If 2020 proved anything, it was that, like it or not, business impacting events can – and will – happen. No organization is immune. The pandemic we’re experiencing today is a worst-case scenario, but these events can also be unexpected natural or man-made disasters such as a hurricane, power outage, flood or fire.
It’s critical to understand the importance of business continuity and disaster recovery planning and to verify your vendor is implementing strong business continuity and disaster recovery practices that align with your own plans.
Why Is Reviewing Your Vendor’s Disaster Recovery Plan Important?
First and foremost, before digging into the bones of a disaster recovery plan, let’s understand why reviewing a vendor’s business continuity and disaster recovery plan is so important. What can go awry if you don’t? Remember: no organization is immune to the widespread business effects of a disaster.
Typically, disaster recovery plans cover short-term events including fires, floods or large-scale accidents such as gas leaks or chemical explosions, and the absence of a comprehensive disaster recovery plan can lead to long-term problems, including:
- Unprepared vendors
- Operational delays
- Data loss
- Reputational hits
With a proper plan in place, you’re better able to protect yourself from the above by ensuring there are:
- Preventative measures in place to reduce the risk of an accident, and plans for natural events which are unavoidable
- Defined measures and protocols for quickly uncovering and mitigating controllable elements
- Tested data/operational recovery plans which will allow operations to resume in the aftermath of a disaster
The bottom line is the absence of necessary infrastructure and planning for critical situations can lead to a cascade of failures, resulting in a breakdown of processes and an interruption of supplies and services. Additionally, knowing your vendors, especially your high-risk and critical vendors, have a disaster recovery plan in place is crucial for protecting your employees, customers and your overall business operations.
How to Ensure Your Vendor’s Disaster Recovery Plan Is Adequate and They’re Prepared
To reiterate, disaster recovery planning keeps your organization informed of the appropriate response to a business impacting event, based on the type of event that occurred.
So, what steps should you take to ensure your vendors are prepared for a disaster?
The following 10 ways will help you verify vendors are prepared:
- Verify an overall plan is in place. Make sure the vendor has a disaster recovery plan in place that is readily available to staff in the event of a disaster and addresses data loss and system availability.
- Ensure there’s a strategy for addressing personnel loss. This is considered a succession plan and should account for cross training, staffing agencies, etc.
- Check whether criteria are defined and in place for declaring a disaster. Without defined internal communication and an incident management program, employees may not know when a disaster has been formally declared. You want your business units to address the business impacting event while following a coordinated communications channel and plan, instead of simply being heads down fixing the problem.
- Verify loss coverage. Consider if the plans cover availability and potential loss of equipment, data and the data center/server room. Does their plan fit your cybersecurity and availability requirements? Look at how their data is stored, the location and status of the recovery information systems.
- Check if the plan accounts for a secondary data center. Is it readily available in the event of a disaster? Then, ensure it’s sufficiently geographically separated so that a regional impacting event won’t affect the vendor’s production and recovery sites simultaneously.
- Review data center configuration. Analyze the vendor’s data center recovery locations to assess the adequacy of recovery capacity to meet your business needs.
- Ensure there’s a communication plan. Determine whether a set client notification process is in place and whether it meets your organization’s requirements. When disaster incidents or cybersecurity incidents occur, communication can save a relationship. Verify that the vendor’s notification timeline meets any requirements you have, including regulatory requirements.
- Review critical IT functions. Does your vendor outsource to another third party? If they do, ensure communication plans exist with subcontractors (aka your fourth parties).
- Look at the vendor’s testing procedures. Make sure the testing is at least annual and ask to see the actual or redacted test results. Has the vendor successfully performed a full disaster recovery test? If not, why not? Follow up on any test results that show room for improvement.
- Analyze the vendor’s ongoing disaster recovery maintenance. Plans should be reviewed annually and after any significant organization changes as part of the vendor’s routine policy maintenance.
As you review and ensure your vendors are prepared, don’t be afraid to reach out to the vendor to discuss any findings and next steps.
Implementing practices around vendor disaster recovery review isn’t necessarily difficult, but it does require a lot of work. That hard work pays off, though, by protecting your organization, operations, customers and reputation, which is something we should all make sure we do.
Dive deeper into how to review both your vendor's business continuity and disaster recovery plans. Download the eBook.