Managing Vendor Risk

  • March 13, 2013
  • Andy Vanderhoff

Business continuity plans need to account for the risk of your suppliers being impacted during a disaster. In a process based approach you key suppliers/vendors should be mapped as dependencies to your critical business functions.

Vendor management should help you account for and manage the risk of doing business with your critical suppliers. One of the risks that needs to be accounted for is the risk of a disaster impacting your supply chain/suppliers. The challenge is that most contracts include a “force majeure” clause in them. A force majeure clause typically exempts the vendor from contractual obligations because of an “act of God.” So what is an act of God? They are what the business continuity profession typically calls disasters.

This means that most of your critical suppliers are not required to be up when you need them most. So how do you manage this risk? You need to ask your critical vendors for statement describing their BC and DR program. The statement at a minimum should include information about how often the vendor performs BIAs, plan updates, and exercises. You should ensure that the vendor can provide you validation regarding the key recovery times and recovery points for each service they provide to you.

The BC program should help identify which vendors have operational criticality. Operational criticality should be defined in terms of Recovery Time Objectives and Recovery Point Objectives. The vendor management program should provide vendor’s recovery time and recovery point capabilities back to the Continuity program.