COVID and Business Continuity: Identifying Risky Vendors

by Justin Luebke

In times like these ensuring business continuity is a primary concern. The current COVID-19 pandemic is interrupting local and global supply chains as businesses temporarily shut their doors, staff are quarantined, and logistics channels by road, rail, sea, and air come to a screeching halt. According to IndustryWeek, due to COVID-19, “The world’s supply chains are facing a root-to-branch shutdown unlike any seen in modern peacetime as efforts to contain the coronavirus outbreak hit everything from copper mines in Peru to ball bearing makers in Germany’s industrial heartland.” The Institute for Supply Management® (ISM®) survey reveals that more than 80 percent believe that their organization will experience some impact because of COVID-19 disruptions. 

It is more important than ever to make sure your suppliers understand not just how to keep their business running, but also how to restart them after a significant interruption. 

How can the CyberGRX vendor risk assessment help? 

The business continuity section of our risk assessment covers four key areas to assess how well an organization is ready to handle potential disruptions. 

  1. Business Impact Assessments (BIA): Has the organization conducted a thorough analysis to understand the people, processes and technology interdependencies required to keep the business running? Did the analysis include the right departments to fully capture all requirements? Is the BIA revisited on a regular basis? 
  2. Business Continuity Plan (BCP): Based on the BIA, has the organization created a BCP with broad participation that includes critical elements such as roles, alternate sites and service providers, security concerns, backup requirements, and detailed recovery and testing procedures?  
  3. BCP Testing: It’s great to have a plan. But have they regularly tested it to make sure it works? Are they doing different levels of testing from tabletops to full business process and system recoveries to identify strengths and weakness in the plan? Have they identified the triggers to invoke the plan? 
  4. BCP Updates: It’s critical to make sure the plan is updated after testing or real-world execution to correct any issues that were identified. But it is just as important to review it on a regular basis for necessary changes. Did service providers change? Are there new connectivity requirements or changes in business processes? The BCP is a complex document that requires regular updates to remain relevant and usable. 

There is much nuance in business continuity for each organization. Our goal is to give you a sense of how seriously your third parties take their business continuity obligations. This should enable you to identify which third parties require a more detailed conversation as well as where you may need to consider backup or alternative suppliers.  

As always, we are here to help. Feel free to contact us for additional information on the CyberGRX assessment