
What Happens When a Critical Third-Party Vendor Doesn’t Have a Good Business Continuity Plan?


Unexpected business disruptions are a fact of life. At this point, we’re all aware of how global pandemics can negatively impact every type of business. Or how a cyberattack can affect a supply chain. Buildings and infrastructure can suffer severe damage. Employees may face dangerous working conditions or displacement due to natural disasters like floods, earthquakes, and fires. 

The impact of these events can vary, from the suspension of core operations to the need for millions of employees to work from home, or the necessity to completely restructure a business model. And while it’s not possible to control these business-interrupting events, it is possible to plan for them.

Business continuity and disaster recovery planning (BC/DR) involves developing, testing, and maintaining plans to ensure the resilience of a business and establish a protocol for restoring operations in the event of a man-made or natural disaster.

It’s crucial to prioritize business continuity and disaster recovery planning within your organization and set it as an expectation for your vendors. You should also validate your third parties' business continuity and disaster recovery plans and testing results, especially for critical third-party vendors!

What steps can you take to ensure that your vendors are taking business continuity and disaster recovery seriously and have robust, thoroughly tested plans in place?

7 BC/DR Elements Your Third-Party Vendor Should Have

Here's a simple checklist of 7 elements your third-party vendor should be able to provide you if they're taking BC/DR planning seriously:

  1. Risk Assessments
    A business continuity risk assessment identifies, analyzes, and evaluates the business's disruption risks, including vulnerability to threats and existing safeguards. 
  2. Business Impact Analysis
    A business impact analysis is a process that forecasts the potential outcomes of disruptions and collects relevant information for devising recovery strategies.
  3. Recovery Strategies
    Recovery strategies are backup plans to restore operations after a disruption, which are based on established recovery time objectives.
  4. Business Continuity Plans
    A business continuity plan is a document that outlines how an organization will continue to function during and after an emergency or event.
  5. Disaster Recovery Plans
    A third-party disaster recovery plan describes how a business can quickly resume operations after an unplanned event.
  6. Pandemic Plans 
    A pandemic plan is the organization's strategy for providing essential services in the event of an outbreak of an infectious disease.
  7. Testing & Exercises
    Testing ensures that the strategies, plans, and procedures that have been put in place are fully understood by all concerned and are fit for purpose on an ongoing basis. Testing is accomplished by undergoing tabletop or live scenario exercises.


What Happens If a Critical Third-Party’s Plan Is Insufficient?

Consider this scenario: You requested a business continuity plan from your critical third-party vendor, and all they've sent you is a one-page BC/DR summary. Or maybe they can't provide one at all. If this is truly a critical third-party vendor, you have a problem. Like financial and SOC reporting, documented evidence of BC/DR is a must-have for every critical vendor.

Faulty BC plans could result in the following ripple effects:

  • Unless a vendor is prepared for business-disrupting events, they risk major delays in resuming uptime.
  • You may experience more downtime than allowed in your own BC/DR plans due to the operational delays of your critical vendor.
  • Your critical vendor may lose or not be able to recover some of your data.
  • Your organization may experience unplanned costs and lost revenue.
  • You may ultimately have to worry about your organization's reputation if your critical vendor lacks a solid BC plan. Customers will assume your organization is at fault for any delays or interruptions.

Considerations For Resolving BC/DR Issues

If a critical vendor isn’t capable or willing to produce an adequate business continuity plan, there are steps you can take to address the situation.

If the vendor is unwilling to share a BC/DR plan, make sure you understand why. BC/DR plans often contain sensitive information such as backup data sites or employees' personal contact information. Additionally, your vendor may not want to share information regarding any system, operational, or physical vulnerabilities that could potentially be exploited during an unexpected event. 

If the vendor has these concerns, consider asking for a highly redacted version of their BC/DR documents. That approach may allow you to see the structure and necessary elements of the plan without revealing confidential vendor details.

What if the vendor is still unwilling to share?

Fortunately, it’s not the end of the road. Here are three other routes you could take with your vendor:

  1. Request a copy of the vendor's business continuity and disaster recovery policy.
  2. Ask the vendor to provide a written attestation that their BC/DR plans meet your organization's documented expectations and requirements.
  3. Increase the frequency of periodic risk assessments and monitoring, and enhance your ongoing monitoring by adding vendor risk monitoring and alert services.

Don’t forget the vendor contract

Make sure that BC/DR is included in the contract. It’s a best practice to ensure that the vendor is legally obligated to meet your documented business continuity and disaster recovery expectations and requirements. 

At a minimum, the contract should include:  

  • The vendor's agreement to ensure that it has adequate business continuity measures in place to avoid disruption and mitigate risk in the event of an unforeseen incident
  • A requirement for the vendor to immediately notify your organization of any interruption to its business or unavailability of any site
  • The definition of business interruptions and failures 
  • Documented required recovery time objectives (RTOs) 
  • A description of the vendor's responsibility for back-up and record protection
  • A requirement for the vendor to test plans regularly and provide results to your organization

What if my vendor's third-party vendor's business continuity and disaster recovery plans have gaps or deficiencies? 

In that case, your organization must determine if the risks presented by the situation are within your risk tolerance. After all, critical vendors, by definition, will seriously impact your organization or its customers should they fail. And critical vendors with poor BC/DR plans can turn a bad situation into a worst-case scenario. 

There may be circumstances in which it’s not wise to pursue or continue doing business with that critical vendor. However, there may be times when the gaps and weaknesses in the critical vendor's BC/DR plan are not "deal-breakers" and may be successfully remediated over time with enough effort. 

If remediation is the goal, then be sure to do these 9 steps:

  1. Ensure that the gaps and deficiencies are clearly documented.
  2. Request remediation actions and timeframes from the vendor to improve or implement plans.
  3. Document all agreed-upon remediations and timeframes.
  4. Amend or add language to the contract (whenever possible) detailing the remediation and timeline.
  5. Get regular updates from the vendor on the remediation process.
  6. Hold the vendor accountable and track all issues until they are successfully remediated.
  7. Require evidence of testing and results of remediated BC/DR plans.
  8. Seek a formal risk acceptance from your senior management or the board to ensure appropriate transparency and approval for an exception to the required BC/DR standards until the issue can be remediated.
  9. Increase the occurrence of your periodic risk assessments and monitoring practices. Also consider enhancing your ongoing monitoring by using vendor risk monitoring and alert services.

Third-party business continuity and disaster recovery plans are essential for your organization and its critical vendors. Poorly developed or missing vendor BC/DR plans should not be taken lightly, especially regarding your critical vendors. If your current vendor is unable to meet your business continuity and disaster recovery needs, it may be time to shop around for a new one.
