Unforeseen natural disasters and unexpected events can wreak havoc on any business, but particularly for commercial real estate developers. Not only do developers need to worry about the physical building, but also the safety of occupants and operational continuity. To remain prepared, commercial real estate developers must establish a robust and comprehensive business continuity plan (BCP) and ensure their vendors have done the same.
Business continuity planning plays a vital role in safeguarding developers' interests, ensuring client satisfaction, and facilitating seamless business operations. But what happens if the business-disrupting event is with a critical service provider or third-party vendor? Developers must be able navigate disruptions and crises effectively, even when the supply chain is disrupted.
Let’s cover the basics of business continuity planning and third-party risk management, how to integrate the two together, and key third parties to include.
Third-party risk management is a comprehensive approach to identifying, assessing, managing, and monitoring risks associated with outsourcing to third-party vendors or service providers. It considers various operational, financial, legal, compliance, and reputational risks.
Effective third-party risk management is a crucial component for relationships with contractors, suppliers, and other third parties. It helps ensure the quality of work, timeliness, compliance with regulations, and overall stakeholder satisfaction. By integrating third-party risk management into their business strategy, real estate developers can strengthen resilience, protect business interests, and navigate disruptions and crises more effectively.
Business continuity planning is the process of creating a plan that ensures business operations continue if a disruption occurs. It involves identifying potential risks, developing strategies to mitigate those risks, and creating a plan to implement during a crisis. By implementing solid business continuity plan, developers can minimize disruptions and continue to operate smoothly during and after a disruptive event.
Vendor business continuity planning is verifying your vendors have plans in place to ensure products and services continue to be delivered, even during a business-disrupting event. It should be reviewed before contracting with the vendor and then on an annual basis through ongoing monitoring. The plan should include personnel loss and planning, facility loss contingencies, breach/disruption notification procedures, and annual testing results.
It's important to consider all critical third parties and suppliers when it comes to continuity planning. These third parties’ service disruptions can directly and significantly impact business operations. An easy way to identify your critical third parties is to ask the following questions:
If you answer yes to any of these three questions, you’re likely dealing with a critical third party.
Integrating third-party risk management into business continuity planning strengthens developers’ resilience, protects business interests, and ensures both third parties and developers are able to respond quickly to disruptions.
Step 1: Risk assess each third-party engagement at the product or service level. Use a rating scale of low, moderate, and high risk to categorize your third-party inventory. Understanding the types and amounts of risks present in each engagement can help your organization better identify which risks are significant and require remediation.
Step 2: Identify which of your third parties are critical to your operations or its customers. While all third parties are important, every organization has a subset that is truly critical to their operations. Ask the three questions listed above to determine which third parties or suppliers are critical to your operations.
Step 3: Conduct risk-based due diligence to validate the third party’s risk practices and controls. Consider their financial stability, operational reliability, information security and privacy, and compliance with industry standards and regulations when evaluating third-party vendors.
Step 4: Ensure critical third parties have robust business continuity plans. This includes understanding their recovery strategies and procedures during a disruption. Review their business continuity plans and ensure these are regularly updated and tested. Maintaining open communication and fostering collaboration with your third parties is vital in this process to ensure expectations are aligned and responsibilities are clearly defined.
Step 5: Test third-party vendors’ business continuity plans. Conduct regular drills to ensure both parties are familiar with the response plans and procedures in case of a disruption. Regularly monitor the performance of your third parties to ensure compliance with expectations laid out in the business continuity plan.
Step 6: Monitor and review third-party vendors’ business continuity plans. Stay vigilant for any changes in the business environment that may pose risks or disruptions. Ensure adherence to compliance standards and update business continuity plans accordingly to reflect these changes. Conduct regular reviews with your third parties to discuss any modifications.
Step 7: Continually improve third-party risk management practices. Once you've completed reviews and tests with your third-party vendors, use the insights gathered to refine your third-party risk management practices. This will create a dynamic and resilient strategy that adapts and grows with your organization and its third-party relationships.
By taking these steps, your organization can ensure business continuity planning is a robust component of your third-party risk management practices.
Effective third-party risk management, which includes comprehensive business continuity planning, is an indispensable practice that empowers commercial real estate developers to boost their resilience, ensure operational continuity, and safeguard their reputation and financial well-being.