5 Ways to assess the continuity risks of your critical third-party partners


Business continuity planning is inherently cross-functional, which means both the risks to an organization’s products and services and the resources needed to meet those obligations should be addressed. As businesses increasingly rely on a global network of suppliers and service providers, business continuity professionals must ensure they understand and analyze these relationships and lead strategy identification efforts to protect their organization when faced with a third-party disruption. We explore five ways to assess your critical third-party partners’ risks.

1. Map your vendor risk landscape

2. Focus on critical third parties

3. Draw up formal policy and procedure documents

4. Establish a vendor selection due diligence process

5. Continuously revise and update business continuity plans

Developing and implementing business continuity and risk prevention strategies that include third parties can certainly be a tough endeavor since strategies could, at first glance, contradict an organization’s strategic efforts to leverage single-source suppliers, make supply chains “lean”, and reduce stored inventory levels. However, when you proactively seek to understand the business continuity landscape and specifically your organization’s business continuity plan, you will realize that addressing the risks associated with third-party relationships can significantly reduce the likelihood of a disruptive incident and the impact it can have on your operations. 

1. Map your vendor risk landscape

The journey to a cohesive, responsive, and proactive business continuity management strategy that extends beyond company walls begins with a comprehensive business impact analysis (BIA). The BIA provides a detailed, foundational view of how disruptive events such as a loss of technology, a reduction in personnel, a disruption in facilities or a loss of third parties can impact the organization. In addition to highlighting critical technology, personnel needs, and key workspace needs, the BIA also supplies the first piece of the vendor resiliency and recoverability plan.

2. Focus on critical third parties

It is also important to assess who your most critical third-party partners are and how their organizations will be affected should they experience challenges, a disruptive event or even close down completely. This essentially means that organizations should narrow down their definition of “critical” to include third parties that will have a material impact on their business operations should they experience a disruptive event or close down. 

3. Draw up formal policy and procedure documents

Policy and procedure documents are essential to your program’s success. The policy should explain at a high level how vendor risk will be managed. Procedure documents should furthermore detail roles and responsibilities, including those of senior management and your business lines.

4. Establish a vendor selection due diligence process

Vetting your vendors before signing contracts with them is key. Ask to see SOC reports, conduct a risk assessment that includes results of penetration testing, and make site visits where necessary.

5. Continuously revise and update business continuity plans

Most organizations likely had not included pandemic planning in their business continuity plans. Organizations should take the time to develop such a plan now that they have some sense of how to navigate a pandemic. They should also continue third-party assessments and lead security risk efforts from the top down. Third-party risk assessments work best when everyone is involved and engaged.
