Red Flags within Your Vendor’s Business Continuity Plan
Significant events, including natural disasters and massive cybersecurity breaches, will not only impact your vendor’s operations, but yours as well. Your data could be lost, your processes can be slowed or stalled, and your reputation could be hurt. To protect your organization and stay proactive, you need to understand a vendor’s Business Continuity Planning (BCP) and Disaster Recovery (DR), their processes of creating systems of prevention and recovery to deal with potential threats.
To do so, your organization should be reviewing the vendor’s BCP annually as part of your ongoing monitoring after you’ve selected and contracted with them, to determine if there are any concerning red flags. But what would be considered a red flag?
Recognizing a Vendor in Crisis
You need to recognize the signs of a vendor in crisis. Here’s a list of common red flags to be aware of when performing risk assessments of your vendor’s BCPs:
- Disproportionate net sales to the amount of time a vendor has been in business
- A lack of IT disaster recovery focus
- No record of staff training documentation
- Lack of updates or tests over a substantial period
- Little attention to complaint management and tracking or remediation
- No oversight of fourth-party vendors
- BCPs that don’t address products/services that are applicable to your relationship with the vendor
- Inconsistent or non-existent Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)
A BCP also documents and demonstrates the process of how a business will recover from a declared disaster scenario with DR. DR is more reactive than BCP and zeroes in on technology infrastructure and concentrates on accessing data easily following a disaster. It comprises specific steps an organization must take to resume operations following an incident, with response times ranging from seconds to days.
This DR plan incorporates the fundamental principles of RTOs and RPOs. The RTO is the duration of time within which a business process must be restored after a disruption to avoid unacceptable consequences. The RPO is the interval of time during a disruption before the quantity of data lost during that period exceeds the maximum allowable tolerance.
Both RTOs and RPOs quantify what losses might ensue if critical services are disrupted and set targets for re-establishing services based on mitigating potential losses. It’s key that your organization work together with vendors to define realistic RTO and RPO goals.
VendorInsight® Does the Hard Work for You
When it comes time to review your vendor’s BCP/DR plan, let VendorInsight® — the easy-to-use vendor risk management software — do the work for you:
- Our senior analysts submit, retrieve and review a completed Business Continuity and Disaster Recover Questionnaire, and we request and receive your vendors’ private documents under an open Letter of Authorization
- A summary view of BCP/DR planning and testing for each vendor is then created that describes the risk analysis and findings
- Our analysis, final report and the vendor’s native documents are uploaded into VendorInsight® into your electronic vendor folders
- You receive a notice when the task is complete and can review everything at your leisure
VendorInsight® can also fully integrate with BCP-INSIGHT™ to give you unlimited control, visibility and risk management. BCP-INSIGHT™ allows for cross reference of any disaster or recovery scenario against all your plans, documents, people, locations, resources and vendors. This helps identify what is relevant and most useful to your recovery effort.
Rest easy knowing VendorInsight® will get your critical vendor reviews completed on time, each and every year!
Don't ignore the red flags. Verifying that your vendors align with your organization’s strategic and operational goals can prevent a disaster, or at least help with recovery.
To see how your vendor’s BCP/DR is functioning, request a demo of VendorInsight® today.