• Home
• News
  • Business Continuity News
  • Regional news
  • Sector news
  • Events Diary
  • Newsletters
  • Newsfeed
• Jobs
• Topics
  • BC: Facilities & Buildings
  • BC: General
  • BC: Markets & Companies
  • BC: Plan Development
  • BC: Software
  • BC: Statistics
  • BC: Testing & Exercising
  • Crisis Comms & Management
  • Critical Infrastructure Protection
  • Disaster Recovery
  • Emergency Management
  • Enterprise Risk Management
  • Operational Risk Management
  • Pandemic Planning
  • PS Prep
  • Standards
  • Terrorism
• Technology
  • Cloud Computing
  • Data Center / Centre Issues
  • ICT Continuity
  • Information Security
  • Recovery Facilities
• Resources
  • Webinars
  • BC software directory
  • Newsfeed
  • Twitter
  • Advanced BC information
  • Advanced ICT information
  • Basic BC information
  • Basic ICT information
  • How to advertise
  • About us
  • Contact us
  • Privacy
• Newsletters
• Training

WELCOME TO THE CONTINUITY CENTRAL ARCHIVE SITE

Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Five steps to assess vendor resiliency and protect business continuity

As businesses increasingly rely on external parties for critical services, they become more vulnerable to business interruptions. This is especially true when such businesses know little about their third party vendors' resiliency and recovery capabilities, according to a new PwC US whitepaper, which examines the effects that vendor resiliency, or lack thereof, can have on an organization's business continuity strategy.

Entitled, ‘Business continuity beyond company walls: When a crisis hits, will your vendors' resiliency match your own?’, the PwC report also notes that risk becomes greater when the organization has a limited understanding of its own business interruption threats, resiliency status and recovery capabilities and strategies.

"In a world of ever increasing dependence on third party vendors, you need to know if you can count on the other party when a crisis strikes," said Phil Samson, principal in PwC's Risk Assurance practice and the firm's Business Continuity Management services leader. "It's all about transparency - asking the right questions and pushing the right levers to determine whether your vendors will be able to weather a serious business interruption and quickly resume business as usual. The more you know about your own needs, your vendor's capabilities, and the robustness of your resiliency plans, the more comfort you'll have about staying on track toward your long-term strategic and operational goals even when faced with adverse developments."

According to PwC's report, reliance on third parties is gaining momentum, and if companies lack insight into their critical vendors' resiliency and recovery capabilities, they run the risk of their own strategic goals being derailed.

"Our clients are adjusting to the shift in global economic power and demographic shifts – two of the megatrends we identified – by increasing their use of strategic vendors to accelerate their global growth strategy and decrease time-to-market for their products and services. Along with the increase in strategic vendor reliance comes the need to more formally monitor vendor and other third party risks," said Brian Schwartz, PwC US Risk Assurance, Governance, Risk and Compliance leader.

In order to protect against business interruption risks, companies should institute a business continuity management program that encompasses vendor risk by incorporating increased resiliency and rapid recovery. PwC outlines five steps to help companies look beyond their own walls and examine interruption risk among the vendors who provide support:

Step 1: Map your vendor risk landscape
The journey to an integrated, responsive, and proactive business continuity management program begins with a thorough business impact analysis (BIA), an interruption risk assessment (RA), and a high-level vendor interruption risk assessment. These allow for a company to review how interruption events, such as loss of technology, reduction in personnel and loss of facilities, can impact the organization, and move on to the next component of the vendor resiliency and recovery analysis: vendor resiliency stratification.

Step 2: Distinguish among different shades of red
Not all vendors are equally important to an organization and it is critical for companies to take a risk-informed approach in determining which vendors are most integral to operational resilience. Within the BIA and RA documentation is the foundation for developing an approach that enables vendor resiliency and recovery assessment stratification. PwC identifies nine critical risk variables that organizations should take into account when assessing their third parties, including revenue and inventory impact from loss, labor, country and geopolitical risks and regulatory and cross-border issues, among others. These risk variables provide a framework for organizations to determine their spectrum of vendor risk, and what factors need to be highly safeguarded in the event of a crisis.

Step 3: Be specific
Companies can no longer rely on generic business continuity questionnaires in vendor risk management, and need to assess the quality of a vendor's resilience and recovery capabilities. PwC's report outlines several factors that companies should be considering within their BIA and RA such as a list of processes that consume the vendor's outputs, a geographical depiction of the vendor's activities, and a description of the vendor's role during an interruption that affects the organization.

Step 4: Trust but verify
Once the organization has developed a vendor risk landscape, it is significant to verify the vendor's resiliency and recovery capabilities. PwC provides six best practices that can aid a company's vendor resiliency interaction and analysis, including enlisting the vendor as a resiliency partner, obtaining relevant portions of the vendor's BIA and RA and having the vendor provide its framework for responding to crisis events.

Step 5: React
According to PwC, vendors often have minimal formal resiliency or business continuity management programs in place, focusing solely on IT disaster recovery and life safety. Companies should determine how much vendor resiliency risk they are willing to accept. If a third party is critical to a strategic growth goal or to fulfilling a regulatory requirement, then resiliency levels should never be negotiable and replacing the vendor is a less risky and costly alternative to poor disaster preparedness and recoverability.

Obtain the document.

•Date: 19th April 2014 • US/World •Type: Article • Topic: BC general

Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.