Blog | BCMMetrics

Assessing Third Party Business Continuity Risk

Written by Michael Herrera | Jun 26, 2017 11:20:58 AM

Here’s a tale of two third parties, business continuity edition:

New York City-based data center operator Telx Group has two facilities in New Jersey. In anticipation of Superstorm Sandy back in 2012, Telx moved its New Jersey operations onto generator power before the storm.

It also called in additional employees to work during the storm, stocked up on nonperishable food to feed them, and topped off each data center’s fuel supply well in advance. Not a single one of its customers experienced a data center outage either during or after the hurricane.

At the same time, Internet service provider Datagram was taking similar precautions. However, the basement of its New York City office building, where the fuel tank pumps were located, flooded quickly; with the pumps underwater the generators ran dry and went offline, and the problem eventually shut down the entire building. Many of Datagram's customers suffered significant downtime as a result, with some still offline more than 20 hours after the outage began. The two providers had the same plan on paper; the difference was a single point of failure in the basement.

When it comes to business continuity risks, examples like these highlight the gamble your company takes every time it relies on a third party provider for an essential part of the business—whether it’s for payroll services, call center operations, production facilities, IT services, or anything else. Service providers are an extension of your company and multiply your chances for a disruption.

So if your critical vendors don’t take business continuity as seriously as you do—and have a plan in place to show for it—then it may be time to reassess those relationships.

Are your business recovery plans up to par? Use this free guide to ensure they address all four common categories of disruptions.

How To Assess Third Party Business Continuity Risk

Third party risk can be assessed and managed, but the process needs to start early in the relationship. Follow these steps to ensure that your vendors continually stay on top of their business continuity risk:

  1. Add business continuity language to your service contracts. To hold your critical providers accountable, add specific language to the contract requiring that they maintain a valid business continuity program and that you have the right to evaluate it annually. If either of those conditions later falls into question, it constitutes a breach of contract. The Continuity Advisor, an online resource for free business continuity learning materials, provides a useful template for supplier business continuity clauses.
  2. Identify which service providers are critical to your business mission. There is no need to assess every service provider, only those that are critical to the mission of your company. Use a Business Impact Analysis to determine your critical external dependencies and the recovery time you need from each.
  3. Identify a business continuity point of contact at each critical vendor. Keep each point person's contact information organized and easily accessible.
  4. Create and send a business continuity questionnaire. A well-designed questionnaire should give you good insight into the state of each vendor's business continuity program. (For help on this step, check out these 15 business continuity program metrics; or complete a comprehensive assessment of your third parties using our Compliance Confidence online tool.) Give vendors a two- to three-week deadline to complete it. Be warned: not all vendors will be transparent, so make sure your questions dig deep and treat an unanswered question as a gap, not a blank.
  5. Analyze the responses. If a vendor is not forthcoming or sends a boilerplate-filled two-page summary, you may need an onsite visit to find out what you need to know. (Some companies will not give you access to recovery plans or test results unless you view them in person.) Identify gaps in the program and assess how much each gap would impair the vendor's ability to support your business during a disruption. Weigh the responses against how critical that vendor is to you: a small gap at a vendor you cannot operate without matters more than a large gap at one you could replace in a week.
  6. Identify an action plan to address gaps. If the third party risk for any vendor is too high because of significant weaknesses in its program, agree on a remediation plan and a timeline for addressing them.
  7. Follow up. Did the vendor address the outstanding issues within the time allotted? If not, reevaluate the relationship and consider your options for alternate providers.

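The scoring logic the steps above describe (assess only critical vendors, treat silence as a gap, weigh gaps against criticality, decide who gets a remediation plan and a follow-up date) can be made mechanical. The Python below is an added example, not code from the original post or from the BCMMetrics tools; the questionnaire items, weights, thresholds, and every vendor shown are constructed for illustration. It also checks one thing a yes/no questionnaire alone misses: whether the vendor's stated recovery time is actually faster than the recovery time your Business Impact Analysis says you need.

```python
"""Weighted scoring of third-party business continuity questionnaire responses.

Added example for the assessment steps in the post; not code from the post or
from BCMMetrics. Question list, weights, thresholds and vendor data are
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Questionnaire items and their weight in the gap score. Evidence of exercising
# and of an alternate site counts for more than a documented program alone.
QUESTIONS: Dict[str, float] = {
    "bc_program_documented": 1.0,
    "bc_point_of_contact_named": 1.0,
    "plan_exercised_last_12_months": 3.0,
    "exercise_results_shared_with_us": 2.0,
    "alternate_site_or_failover": 3.0,
    "generator_fuel_and_pump_location_reviewed": 2.0,
    "bc_clause_accepted_in_contract": 2.0,
}
TOTAL_WEIGHT = sum(QUESTIONS.values())

# Fraction of an item's weight counted as a gap for each answer. An unanswered
# item scores as a full gap: a vendor that will not answer is itself a finding.
GAP_FRACTION = {"yes": 0.0, "partial": 0.5, "no": 1.0, None: 1.0}

AS_OF = date(2017, 6, 26)  # assessment date used for follow-up deadlines


@dataclass
class Vendor:
    name: str
    critical: bool                      # from the Business Impact Analysis
    required_rto_hours: float           # longest outage the business can tolerate
    stated_rto_hours: Optional[float]   # vendor's committed recovery time, if given
    answers: Dict[str, Optional[str]] = field(default_factory=dict)


@dataclass
class Finding:
    vendor: str
    gap_score: float            # 0 = no gaps, 100 = every item a gap
    rto_shortfall_hours: float  # > 0 when the vendor recovers slower than you need
    gaps: List[str]
    action: str


def gap_score(answers: Dict[str, Optional[str]]) -> float:
    gap = sum(w * GAP_FRACTION[answers.get(q)] for q, w in QUESTIONS.items())
    return round(100.0 * gap / TOTAL_WEIGHT, 1)


def assess(vendor: Vendor, today: date, followup_weeks: int = 8) -> Optional[Finding]:
    if not vendor.critical:
        return None                     # only critical dependencies are assessed
    score = gap_score(vendor.answers)
    gaps = [q for q in QUESTIONS if GAP_FRACTION[vendor.answers.get(q)] > 0]
    if vendor.stated_rto_hours is None:
        shortfall = float("inf")        # no recovery commitment at all
    else:
        shortfall = max(0.0, vendor.stated_rto_hours - vendor.required_rto_hours)
    # Thresholds are illustrative. A recovery time the vendor cannot meet is a
    # gap no matter how complete the paperwork looks.
    if shortfall > 0 or score >= 50:
        due = today + timedelta(weeks=followup_weeks)
        action = f"remediation plan; follow up by {due.isoformat()}"
    elif score >= 25:
        action = "onsite review of recovery plans and test results"
    else:
        action = "accept; reassess annually"
    return Finding(vendor.name, score, shortfall, gaps, action)


def run_assessment(vendors: List[Vendor], today: date) -> Dict[str, Finding]:
    return {f.vendor: f for f in (assess(v, today) for v in vendors) if f is not None}


ALL_YES = {q: "yes" for q in QUESTIONS}
# Constructed vendor data (hypothetical names).
VENDORS = [
    Vendor("Payroll-Co", True, 48, 24, {**ALL_YES, "exercise_results_shared_with_us": "partial"}),
    Vendor("Colo-Co", True, 4, 8, {
        "bc_program_documented": "yes", "bc_point_of_contact_named": "yes",
        "plan_exercised_last_12_months": "no", "alternate_site_or_failover": "partial",
        "generator_fuel_and_pump_location_reviewed": "no", "bc_clause_accepted_in_contract": "no",
    }),  # exercise_results_shared_with_us deliberately left unanswered
    Vendor("DNS-Co", True, 2, 12, dict(ALL_YES)),      # clean paperwork, RTO too slow
    Vendor("Office-Plants-Co", False, 720, None, {}),  # not critical: skipped
]

if __name__ == "__main__":
    for f in run_assessment(VENDORS, AS_OF).values():
        print(f"{f.vendor}: gap {f.gap_score}, RTO shortfall {f.rto_shortfall_hours}h -> {f.action}")
        for q in f.gaps:
            print(f"  gap: {q}")
```

Two design points carry the weight here. Unanswered questions score as full gaps, so a boilerplate response cannot earn a good score by omission. And the RTO comparison sits outside the weighted score: DNS-Co answers yes to everything and still lands in remediation because a 12-hour recovery does not meet a 2-hour requirement, which is exactly the Datagram pattern of a sound-looking plan that fails the one number that matters to you.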

A Third Party Risk Assessment Tool That Works

Don’t reinvent the wheel—use the Compliance Confidence (C2) assessment tool as a questionnaire for third party risk evaluation. Part of the BCMMetrics™ suite of online business continuity software, Compliance Confidence can be used with all your third party vendors as a way of evaluating their business continuity programs. It’s simple to give your third party vendors access, easy to fill out, and presents a straightforward “FICO”-like score measuring how well a program stands up to the most current standards and guidelines.

It also highlights areas for improvement, making it easy for you to work with third parties on business continuity goals.

Interested in seeing the tool in action? Schedule a free demo today.