for back-up and record protection
  • A requirement for the vendor to test plans regularly and provide results to your organization

What if my vendor's third-party vendor's business continuity and disaster recovery plans have gaps or deficiencies? 

In that case, your organization must determine if the risks presented by the situation are within your risk tolerance. After all, critical vendors, by definition, will seriously impact your organization or its customers should they fail. And critical vendors with poor BC/DR plans can turn a bad situation into a worst-case scenario. 

There may be circumstances in which it’s not wise to pursue or continue doing business with that critical vendor. However, there may be times when the gaps and weaknesses in the critical vendor's BC/DR plan are not "deal-breakers" and may be successfully remediated over time with enough effort. 

If remediation is the goal, then be sure to do these 9 steps:

  1. Ensure that the gaps and deficiencies are clearly documented.
  2. Request remediation actions and timeframes from the vendor to improve or implement plans.
  3. Document all agreed-upon remediations and timeframes.
  4. Amend or add language to the contract (whenever possible) detailing the remediation and timeline.
  5. Get regular updates from the vendor on the remediation process.
  6. Hold the vendor accountable and track all issues until they are successfully remediated.
  7. Require evidence of testing and results of remediated BC/DR plans 
  8. Seek a formal risk acceptance from your senior management or the board to ensure appropriate transparency and approval for an exception to the required BC/DR standards until the issue can be remediated.
  9. Increase the occurrence of your periodic risk assessments and monitoring practices. Also consider enhancing your ongoing monitoring by using vendor risk monitoring and alert services.

Third-party business continuity and disaster recovery plans are essential for your organization and its critical vendors. Poorly developed or missing vendor BC/DR plans should not be taken lightly, especially regarding your critical vendors. If your current vendor is unable to meet your business continuity and disaster recovery needs, it may be time to shop around for a new one.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo