Organizations seeking an application to help mitigate increasing business continuity (BC) risks sometimes find themselves evaluating enterprise-class software for the first time. In my experience working with many organizations over the last 20+ years, these evaluations tend to focus on software features but often fail to thoroughly evaluate risks specific to the vendor. This blog post examines three commonly overlooked vendor evaluation criteria and provides suggestions for exposing hidden risks.

What did they build, what did they buy?

All software vendors strike a balance between investments in R&D and investments in other functions, including Support and Services. Increased spending in R&D comes at the direct cost of competing initiatives. As a result, software vendors often reduce development costs by utilizing components provided by other vendors. For adjunct functions such as reporting, this can result in benefits for the vendor (reduced cost and increased speed-to-market), as well as benefits for the customer (more robust reporting). For system-critical functions, however, dependence on 3rd-party components can introduce risks that can be significant for both the vendor and the customer. For instance, if the software’s platform is designed and maintained by a 3rd party, your software vendor sacrifices the ability to ensure stability and prioritize enhancements and bug fixes. As a result, your BC program may be exposed to additional risks.

Questions to Ask Your Vendor:

  1. Do you own and control your entire technology stack?
  2. Which components in your system are provided by a 3rd-party?
  3. Are any of these system-critical? If Yes,
    1. What are the SLA commitments from the 3rd-party vendor for uptime, time to fix bugs, and time to address enhancements?
    2. What are the actual performance metrics for the last 12 months?

 

Alignment of Customer Support to your BC program requirements

Your BC program is most likely designed to ensure the resiliency of your organization in the event of a crisis no matter when it may occur.  To achieve this objective, you should be able to activate your critical plans on short notice at any time of day or night.  During a crisis, if you need immediate assistance from your BC software vendor, you should be able to have a live conversation with a support representative 24 x 7 x 365.  Without this fundamental support from your vendor, your ability to activate your plan during a crisis may be delayed.   

Questions to Ask Your Vendor:

  1. Do you provide 24 x 7 x 365 live support for critical issues?
  2. What are the SLA commitments for minimum response times for live support?
  3. Do you outsource or off-shore any of your support services?
  4. Request the hotline number from the vendor and try it out, unannounced during off-hours.

 

Hidden financial risks

Most likely, your organization is financially stable, operating profitably on a consistent basis.  If that status should change, your overall risk profile would degrade.  Your BC software vendor’s financial stability should be comparable to yours.  If the vendor is not financially stable, your dependence on their software may introduce new risks that are difficult or impossible to mitigate.       

Questions to Ask Your Vendor:

  1. Do you operate profitably on a consistent basis?
  2. Please provide audited financial statements for the last 3 years.

Selecting an enterprise software system for business continuity is a significant commitment that will impact the success or failure of your continuity program over the long term.  A thorough examination of your vendor should accompany the software evaluation to ensure that potentially hidden risks are exposed and fully considered.   


Written by Mike Jennings, VP of Advisory Services

Mike leads the Assurance Advisory Services team. During his more than 26 years of business continuity management, disaster recovery and enterprise risk management experience, he has mentored clients and helped them solve their program needs. Mike has worked extensively with clients throughout the world on their BCM programs, including their underlying incident management and crisis management programs.
