Red Flags within Your Vendor’s BCP

Red Flags Within Your Vendor’s Business Continuity Plan

Significant events, including natural disasters and massive cybersecurity breaches, will not only impact your vendor’s operations, but yours as well. Your data could be lost, your processes can be slowed or stalled, and your reputation could be hurt.

To protect your organization and stay proactive, you need to understand a vendor’s Business Continuity Planning (BCP) and Disaster Recovery (DR): the processes by which the vendor builds systems of prevention and recovery to deal with potential threats.

To do so, your organization should be reviewing the vendor’s BCP annually as part of your ongoing monitoring after you’ve selected and contracted with them. You must determine if there are any issues to be concerned about. But what would be considered a red flag?

You need to recognize the signs of a vendor in crisis. Here’s a list of common red flags to be aware of when performing risk assessments of your vendor’s BCPs: 

  • Disproportionate net sales to the amount of time a vendor has been in business
  • A lack of IT disaster recovery focus
  • No record of staff training documentation
  • Lack of updates or tests over a substantial period
  • Little attention to complaint management and tracking or remediation
  • No oversight of fourth-party vendors
  • BCPs that don’t address products/services that are applicable to your relationship with the vendor
  • Inconsistent or non-existent Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) 

RTOs and RPOs

A BCP also documents and demonstrates, through its Disaster Recovery component, how a business will recover from a declared disaster scenario. DR is more reactive than BCP: it zeroes in on technology infrastructure and concentrates on restoring access to data following a disaster. It comprises the specific steps an organization must take to resume operations after an incident, with response times ranging from seconds to days.

This DR plan is built on the fundamental principles of RTOs and RPOs. The RTO is the maximum duration within which a business process must be restored after a disruption to avoid unacceptable consequences. The RPO is the maximum interval of time, measured back from the disruption, over which data may be lost before that loss exceeds the organization’s tolerance.

Both RTOs and RPOs quantify what losses might ensue if critical services are disrupted and set targets for re-establishing services based on mitigating potential losses. It’s key that your organization works together with vendors to define realistic RTO and RPO goals. 
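As an added example (not from the original article or any VRM product), the following Python turns four of the red flags above into an automated check over a vendor’s declared figures: a missing RTO or RPO, an RPO that the vendor’s own backup cadence cannot meet, a stale or undocumented DR test, and a contracted service the BCP does not address. The class, field names, thresholds and sample figures are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class ServiceDrPlan:
    """Figures a vendor states for one service in its BCP/DR plan (field names are assumptions)."""
    service: str
    rto: Optional[timedelta]              # declared Recovery Time Objective
    rpo: Optional[timedelta]              # declared Recovery Point Objective
    backup_interval: Optional[timedelta]  # how often data is actually backed up or replicated
    last_dr_test: Optional[date]          # date of the most recent documented DR test

def service_red_flags(plan: ServiceDrPlan, review_date: date,
                      max_test_age: timedelta = timedelta(days=365)) -> list:
    """Return the red flags raised by one service's declared DR figures."""
    flags = []
    if plan.rto is None:
        flags.append("no RTO declared")
    if plan.rpo is None:
        flags.append("no RPO declared")
    # An RPO shorter than the backup interval cannot be met: the newest copy may already be older
    elif plan.backup_interval is not None and plan.backup_interval > plan.rpo:
        flags.append(f"RPO {plan.rpo} is unachievable with backups every {plan.backup_interval}")
    if plan.last_dr_test is None:
        flags.append("no DR test documented")
    elif review_date - plan.last_dr_test > max_test_age:
        flags.append(f"last DR test on {plan.last_dr_test} is older than {max_test_age.days} days")
    return flags

def review_bcp(plans, contracted_services, review_date):
    """Map every contracted service to its red flags; services missing from the BCP are flagged too."""
    by_name = {p.service: p for p in plans}
    report = {}
    for svc in contracted_services:
        if svc not in by_name:
            report[svc] = ["service not addressed in the BCP"]
        else:
            report[svc] = service_red_flags(by_name[svc], review_date)
    return report

# Constructed sample: three contracted services, one of which the vendor's BCP omits entirely
SAMPLE_PLANS = [
    ServiceDrPlan("payment-api", timedelta(hours=4), timedelta(minutes=15),
                  timedelta(hours=1), date(2022, 3, 1)),
    ServiceDrPlan("reporting", timedelta(hours=24), timedelta(hours=24),
                  timedelta(hours=6), date(2024, 1, 10)),
]
CONTRACTED = ["payment-api", "reporting", "document-archive"]
REVIEW_DATE = date(2024, 6, 1)  # date of the annual review in this constructed sample
```

Calling `review_bcp(SAMPLE_PLANS, CONTRACTED, REVIEW_DATE)` flags the payment API twice (unachievable RPO, stale test), passes reporting, and flags the archive service as unaddressed.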

Let a VRM solution do the hard work for you

When it comes time to review your vendor’s BCP/DR plan, let a vendor risk management (VRM) solution do the work for you: 

  • Senior analysts can submit, retrieve, and review a completed Business Continuity and Disaster Recovery Questionnaire, and request and receive your vendors’ private documents under an open Letter of Authorization. 
  • A summary view of BCP/DR planning and testing for each vendor can then be created that describes the risk analysis and findings. 
  • The analysis, the final report, and the vendor’s native documents are uploaded into your electronic vendor folders in the VRM. 
  • You receive a notice when the task is complete and can review everything at your leisure. 

An automated VRM solution can help you rest easy knowing your critical vendor reviews are completed on time, each and every year. Don’t ignore the red flags: verifying that your vendors align with your organization’s strategic and operational goals can prevent a disaster, or at least ease the recovery.
