By LAWRENCE ROBERT
Vendor management is a very complex aspect of any business, large or small. A vendor interruption could have a great impact on your ability to service customers.
When conducting vendor assessments, there are many factors to take into consideration.
- What business process does the vendor support? Are they on a critical path or non-critical path?
- Do they have complete business continuity, disaster recovery, and crisis management programs in place that are exercised on a consistent basis?
- In the FinTech world, do you know where your customers’ funds are located? How many financial services providers are in the critical path?
- Are there geographical concerns, such as a high propensity for weather-related events? International delivery concerns? Extensive networking hops with 3rd party vendors?
The list goes on and on. The fact is, when you outsource to 3rd party vendors, they become an extension of your business model and should be looked at in the same manner as your primary company’s business continuity program. This includes any regulatory guidance that is placed upon your organization.
At a high level, there are vendor assessments that expose risks, and then there are mitigation aspects that need to be explored in order to minimize impacts to your business. Your business can be located on the United States West Coast, but your product providers can be on the East Coast, where hurricanes and other weather-related events could impact your business’s ability to deliver products and services to customers. This is much like airline flight delays: your flight can be delayed in Boston due to weather conditions even though the sun is shining in Boston, because the original connecting flight could be in the Mid-West, being impacted by localized tornadoes.
One aspect of vendor management mitigation strategies that may be overlooked in your organization is Sole Source vs. Single Source vendors.
A Sole Source is a vendor that provides a specific product or service to your company. This vendor makes a specific widget or service that is custom-tailored to your company’s needs. If there is an event at this Sole Source provider, your company can only wait until the event has been resolved. There is no other vendor that can produce your product or service quickly. They are the sole source, on a critical path to your operations.
From an oversight and assessment perspective, this can be a difficult relationship in which to mitigate risks to your company. With Sole Source companies, we as practitioners must do a deeper dive into these companies from a risk assessment perspective.
From a vendor audit perspective, we need to go into more detail on how robust their business continuity, disaster recovery, and crisis management programs are. We need to have a more focused view on the frequency of testing, the results of those tests, whether they meet the RTO of the critical process they support, and the communication aspect of their crisis management plan as it relates to your specific company. When and how is a declaration made, and how consistent are the communications that follow? Does this Sole Source vendor outsource? If so, what are the 4th party business continuity plans? With 4th party vendors, the easiest way to assess them is to ensure your Sole Source provider has proper recovery program oversight, as you do.
A Single Source provider is a vendor that you have chosen to do business with for a service or product, even though there are other providers that could provide the same product or service. An example of a Single Source provider is a payment processing company. There are many to choose from, but you chose one specific company to do business with.
Moving to a new single source provider can be a daunting task that involves a new RFP process, process integration, assessments of their business continuity program, etc. Moving a single source provider cannot be done in the middle of an event that is impacting your business.
So how do we mitigate risks in a Single Source vendor environment? One way is risk dispersion. Because there could be other providers of the service, some forward-thinking companies are establishing agreements with two Single Source providers, with each vendor handling 50% of the daily workload and each having the ability to ramp up to 100% in the event one vendor experiences a degradation in service or an actual outage. This distribution of workload has many advantages. It spreads your company’s risks across locations that are geographically distant from each other, relies on existing manpower at each location (no need to redeploy resources to alternate sites), and gives you continuity of service at a moment’s notice during an actual event.
Identifying 3rd and 4th party risks to your company is a complex but manageable auditing process. Once risks are identified, you need to think about finding solutions to mitigate inherent risks to your organization.
Addressing vendor risk from a Sole Source vs. Single Source perspective allows us to frame how we approach each vendor with a methodical approach that is unique to each relationship. Once we go outside ‘our four walls’ for products and services, we expose ourselves to additional risks. The risk vs. reward factor can be enhanced from a risk mitigation perspective by framing each relationship with a set of tools to reduce those risks while enhancing the rewards aspect. Sole Source vs. Single Source is one way to address risk and put mitigating procedures in place before an event occurs.
ABOUT THE AUTHOR
Lawrence Robert
Lawrence Robert, CBCP, CBCLA, is a highly experienced business continuity professional with decades of experience in domestic and international business continuity. He has an extensive background in designing, implementing, and managing business continuity programs for large multinational corporations. Over the years, Lawrence has worked for a variety of companies, both large and small, in a range of industries including finance, healthcare, government, and aerospace and defense. Throughout his career, Robert has demonstrated a passion for helping organizations prepare for and respond to major disruptions. He is a trusted advisor to his clients and a respected leader in the field of business continuity and crisis management.
www.clearpathrs.com