Business Continuity (BC) and Disaster Recovery (DR) Planning are the processes of developing, testing and maintaining plans to sustain business resiliency as well as normalize operations should a business be disrupted by either a man-made or natural disaster.
Disruptions are always unexpected. Natural disasters like floods, earthquakes and fires are events that can destroy buildings and potentially harm a workforce. And, of course, we’re all familiar with how a global pandemic can disrupt every type of business. The same is true of a cyber attack that affects the supply chain. Whether a disruption forces millions of people to work from home or completely restructures a business model, no organization is immune to the effects.
Make it a priority to validate your third parties’ BC and DR plans. Especially your critical third-party vendors! What should you be doing to ensure your third parties are taking BC/DR seriously and have well-developed, fully tested BCPs in place?
7 BC/DR Elements Your Third-Party Vendor Should Have
Here’s a simple checklist of 7 elements your third-party vendor should be able to provide you if they’re taking BC/DR planning seriously:
- Risk Assessments
- The Business Impact Analysis
- Recovery Strategies
- Business Continuity Plans
- Disaster Recovery Plans
- Pandemic Plans
- Testing & Exercises
What Happens If a Critical Third-Party’s Plan Is Insufficient?
Consider this scenario. You request a business continuity plan from your critical third-party vendor and what they send you is a one-page BC/DR summary. Or, maybe they can’t provide one at all. If this is truly a critical third-party vendor, you have a problem. Just like financial and SOC analyses, documented evidence of BC/DR is a must-have for every critical vendor.
Faulty BCPs could result in the following ripple effect:
- If the critical vendor isn’t prepared for a business-disrupting event, they risk major delays when trying to resume uptime.
- Your critical vendor’s operational delays may interfere with your organization’s operations, causing more downtime than is allowed in your own BC/DR plans.
- Also, your critical vendor may lose, and not be able to recover, some of your data.
- Ultimately, your organization’s reputation may be at risk because of your critical vendor’s weak BCP. Your customers will think that any delays are directly caused by you!
6 Steps to Take to Resolve BC/DR Issues
The following are steps you can take to resolve any BC/DR issues, before they happen, if a critical vendor can’t or won’t produce an adequate business continuity plan:
- Make sure BC/DR are part of your contract. Do this with every critical third-party vendor.
- Remind the vendor of their responsibility. If providing evidence of an adequate BC/DR program is part of your contract, and they still can’t provide it, remind the vendor of their responsibility. Most vendors will honor their contractual obligations.
- Use your lines of defense. Your first line has direct contact with the vendor on a daily basis. Have them ask for resolution of any BC planning problems.
- Request a copy of the vendor’s BC planning policy. If you left BC/DR out of the contract, then request a copy of the vendor’s BC planning policy to suffice in the meantime. You’re seeking a board-approved policy.
- Ask for a copy of the business continuity plan itself. Vendors may be hesitant to share the details. That’s fine if you can see evidence of the seven checklist items mentioned earlier.
- Go to your fourth-party vendor, if needed. The critical third-party vendor may have outsourced the product or service to a vendor (a fourth-party vendor to your organization). If that’s the case, it’s time to take it a step further and ask the fourth party to provide the documentation you need.
A solid BCP is essential. Some vendors may rise to the occasion and implement a comprehensive BCP that aligns with your policy, while others will fall short. If your third-party vendor’s BCP doesn’t meet your standards, you may need to begin the process of finding a vendor that does.
