You have Business continuity plans to ensure continuity of products and services during a business interruption. Business continuity test exercises are done to check the efficacy of the plan, but there is more to it. You may have dependencies on the external parties like vendors, suppliers or consultants in the business process, for which there might be agreement in place. But does it give you confidence that your external parties will resume with the same level of service as you??
Here are some of the important areas to check for your vendors business continuity
Your function may be dependent on the external vendor. How is the interface between you and your vendor?
Consider the case where the vendor has to be operational from your office on a daily basis during working hours. They use your Infrastructure and have access to a specific network for executing the tasks assigned to them. The communication between you and your vendor happens in person and on emails.
During a disaster situation, you have a strategy to work from home in case the disaster renders the office site unusable. How will the vendor operate?
For such critical vendors, the business team should have a plan documented and communicated to the vendor.
In the Business as usual state, when the vendors are using their own premises for operations, a site-level disaster might not impact their operations.
However, if they are connecting to your office network for operations, you might have to consider how they would connect if you are working from an alternate site or disaster recovery site.
You may have hardware that is supported by Vendor. Let's take an example of the Hardware server at your primary site. Vendors have access to perform administrative tasks.
In case of disaster, you have to migrate your data to an alternate site. This might require support from the vendor. Even though a vendor is not critical for routine operations, but is required to perform activities, if not done, then it may impact your recovery objectives.
Such Vendors should be identified and arrangement should be planned. They should also participate in the tests/drills along with the team. The detailed activities done by such vendors should be documented and reviewed more frequently.
Your vendor may have Business continuity in place, however, this still may not be sufficient, check for the following when the vendor claims that BCP is in place.
Having the option of a secondary vendor for critical services mitigates the risks of Single point of failure. The secondary vendor(s) may increase the cost but it can avoid disruption of services. These secondary vendors can also be used during the normal course of business by distributing the load of the services as applicable.
Given that the vendor has agreed to provide the services, it is vital to check the above areas to ensure that the processes are recovered in the event of a disaster.