Four Business Continuity Considerations for Vendors
Whether you're shopping around for new outsourced providers/business partners or just reevaluating them, it’s always important to consider the vendor’s approach to continuity and how that could impact your business. If your firm has a comprehensive business continuity plan in place and you conduct regular BCP tests, you might think your responsibility ends there. However, if the service providers that you engage with do not also have proper disaster recovery systems and business continuity plans, and do not test those plans regularly, they are exposing your firm to serious risk and may be the weakest link in your continuity or recovery.
To properly conduct review and discussion with vendors and business partners, firms should have a series of questions and discussion points ready. Four critical areas you may want to review include continuity program activities, disaster recovery system details, business continuity procedures, and communication practices.
Continuity Program Activities: This would include ensuring that the vendor or business partner regularly reviews and updates necessary plans and procedures. Do they conduct ongoing tests of their disaster recovery systems? They should also be testing and exercising their business continuity plan. Lastly, it’s also critical that they provide employees with necessary training on these plans, both at the outset of the plan implementation and at least annually.
Disaster Recovery Systems: During vendor discussions and evaluations, ensure your business partners are identifying the location or locations where data is backed up. They should also identify recovery time objectives (RTO) related to that data and compare that desired RTO with the RTO outlined within the existing plan. This is important as it relates to recovery time, since it will outline at which point after a disaster you are expected to have access to critical systems and data. If RTOs are unclear, you run the risk of being unable to work or access data or information you need, potentially disrupting clients and even violating contracts or regulations.
Business Continuity Procedures: Firms should discuss comprehensive continuity strategies and procedures with all third-party vendors. Service providers should be able to explain how, even in the face of various interruptions, they will continue to provide the level of service stated in the contract.
Communication Practices: Firms should confirm with vendors or business partners that they have both an internal and external communication plan. Additionally, firms should discuss the process that outlines how your fund would be notified if a disruption were to occur with your service. Finally, confirm who from your firm is going to be contacted during unplanned downtime or when issues arise.
Reviewing these four key areas with your vendors at least on an annual basis is important to ensure your continuity extends across all areas of your business, including those managed by outsourced third parties. Following the review discussions, your firm's internal continuity team should meet and evaluate any deficiencies noted and determine the comfort level with any identified risks. If concerns are high, you’ll need to determine next steps. Relay your concerns to the vendor to validate the deficiencies and understand if they are willing and able to take steps to correct them. If not, you can look for other vendors whose continuity practices reduce or eliminate any risks or concerns you may have.