Implementing best practices to manage business continuity with critical vendors has been a major focus as of late. And rightly so. As organizations have been evaluating the efficacy of their own business continuity plans, they are also assessing the continuity of their critical vendors.
In talking to our clients and colleagues across multiple industries, we’ve found that most have been actively assessing business continuity risks with both their critical and high-risk vendors. While due diligence seems to vary, I’m finding that there are four common questions that companies are asking about vendor business continuity:
- What gaps or issues exist in our vendors’ business continuity plans that may present risks to our own operational continuity?
- How well are our vendors continuing to protect our data, especially with regard to controls over information security for their remote workforce?
- Which of our key vendors is experiencing financial instability now, and which may be experiencing it in the next 6-12 months due to second-order impacts such as market volatility or declines in revenue due to reduced economic activity?
- Do we have a good handle on all of our fourth parties, and are our vendors providing adequate monitoring of them?
Ensuring business continuity with your critical vendors requires not only responding to (and potentially recovering from) a continuity event (like COVID-19), but also ensuring you have the right plan, controls and oversight in place to ensure stability for the long haul.
Here are 19 best practices to manage business continuity with your critical vendors.
Response Activities – These are the immediate activities you undertake to assess risks with your vendors, and deal with unplanned disruptions in operations, when responding to a business continuity event.
- Identify all of your vendors that are fundamental to your critical operational activities. Hopefully they have already been identified through your own business continuity planning.
- Review their contractual provisions to refresh your understanding of service level agreements, payment terms, potential legal risks and, if needed, termination provisions.
- Send due diligence questionnaires (or conduct interviews) to understand how their business is being impacted by the event, and how near term (and mid-term) impacts to their company may impact your operations.
- For certain vendors you should dive deeper into their business continuity and disaster recovery plans – especially for those performing outsourced functions or supporting core systems and technologies. Understand whether their plan is comprehensive enough to ensure stability of your products/services, and whether they have implemented the plan.
- If the vendor has access to your systems or data, assess their approach to work from home and the security protocols they have implemented for data protection.
- Assess your own business continuity plans to ensure you have addressed how you will handle continuity in each operational area in which you rely on critical vendors.
- Establish a communication plan with your internal vendor relationship managers, and key contacts at your vendors, to ensure consistent and open communication. Make sure you identify the who, what and how often.
Recovery Activities – Recovery includes all of the steps you need to take to address risks and/or operational problems with your vendors from the response phase. Consider the following activities when you identify a critical vendor that is under distress.
- Integrate secondary vendors into the operational activity to reduce the risk and increase the speed at which you can pivot if needed.
- Evaluate your ability to insource certain functions, at least for the short term, and establish plans when feasible.
- Consider on-site visits to get a first-hand look into the vendor’s operations.
- Enhance your continuous monitoring activities to track information about the vendor’s corporate health and/or cybersecurity practices.
- Modify contractual provisions to address exposure beyond your risk tolerance.
- In worst-case scenarios, terminate the agreement and transition to a new vendor.
Prevention Activities – Prevention focuses on taking steps to lessen the chance (in the future) that you will have continuity issues with your critical vendors, and ensuring you have the right mitigation strategies in place to lessen the impact when an incident does happen. Some of the important prevention activities include:
- Consolidate and eliminate risky vendors from your supply base.
- Build out alternative supplier capabilities where needed.
- Create/update contingency plans for critical vendors, including plans for insourcing when feasible.
- Establish and/or strengthen vendor risk monitoring tools to be more predictive in monitoring the health and cybersecurity of your high-risk vendors.
- Audit your vendor contracts to identify gaps when compared to your own standard contractual provisions, and amend existing contracts to comply with the contractual standards.
- Review your vendor management system to ensure it is accurate and complete, so that all of the vendor information, contracts and assessment tools you need are at your fingertips, regardless of where you are working from.
One additional note that is very relevant to the current pandemic: there is a strong chance of successive waves of COVID-19. As you think about business continuity with your vendors, you should plan as if you are going to have multiple ‘response’ phases. Or, even better, ensure you have a really good continuous monitoring and communication process in place that becomes part of your regular vendor management process. Using a systematic approach to manage business continuity with critical vendors is the best way to ensure consistency in vendor management activities both now and into the future.
Author: Tom Rogers
Job Title: CEO
Organization: Vendor Centric