
Red Flags within Your Vendor’s BCP | VendorInsight®

Posted by Rachel McKenzie on Jun 3, 2019 11:14:38 AM

Red Flags within Your Vendor’s Business Continuity Plan

Significant events, including natural disasters and massive cybersecurity breaches, will not only impact your vendor’s operations, but yours as well. Your data could be lost, your processes could be slowed or stalled, and your reputation could be hurt. To protect your organization and stay proactive, you need to understand a vendor’s Business Continuity Planning (BCP) and Disaster Recovery (DR): the processes by which the vendor builds systems of prevention and recovery to deal with potential threats.

To do so, your organization should be reviewing the vendor’s BCP annually as part of your ongoing monitoring after you’ve selected and contracted with them, to determine if there are any concerning red flags. But what would be considered a red flag?

Recognizing a Vendor in Crisis

You need to recognize the signs of a vendor in crisis. Here’s a list of common red flags to be aware of when performing risk assessments of your vendor’s BCPs:

  • Disproportionate net sales to the amount of time a vendor has been in business
  • A lack of IT disaster recovery focus
  • No record of staff training documentation
  • Lack of updates or tests over a substantial period
  • Little attention to complaint management and tracking or remediation
  • No oversight of fourth-party vendors
  • BCPs that don’t address products/services that are applicable to your relationship with the vendor
  • Inconsistent or non-existent Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)

A BCP also documents and demonstrates how a business will recover from a declared disaster scenario through DR. DR is more reactive than BCP: it zeroes in on technology infrastructure and on restoring access to data quickly after a disaster. It comprises the specific steps an organization must take to resume operations following an incident, with response times ranging from seconds to days.

This DR plan incorporates the fundamental principles of RTOs and RPOs. The RTO is the duration of time within which a business process must be restored after a disruption to avoid unacceptable consequences. The RPO is the interval of time during a disruption before the quantity of data lost during that period exceeds the maximum allowable tolerance.

Both RTOs and RPOs quantify what losses might ensue if critical services are disrupted and set targets for re-establishing services based on mitigating potential losses. It’s key that your organization work together with vendors to define realistic RTO and RPO goals.
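The following is an added example, not code from the original post or from VendorInsight®: a small checker that applies the red-flag checklist above and the RTO/RPO definitions to a vendor’s BCP as a reviewer might transcribe it from a questionnaire. The vendor record, the service names, the stale-test threshold and the tolerance figures are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class VendorBCP:
    """Facts a reviewer pulls out of a vendor's BCP and DR plan (constructed schema)."""
    name: str
    last_test: Optional[date]          # most recent documented BCP/DR test
    last_update: Optional[date]        # most recent documented plan revision
    rto_hours: Dict[str, float]        # service -> RTO stated in the BCP
    dr_rto_hours: Dict[str, float]     # service -> RTO stated in the DR plan
    rpo_hours: Dict[str, float]        # service -> RPO stated in the BCP
    fourth_party_oversight: bool       # does the plan cover the vendor's own vendors?
    staff_training_documented: bool

def review_bcp(bcp: VendorBCP, services_in_scope: List[str], max_rto_hours: Dict[str, float],
               max_rpo_hours: Dict[str, float], as_of: date, stale_days: int = 365) -> List[str]:
    """Return the red flags found; an empty list means no flag from this checklist fired."""
    flags = []
    # Red flag: no updates or tests over a substantial period (threshold is our assumption).
    for label, stamp in (("BCP test", bcp.last_test), ("plan update", bcp.last_update)):
        if stamp is None or (as_of - stamp).days > stale_days:
            flags.append(f"no {label} within the last {stale_days} days")
    # Red flags: services in our relationship not covered; missing or inconsistent RTO/RPO;
    # stated objectives looser than what our own business can tolerate.
    for svc in services_in_scope:
        rto, dr_rto, rpo = bcp.rto_hours.get(svc), bcp.dr_rto_hours.get(svc), bcp.rpo_hours.get(svc)
        if rto is None or rpo is None:
            flags.append(f"{svc}: RTO/RPO missing from the BCP")
            continue
        if dr_rto is not None and dr_rto != rto:
            flags.append(f"{svc}: RTO {rto}h in BCP but {dr_rto}h in DR plan")
        if rto > max_rto_hours[svc]:
            flags.append(f"{svc}: RTO {rto}h exceeds our tolerance of {max_rto_hours[svc]}h")
        if rpo > max_rpo_hours[svc]:
            flags.append(f"{svc}: RPO {rpo}h exceeds our tolerance of {max_rpo_hours[svc]}h")
    if not bcp.fourth_party_oversight:
        flags.append("no oversight of fourth-party vendors")
    if not bcp.staff_training_documented:
        flags.append("no record of staff training documentation")
    return flags

# Constructed sample vendor: stale test, DR plan disagreeing with the BCP, one service
# without an RPO, and no fourth-party oversight. All values are made up.
SAMPLE = VendorBCP(name="ExampleCorp (constructed)", last_test=date(2017, 11, 1),
                   last_update=date(2019, 1, 15), rto_hours={"payments": 4, "reporting": 24},
                   dr_rto_hours={"payments": 12, "reporting": 24}, rpo_hours={"payments": 1},
                   fourth_party_oversight=False, staff_training_documented=True)

def sample_review() -> List[str]:
    return review_bcp(SAMPLE, ["payments", "reporting"], {"payments": 8, "reporting": 48},
                      {"payments": 1, "reporting": 24}, as_of=date(2019, 6, 3))
```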


VendorInsight® Does the Hard Work for You

When it comes time to review your vendor’s BCP/DR plan, let VendorInsight® — the easy-to-use vendor risk management software — do the work for you:

  • Our senior analysts submit, retrieve and review a completed Business Continuity and Disaster Recovery Questionnaire, and we request and receive your vendors’ private documents under an open Letter of Authorization
  • A summary view of BCP/DR planning and testing for each vendor is then created that describes the risk analysis and findings
  • Our analysis, final report and the vendor’s native documents are uploaded into VendorInsight® into your electronic vendor folders
  • You receive a notice when the task is complete and can review everything at your leisure

VendorInsight® can also fully integrate with BCP-INSIGHT™ to give you unlimited control, visibility and risk management. BCP-INSIGHT™ allows for cross-reference of any disaster or recovery scenario against all your plans, documents, people, locations, resources and vendors. This helps identify what is relevant and most useful to your recovery effort.

Rest easy knowing VendorInsight® will get your critical vendor reviews completed on time, each and every year!

Learn More

Don't ignore the red flags. Verifying that your vendors align with your organization’s strategic and operational goals can prevent a disaster, or at least help with recovery.

To see how your vendor’s BCP/DR is functioning, request a demo of VendorInsight® today.
