How to Stop Third-Party Vendors from Becoming Your Achilles’ Heel

Organizations of all sizes are increasingly turning to third-party vendors to handle tasks which would formerly have been performed in-house. Such tasks can range from payroll and accounting to email to presentation and meeting software.

In handing these tasks over to third-party suppliers, organizations are also passing along the obligation to provide business continuity (BC) and recovery capability for the services they provide—a responsibility they are generally glad to get off their plates.

From the BC perspective, there is nothing inherently wrong with an organization turning to outside vendors to meet their needs. However, too often organizations take the approach of “out of sight, out of mind” with their third-party vendors, and in doing so they are running a considerable risk.

Third-party suppliers have the potential of being an Achilles’ heel for your organization, meaning they are a small area of vulnerability that could potentially cause a significant amount of damage.

Before taking on any new process automation or software, it’s important to consider the third party risk associated with the new approach. Here’s how.

A chain is only as strong as its weakest link. The strongest your organization can be in terms of recoverability and resilience is as strong as the weakest of your critical suppliers. This is why you can’t afford to take an attitude of “out of sight, out of mind.” The stakes are too high for you (even as they might be very modest for the vendor).

Not all vendors are created equal in terms of their robustness and recoverability. Nor are they created equal in their degree of commitment to you, or how much they have at stake in the event they fail to meet their service agreement with you.

Did you know that, if one of your software as a service (SaaS) providers goes down, no matter how great the cost to you, the cost to them would likely be limited to refunding you your one-month service fee? This is not necessarily something to be regarded as a deal breaker; however, it is something for you to be aware of as a business continuity professional charged with minimizing disruptions to your company’s business.

What can your organization do to keep your third-party vendors from becoming your Achilles’ heel? We suggest that you prepare a Detailed Master Vendor List which includes the following information for each third-party vendor utilized by your organization:

• The product or service the vendor provides.
• The business process(es) in which the product or service is used. Map each product or service to the process(es) where it is used, and which would be impacted if it were unavailable. Note both the direct and secondary impacts. (If you lost your printing capability, for example, the direct impact might be that certain important printed communications could not go out.
• A secondary impact might be that certain sales and marketing processes were disrupted.)
• The criticality of the product or service to each process in which it is used. For every process where the product or service is used, rate how critical it is for that process. Rate the product or service at one of three levels:
  1. Rate the item Critical if your process cannot proceed without the product or service. There are two ways in which third-party products or services can be critical to a process:
     •  If you use a high volume of the item or service. (Examples: A food supplier for a restaurant, a paper supplier for a printing company).
     • If the lack of the product or service would quickly bring the process to a halt. (An example might be a vendor that is the sole provider of maintenance for a special piece of equipment: You might not call on that supplier often, but if you needed them and they were unavailable, you would be brought to a standstill.)
  2. Rate the item Moderate if the absence of the product or service would quickly but not immediately stop the process (e.g., if it would affect it at your RTO plus 1 or 2).
  3. Rate the item Low if the product or service is nice to have rather than essential, or if it can easily be replaced (e.g., shipping services: If you normally use FedEx and it was to become unavailable, you could easily switch to UPS).
• A workaround that could be implemented if the product or service were to become unavailable. The workaround for a given product or service might be different for different processes. Workarounds could vary from something like “Wait until Google gets Gmail working again” to “Place the order with alternate supplier X.”

If one of your vendors does go down, a detailed master vendor list such as that just described would enable you to quickly gauge the potential impacts on your organization of the loss and to promptly implement the previously decided workaround.

One objection we commonly hear when we talk to business continuity managers about this issue is that compiling a detailed master vendor list is a waste of time. The reason for this, we are told, is because this information is already available through the procurement or supply chain teams. It is true that some of the information we suggest you gather is sometimes available from those sources. However, the information most important from the business-continuity point of view—how each product or service maps to the business processes, how critical the product or service is to each process, and what should be done if the product or service becomes unavailable—is rarely gathered by those departments. If and when you do face a disruption from a third-party vendor, having the information on its impacts and workarounds complete and in one place would bring significant gains in the speed and adroitness of your response.

We further recommend that once you have your detailed master vendor list, you update it at least once a year and extract from it sub-lists tailored for each recovery plan, keeping those sub-lists with the recovery plans.

Other things to remember when it comes to third-party vendors:

• If possible, include in your contract with the vendor terms requiring them to adopt specified business continuity measures and to permit you to audit and review their Disaster Recovery (DR) tests. Many vendors are now being required to demonstrate their capability as a condition of providing services or products. This is especially true for vendors with large publicly traded or regulated organizations as customers.
• Include vendors’ risks in your Threat and Risk Assessment. When third-party vendors are critical to your organization, their risks are your risks. Those risks should be considered and addressed. What would you do if the service was handled internally?

Obviously, the increasing reliance of organizations on third-party vendors has multiple advantages; however, it also creates a potential Achilles’ heel in terms of an organization’s resilience and recoverability. To a large extent, the risks can be contained and managed by the simple practice of keeping an up-to-date detailed master vendor list. Such a list ensures that if the vendor does experience a disruption, you will quickly be able to ascertain the potential impacts on your organization, and you will know immediately what workaround to implement to keep your processes running smoothly.