Vetting your vendors from a business continuity and disaster recovery (BC/DR) perspective is hot, hot, hot these days. For example, the federal government put out specific Risk Management Guidance for national banks in October of 2013. In a nutshell, the guidance says, “You’d better make sure your vendors have it together if you’re doing business with them, and it’s on you either way!”
Now, this is not new; don’t get me wrong. People have been shouting about the need for business continuity up and down the supply chain – any supply chain – for decades. After all, if one of your key vendors experiences a disruptive incident, it can directly impact your business. And that’s bad for everyone.
But here’s my problem: most businesses aren’t asking their vendors the right questions to ascertain the true level of business resiliency.
This is the case even for many global enterprises (I know, because I’m familiar with the questionnaires a lot of the “big guns” use). What happens is this: businesses are asking their vendors general “checklist” queries. They are not asking questions that relate directly to the specific products and services the vendor provides for them.
Let me give you three examples of what companies tend to ask vs. what they should be asking if they want to understand their true risk and get back actionable information.
Don’t ask: “Do you conduct a BIA?”
Everybody (and I do mean everybody) asks their vendor if they have conducted a business impact analysis, or BIA. But this is a completely useless question! A “Yes” response doesn’t tell you if recovery requirements have been established for each of the products and services that you receive or what those requirements are?
So, a vendor has done a BIA … so what? You know absolutely nothing more than you knew before about whether a vendor is going to let you down when a crisis hits, or whether they will be able to rise to the challenge and keep your business going strong.
Here’s the better question to ask: “What are the defined recovery objectives for each of the products and services that we receive from you?”
Now, there’s a question that’s going to give you a meaty response! You will know exactlywhat your vendor’s target is for resumption of what you need. That’s what you care about, isn’t it? Then that’s what you should ask about! Be direct. Be specific. Be ruthless until you get the answers you need to understand whether or not your vendor is putting your business at risk.
Don’t ask: “Do you have business continuity plans?”
Again, bad question. First, it is another “Yes/No” response. Do you sense a pattern here? You don’t want to check off a box on your questionnaire. You want informationthat you can work with.
Second, it is too broad. A decent vendor will have business continuity plans for the whole spread of their business – including a whole lot of aspects that you could not care less about. (Sorry if that sounds brutal; I’m just being practical here.)
The fact is, you need to be a little selfish when it comes to vetting your vendors on their BC/DR plans. So ask a selfish question. For instance, “What pre-defined strategies do you have in place with regard to the products and services we receive from you for responding to the loss of critical resources including work place, work force, your own third-party vendors, and your application systems?”
And remember … if you receive a blank stare, awkward silence, or nervous shuffling in response, you’d better press further!
Don’t ask: “Do you conduct annual disaster recovery exercises?”
I suspect you’re getting the hang of this by now. As a “Yes/No,” broad-based question, this query doesn’t tell you a thing … including whether any tests which they may have conducted were successful or spectacular failures!
Instead, ask something like this, “Have you conducted an exercise in the past 12 months that included actual recovery of all of the application systems that are needed to resume provisioning of the products and services that we receive from you? If so, what were the results?”
At the end of the day, you want to get past the superficial to the actionable. Namely, does your vendor take reasonable and effective action in order to ensure the continuity of services that your business depends upon and; the protection of your data that they manage? Or are you confident, based on the information you have received, that your vendor is not going to put your company at risk? When you have those answers, you have all the answers you need.
This piece was first published on Forbes.com