The Biggest Risk To BC Preparedness – Third-Party Risk
At the recent Disaster Recovery Journal Fall World conference, I gave a presentation of the state of BC readiness. I had some great discussions with the audience (especially about where BC should report), but one of the statistics that really stood out for me and I made it a point to emphasize with the audience, is the state of partner BC readiness.
According to the joint Forrester/Disaster Recovery Journal survey on BC readiness, 51% of BC influencers and decision-makers report that they do not assess the readiness of their partners. If this doesn’t shock you, it should. Forrester estimates that the typical large enterprise has hundreds of third-party relationships – everyone from supply chain partners to business process outsourcers, IT service providers and of course cloud providers. As our reliance on these partners increases so does our risk – if they’re down, it greatly affects your organization’s business performance. And with the increasing availability of cloud services, the number of third parties your organization works with only increases, because now, business owners can quickly adopt a cloud service to meet a business need without the approval of the CIO or CISO and sometimes without the approval of any kind of central procurement organization.
Even among those organizations that do assess partner BC readiness, their efforts are superficial. Only 17% include partners in their own tests and only 10% conduct tests specifically of their critical partners.
If you’re not assessing the BC readiness of your partners through assessments of their capabilities, reviews of their plans, testing, and negotiation of specific uptime SLAs, your BC program and strategies are incomplete. You’re simply not ready.
So what should you do about it? First, if as a BC manager or director you don’t have a strong relationship with your sourcing and vendor management team, that is the first item to address. You need to be sure that your sourcing team brings you in to vendor strategy discussions early and includes you in RFP development, vendor selection, and contract negotiation. Second, you must adjust your business impact analysis surveys and your risk assessments to better focus on partnerships. Third, you must start now assessing your existing partnerships – what are the SLAs that we have in place? Which vendors are the least prepared? Fourth, from here on out, you must insist that as part of contract negotiation and relationship review, partners participate in BC testing and exercises – it’s not enough to just read over their documented BCPs.
I invite Forrester clients to read our new stream of structured research for building the always-on, always-available extended enterprise; we refer to this stream as Forrester’s Business Technology Resiliency Playbook.
For the broader BC community, I’m interested to understand how third-party risk is affecting your BC programs and strategies.