Supplier Business Continuity Planning: Ensuring Operational Resilience

Business continuity planning (BCP) within third-party risk management (TPRM) has emerged as a crucial focus area in recent years. Regulators are prioritizing operational resilience, and there have been numerous recent examples of extensive disruptions and outages stemming from supplier-related issues.

Assessing a supplier's business continuity plan (BCP) can present challenges, but it’s a crucial skill that can pinpoint vulnerabilities within your supply chain. However, many organizations encounter difficulties obtaining required information from their suppliers, who may be hesitant to provide necessary documentation. This blog aims to provide guidance on the BCP assessment process and offer tips for addressing common challenges.

How to Assess Supplier Business Continuity Planning and Example Scenarios  

Assessing a supplier's BCP requires a comprehensive evaluation of multiple elements with the guidance of a qualified subject matter expert (SME), such as an IT professional, BCP professional, or another certified individual. By carefully examining these elements, it’s possible to gain invaluable insights into the supplier's ability to sustain service to your organization during a business-disrupting event. 

Here are essential supplier BCP elements to scrutinize, along with illustrative scenarios:  

1. Ensure the supplier has a documented BCP – Some suppliers may use different terms when referring to a BCP. Look for documentation that uses phrases such as business continuity management or operational resilience. Whatever term is used, the plan should be formally documented and available for review.
   
   Example: During initial due diligence, you request evidence of a formal BCP from a critical supplier. The supplier’s management doesn’t approve disclosing its BCP and instead submits a completed BCP questionnaire that contains yes/no questions. A questionnaire can be a good first step, but the answers must be validated by reviewing the documented BCP. When it comes to supplier due diligence, the concept of “trust but verify” should always be a standard practice. 
2. Review the strategy for personnel loss – This is essentially the succession plan that describes how the supplier will handle personnel loss, whether because of retirement or other unexpected departures. Is there evidence of cross-training, job rotation, or usage of staffing agencies? Cross-training involves teaching an employee skills outside of their primary role, while job rotation is a complete shift in an employee’s duties and responsibilities. Suppliers may use one or more of these strategies, depending on their industry, organization size, and other unique risk factors.
   
   Example: Your supplier has a policy that addresses employee education and training, with a dedicated section on job rotation for personnel loss. This supplier has fewer than 50 employees, with a cybersecurity team of five individuals. A job rotation strategy could create additional risk if half of the cybersecurity team was required to shift their duties to a different department. 
3. Determine if the BCP addresses pandemic contingencies or mass absenteeism – Agencies like the Center for Disease Control (CDC) or local and state governments can issue orders that prevent employees from working in person. If employees are unable to work because of health guidelines or other local mandates, how will the supplier continue to maintain operations? Does the supplier have alternate work strategies, quarantine guidelines, and procedures for employee and client communication? BCPs should address these details, which might be found in other documents like remote access plans or pandemic plans. 
   
   Example: A supplier’s pandemic plan outlines the process for communicating with its critical vendors and customers and ensuring remote access for its employees. However, the plan doesn’t provide oversight details such as responsibilities and timing for reviewing, updating, and approving the process. Pandemic plans can become ineffective because of new operating systems, a change in management, or new guidelines, so they should be reviewed at least annually and updated as needed.
4. Identify relocation plans – A supplier may need to relocate because of severe weather events or unanticipated renovations and repairs. If the supplier’s primary location is unavailable, do they have a secondary office facility or remote work capabilities? Relocation plans should describe the supplier’s assets and equipment, as well as a remote access strategy. Also consider the alternate location’s preparedness level, which is generally described as cold, warm, or hot. A cold location is empty and requires significant preparation, while a warm location requires minimal preparation. A hot location is fully prepared, with all necessary equipment that enables the supplier to operate as usual, or at an acceptable level. 
   
   Example: Your critical supplier’s main facility is in a region that has experienced three significant weather events in the past two years. Each event caused widespread power outages that lasted longer than 72 hours. The supplier’s BCP includes a cold location that’s located within the same region as its main facility. This scenario could expose you to high levels of business continuity risk because the alternate location requires significant preparation and is still vulnerable to the same weather events. 
5. Review the supplier’s breach/disruption notification policy – You’ll want to ensure there’s a clear communication plan in place during a disrupting event, whether your supplier experiences a cyber incident or an outage. This policy should detail the timing of when the supplier will notify your organization after an incident and the point of contact for any updates. Consider any regulatory requirements your organization must follow regarding breach notifications, and make sure your supplier’s policy aligns with these requirements.
   
