How to Manage a Business Continuity Vendor: Best Practices

If your business needs assistance in creating a BCDR strategy, it won’t be alone in hiring a business continuity vendor. The SEC’s National Examination Program (NEP) considers it good practice to use a third-party service provider to annually review your BCP and make recommendations.

Reliance on business continuity vendors continues to gain more traction in the industry. The goals to improve efficiency, stimulate growth, and enable operational transformation tip the scale in the decision-making process. Is your organization monitoring your critical vendors’ resiliency and recovery abilities? If not, are critical operations at risk of being hindered by a combination of unprepared vendors and insufficient internal resiliency and contingency planning?

Often, organizations take a siloed approach to their resiliency and recovery needs around business interruption risk. The more complex is the structure of the business, and the more it evolves (e.g., IT and supply chain management), the higher the number of internal and external processes and technology interdependencies required to reduce the operational and financial impacts associated with business interruptions.

Further, the entirety of a company’s resiliency and recoverability needs are often overlooked, with no structures or mechanisms to allow for integrated testing and verification. As a result, leadership has very little understanding of the organization’s real business interruption needs and capabilities.

Even when a vendor shares an overview of their BC plan, businesses struggle to understand how a vendor’s continuity program aligns with their own resiliency strategy. Only that organization that has developed and implemented its own BCM processes will have insight into the vendor’s recovery capabilities. An actual interruption event can demonstrate where your business is on a vendor’s priority list compared to other companies. Not getting proper attention and support will damage your market share, your brand, and reputation as if the disaster had directly affected your operations.

Evaluation Your Vendor’s Business Continuity Plan

To verify that all adequate regulations are in place, review the following six areas of your vendor’s BCP:

1. Personnel loss and planning
2. Relocation strategy
3. Remote access availability
4. Facility loss contingencies
5. Crisis communication strategy
6. Testing procedures that include:
   1. Annual testing
   2. Addressing testing results demonstrating room for improvement

Business continuity plans should also detail your vendor’s business impact analysis (BIA). Your organization needs to make sure a BIA is conducted annually or when any major changes or incidents occur.

Four Drawbacks of a Vendor’s BCP

Here are 4 things to keep a close eye on in a vendor’s BCP: 

1. BCPs that solely cover IT disaster recovery. Some vendors do not distinguish between business continuity (e.g., people, processes, and facilities) and IT disaster recovery (e.g., information systems, data, and networks). 
2. BCPs that haven’t been reviewed or tested in the last 12 months. Any business is an evolving entity, so it a BCP and should closely reflect those changes.  
3. BCPs that don’t cover products/services that are pertinent to your relationship with the vendor. If your vendor developed various BCPs, make sure you only review a plan that applies to the services and products for which you’re paying. 
4. Unclear Definition of Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). If RTOs and RPOs do not meet your requirements, your business may need to take additional measures. Agreeing on a level of service and priority for your organization that you can expect after a business interruption will ensure you’re prepared to handle any disruption. 

Note: An RTO is the time to recovery to an “established level of service” and doesn’t cover total recovery to full operation. 

Additionally, the NEP recommends to consider the following points in reviewing a business continuity vendor:

1. Keep an updated contact list of vendors and other important contacts. If the time comes crisis communication, or activate your business continuity plan, you’ll want to be sure your assigned client success team is there on standby.
2. Prepare and test your processes as if you cannot rely on servers in your building, and consult with vendors on external servers in multiple geographic locations or in the cloud to ensure redundancy.
3. When it comes to your vendor’s technology, review the IT infrastructure of your service providers to ensure they store your documents in a cloud-based system with multiple backup servers.
4. As your vendor should be aware of your company’s business requirements for continuity of operations, they must be prepared to make relocation recommendations if you cannot access your building, whether it’s working from home, in another one of your firm’s offices, or even reserve rooms in advance at a local hotel.