Business Continuity Planning: Vendor Risks

One of the risks that a lot of companies may benefit from looking at a little closer is that of “vendor risks”.  Vendors can be suppliers or outsourced entities that perform a critical service on behalf of our organization.  We need to ensure that our critical vendors know how to respond in the event of our disaster and we need to know that the vendor can continue to provide materials or support in the event of their disaster.

I know many organizations include “Service Level Agreement” (SLA) clauses in vendor contracts, but I suggest that we may want to go further than that and, every now and then, ask to be shown evidence that they could meet those levels of performance at time of disaster.  How many of you audit or review your vendor’s Business Continuity / Disaster Recovery Plans?  How many participate in their vendor’s Business Continuity / Disaster Recovery tests or exercises?

Many organizations try to mitigate or eliminate vendor risk by engaging multiple vendors to provide a similar product or service.  Just be aware that, sometimes, even though you diversify your vendors, you may not have diversified the infrastructure they depend on.  Lessons learned from the events of 9/11 showed proof of the issues that can arise here.  Many companies felt confident that they were using multiple communication vendors only to discover that they all relied on the same underground infrastructure and same “points of presence” (POPs).  One central office failure; one cable conduit compromised and all vendors were out of service – the diversity did not provide the stability they thought they were getting using multiple vendors.  Even though you may think you have eliminated a potential “Single Point of Failure” (SPoF) by using multiple vendors, make sure you do not still have SPoF in the physical infrastructure they rely on.

Another example of this I recently encountered was working with an airport authority in dealing with a potential flooding risk caused by a suspect dam near the airport.  Many of the airlines at the airport had fuel provided by two or more fuel suppliers, but the delivery of the fuel was all through the same single source pipeline that was in the flood zone.  Even though the pipeline itself was underground and, potentially, not susceptible to damage by the flood, the fuel line switching station was above ground and in the flood zone.  The pipeline needed this switching station operable to move the fuel.

I also was once hired to look into the reliability of an off shore outsourced call center.  This facility, located in India, was a state-of-the-art facility in a pretty resilient compound.  The outsourced company felt so secured in their “hardening” of the facility that they did not see the need in investing in contingency operations.  The problem was, however, that the infrastructure that fed power, phone service and other utilities into the compound was very suspect.  Additionally, the employees did not live in the compound and a disaster in the area could easily prevent them from getting to the complex.  My client decided that they needed a contingency should their primary vendor suffer a business interruption event and took the necessary steps to cover this risk.

And, remember to make sure your vendors know what changes in their delivery or performance must be made at time of your disaster.  One simple example – do your mail carries (US Post Office, UPS, FedEx, others) know where to reroute your mail or where to do pickups from when a particular facility is compromised? 

Also make sure if you have vendor personnel on site that you educate them in the evacuation, notification and escalation process.  Are you responsible for accounting for vendor personnel during a disaster, or do you call the vendor and have them account for or alert their employees at time of crisis?  Do not forget those vendors that may not perform a critical service but are on site – such as, cafeteria staff; custodial staff; plant suppliers; landscapers; etc.  Make sure they are notified of an office closure and are included in the process for accounting for who may have been injured or killed in the disaster.

Sometimes it is easy to overlook our vendors in the planning process.  Make sure your program and department managers have adequately accounted for them.

Thank you for your input.