To realize greater levels of success, businesses have become more specialized, concentrating on what they do best to achieve better margins. The more specialized the business, the more it must rely on third-party vendors to bring its products to market. That reliance increases an organization’s exposure to resilience, regulatory, reputational, security, and financial risk.
It is the responsibility of the business continuity professional to ensure the resiliency of the organization, including third-party vendor recovery and security. Vendor continuity management (VCM) intersects with business continuity management (BCM) and operational risk management (ORM) anywhere third-party vendors provide critical products or services, or have access to sensitive company information. Just as BCM encapsulates risk assessments, maps critical processes to people and assets, and conducts business impact analyses, VCM extends those concepts to third-party suppliers, partners, and contractors.
Assessing the Impact: Measuring Vendor Risk
Vendor impact has drawn significant attention lately, as national retailers and global consumer electronics leaders have suffered serious, newsworthy breaches that originated with third-party vendors.
In this article, I will address the following:
- aligning VCM and BCM
- effective planning tools
- third-party hacks
- reputation management
- effective oversight
Many organizations do not understand the effect that vendor recovery has on their own continuity and recovery efforts. To stay resilient, BC professionals must include contingency plans to address critical gaps left by vendors. Unfortunately, many organizations manage vendor risk separately from BCM, which places the needed information in silos. More mature BCM program managers conduct a “vendor business continuity review” instead of a risk assessment, as full risk assessments are not commonplace in BCM programs, although they should be. Organizations should first map vendor products and services to their own processes, products, and services to determine where a vendor’s resilience could affect their own. It is also important to include vendor contingency and recovery capabilities to demonstrate operational resiliency, address the role vendors play in mission-critical delivery, and show that appropriate contingency plans are in place.
The Grand Design: Aligning VCM and BCM Planning
Effectively managing risk requires a structured, integrated process that works as part of an overall BCM strategy. BCM must include provisions for third-party vendors, suppliers, and contractors that are essential to the continuity of operations. The first questions to ask include the following:
- What access do vendors have to the organization’s data and customer information?
- How critical are a vendor’s products and services to the organization’s business continuity?
- Does the vendor have a mature program for information security and BCM to aid in the organization’s operational resiliency?
- Does the vendor truly know their cybersecurity risks through analysis, assessments, testing, and exercises?
- Most importantly, what were the results of the vendor’s last DR exercise? Were issues found that could impact the vendor’s ability to fulfill their SLA to the organization’s critical processes, products, and services? If so, how is the vendor remediating those issues?
Vendors are placed into tiers that indicate the criticality of their products and services and—most importantly—the part they play in an operational resiliency program. Top-tier vendors provide a product or service without which it would be virtually impossible for the company to operate, while lower-tier vendors provide products or services that are less essential to operations.
When assessing risk, information technology is a critical function, as most organizations rely on IT departments and IT vendors both for operations and for safeguarding sensitive data. For example, an IT service organization that relies on an external vendor for hosting or cloud services will always need a host that is available and online to deliver critical applications. The cloud vendor will certainly be named as a critical vendor and required to provide a contingency and recovery plan.
Using a point rating system gives the user a clear metric by which to measure vendor relevance. A vendor impact analysis (VIA) establishes a vendor’s criticality to recovery. The VIA assesses each vendor, much as a business impact analysis (BIA) assesses a business function, to determine its risks and recovery time based on the nature of the incident. A point rating derived from the VIAs that the business units have completed will reflect which vendor products and services are critical to recovery and enable the organization to rank vendors against the recovery of a specific process or asset. The rating should not be arbitrary. It should be formulaic, based on the link to the business function in question, that function’s RTO, and critical component inventories.
In business segments such as healthcare, pharmaceuticals, banking, and financial services, vendor risk programs are subject to regulatory requirements. For example, asset-management and wealth-management organizations are subject to unique oversight and sensitivities involving privacy, data storage, personnel, and due diligence. Businesses operating outside the U.S. may be subject to country-specific legal and data privacy regulations. Other specialized industries carry similar demands. For example, the Office of the Comptroller of the Currency (OCC) has issued risk management guidance on third-party relationships that applies to national banks and federal savings associations. It requires that entities “assess the third party’s ability to respond to service disruptions or degradations resulting from natural disasters, human error, or intentional physical or cyber-attacks.” In addition, regulatory requirements can extend beyond your organization to your vendors and—in some cases—the “vendors’ vendors,” often called “fourth parties.”
Finding the Right Tools
Effective tools are necessary to identify which vendor products and services are aligned to critical operations. A VIA helps identify vendors that could have a business impact, identify critical products and services, and document alternate vendor sources. The last area is particularly important. There may be only one vendor that provides a product important to your operation. What if that vendor is unable to operate due to an incident? If a critical supplier is unable to deliver a key part required by the manufacturing process for four weeks instead of within an SLA of four days, what would be the financial and operational impact to the business? Has the vendor exercised this scenario, and what was the outcome? Are there alternative vendors that can provide the same product or service, or could this risk be mitigated by carrying a larger parts inventory? These questions are essential to planning and recovery, and the answers will be found in the VIA.
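The formulaic point rating described in the planning section, and the VIA questions above about SLA gaps and alternate sources, can be expressed as a small scoring routine. The following is an added example, not code from the article or from Strategic BCP: the weights, tier thresholds, data-access categories, and the three sample vendors are assumptions chosen to illustrate how a rating can be tied to the dependent business function’s RTO, the vendor’s committed recovery time, data sensitivity, single-source exposure, and DR exercise evidence.

```python
"""Formulaic vendor impact rating built from VIA answers (added example).

All weights, thresholds and sample vendors are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Points per data-access level (assumed weights).
DATA_ACCESS_POINTS = {"none": 0, "internal": 5, "confidential": 15, "regulated": 25}
# Minimum total score for tiers 1..3; anything lower is tier 4 (assumed).
TIER_THRESHOLDS = [(60, 1), (35, 2), (15, 3)]


@dataclass
class Dependency:
    """One business function that relies on the vendor."""
    function: str
    rto_hours: float            # recovery time objective of the function
    sla_recovery_hours: float   # vendor's contracted recovery time for it


@dataclass
class VendorVIA:
    """Answers a business unit records in the vendor impact analysis."""
    name: str
    dependencies: List[Dependency]
    data_access: str = "none"               # key of DATA_ACCESS_POINTS
    alternate_sources: int = 0              # qualified alternative vendors
    last_dr_exercise: Optional[str] = None  # "pass", "fail" or None (no evidence)


@dataclass
class Rating:
    name: str
    score: int
    tier: int
    findings: List[str] = field(default_factory=list)


def rto_points(rto_hours: float) -> int:
    """A shorter RTO on the dependent function makes the vendor more critical."""
    if rto_hours <= 4:
        return 30
    if rto_hours <= 24:
        return 20
    if rto_hours <= 72:
        return 10
    return 5


def rate_vendor(via: VendorVIA) -> Rating:
    score, findings = 0, []
    # Criticality follows the most demanding function the vendor supports.
    if via.dependencies:
        score += max(rto_points(d.rto_hours) for d in via.dependencies)
    # A contracted recovery time longer than the function's RTO is a gap the
    # organization must close itself (alternate vendor, inventory, workaround).
    for d in via.dependencies:
        if d.sla_recovery_hours > d.rto_hours:
            score += 15
            findings.append(f"SLA gap on {d.function}: vendor recovers in "
                            f"{d.sla_recovery_hours}h, function RTO is {d.rto_hours}h")
    score += DATA_ACCESS_POINTS[via.data_access]
    if via.alternate_sources == 0:
        score += 15
        findings.append("single source: no alternate vendor documented")
    if via.last_dr_exercise != "pass":
        score += 10
        findings.append("last DR exercise not passed or not evidenced")
    tier = next((t for threshold, t in TIER_THRESHOLDS if score >= threshold), 4)
    return Rating(via.name, score, tier, findings)


def rank_vendors(vias: List[VendorVIA]) -> List[Rating]:
    """Most critical first: lowest tier, then highest score within a tier."""
    return sorted((rate_vendor(v) for v in vias), key=lambda r: (r.tier, -r.score))


# Constructed sample VIA answers (not real vendors). The parts supplier mirrors
# the four-days-versus-four-weeks scenario: 96h RTO against a 672h recovery.
SAMPLE_VIAS = [
    VendorVIA("cloud-hosting-co", [Dependency("customer portal", 4, 2)],
              data_access="regulated", alternate_sources=0, last_dr_exercise="pass"),
    VendorVIA("parts-supplier-a", [Dependency("assembly line", 96, 672)],
              data_access="none", alternate_sources=0, last_dr_exercise=None),
    VendorVIA("office-catering", [Dependency("staff canteen", 336, 24)],
              data_access="internal", alternate_sources=3, last_dr_exercise=None),
]

if __name__ == "__main__":
    for r in rank_vendors(SAMPLE_VIAS):
        print(f"tier {r.tier}  score {r.score:3d}  {r.name}")
        for finding in r.findings:
            print("   -", finding)
```

The findings list is the part a BC professional acts on: each entry is a concrete gap (SLA shorter than the RTO, no alternate source, no DR evidence) that belongs in the contingency plan, while the tier drives how much oversight the vendor receives.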
Often, smaller organizations with few critical vendors perform assessments manually through spreadsheets or e-mailed surveys. These tools require significant manual manipulation and data movement, since non-integrated tools rely on human intervention to be useful. Detailed instruments such as the Standardized Information Gathering (SIG) questionnaire from The Shared Assessments Program can help by providing a general set of questions for vendor impact assessments. The assessment mechanism itself, collecting, weighting, and scoring results, identifying issues, and taking action, will only be as effective as the tools used to run it.
Without automation, however, planning efforts can be challenging when it is time to identify, document, and remediate issues. While many BCM tools enable a company to identify vendors and associate them with business functions, they lack the ability to measure vendor risk.
In some firms, the BCM team operates in a silo detached from the vendor risk management team—even though they are both required to identify vendors as part of their contingency planning. How can BC professionals best manage business continuity and third-party vendors without replicating the work of the vendor risk management team? Organizations must integrate VCM within their BCM program to assess vendor risk and build complete recovery plans that incorporate third-party vendors as well as their regular BC needs.
Third-Party Hacks Mean First-Person Problems
Pacific Gas & Electric (PG&E), a San Francisco-based utility company, suffered a third-party data breach in which 30,000 confidential records about their information security assets were exposed online for close to 70 days. This data was left vulnerable online without password protection. The breach was the result of a third-party contractor who used improper methods when copying data from the utility’s network to the contractor’s network. Once copied, the data was no longer subject to PG&E’s access or control, and the contractor did not comply with PG&E’s information protection program.
Because the vendor did not comply with protocol and PG&E did not catch its third-party vendor’s error, the incident resulted in a violation of energy sector cybersecurity regulations and a hefty fine of $2.7 million, which PG&E agreed to pay. It is interesting to think that this breach could have been avoided with proper vendor continuity management.
Cyber attackers and third parties can single-handedly destroy a business, causing irreparable damage as well as the loss of revenue and customers. Senior VP of the Santa Fe Group, Brad Keller, said, “If a third party doesn’t have the same controls in place or the level of controls you need from a risk management standpoint, you have a serious risk to address.”
Reputation Management: The ‘Wild Card’ of Risk
The harm caused by damage to an organization’s reputation can carry just as much weight as the corruption of systems, facilities, or processes. In fact, it may ultimately be harder to recover from this type of devastation than from others, as it can have a larger financial impact through reduced revenue and falling stock value.
According to the Consumer Trust Index, 43 percent of customers indicated they would never return to a company if their private data was breached. This reflects consumers’ need to trust that companies will fully maintain the privacy of their sensitive data.
It is important to note that a company’s response to a third-party breach can have an instrumental role in protecting corporate and organizational reputation. The response, along with any services provided to affected consumers, can make or break the goal of restoring consumer confidence. What you do after an incident will determine your reputational risk.
Oversight: The Key to Effective Governance
Ultimately, the effective management of vendors requires that organizations hold all third-party suppliers to the same high standards of accountability established within their own organization. That is the only way to close the window of vulnerability and protect against dangerous—even potentially catastrophic—scenarios that can cripple a business.
Conclusion: ‘Not My Problem’ is a Dangerously Obsolete Notion
Considering the potential harm to systems, processes, operations, and reputation that can affect an organization through a vendor, it becomes obvious that most organizations need to do much more than they are doing now. Keller summarized the issue succinctly: “If you’re outsourcing to or relying on a third party, you can’t just shut the door and say it’s someone else’s problem. You can outsource the function, but you ultimately own the risk.”
Terence Lee, CBCP, head of Strategic BCP, manages the operations of Strategic BCP, a division of SAI Global. He possesses more than 25 years of expertise in IT risk, compliance, policy, and audit management; threat and vulnerability management; business continuity planning and management; third-party vendor management; and operational risk management.