Your business continuity team has brought you the company’s new, improved, revised, or updated business continuity (BC) plans. Nice plans – comprehensive, lots of information about assignments, call trees, contact lists, etc., and they’re all up to date. Your staff assures you that they have addressed all of the priorities and requirements defined from your business impact analysis (BIA) and involved every key stakeholder so that the company is ready for the worst-case scenario. You can hand out the kudos and get on with the next task.
Not so fast. Before you give those kudos, you have some questions to ask! There are three important elements that too many business continuity plans are missing – even plans that are well-developed based on traditional good practice. So, take the time to ask your plan development folks the following critical questions:
1. Have we addressed the fourth building block of business continuity: our vendors?
Every business continuity plan needs to address four things: disruption in the workplace, reduction in the workforce, interruption of IT services, and stoppages from your third-party product and service vendors. Most companies handle the first three. But vendors? They are too often left off the list and sometimes not even considered during the BIA.
On the one hand, it’s easy to understand why vendors are omitted in BC planning. They’re not part of your company, and they are supposed to be handling their own business continuity. Nice thought. But since your company is on the line if your vendors fall short, you continue to own the risk of a vendor failure or breach. For that reason, you need to vet your vendors with the same rigor that you use to address your own BC plan. You need to know – to the best of your ability – that your vendors are agile and resilient, and that they will keep supplying you with products and services, even when the bottom falls out of their universe. You also need to know how your organization will respond if they do fail.