Business continuity planning allows businesses to ensure that their key operations, products and services continue to be delivered, either in full or at a predetermined level of availability. That level is often spelled out in a Service Level Agreement (SLA) that forms part of your vendor contract.
There's no doubt you have your own Business Continuity Plan (BCP). However, since you are likely joined at the hip with more than a few vendors, their preparedness should meet or exceed your own plan. To understand a critical vendor's BCP, you have to know what to look for and which key points should always be included. This information helps provide assurance that your vendor is prepared for a disruption.
13 Items to Look for In Your Critical Vendor's BCP
When assessing your critical vendor's business continuity plan, you want to make sure it includes the following items and administrative controls:
- Personnel loss and planning
- Relocation plans
- Remote access availability
- Facility loss contingencies
- Pandemic contingencies
- Breach/Disruption notification procedures
- Testing procedures
  - Testing should be done at least annually
  - Test results that show room for improvement should be reviewed and addressed during plan updates
- Copies of the plan are held offsite in secure locations and are readily available
- The plan is reviewed, tested and updated regularly (at least annually, and after changes to systems or personnel that affect the plan)
- The plan has senior management or board approval and involvement
- Sub-service vendor communication plans if critical functions are outsourced
- SLAs and contractual obligations for outsourced systems
- Geographically diverse failover or backup locations that are:
  - Within a reasonable distance of each other, so that data can be replicated in a timely manner
  - Far enough apart that natural disasters common to the area cannot affect both locations
  - Far enough apart that a man-made disaster cannot affect both locations
Business continuity plans should include information on your vendor's Business Impact Analysis (BIA). Ask yourself:
- Is a BIA performed?
- How often is it reviewed and updated?
The Business Impact Analysis Should Include These 3 Items
- Recovery Time Objectives (RTO) – The targeted duration within which a business process must be restored after a disruption in order to avoid the unacceptable consequences of a break in business continuity.
- Recovery Point Objectives (RPO) – The maximum age of the files that must be recovered from backup storage for normal operations to resume if a computer, system or network goes down as a result of a disruption; in other words, how much data you can expect to lose in a worst-case scenario.
- Maximum Tolerable Downtime (MTD) – The maximum period of time that a given business process can be inoperative before the organization's survival is at risk.
You should ensure that your vendor's BIA figures meet or exceed your own needs for RTO, RPO and MTD.
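As an added worked example (not part of the original article), the following Python compares a vendor's reported RTO, RPO and MTD against your own figures and produces the list of gaps an analyst would carry into the written findings. The data structures, sample durations and vendor names are constructed assumptions; the one rule it adds beyond the article's wording is the sanity check that a vendor's RTO cannot be longer than the vendor's own MTD, since such a plan cannot be met.

```python
"""Added example: compare a vendor's BIA figures with your requirements and list the gaps.
All sample values below are constructed for illustration and are not from any real vendor."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import timedelta


def hours(n: float) -> timedelta:
    """Shorthand for building the sample figures below."""
    return timedelta(hours=n)


@dataclass(frozen=True)
class BiaTargets:
    """The three BIA figures, all expressed as durations (lower is better for all three)."""
    rto: timedelta  # target time within which the process must be restored
    rpo: timedelta  # maximum age of the data restored from backup, i.e. worst-case data loss
    mtd: timedelta  # longest outage before the organisation's survival is at risk


def assess_bia(vendor: BiaTargets, required: BiaTargets) -> list[str]:
    """Compare a vendor's BIA figures with your own requirements.

    Returns a list of gap findings; an empty list means the vendor meets or
    exceeds your needs for RTO, RPO and MTD.
    """
    findings: list[str] = []

    # Internal consistency: a vendor whose RTO is longer than its own MTD has
    # written a plan it cannot meet, regardless of your requirements.
    if vendor.rto > vendor.mtd:
        findings.append(
            f"Vendor RTO ({vendor.rto}) exceeds the vendor's own MTD ({vendor.mtd}); "
            "the plan is internally inconsistent"
        )

    # Each vendor figure must be no longer than yours.
    for metric in ("rto", "rpo", "mtd"):
        have, need = getattr(vendor, metric), getattr(required, metric)
        if have > need:
            findings.append(
                f"{metric.upper()}: vendor figure {have} is longer than your requirement {need}"
            )

    # The vendor's restore time must also fit inside the downtime *you* can tolerate,
    # even where your own RTO and MTD differ.
    if vendor.rto > required.mtd:
        findings.append(
            f"Vendor RTO ({vendor.rto}) exceeds your MTD ({required.mtd}); "
            "a disruption at the vendor would outlast what your organisation can survive"
        )
    return findings


# Constructed sample figures (assumptions for illustration).
SAMPLE_REQUIRED = BiaTargets(rto=hours(4), rpo=hours(1), mtd=hours(24))
SAMPLE_VENDOR = BiaTargets(rto=hours(8), rpo=hours(1), mtd=hours(48))
INCONSISTENT_VENDOR = BiaTargets(rto=hours(72), rpo=hours(1), mtd=hours(48))


def gap_report(vendors: dict[str, BiaTargets], required: BiaTargets) -> dict[str, list[str]]:
    """Build the per-vendor gap list that feeds the written analysis of findings."""
    return {name: assess_bia(targets, required) for name, targets in vendors.items()}


if __name__ == "__main__":
    report = gap_report(
        {"vendor-a": SAMPLE_VENDOR, "vendor-b": INCONSISTENT_VENDOR}, SAMPLE_REQUIRED
    )
    for name, findings in report.items():
        print(f"{name}: {'no gaps' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Running the block prints the gap list for both constructed vendors; feed real figures from the vendor's BIA into `BiaTargets` and the output becomes the skeleton of the gap section of your written findings.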
Regular reviews, along with plan exercises, provide assurance that the vendor is prepared and able to respond to whatever situation arises, and they allow the corresponding plans to be improved so that the impact of an event is minimized.
Once you've reviewed the plan, it's important to have a qualified expert write up an analysis documenting any gaps and the overall findings. A qualified expert will usually hold certifications such as Certified Information Systems Security Professional (CISSP). Once the analysis is written up and signed off, reach out to the vendor to discuss the findings and the next steps to mitigate any risk.
There are a few other key vendor risk management concepts that must be understood, documented and, most importantly, put into practice to have an effective third-party risk management program. We call these the pillars of third-party risk management.