You believe your institution is prepared for a disaster—but are your vendors?
Precautions against fourth-party risk, for both vendor management and business continuity planning.
If you’re dependent on a third-party vendor that can’t quickly recover from a disaster, there’s a major gap in your own business continuity plan.
Unfortunately, not every institution recognizes the link between vendor management and business continuity guidance.
This is a huge mistake.
When vendor management and business continuity work together, they not only eliminate duplicate work and conflicts but also make the bank safer, stronger and better prepared.
Here are four best practices to help integrate business continuity planning with vendor management to ensure you have the vendor preparedness information you need.
Coordinate policies. Draft your business continuity plan (BCP) and your vendor management policies together using the same definitions and with the same goals in mind. When BCP and vendor management are coordinated at a policy level, it leads to coordination in carrying them out.
Use proper risk assessment methods. Vendor management and business continuity should identify critical vendors together, aligning the risk a vendor presents with the institution’s overall strategy. Each critical vendor creates extra work, so limit the designation to third parties that truly present a substantial risk.
Analyze agreements. The best opportunity to minimize risk is at the start of a contract. Business continuity and vendor management should work together to spell out requirements and expectations before contract negotiations—including audits, documents and when you can expect them. It’s not enough for your vendor to say that it’s compliant—you must have the tools to do the due diligence and prove it.
Monitor proactively. Divvy up monitoring responsibilities across business continuity planning and vendor management and share the results. This includes both annual reviews with expected vendor documents (SSAE 16s, disaster recovery plans and tests, incident response plans and tests, financials, summary findings and evaluations) and ongoing monitoring (litigation, sale or acquisition of the vendor, data breaches, regulatory issues and financial performance).