In its report, entitled Business continuity beyond company walls: When a crisis hits, will your vendors’ resiliency match your own?, PwC also notes that risk becomes greater when the organization has a limited understanding of its own business interruption threats, resiliency status and recovery capabilities and strategies.

“In a world of ever increasing dependence on third-party vendors, you need to know if you can count on the other party when a crisis strikes,” said Phil Samson, principal in PwC’s Risk Assurance practice and the firm’s Business Continuity Management services leader. “It’s all about transparency – asking the right questions and pushing the right levers to determine whether your vendors will be able to weather a serious business interruption and quickly resume business as usual. The more you know about your own needs, your vendor’s capabilities, and the robustness of your resiliency plans, the more comfort you’ll have about staying on track toward your long-term strategic and operational goals even when faced with adverse developments.”

According to PwC’s report, reliance on third parties is gaining momentum, and if companies lack insight into their critical vendors’ resiliency and recovery capabilities, they run the risk of their own strategic goals being derailed. “Our clients are adjusting to the shift in global economic power and demographic shifts – two of the megatrends we identified – by increasing their use of strategic vendors to accelerate their global growth strategy and decrease time-to-market for their products and services. Along with the increase in strategic vendor reliance comes the need to more formally monitor vendor and other third-party risks,” said Brian Schwartz, PwC US Risk Assurance, Governance, Risk and Compliance leader.

In order to protect against business interruption risks, companies should institute a business continuity management program that encompasses vendor risk by incorporating increased resiliency and rapid recovery. PwC outlines five steps to help companies look beyond their own walls and examine interruption risk among the vendors who provide support.

Step 1: Map your vendor risk landscape

The journey to an integrated, responsive, and proactive business continuity management program begins with a thorough business impact analysis (BIA), an interruption risk assessment (RA), and a high-level vendor interruption risk assessment. These allow for a company to review how interruption events, such as loss of technology, reduction in personnel and loss of facilities, can impact the organization, and move on to the next component of the vendor resiliency and recovery analysis: vendor resiliency stratification.

Step 2: Distinguish among different shades of red

Not all vendors are equally important to an organization and it is critical for companies to take a risk-informed approach in determining which vendors are most integral to operational resilience. Within the BIA and RA documentation is the foundation for developing an approach that enables vendor resiliency and recovery assessment stratification. PwC identifies nine critical risk variables that organizations should take into account when assessing their third parties, including revenue and inventory impact from loss, labor, country and geopolitical risks and regulatory and cross-border issues, among others. These risk variables provide a framework for organizations to determine their spectrum of vendor risk, and what factors need to be highly safeguarded in the event of a crisis.

Step 3: Be specific

Companies can no longer rely on generic business continuity questionnaires in vendor risk management, and need to assess the quality of a vendor’s resilience and recovery capabilities. PwC’s report outlines several factors that companies should be considering within their BIA and RA such as a list of processes that consume the vendor’s outputs, a geographical depiction of the vendor’s activities, and a description of the vendor’s role during an interruption that affects the organization.

Step 4: Trust but verify

Once the organization has developed a vendor risk landscape, it is significant to verify the vendor’s resiliency and recovery capabilities. PwC provides six best practices that can aid a company’s vendor resiliency interaction and analysis, including enlisting the vendor as a resiliency partner, obtaining relevant portions of the vendor’s BIA and RA and having the vendor provide its framework for responding to crisis events.

Step 5: React

According to PwC, vendors often have minimal formal resiliency or business continuity management programs in place, focusing solely on IT disaster recovery and life safety. Companies should determine how much vendor resiliency risk they are willing to accept. If a third party is critical to a strategic growth goal or to fulfilling a regulatory requirement, then resiliency levels should never be negotiable and replacing the vendor is a less risky and costly alternative to poor disaster preparedness and recoverability.

“Even the most internally prepared organization can be deeply impacted by an interruption at a third party. When disaster strikes, it is imperative to understand where your organization ranks in importance among the vendor’s customers, as it can significantly damage your market share, brand and reputation,” concluded Samson. “Although an organization may have reached a mature level of operational resiliency and recoverability by developing its own business continuity management program, it is still imperative to go beyond just basic vendor risk management.”

Source: PwC US