Nowadays, there is much talk about the risk associated with outsourcing, vendors and supply chains. However, many organisations still do not measure that risk or take preventive action. For many years, the main priority with vendors has been service level agreements (SLAs), and most organisations are satisfied with 99.9 percent availability or similar. Many vendors and suppliers depend on other vendors and suppliers to provide their services. Although service levels and penalty clauses may be in place in agreements, they are not adequate when it comes to mitigating the impact on the organisation of a critical vendor service failure. Further, most agreements contain a “force majeure” clause that will generally cover the vendor, partially or fully, for failure due to a disaster or crisis.
Therefore, vendor continuity risk should be recognised and managed within business continuity management (BCM). This is also referred to in the International Organization for Standardization (ISO) standard ISO 22301:2012, specifically in clauses 4.1 and 8.2-8.4, as well as in ISO 27001:2013, Annex A.17 (information security aspects of business continuity management).
Statement on Auditing Standards (SAS) 70 was a good practice, but it was inadequate to cover the previously mentioned risk and was not widely used outside the US. SAS 70 was replaced by Statement on Standards for Attestation Engagements (SSAE) 16 in 2010, but it has not yet gained global prominence. In spite of the presence of various standards, each organisation has to develop its own due diligence to assess vendors on which the organisation is going to depend.
A vendor checklist for critical services should be considered during planning, request for proposal (RFP) and evaluation. This includes due diligence of critical products and services on which particular vendors rely (i.e., those impacting the supply chain of the vendor). The aim of this assessment is not to pass the responsibility of a failure to the vendor, but to adequately assess the risk and treat it within acceptable time frames and limits or avoid the vendor.
It is important that the organisational procedures, especially relating to procurement, contain documented and effective procedures to include checking continuity risk of vendors that support critical processes or services.
It is beneficial to educate vendors with ideas and suggestions gleaned from the experience of other organisations (subject to maintaining confidentiality) or even new products. Vendors need to be considered as partners in continuity planning, and organisations may support vendors with recommendations to other clients.
This article suggests a more practical way to ensure vendor continuity, based on consultancy and industry experience across the public and private sectors, with the objectives of:
- Identifying and measuring the continuity risk associated with vendors, suppliers, outsourced services and managed services
- Treating such risk through appropriate actions and plans
This is a fairly simple approach with a mathematical computation that can be modified by the organisation and used in an Excel tool. This approach is focussed on medium to small organisations. Large outsourcing projects may require further detailed studies, and some organisations may use external feeds and recommendations.
Service Risk and Continuity Score
Figure 1 illustrates how the service risk is assessed, using a quantitative rating and weighting method as guidance. Each organisation should adopt a suitable method that aligns with its corporate rating methods.
Continuity score has to be evaluated for each service and due diligence needs to be exercised, as not all information can be obtained from the vendor. These questions are drafted in a manner to assess the business continuity readiness while not documenting the confidential information of the vendor (figure 2).
A weighted average continuity score close to 5 indicates an excellent vendor for the particular product or service offered. This should be considered in conjunction with the service risk of the product and/or service. Continuity score measures the control that will mitigate the service risk.
A lower continuity score disqualifies a vendor if the product/services have a higher service risk. In other words, for lower service risk, continuity scores will have less importance.
Figure 3 may be used as guidance. In all cases, judgement should be exercised.
If the service risk is low (i.e., <3), assessing the continuity score is optional, as the impact of the service becoming unavailable is low.
If the service risk is high (i.e., the impact of the service being unavailable is high), then the continuity score has to be assessed. In other words, how the vendor will ensure continuity of service, and whether the vendor has sufficient business continuity and resilience arrangements, needs to be assessed. The continuity score should be good, preferably above 3.
Among other criteria for selecting vendors, business continuity should also be included for all products and services that have a service risk of three and above. Vendor selection evaluation should mention the service risk and the continuity score (if applicable, based on service risk) and justify the reason for selecting the vendor.
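As an added worked example (not the article's own Excel tool or figures), the scoring and decision rules described above in Python; the criteria names and weights are assumptions standing in for figures 1 and 2, and the disqualification rule implements the statement that a low continuity score disqualifies a vendor whose service risk is high:

```python
# Added example, not from the article: service risk and continuity score as
# weighted averages of 1-5 ratings, combined per the text (service risk < 3:
# continuity score optional; 3 and above: it must be assessed and should be
# above 3). Criteria and weights are constructed stand-ins for figures 1 and 2.
SERVICE_RISK_WEIGHTS = {  # criterion -> weight (assumed)
    "impact_if_unavailable": 0.4,
    "recovery_time_required": 0.3,
    "vendor_supply_chain_dependency": 0.2,
    "lack_of_alternatives": 0.1,
}
CONTINUITY_WEIGHTS = {  # criterion -> weight (assumed)
    "documented_bcp": 0.3,
    "bcp_tested_last_12_months": 0.3,
    "alternate_site_or_resilience": 0.2,
    "own_supplier_due_diligence": 0.2,
}

def weighted_score(ratings, weights):
    """Weighted average of 1-5 ratings; every weighted criterion must be rated."""
    missing = sorted(set(weights) - set(ratings))
    if missing:
        raise ValueError(f"missing ratings for: {missing}")
    for name, value in ratings.items():
        if not 1 <= value <= 5:
            raise ValueError(f"{name}: rating {value} is outside 1-5")
    total = sum(ratings[k] * w for k, w in weights.items())
    return round(total / sum(weights.values()), 2)

def assess_vendor(service_ratings, continuity_ratings=None):
    """Service risk, continuity score (when assessed) and a selection note."""
    risk = weighted_score(service_ratings, SERVICE_RISK_WEIGHTS)
    result = {"service_risk": risk, "continuity_score": None}
    if risk < 3:  # impact of unavailability is low: continuity check optional
        result["decision"] = "continuity score optional (low service risk)"
        return result
    if continuity_ratings is None:  # high risk: due diligence still outstanding
        result["decision"] = "continuity score required before selection"
        return result
    score = weighted_score(continuity_ratings, CONTINUITY_WEIGHTS)
    result["continuity_score"] = score
    if score > 3:
        result["decision"] = "acceptable; record risk and score in evaluation"
    else:  # a low continuity score against high service risk disqualifies
        result["decision"] = "disqualified; low continuity score for high risk"
    return result
```

The returned dictionary is what the vendor selection evaluation should record alongside the justification for the chosen vendor.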
Risk Assessment and Treatment
Considering the number of outsourced and other vendor services in operation in an organisation, risk needs to be reassessed periodically to reflect operational changes in order to mitigate new or existing and unforeseen service risk.
In any industry, there may be some vendors that are very powerful and have a monopoly. In such instances, it is not possible to assess their continuity when no other option is available. In some countries, telecoms are monopolies and, generally, no other choice is available unless a very small aperture terminal (VSAT) or other satellite communications are used, but these have limitations and cost concerns.
As in the cases noted, if there is significant dependency on the vendor and no other action is possible, that dependency risk has to be documented in a risk register and accepted at a corporate level. Vendor or outsourced service or supply chain risk assessment should be considered part of the organisationwide risk assessment. As a guide, such a risk assessment may include:
- A list of all outsourced or vendor-dependent services
- Risk assessment of the vendor service if it were to be unavailable for a prolonged period of time. Consider the service risk and continuity score mentioned previously.
- For high service risk, existence of action plans (such as testing manual procedures or obtaining regular softcopy dumps) to be carried out before a vendor defaults
- Development of an action plan to execute after a vendor defaults, cross-referenced in the respective business continuity and/or disaster recovery plans
Figure 4 shows an example of an outsourced risk assessment.
Other Risk Not Covered
A typical vendor continuity assessment may not cover the following risk areas, which may need to be addressed separately:
- Supply chain for common consumables for which adequate stock (in-house) and alternatives are in place (e.g., printing paper, printer cartridges)
- Ad hoc activities such as those related to auditing, consulting and project management vendors as they will be temporary. This could be part of the project risk assessment.
- Other risk associated with outsourcing such as confidentiality, conflict of interest and compliance. These have to be addressed in other risk assessments.
- Information security, especially confidentiality and integrity. This should be covered separately or combined into one, depending on the organisational setup. Since information security and business continuity have overlaps, it is a good practice to combine the risk assessment if possible.
- Deliberate default or nonperformance by vendor
This risk may be addressed by escrow. An escrow agreement is an arrangement by which one party (usually a vendor) deposits an asset or software code with a third person (called an escrow agent), who will, in turn, make delivery to the other party (usually a client) if and when the specified conditions of the contract have been met (such as insolvency of the vendor or noncompliance with the contract).
In the event of a deliberate default or legal/regulatory action preventing vendor operation, an escrow agreement may be of use. Escrow is one way of treating the risk of continuity of the vendor, at least in the short term, especially with software. The need and usefulness of an escrow agreement should be explored for the concerned service with the vendor.
There are different levels of escrow and the appropriate level should be chosen, with the possibility of executing and using the escrow agreement for the organisation’s purposes. However, depending on the cost and benefit, an organisation may choose not to have an escrow agreement.
It is of paramount importance to ensure the continuity of vendors, especially those that are providing and supporting the critical services and processes of the organisation.
The initial challenge is incorporating a requirement for business continuity in selecting vendors, as well as preparing the requirements for tender as part of procurement and project procedures or checklists.
The next challenges are understanding and measuring the business continuity readiness/effectiveness of the vendor, which requires exercising due diligence and obtaining completed questionnaires.
Finally, based on a risk assessment, action plans should be available before and after a default/interruption occurs.
Samuel Shanthan, CISA, CIPM, MBCI, has more than 15 years of business continuity and information security-related experience at large multinationals, Big Four and Fortune 500 organisations. He has managed business continuity setups in Europe, Asia, Africa, the Middle East and Australia. Currently, he works as a consultant in the public sector and is running his consulting practice, Grace Risk Advisors.