What to check for in Vendors' Business Continuity and Resilience?

Business is not done in a vacuum. There is high dependency on external parties. Our Project Manager, Atique Shaikh, in this blog highlights vendors' areas to check to ensure your business continuity

You have Business continuity plans to ensure continuity of products and services during a business interruption. Business continuity test exercises are done to check the efficacy of the plan, but there is more to it. You may have dependencies on the external parties like vendors, suppliers or consultants in the business process, for which there might be agreement in place. But does it give you confidence that your external parties will resume with the same level of service as you?? 

Here are some of the important areas to check for your vendors business continuity

1. Identifying the interface between your department/function and vendor.

Your function may be dependent on the external vendor. How is the interface between you and your vendor? 

1. Are Vendors using your premises for operations? 

Consider the case where the vendor has to be operational from your office on a daily basis during working hours. They use your Infrastructure and have access to a specific network for executing the tasks assigned to them. The communication between you and your vendor happens in person and on emails.

During a disaster situation, you have a strategy to work from home in case the disaster renders the office site unusable. How will the vendor operate?

• Do they have the option to work from home?
• Can they still connect to the specific network while working from home?
• Does email as a communication channel between you and the vendor suffice?

For such critical vendors, the business team should have a plan documented and communicated to the vendor.

2. Are Vendors using their own office/location? 

In the Business as usual state, when the vendors are using their own premises for operations, a site-level disaster might not impact their operations.

However, if they are connecting to your office network for operations, you might have to consider how they would connect if you are working from an alternate site or disaster recovery site.

3. Are you using Hardware/Software that requires support from Vendor for migration or restoring activities during disaster?

You may have hardware that is supported by Vendor. Let's take an example of the Hardware server at your primary site. Vendors have access to perform administrative tasks. 

In case of disaster, you have to migrate your data to an alternate site. This might require support from the vendor. Even though a vendor is not critical for routine operations, but is required to perform activities, if not done, then it may impact your recovery objectives.

Such Vendors should be identified and arrangement should be planned. They should also participate in the tests/drills along with the team. The detailed activities done by such vendors should be documented and reviewed more frequently.

2. Checking Vendor’s Business Continuity

Your vendor may have Business continuity in place, however, this still may not be sufficient, check for the following when the vendor claims that BCP is in place.

1. Are the services provided to you covered in the Vendor's BCP plan?
2. What is the frequency of the BCP test done by the Vendor?
3. Are you informed about such tests in advance?
4. Is the Vendor's Recovery Time Objective (RTO) aligned with the RTO of your services?
5. Has the Vendor tested BCP and what were the results? 
6. Any Business continuity related high risks identified?

3. Considering Secondary Vendor

Having the option of a secondary vendor for critical services mitigates the risks of Single point of failure. The secondary vendor(s) may increase the cost but it can avoid disruption of services. These secondary vendors can also be used during the normal course of business by distributing the load of the services as applicable.

Conclusion:

Given that the vendor has agreed to provide the services, it is vital to check the above areas to ensure that the processes are recovered in the event of a disaster.