A vendor business continuity plan (BCP) is a vital component of an organization’s business strategy. A BCP helps ensure that your vendors continue to provide products and services to your organization at an agreed level of availability during a business-disrupting event. That level is usually predetermined in your vendor contract, through a detailed service level agreement (SLA).
Your vendor’s business continuity plan should first be reviewed during the vendor vetting and selection stage of the relationship, and then at least annually as part of your ongoing monitoring duties. Continuing to monitor a vendor after you’ve selected and contracted with them keeps you informed of any concerning changes. So, what exactly should be a concern as you’re reviewing a vendor business continuity plan?
Things to Watch Out for in Your Vendor’s Business Continuity Plan
Here are 4 things to watch out for in a vendor’s BCP:
- BCPs that are limited to IT disaster recovery information. Some vendors do not differentiate between business continuity (e.g., people, processes and facilities) and IT disaster recovery (e.g., information systems, data and networks).
- BCPs that haven’t been updated or tested within the last 12 months, or within the review cycle the vendor defines in its own plan, whichever is shorter. Regular testing is the only evidence that the plan will operate as expected when a disaster strikes, and the plan should be updated to reflect any organizational, staffing or technology changes since the last test.
- BCPs that don’t address products/services that are applicable to your organization. Your vendor may have multiple BCPs for different products lines, so it’s important that the plans you review are written specifically for the products/services used by your organization.
- Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) that aren’t defined or don’t align with your recovery needs. The vendor’s RTO is only part of your own recovery time: add the time your organization needs to cut over, validate and resume service after the vendor is back. If the combined figure, or the vendor’s RPO, exceeds the timeframe you have committed to your own customers, additional measures (such as a secondary supplier or a local fallback) may be needed. Understanding what level of service to expect after a business-impacting event at your vendor ensures you’re prepared to handle any dip in service, availability or functionality.
Note: RTO refers to recovery to an “established level of service” and doesn’t necessarily mean a recovery to full operations. Confirm what that level actually is for the services you depend on.
Keep in mind, any of the following are also cause for concern:
- Applicable RTOs weren’t met or adjusted.
- Applicable RPOs weren’t met or adjusted.
- There are no remediation plans established for issues identified.
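The checks above can be applied consistently across many vendors. What follows is an added example written for this article (it is not code from the original page or from any vendor-management product): a small Python screen that records a vendor’s plan, compares its RTO and RPO, test and update dates, scope and business-vs-IT coverage against the needs of the services you buy from that vendor, and returns a list of findings. The vendor names, services, dates and hour figures are constructed sample data, and the rule that the vendor’s own review cycle applies only when it is shorter than 12 months is an assumption about how to read the article.

```python
"""Screen a vendor BCP against the four watch-items and our own recovery needs."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class VendorPlan:
    vendor: str
    services: Tuple[str, ...]          # products/services this plan actually covers
    rto_hours: Optional[float]         # None: the plan does not define one
    rpo_hours: Optional[float]
    last_tested: Optional[date]
    last_updated: Optional[date]
    covers_people_processes_facilities: bool  # False: plan is IT disaster recovery only
    review_cycle_days: int = 365       # cycle stated in the vendor's own plan


@dataclass
class ServiceNeed:
    service: str
    vendor: str
    max_outage_hours: float            # what we committed to our own customers
    max_data_loss_hours: float
    internal_recovery_hours: float     # our cutover/validation work after vendor recovers


def review_plan(plan: VendorPlan, needs: List[ServiceNeed], today: date) -> List[str]:
    """Return one finding per concern; an empty list means the plan screens clean."""
    findings: List[str] = []

    if not plan.covers_people_processes_facilities:
        findings.append("plan is limited to IT disaster recovery")

    # Assumption: the vendor's own cycle only tightens the 12-month baseline.
    window = timedelta(days=min(plan.review_cycle_days, 365))
    for label, when in (("tested", plan.last_tested), ("updated", plan.last_updated)):
        if when is None or today - when > window:
            findings.append(f"plan not {label} within {window.days} days")

    for need in needs:
        if need.vendor != plan.vendor:
            continue
        if need.service not in plan.services:
            findings.append(f"{need.service}: not covered by this plan")
            continue
        # Vendor RTO plus our own recovery work must fit the customer commitment.
        if plan.rto_hours is None:
            findings.append(f"{need.service}: RTO not defined")
        elif plan.rto_hours + need.internal_recovery_hours > need.max_outage_hours:
            findings.append(
                f"{need.service}: RTO {plan.rto_hours}h + {need.internal_recovery_hours}h "
                f"internal recovery exceeds {need.max_outage_hours}h commitment"
            )
        if plan.rpo_hours is None:
            findings.append(f"{need.service}: RPO not defined")
        elif plan.rpo_hours > need.max_data_loss_hours:
            findings.append(
                f"{need.service}: RPO {plan.rpo_hours}h exceeds "
                f"{need.max_data_loss_hours}h tolerable data loss"
            )
    return findings


# Constructed sample data (not real vendors or contracts).
TODAY = date(2024, 6, 1)
NEEDS = [
    ServiceNeed("payments-api", "AcmeCloud", max_outage_hours=8,
                max_data_loss_hours=1, internal_recovery_hours=2),
    ServiceNeed("statement-archive", "AcmeCloud", max_outage_hours=72,
                max_data_loss_hours=24, internal_recovery_hours=4),
]
PLAN_OK = VendorPlan("AcmeCloud", ("payments-api", "statement-archive"),
                     rto_hours=4, rpo_hours=0.5,
                     last_tested=date(2024, 1, 15), last_updated=date(2024, 2, 1),
                     covers_people_processes_facilities=True)
PLAN_WEAK = VendorPlan("AcmeCloud", ("payments-api",),
                       rto_hours=8, rpo_hours=None,
                       last_tested=date(2023, 3, 1), last_updated=date(2024, 2, 1),
                       covers_people_processes_facilities=False)

if __name__ == "__main__":
    for plan in (PLAN_OK, PLAN_WEAK):
        print(plan.vendor, review_plan(plan, NEEDS, TODAY) or ["no findings"])
```

The second plan illustrates why a vendor RTO that looks acceptable on paper can still fail the review: its 8-hour RTO equals the customer commitment, leaving no room for the 2 hours of internal cutover work, and a 5-finding result from one screen is the kind of evidence that justifies escalating to the SME review described below.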
2 Best Practices to Help You with These Issues
Now that you understand a few areas to watch out for, let’s review a few best practices to help protect against them. Unfortunately, there’s no universal template for a vendor business continuity plan, so there is no universal checklist for reviewing one. Every vendor’s plan will be different, but the following steps apply to all of them:
- Understand your vendor's role: Prior to beginning your review of a vendor’s BCP, it’s important to fully understand the vendor’s role in assisting with the services your organization provides. Understanding this will give you further insight into how much scrutiny you should give to the vendor’s BCP. The more critical the vendor is to operations, the more scrutiny.
- Enlist the help of a subject matter expert (SME): Not all plans are created equal, and not all plans are easy to understand. For that reason, an expert should review the plan. The expert can be someone internal, such as a Certified Business Continuity Professional (CBCP) or Certified Information Systems Security Professional (CISSP), or you can outsource the review to an external expert if needed.
It Can Be Complex, But Fully Understood Plans Help Avoid Risk
Reviews won’t always go smoothly, but well-tested plans make the bumps in the road of business a lot easier to handle. Verifying that your critical vendors’ plans align with your organization’s strategic and operational goals greatly reduces the chance of an unforeseen problem on your road to recovery.