Draft your business continuity plan (BCP) and your vendor management policies together, using the same definitions and with the same goals in mind. When BCP and vendor management are coordinated at the policy level, they are far more likely to be coordinated in execution.
Use proper risk assessment methods.
Vendor management and business continuity should identify critical vendors together, aligning the risk each vendor presents with the institution's overall strategy. Each critical-vendor designation creates extra work (added due diligence, monitoring and documentation), so limit it to third parties that truly present a substantial risk.
The best opportunity to minimize risk is at the start of a contract. Business continuity and vendor management should work together to spell out requirements and expectations before contract negotiations—including audits, documents and when you can expect them. It’s not enough for your vendor to say that it’s compliant—you must have the tools to do the due diligence and prove it.
Divvy up monitoring responsibilities across business continuity planning and vendor management and share the results. This includes both annual reviews with expected vendor documents (SSAE 16s, disaster recovery plans and tests, incident response plans and tests, financials, summary findings and evaluations) and ongoing monitoring (litigation, sale or acquisition of the vendor, data breaches, regulatory issues and financial performance).