   Example: Regulators such as the Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), and state legislators have set standards on how quickly an organization must report certain data breaches. The FTC requires a report within 30 days of discovery, while the SEC shortens the timeline to four business days. Your supplier’s policy states that it notifies its customers of a data breach within four business days to ensure compliance with the SEC’s final rule, as well as applicable state laws. This policy would provide valid evidence of the supplier’s compliance, though it’s still recommended that any breach notification procedures be documented in the contract.
6.  Evaluate the supplier’s business impact analysis (BIA) – This describes how the supplier’s operations might be impacted by a business-disrupting event. The BIA should be reviewed so the following three data points meet your expectations: 
   
   • Recovery time objectives (RTO) – The RTO is the length of time the supplier must restore the process after a disruption to avoid an unacceptable consequence.
   • Recovery point objectives (RPO) –The RPO is the amount of data the supplier expects to lose in a worst-case scenario. RPO also defines how much time can pass during a disruption before the data loss is unacceptable.
   • Maximum tolerable downtime (MTD) – The MTD is the third component in the BIA, which describes how much downtime the supplier can endure before the disruption causes a material loss.
   Example: A BIA is generally customized to an organization’s needs, which can vary based on industry standards and internal resources. Let’s say your organization has developed a BIA, with an RTO of three hours. The supplier’s BIA states that its RTO is to restore its system within four hours after a disruption. This one-hour difference will need to be evaluated by the SME, who can advise your organization on next steps, such as seeking formal risk acceptance from senior management or requiring the supplier to improve its RTO before signing the contract.
7. Verify the testing procedures – Having a formal, comprehensive BCP is just one piece of the puzzle. The plan should also be tested to provide evidence that it’s viable. This can be achieved through testing types such as tabletop, simulated, or functional. The supplier should perform testing at least annually and maintain documented results. Testing results often contain confidential information, so it’s generally acceptable to review a redacted document. If there were any issues found during testing, your organization should follow up with the supplier to confirm whether they’ve been remediated. 
   
   Example: Your supplier provides a summary of its BCP testing results, which doesn’t specify the methodology or the date of the most recent test. The summary states that the testing was performed internally, and no significant issues were identified. You should follow up with the supplier to verify the date of the testing and what the methodology was.
8. Determine frequency of ongoing maintenance – The supplier should review and approve its BCP at least annually and update it when the supplier experiences any significant changes within its operations or infrastructure. Typically, the BCP will have a revision history at the beginning or end of the document and state who approved the document. Review these details to verify it aligns with what the supplier reports. 
   
   Example: The supplier provides a BCP questionnaire that states their plan is reviewed and approved annually by senior management or the board. However, the BCP doesn’t contain a revision history, so your organization can’t verify whether this statement is true. Whether this oversight was intentional or not, it’s important to follow up with the supplier for further review. 
9. Obtain a documented assessment from the SME – Once the SME completes the assessment of the supplier’s BCP, those results should be formally documented along with an overall rating. This assessment should typically include a detailed description of each BCP component that was reviewed and the SME’s opinion on whether the plan components are effective. The SME should also provide recommendations on how to proceed with the supplier. This may include requesting additional documentation from the supplier or implementing stronger controls within your organization.
   
   Example: If you receive an assessment of your vendor's BCP that includes a high-risk rating, it should include a clear description of what elements were missing and what controls were lacking. This allows you to follow up on the appropriate controls and risk factors so you can determine whether the BCP meets your organization’s needs and/or whether their responses are consistent with their documentation. Any unmitigated components should be re-assessed to determine whether your organization can mitigate the risk, accept the risk, or decline the relationship.

Navigating Challenges With Supplier Business Continuity Plans 

Assessing a supplier’s BCP is challenging enough, but it’s not uncommon to face additional issues along the way. Some suppliers may be hesitant to share BCPs because of their confidential nature, while other suppliers don’t respond to document requests at all.

Here are three common challenges and how your organization can address them: 

1. Supplier refuses to provide a BCP – This may happen because the information is too sensitive or confidential to share with your organization. Check with the supplier to see if they’d be willing to send a heavily redacted version that still provides sufficient evidence. You can also try suggesting a meeting with the supplier’s BCP stakeholders to discuss planning and testing results. 
2. BCP is unrelated to the product/service your organization is using – You might discover that the supplier’s BCP is too generic or doesn’t address the specific product or service that your organization uses. First, check that the supplier doesn’t have multiple BCPs for different product lines. If they only have one BCP, consult with your SME and legal team to determine how to move forward. It’s possible that some elements of the BCP can still be reviewed, and your organization can include contract provisions to address any gaps or weaknesses.
3. Supplier hasn’t tested or updated the BCP in over a year – Even if your supplier’s BCP is comprehensive and has all the right elements, it should still be tested and updated regularly. This can help ensure the supplier’s BCP is adapting to changing technology and new vulnerabilities. When a supplier isn’t testing and updating its BCP, it’s important to communicate the issue and develop a plan to remediate. Depending on the supplier’s response and cooperation, you may need to reconsider the relationship to protect your organization.  

As more organizations continue to rely on a broad network of vendors and suppliers for goods and services, it’s increasingly important for organizations to have processes in place to conduct thorough business continuity planning assessments on their vendors and suppliers, especially those critical for supporting day-to-day operations. Although navigating through this process can be challenging, it will significantly contribute to strengthening your organization's operational resilience in the face of potential disruptions.