Planning for business continuity with critical vendors has been an area of focus for many third-party risk management professionals as of late. And rightly so. A trio of health, economic and geo-political events have created massive strains on supply chains and increasing concerns about cyber-attacks. And as companies shore up their own business continuity plans, they must consider the impact critical vendors have on those plans.
Ensuring business continuity with your critical vendors requires not only responding to (and potentially recovering from) a continuity event, but also ensuring you have the right plan, controls and oversight in place to ensure stability for the long haul.
Here are 19 best practices to manage business continuity with your critical vendors.
Response Activities
These are the immediate activities you undertake to assess risks with your vendors when a continuity event has occurred.
- Identify your critical vendors. These should have already been identified through your own business continuity planning.
- Review their contractual provisions to refresh your understanding of service level agreements, payment terms, potential legal risks and, in case needed, termination provisions.
- Send due diligence questionnaires (or conduct interviews) to understand how their business is being impacted by the event, and how near term (and mid-term) impacts to their company may impact your operations.
- For certain vendors you should dive deeper into their business continuity and disaster recovery plans – especially for those performing outsourced functions or supporting core systems and technologies. Understand whether their plan is comprehensive enough to ensure stability of your products/services, and whether they have implemented the plan.
- If the vendor has access to your systems or data, assess their approach to work from home and the security protocols they have implemented for data protection.
- Assess your own business continuity plans to ensure you have addressed how you will handle continuity in each operational area that you rely on critical vendors.
- Establish a communication plan with your internal vendor relationship managers, and key contacts at your vendors, to ensure consistent and open communication. Make sure you identify the who, what and how often.
Recovery Activities
Recovery includes all of the steps you need to take to address risks and/or operational problems with your vendors from the response phase. Consider the following activities when you identify a critical vendor that is under distress.
- Integrate secondary vendors into the operational activity to reduce the risk and increase the speed at which you can pivot if needed.
- Evaluate your ability to insource certain functions, at least for the short term, and establish plans when feasible.
- Consider on-site visits to get a first-hand look into the vendor’s operations.
- Enhance your continuous monitoring activities to track information about the vendor’s corporate health and/or cybersecurity practices.
- Modify contractual provisions to address exposure beyond your risk tolerance.
- In worst-case scenarios, terminate the agreement and transition to a new vendor.
Prevention Activities
Prevention focuses on taking steps to lessen the chance (in the future) that you will have continuity issues with your critical vendors, and ensuring you have the right mitigation strategies in place to lessen the impact when an incident does happen. Some of the important prevention activities include:
- Consolidate and eliminate risky vendors from your supply base.
- Build out alternative supplier capabilities where needed.
- Create/update contingency plans for critical vendors, including plans for insourcing when feasible.
- Establish and/or strengthen vendor risk monitoring tools to be more predictive in monitoring the health and cybersecurity of your high-risk vendors.
- Audit your vendor contracts to identify gaps when compared to your own standard contractual provisions, and amend existing contracts to comply with the contractual standards.
- Review your vendor management system to ensure it is accurate and complete with the vendor information, contracts and assessment tools you need -are at your fingertips – regardless of where you are working from.
One additional note.
As you think about business continuity with your vendors, you should plan as if you are going to have multiple ‘response’ phases. Or even better, ensure you have a really good continuous monitoring and communication process in place that becomes part of your regular vendor management process.
Using a systematic approach to manage business continuity with critical vendors is the best way to ensure consistency in vendor management activities both now and into the future. If you’re looking for additional information on business continuity standards, here’s a link to an article on ISO 22301 which is a recognized international standard for business continuity management systems.