Five steps to assess vendor resiliency and protect business continuity
NEW YORK, April 16, 2013 – As businesses increasingly rely on external parties for critical services, they become more vulnerable to business interruptions. This is especially true when such businesses know little about their third-party vendors’ resiliency and recovery capabilities, according to a new PwC US whitepaper, which examines the effects that vendor resiliency, or lack thereof, can have on an organization’s business continuity strategy. Titled Business continuity beyond company walls: When a crisis hits, will your vendors’ resiliency match your own?, the PwC report also notes that risk becomes greater when the organization has a limited understanding of its own business interruption threats, resiliency status and recovery capabilities and strategies.
“In a world of ever-increasing dependence on third-party vendors, you need to know if you can count on the other party when a crisis strikes,” said Phil Samson, principal in PwC’s Risk Assurance practice and the firm’s Business Continuity Management services leader. “It’s all about transparency – asking the right questions and pushing the right levers to determine whether your vendors will be able to weather a serious business interruption and quickly resume business as usual. The more you know about your own needs, your vendors’ capabilities and the robustness of your resiliency plans, the more comfort you’ll have about staying on track toward your long-term strategic and operational goals even when faced with adverse developments.”
According to PwC’s report, reliance on third parties is gaining momentum, and if companies lack insight into their critical vendors’ resiliency and recovery capabilities, they run the risk of their own strategic goals being derailed. “Our clients are adjusting to the shift in global economic power and demographic shifts – two of the mega-trends we identified – by increasing their use of strategic vendors to accelerate their global growth strategy and decrease time-to-market for their products and services. Along with the increase in strategic vendor reliance comes the need to more formally monitor vendor and other third-party risks,” said Brian Schwartz, PwC US Risk Assurance, Governance, Risk and Compliance leader.
In order to protect against business interruption risks, companies should institute a business continuity management program that encompasses vendor risk by incorporating increased resiliency and rapid recovery. PwC outlines five steps to help companies look beyond their own walls and examine interruption risk among the vendors who provide support.
Step 1: Map your vendor risk landscape
The journey to an integrated, responsive and proactive business continuity management program begins with a thorough business impact analysis (BIA), an interruption risk assessment (RA) and a high-level vendor interruption risk assessment. These allow a company to review how interruption events, such as loss of technology, reduction in personnel or loss of facilities, can affect the organization, and then move on to the next component of the vendor resiliency and recovery analysis: vendor resiliency stratification.
Step 2: Distinguish among different shades of red
Not all vendors are equally important to an organization, and it is critical for companies to take a risk-informed approach in determining which vendors are most integral to operational resilience. Within the BIA and RA documentation is the foundation for developing an approach that enables vendor resiliency and recovery assessment stratification. PwC identifies nine critical risk variables that organizations should take into account when assessing their third parties, including revenue and inventory impact from loss, labor, country and geopolitical risks and regulatory and cross-border issues, among others. These risk variables provide a framework for organizations to determine their spectrum of vendor risk and what factors need to be highly safeguarded in the event of a crisis.
Step 3: Be specific
Companies can no longer rely on generic business continuity questionnaires in vendor risk management, but must assess the quality of a vendor’s resilience and recovery capabilities. PwC’s report outlines several factors that companies should be considering within their BIA and RA, such as a list of processes that consume the vendor’s outputs, a geographical depiction of the vendor’s activities and a description of the vendor’s role during an interruption that affects the organization.
Step 4: Trust, but verify
Once the organization has developed a vendor risk landscape, it is important to verify the vendor’s resiliency and recovery capabilities. PwC provides six best practices that can aid a company’s vendor resiliency interaction and analysis, including enlisting the vendor as a resiliency partner, obtaining relevant portions of the vendor’s BIA and RA, and having the vendor provide its framework for responding to crisis events.
Step 5: React
According to PwC, vendors often have minimal formal resiliency or business continuity management programs in place, focusing solely on IT disaster recovery and life safety. Companies should determine how much vendor resiliency risk they are willing to accept. If a third party is critical to a strategic growth goal or to fulfilling a regulatory requirement, then resiliency levels should never be negotiable; replacing the vendor is a less risky and less costly alternative to poor disaster preparedness and recoverability.
“Even the most internally prepared organization can be deeply impacted by an interruption at a third party. When disaster strikes, it is imperative to understand where your organization ranks in importance among the vendor’s customers, as it can significantly damage your market share, brand and reputation,” concluded Samson. “Although an organization may have reached a mature level of operational resiliency and recoverability by developing its own business continuity management program, it is still imperative to go beyond just basic vendor risk management.”
About PwC’s Risk Assurance Practice
PwC understands that significant risk is rarely confined to discrete areas within an organization. Rather, most significant risks have a wide-ranging impact across the organization. As a result, PwC’s Risk Assurance practice has developed a holistic approach to risk that protects business, facilitates strategic decision making and enhances efficiency. This approach is complemented by the extensive risk and controls technical knowledge and sector-specific experience of its Risk Assurance professionals. The end result is a risk solution tailored to meet the unique needs of clients.
About PwC US
PwC US helps organizations and individuals create the value they’re looking for. We’re a member of the PwC network of firms in 157 countries with more than 184,000 people. We’re committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com/US. Gain customized access to our insights by downloading our thought leadership app: PwC’s 365™ – Advancing business thinking every day.
© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC US refers to the US member firm, and PwC may refer to either the PwC network of firms or the US member firm. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.