It's a daily occurrence now; storms that lead to major flooding, terrorism, outbreaks of infectious diseases, cyber hacks, and even political turmoil. With such events occurring with increased frequency perhaps it's time to reevaluate your business resiliency posture.
On the surface, evaluating business resiliency is not as sexy as evaluating the constant threat landscape pertaining to network security, cyber threats, cloud computing, et al; however, overlooking the possibility of the business that can be lost in the event you or your key third party business partners or suppliers go offline due to such events can have disastrous effects.
John Beattie, Principal Consultant with Sungard Availability Services points out that "gaining insight about a vendor's business continuity and disaster recovery process is interesting, but not as important as understanding what you can expect from the vendor when a disruptive incident occurs within their organization".
Beattie adds some basic guidance that organizations should perform regarding third party risk:
- understand their specific recovery objectives for the systems and business functions that directly support the products and services you receive from them; and if they have been validated through rigorous testing; understand their procedures and capabilities for ensuring continuity of their information security and data protection controls should they invoke their IT disaster recovery plans; and
- develop specific strategies, plans and capabilities to address how your organization will respond to the loss of individual third party services (and perhaps even 4th party services) as well as other disruption scenarios such as the loss of IT services; the loss of a work place; and even for a reduction in available work force.
On the topic of vendor selection and retention, Beattie mentions that organizations need to gather enough information so an informed decision can be made about how to address identified resiliency and recoverability risks, pointing out that a good start or basis is having an ISO 22301 certified Business Continuity program who's scope includes all of the products and services received from that vendor "should carry a lot of weight during the vendor selection process" but validation of their resiliency is in order.
As many organizations perform periodic business continuity and disaster recovery tests, the Federal Financial Institutions Examinations Council (FFIEC - Appendix J) and the Office of Comptroller of Currency (OCC Bulletin: 2013-29) have each laid out guidance to help financial organizations gain assurance that third party service providers have implemented solid business continuity and disaster recovery practices.
The FFIEC defines business resilience as "the ability an organization has to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets and overall brand equity". Defining additionally "It is more than disaster recovery, it includes post-disaster strategies to avoid costly downtime, the identification and resolution of vulnerabilities and the ability to maintain business operations in the face of additional, unexpected breaches".
The OCC's Bulletin 2013-29 similarly recommends organizations "assess the third party's ability to respond to service disruptions or degradations resulting from natural disasters, human error, or intentional physical or cyber attacks." The Bulletin further recommends that a "third party reviews its telecommunications redundancy and resilience plans and preparations for known and emerging threats and vulnerabilities". Lastly, the Bulletin provides guidelines for stipulations in contracts for third parties to include:
- Continuation of the business function in the event of problems affecting the third party's operations, including degradations or interruptions resulting from natural disasters, human error, or intentional attacks.
- Stipulate the third party's responsibility for backing up and otherwise protecting programs, data, and equipment, and for maintaining current and sound business resumption and contingency plans.
- Include provisions--in the event of the third party's bankruptcy, business failure, or business interruption--for transferring the bank's accounts or activities to another third party without penalty.
- Requires the third party to provide operating procedures to be carried out in the event business resumption and disaster recovery plans are implemented.
It would be wise for any company, regardless of the industry, to utilize this guidance in their business resiliency strategies.
Shared Assessments, a member-driven organization providing thought leadership in third party assurance, recommends organizations assess their third parties with probing questions - and evidence -regarding their business resiliency efforts such as:
- The existence of a Business Resiliency program that's been approved by management, communicated to appropriate constituents, and is periodically reviewed
- A documented Business Impact Analysis
- A formal process focused on identifying and addressing risks of disruptive incidents to the organization
- Specific response and recovery strategies defined for prioritized activities
- Business continuity procedures being formally developed and documented
- Senior management's role for the overall management of the response and recovery efforts
- Identifying dependencies on critical third party service providers
- Formal, documented exercises and testing programs
In short, organizations need to ensure business resiliency is incorporated into their business model's overall design as to diminish the risk of a service disruption and the impacts of those within their third party chain. Technology, business operations, and communication strategies that cover the enterprise should be included as these are all of paramount importance to a sound business resiliency strategy. Furthermore, this strategy should be assessed and if possible, tested, periodically.
You'll never know where the next "hit" is going to come from, but if or when it does, the efforts brought into it should certainly pay off.
References and Resources:
FFIEC Business Continuity Planning - Appendix J: Strengthening the Resilience of Outsourced Technology Services:
http://ithandbook.ffiec.gov/it-booklets/business-continuity-planning/appendix-j-strengthening-the-resilience-of-outsourced-technology-services.aspx
OCC 2013-29: Third Party Relationships - Risk Management Guidance:
http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html
"Business continuity - ISO 22301 when things go seriously wrong";
http://www.iso.org/iso/news.htm?refid=Ref1602
"Three Important Elements Your Business Continuity Plan Is Missing"; John Beattie;
http://www.forbes.com/sites/sungardas/2014/08/13/3-important-elements-your-business-continuity-plan-is-missing/
The Shared Assessments Program:
https://sharedassessments.org/