Red Flags within Your Vendor’s BCP | VendorInsight®

Posted by Rachel McKenzie on Jun 3, 2019 11:14:38 AM

Red Flags within Your Vendor’s Business Continuity Plan

Significant events, including natural disasters and massive cybersecurity breaches, will not only impact your vendor’s operations, but yours as well. Your data could be lost, your processes could be slowed or stalled, and your reputation could be hurt. To protect your organization and stay proactive, you need to understand a vendor’s Business Continuity Planning (BCP) and Disaster Recovery (DR): the processes by which they create systems of prevention and recovery to deal with potential threats.

To do so, your organization should be reviewing the vendor’s BCP annually as part of your ongoing monitoring after you’ve selected and contracted with them, to determine if there are any concerning red flags. But what would be considered a red flag?

Topics: vendor reviews, Cybersecurity, Business Continuity, BCP, Experts, RTO, RPO, Business Continuity Plans, Recovery, Breaches, Disaster Recovery

Software User Groups Matter | VendorInsight®

Posted by CMPG Risk Solutions on Jan 30, 2019 3:45:53 PM

Why Having a User Group Matters

Have you ever wished that a piece of software could be updated and tailored as your organization’s needs change? Most industries today are constantly evolving as technology is accepted and integrated. This is why choosing a vendor management software tool that has a user group is so important. User groups provide valuable insight into customer needs and improve the software for everyone involved.

Topics: vendor reviews, vendor risk management, Configurable, User Groups, Conference

Custom Vendor Management Reports | VendorInsight®

Posted by Ryan Fox on Jan 17, 2019 10:07:08 AM

Custom Reports:

If You Collect Data on It, You Can Create a Report for It

No two companies are exactly alike – in the way they operate or in the way they manage their vendors. The same is also true of a company’s reporting needs. One leadership team may have a different priority or consider a different metric to be mission critical. Regulatory teams or auditors may ask for data based on their current priorities.

Topics: vendor reviews, vendor risk management, Configurable, Reports

Make Way: New SSAE 18 Control Audit Coming Through

Posted by CMPG Risk Solutions on Jan 5, 2017 2:12:00 AM

In April 2016, the American Institute of Certified Public Accountants (AICPA) announced an updated standard. This Statement on Standards for Attestation Engagements 18 (SSAE 18) is set to supersede the widely known SSAE 16 report that has been a mainstay with vendor management organizations tracking vendor adherence to defined controls since 2010.

The new SSAE 18 will be effective for reports produced after May 1, 2017, but organizations can adopt it earlier.

The new standard will require companies to monitor service organizations’ subservice organizations—or in vendor management terms, fourth-party providers. Essentially, the SSAE 18 will expand on the existing SSAE 16 standard to include validation of effective vendor management, as practiced by your vendors for their contracted fourth-party providers. This includes fourth-party monitoring beyond the initial vetting and selection process, just as required of FIs.

In early 2016 VendorInsight® implemented features to track, capture, and monitor risks associated with fourth-party vendors.

While the new standard is required for reports after May 1, 2017, many of the reports generally available from vendors supporting the financial services industry tend to cover an audit period from the late third or early fourth quarter. As such, we would expect the vast majority of 2017 vendor reports to report on audits completed prior to the start of the new SSAE 18 standard.

When fully deployed in 2018, this new standard offers the promise of added visibility to key vendor fourth-parties that today may not be easily discerned. It will also shine a light onto the vendor management practice of your vendors who have historically kept this discipline out of sight and away from detailed review. We see this as an important next step for the evolution of industry best practices for vendor risk management, and we are already equipped and prepared for this expanded tracking within our solutions and service offerings. To learn more about the new standard, follow the links below to download our FREE SSAE 18 eBook or speak with a VendorInsight Team Member about how your organization can prepare for the new standard.

Topics: control audit, vendor reviews

Do I Need to Measure Vendor Performance?

Posted by CMPG Risk Solutions on Mar 11, 2014 1:55:00 AM

A few years ago we were asked by a customer to help them develop some performance metrics for one of their vendor relationships. We helped them establish some inventory and delivery metrics that would measure how well the supplier was supporting a critical part of their business. Our customer's business requirements required some slight changes compared to how the suppliers typically handled business, so they were very interested in finding a supplier that could support their needs well. These measures were important to our customer. The competing proposals were close, and the vendor's willingness to engage in designing performance metrics that could be tracked was a differentiating factor.

As the data started coming in over the first few weeks, there were a few hiccups caused by changes that weren't obvious but were affecting performance - a managerial change here, a software update there. You get the idea. The customer had objective data about the performance level and could approach the supplier so they could collaborate on how to remedy the problem. Our customer even jumped in and offered short-term manpower resources one time. Our customer also had some unique subject matter expertise, and when they shared this with the vendor, the vendor soon adopted this knowledge into their own processes.

Soon the transition performance measures were tracking steadily and it was time to introduce two new performance measures. These would measure different aspects of the vendor's performance and would help our customer attain the strategic objectives they were targeting over the next two years.

This little anecdote illustrates an important point. Managing vendors and their business performance - especially in outsourcing relationships where they are performing critical functions - is as important as managing risk. We all know that the risk of a vendor failure is very high, but research suggests that the risk of an underperforming vendor relationship is even higher. An underperforming vendor relationship consumes massive amounts of manpower and results in significant productivity losses. Often, inefficient exception management processes consume and overtake the normal process of management-to-goals.

So, what's the good news, you ask? With VendorINSIGHT you can get access to experts who can help you define good performance measures for your vendors, ones that are appropriate for the phase of relationship you are in. With these in place, the VendorINSIGHT system takes care of the rest - delivering the automation and workflow tools you need to capture performance metrics, monitor trends and performance, and remediate underperformance. Check out the links below to read about these features and whether they might make sense for you.

Topics: due diligence, vendor reviews

VendorInsider Blog

Insight into Vendor Management Best Practices, Challenges, Solutions and Trends from Industry Insiders

As one of the longest running and most advanced vendor management software solutions, the helpful people of VendorInsight® have a unique perspective on third-party risk, compliance and management.  In the VendorInsider Blog, we share our insights on timely and relevant issues facing vendor managers.  You can subscribe using the button below, or contact us with questions.
