Imagine this: Burgeoning political turmoil and economic fragility have ignited extreme civil unrest in an overseas country that hosts 60% of your manufacturing. The entire region is a Molotov cocktail of mobs and destruction - buildings burning, traffic blocked, workers abandoning their posts, etc. - with no signs of extinguishing.
Though your vendor facilities are thus far physically unscathed, they have borne a 42% decline in employee attendance and a 63% decline in production, and uncertainty envelops product transportation. What’s your plan? Do you have one? Have you prepared to safeguard your reputation, revenue, and market share against third-party vendor risks by establishing a business continuity management program (BCMP) that addresses vendor risk mitigation?
Not all risks originate directly from your immediate enterprise. As more organizations migrate services and processes to third-party vendors, they face more risks arising from variable - and sometimes volatile - organizational climates. Some of these risks include:
- Regulatory and compliance risks
- Reputational risks
- Data and system breach risks
- Operational risks
- Financial risks
- Geopolitical risks
- Environmental and weather-related risks
Ramp up Resiliency
External interruptions can cripple even the most internally prepared business. For full-spectrum resiliency, a company’s BCMP should go beyond basic, internally-focused risk management by developing processes for evaluating and understanding your vendors’ interruption risks.
Let’s take a look:
1. Conduct a Vendor Risk Assessment
Risk assessments (RAs) and business impact analyses (BIAs) are always imperative starting points in comprehensive BCMPs. And a more targeted vendor interruption risk assessment (VIA) will help fine-tune interruption preventions, plans, and recovery by answering questions such as:
- Which third-party interruptions would have the greatest impact on the enterprise?
- How quickly could the impact take effect?
- Does my recovery strategy involve my vendors and how?
- What interruptions are more probable with which vendors?
The VIA should include:
A. Relationship Risk Evaluation: Examine the type of service a third-party provides and determine how critical it is to the organization
B. Business Profile Risk Appraisal: Survey factors such as:
- Financial status – Has the vendor declared bankruptcy, or does it bear other credit risks?
- Stability – How long has the vendor been in business?
- Legal status – Has the vendor been involved in criminal charges or class-action lawsuits?
- Security – Has the third party suffered data breaches or other security issues?
- Regulatory status – Is the vendor strictly regulated, and has it been, or is it currently, out of compliance?
- Location – Does the vendor’s locale warrant high-risk status due to the potential for severe weather, political instability, etc.?
2. Evaluate and Monitor Vendor Security Standards
Routinely review the third parties’ security protocols to ensure they align with your standards. In contracts, include stipulations that require the vendor to establish and uphold security practices, such as stringent employee background checks, data security training, maintaining up-to-date software, and implementing prevention processes and tools.
Entering into a service-level agreement (SLA) with your third party could also establish mandates that enforce compliance with your security standards. The SLA should include the right for your enterprise to conduct regular security audits and should require the vendor to follow the guidelines from the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) and the SANS Institute’s CIS Critical Security Controls.
3. Establish a ‘Least Privilege’ Policy
Allow third parties to access only the data that is necessary to perform their role. Also, regularly review user credentials and related policies.
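The two checks this step calls for, comparing each third-party account’s granted access against what its role actually needs and flagging credentials that have not been reviewed or used recently, can be automated as a periodic access review. The following is an added example and not code from the original article or from Assurance Software; the role-to-entitlement map, the account records, and the rotation and idle thresholds are all constructed for illustration and would come from your own identity provider and vendor contracts in practice.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy: the minimum entitlements each vendor role needs.
# Anything granted beyond this set is excess privilege (assumed values).
ROLE_ENTITLEMENTS = {
    "logistics-partner": {"shipping.read", "shipping.update"},
    "payroll-processor": {"hr.read"},
}


@dataclass(frozen=True)
class VendorAccount:
    """One third-party user account as exported from an identity provider."""
    account: str
    vendor: str
    role: str
    granted: frozenset           # entitlements currently assigned
    last_credential_rotation: date
    last_login: date


def review_account(acct, today, max_credential_age_days=90, max_idle_days=30):
    """Return a list of findings for one account (empty list means compliant).

    Thresholds are assumptions for the example; set them from your own policy.
    """
    findings = []
    allowed = ROLE_ENTITLEMENTS.get(acct.role)
    if allowed is None:
        # An account with a role nobody defined cannot be least-privilege checked.
        findings.append("unknown role: " + acct.role)
    else:
        excess = sorted(acct.granted - allowed)
        if excess:
            findings.append("excess privileges: " + ", ".join(excess))
    if (today - acct.last_credential_rotation).days > max_credential_age_days:
        findings.append("credential rotation overdue")
    if (today - acct.last_login).days > max_idle_days:
        findings.append("dormant account")
    return findings


def review_all(accounts, today):
    """Map each account name to its findings; accounts with no findings are clean."""
    return {a.account: review_account(a, today) for a in accounts}


# Constructed sample export: three vendor accounts with deliberately varied state.
SAMPLE_ACCOUNTS = [
    VendorAccount("svc-ship-01", "Acme Freight", "logistics-partner",
                  frozenset({"shipping.read", "shipping.update"}),
                  date(2024, 5, 1), date(2024, 6, 28)),
    VendorAccount("svc-ship-02", "Acme Freight", "logistics-partner",
                  frozenset({"shipping.read", "shipping.update", "finance.read"}),
                  date(2024, 1, 15), date(2024, 6, 27)),
    VendorAccount("svc-pay-01", "PayCo", "payroll-processor",
                  frozenset({"hr.read"}),
                  date(2024, 6, 1), date(2024, 3, 2)),
]

if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_ACCOUNTS, date(2024, 7, 1)).items():
        print(name, "->", findings or ["ok"])
```

Run on a schedule, the output of `review_all` is the evidence the audit right in the SLA is meant to produce: a named list of accounts whose access exceeds their role, plus credentials that are stale or unused and should be rotated or removed.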
4. Practice Awareness
Stay abreast of political climates, economies, weather, and other risk factors surrounding vendors’ locations. This allows for mitigative moves to address potential disruptions before they transpire.
5. Implement a Reporting and Monitoring Program
Minimizing risks with third parties is a perpetual battle. Processes for monitoring vendors’ financial status, quality of service, risk management protocols, and compliance should be established. Useful metrics, such as the following, grant executives and shareholders insight into external risk management conditions:
- Number of vendors surveyed
- Overall effectiveness of individual third parties
- Customer complaints and resolutions
- Vendor’s financial condition and insurance coverage
- Changes to government or industry regulations
6. Plan Contingencies for Choices
Some organizations may choose to stay with a heavier-risk vendor for reasons such as exceptional cost savings or a lack of more resilient alternatives. In these circumstances, an organization can establish additional disruption buffers, such as:
- Maintain higher inventory levels for critical items
- Collaborate with the third party and encourage it to augment its risk and BC management
- Establish “backup” vendor relationships
- Bolster existing BC plans
Our business world today is a complex, global architecture that harbors divergent laws, politics, working cultures, and weather, and also greater risk. To build an all-encompassing bulwark of BC resiliency, organizations should scrutinize and diminish their external third-party risks as much as they do their internal ones.
Written by Angie Longacre
As a writer for Assurance Software, Angie devotes her craft to promoting business continuity and disaster recovery awareness, and trumpeting Assurance Software’s invaluable benefits for both. When she’s not commanding the keyboard, you can find her outside for a run, searching for her next antique treasure, or lost in a good book.