How to Evaluate Business Partner Resiliency
By Bob Violino | Posted 2014-05-30
How can you know that your business partners are taking sufficient precautions when it comes to systems reliability? It's an increasingly important consideration, given the growing use of cloud services for critical business functions.
Companies are becoming more reliant on external parties for critical services, and, as a result, they're becoming more vulnerable to business interruptions, according to a new report, "Business Continuity Beyond Company Walls: When a Crisis Hits, Will Your Vendors' Resiliency Match Your Own?" from consulting firm PwC. This is especially true when they know little about their vendors' resiliency and recovery capabilities.
PwC notes that the risk is greater when enterprises have a limited understanding of their own business interruption threats, resiliency status, and recovery capabilities and strategies.
"In a world of ever-increasing dependence on third-party vendors, you need to know if you can count on the other party when a crisis strikes," says Phil Samson, principal in PwC's Risk Assurance practice and leader of the firm's Business Continuity Management services.
"It's all about transparency—asking the right questions and pushing the right levers to determine whether your vendors will be able to weather a serious business interruption and quickly resume business as usual. The more you know about your own needs, your vendor's capabilities and the robustness of your resiliency plans, the more comfort you'll have about staying on track toward your long-term strategic and operational goals—even when faced with adverse developments."
To protect against business interruption risks, companies should create a business continuity management program that encompasses partner risk by incorporating increased resiliency and rapid recovery, the report states.
PwC recommends five steps to help organizations examine interruption risk among their vendors. First, they need to map their vendor risk landscape. Having a proactive business continuity management program requires a thorough business impact analysis (BIA), an interruption risk assessment (RA) and a high-level vendor interruption risk assessment. These enable a company to review how interruption events can affect the organization.
Second, companies need to take a risk-informed approach in determining which vendors are most important to their operational resilience. The BIA and RA provide the foundation for developing an approach that enables "vendor resiliency and recovery assessment stratification." The report identifies nine critical risk variables that organizations should take into account when assessing partners, including revenue and inventory impact from loss; labor, country and geopolitical risks; and regulatory and cross-border issues.
The third recommendation is to be specific. Organizations can no longer rely on generic business continuity questionnaires in vendor risk management. They need to carefully assess the quality of a vendor's resilience and recovery capabilities. The PwC report outlines several factors that companies should consider within their BIA and RA.
The next step is to "trust but verify." The report points out that once an organization has developed a vendor risk landscape, it's vital to verify the vendor's resiliency and recovery capabilities.
The firm suggests six best practices that can improve how a company engages with its vendors on resiliency and how it analyzes their capabilities. These include enlisting the vendor as a resiliency partner, obtaining relevant portions of the vendor's BIA and RA, and having the vendor provide its framework for responding to crisis events.
Finally, companies should determine how much vendor resiliency risk they're willing to accept. If a partner is essential to a strategic growth goal or to fulfilling a regulatory requirement, resiliency levels should never be negotiable. In such situations, replacing the vendor is a less risky and costly alternative to poor disaster preparedness and recoverability.