According to a survey, 80 percent of small and medium businesses still rely on tape- or disk-based technology as part of their disaster recovery strategy. If one of these companies is your vendor and its systems crash, don’t expect to regain access to your data quickly. The vendor’s business continuity problem has now become your business continuity problem …
When you contract a third party to provide goods and services to your organization, a degree of trust is established that the vendor will deliver as mandated. A degree of risk accompanies this pact—you are taking a risk that the vendor might not follow through, for whatever reason, on the terms of the contract. The risk is real, and even the most seemingly reliable third parties will encounter scenarios and disasters in which they might not be able to deliver.
Companies go to great lengths during contract negotiations with third parties to ensure their interests are served by the partnership. Business continuity must be included in these negotiations from the outset. Here’s why:
Increased Outsourcing, Increased Risk
For years, the business continuity industry was inward facing: How do companies prepare for the unexpected within their own four walls? Although this focus hasn’t diminished, the economic environment evolved along the way—organizations are relying more than ever on third parties for key, niche business functions and operations, from call centers to consumer-facing applications to data systems. This strategy saves money and improves efficiency and production, but it also creates more risk, including risk you might not have even considered. For example, if your company is based in California but your third-party call center is located on the Gulf Coast, a hurricane that even glances the Southeast will affect your operations. Many companies, outside of their resilience teams, don’t adequately realize how deeply the web created by a robust outsourcing strategy can impact business continuity.
Trust but Verify
You’ve likely heard the phrase “trust but verify” before, but your organization may have never considered applying it to business continuity during contract negotiations. Addressing a potential third party’s BC program before the deal is signed can save headaches later if the vendor is faced with a crisis and struggles to recover. You never want to point fingers at your future (or current, for that matter) partners, but you do need transparency and honesty. If a potential vendor tells you that it has tested its BC plan and everything was great, be skeptical—no program is perfect, and every plan has room for improvement. If anything, it’s likely this vendor isn’t testing well, which reinforces the need for vendor continuity language to solidify your expectations and requirements.
Accountability of Third Parties … and Beyond
As already alluded to, vendors often do not take business continuity as seriously as the companies that contract their services. More distressingly, many third parties don’t adequately keep tabs on the risk and resilience of the vendors they contract themselves—the so-called fourth parties. Returning to the call center example, an IT subcontractor of your vendor could experience a server meltdown, thus interfering with the vendor’s operations, thus causing a crisis for you because your customers are getting a busy signal every time they call your 1-800 number. Without business continuity language in the contract reached with the third party, the risk increases that a fourth party you didn’t even know existed could throw your operations into chaos.
Vendor continuity isn’t just a smart strategy for ensuring uninterrupted operations and keeping your customers happy—in many industries, it’s a mandate. Government regulations across a number of industries, including financial, healthcare, and utilities, stipulate that organizations have preparedness plans. If a crisis event occurs and consumers are affected, in the eyes of regulators, it doesn’t matter if the contracting organization or the vendor was at fault—the contracting organization will always be held responsible. Therefore, establishing continuity requirements with vendors before they sign a deal offers extra security that you won’t run afoul of the law if and when a crisis occurs. Just because you are outsourcing operations doesn’t mean you outsource the risk …
Strong Language from the Start
Some companies are already proactive about including business continuity in contract negotiations as well as in the finalized deal. However, many of these efforts are nothing more than a paragraph tucked away in the contract, easily ignored or given lip service by the vendor. Fortunately, this situation is improving, with more and more companies insisting upon stronger continuity language in the master service agreement before a deal is approved. This language requires critical vendors to maintain a robust preparedness plan so that they are able to recover services—the services you rely on—in the event of a crisis. For example, the contract may stipulate that the vendor mirror ISO 22301 standards on having a healthy continuity program. In this way, preparedness is more than just an afterthought buried in a contract: It’s an essential element of the partnership.
How involved is your BC team in contract negotiations with potential vendors?