Note: In light of recent, highly publicized supply chain breakdowns, this blog post has been revised following its original publication on February 26, 2019.
Last Saturday, a major US retailer was unable to process credit card purchases from its cash registers nationwide for two hours. After the issue was resolved, the problem resurfaced the next day. The root cause was determined to be a data center issue at a third-party payment processor.
How to Ramp up Vendor Risk Resiliency
As we all know, external interruptions can cripple even the most internally prepared business. For full-spectrum resiliency, a company’s BCMP should go beyond basic, internally-focused risk management by developing processes for evaluating and understanding vendor interruption risks.
Let’s take a look:
1. Conduct a Vendor Risk Assessment
Risk assessments (RAs) and business impact analyses (BIAs) are always imperative starting points in comprehensive BCMPs. And a more targeted vendor interruption risk assessment (VIA) will help fine-tune interruption preventions, plans, and recovery by answering questions such as:
- Which third-party interruptions would have the greatest impact on the enterprise?
- How quickly could the impact take effect?
- Does my recovery strategy involve my vendors and how?
- What interruptions are more probable with which vendors?
The VIA should include:
A. Relationship Risk Evaluation: Examine the type of service a third-party provides and determine how critical it is to the organization
B. Business Profile Risk Appraisal: Survey factors such as:
- Financial status – Has the vendor declared bankruptcy, or does it bear other credit risks?
- Stability – How long has the vendor been in business?
- Legal status – Has the vendor been involved in criminal charges or class-action lawsuits?
- Security – Has the third-party suffered data breaches or other security issues?
- Regulatory status – Is the vendor strictly regulated, and has it been, or is it currently, out of compliance?
- Location – Does the vendor’s locale warrant high-risk status due to the potential for severe weather, political instability, etc.?
2. Evaluate and Monitor Vendor Security Standards
Routinely review the third party’s security protocols to ensure they align with your standards. In contracts, include stipulations that require the vendor to establish and uphold security practices, such as stringent employee background checks, data security training, maintaining up-to-date software, and implementing prevention processes and tools.
Entering into a service-level agreement (SLA) with your third party could also establish mandates that enforce compliance with your security standards. The SLA should include the right for your enterprise to conduct regular security audits and a requirement that the vendor follow the guidelines from the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) and the SANS Institute’s CIS Critical Security Controls.
3. Establish a ‘Least Privilege’ Policy
Allow third parties to access only the data necessary to perform their role. Also, regularly review vendor user credentials and the policies that govern them.
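A least-privilege policy for vendors only holds if someone periodically checks granted access against what each vendor role actually needs. The following script, an added example that is not from the original post or from Assurance Software, shows one way to run that review. It assumes a per-role allow-list of permissions (the "necessary to perform their role" baseline) and an export of vendor accounts with their granted permissions and credential dates; the role names, permission strings, vendor names and dates are all constructed for the example.

```python
"""Periodic third-party access review against a least-privilege baseline.

Added example; not code from the original post. ROLE_BASELINES and the
sample accounts below are constructed placeholders, not real vendor data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Hypothetical baseline: the only permissions each vendor role needs.
ROLE_BASELINES: Dict[str, Set[str]] = {
    "payment-processor": {"txn:read", "txn:settle"},
    "logistics": {"shipment:read", "shipment:update"},
    "hvac-maintenance": {"facility:read"},
}


@dataclass
class VendorAccount:
    vendor: str
    username: str
    role: str
    permissions: Set[str]
    last_rotated: date            # when the credential was last rotated
    last_used: Optional[date]     # None if the credential has never been used


@dataclass
class Finding:
    vendor: str
    username: str
    kind: str     # excess-permission | stale-credential | dormant-account | unknown-role
    detail: str


def review_vendor_access(accounts: List[VendorAccount],
                         baselines: Dict[str, Set[str]],
                         as_of: date,
                         max_rotation_days: int = 90,
                         max_idle_days: int = 30) -> List[Finding]:
    """Flag access that exceeds the role baseline and credentials that need attention."""
    findings: List[Finding] = []
    for acct in accounts:
        baseline = baselines.get(acct.role)
        if baseline is None:
            # A role with no baseline cannot be checked; treat it as a finding, not a pass.
            findings.append(Finding(acct.vendor, acct.username, "unknown-role",
                                    f"role {acct.role!r} has no permission baseline"))
            continue
        # Least privilege: anything granted beyond the role's baseline is excess.
        for perm in sorted(acct.permissions - baseline):
            findings.append(Finding(acct.vendor, acct.username, "excess-permission", perm))
        # Credential hygiene: rotation age and dormancy.
        if (as_of - acct.last_rotated).days > max_rotation_days:
            findings.append(Finding(acct.vendor, acct.username, "stale-credential",
                                    f"last rotated {acct.last_rotated.isoformat()}"))
        if acct.last_used is None or (as_of - acct.last_used).days > max_idle_days:
            findings.append(Finding(acct.vendor, acct.username, "dormant-account",
                                    "never used" if acct.last_used is None
                                    else f"last used {acct.last_used.isoformat()}"))
    return findings


def trimmed_permissions(acct: VendorAccount, baselines: Dict[str, Set[str]]) -> Set[str]:
    """The permission set the account should keep under least privilege."""
    return acct.permissions & baselines.get(acct.role, set())


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind, for the reporting metrics a monitoring program tracks."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample export of vendor accounts.
SAMPLE_ACCOUNTS = [
    VendorAccount("PayCo", "payco-svc", "payment-processor",
                  {"txn:read", "txn:settle"}, date(2019, 1, 15), date(2019, 2, 28)),
    VendorAccount("ShipFast", "shipfast-api", "logistics",
                  {"shipment:read", "shipment:update", "txn:read"},
                  date(2018, 10, 1), date(2019, 2, 20)),
    VendorAccount("CoolAir", "coolair-tech", "hvac-maintenance",
                  {"facility:read"}, date(2019, 2, 1), None),
    VendorAccount("OldVendor", "oldvendor-user", "cleaning",
                  {"facility:read"}, date(2019, 2, 1), date(2019, 2, 25)),
]

if __name__ == "__main__":
    for f in review_vendor_access(SAMPLE_ACCOUNTS, ROLE_BASELINES, date(2019, 3, 1)):
        print(f"{f.vendor:10} {f.username:15} {f.kind:18} {f.detail}")
```

Run against the sample data as of 1 March 2019, the review flags one excess permission and one stale credential on the logistics account, one dormant account, and one account whose role has no baseline; the payment-processor account passes. Feeding the output of `summarize` into the vendor reporting metrics turns the least-privilege policy into something that is measured on a schedule rather than assumed.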
4. Practice Awareness
Stay abreast of political climates, economies, weather, and other risk factors surrounding vendors’ locations. This allows for mitigating actions to address potential disruptions before they transpire.
5. Implement a Reporting and Monitoring Program
Minimizing risks with third parties is a perpetual battle. Processes for monitoring vendors’ financial status, quality of service, risk management protocols, and compliance should be established. Useful metrics, such as the following, give executives and shareholders insight into external risk management conditions:
- Number of vendors surveyed
- Overall effectiveness of individual third parties
- Customer complaints and resolutions
- Vendor’s financial condition and insurance coverage
- Changes to government or industry regulations
6. Plan Contingencies for Choices
Some organizations may choose to stay with a higher-risk vendor for reasons such as exceptional cost savings or a lack of more resilient alternatives. In these circumstances, an organization can establish additional disruption buffers, such as:
- Maintain higher inventory levels for critical items
- Collaborate and encourage the third-party to augment their risk and BC management
- Establish “backup” vendor relationships
- Bolster existing BC plans
Our business world today is a complex, global architecture that harbors divergent laws, politics, working cultures, and weather, and with them greater risk. To build an all-encompassing bulwark of BC resiliency, organizations should scrutinize and diminish their external third-party risks as much as they do their internal ones.
Written by Assurance Software
Assurance Software takes your company’s enterprise-wide business continuity and resiliency program to the next level. With Assurance as your go-to partner for continuity and resilience, you can confidently mitigate risk, manage recovery, and safeguard your employees, customers, operations and brands.