
The risk assessment is done, the crisis management team is in place, plans have been developed for both continuity and recovery and all the business units have exercised their plans to perfection. Now the business continuity planner can sit back and relax with nothing to worry about. It’s all covered . . . or is it?

On Aug. 2, 2001, approximately half the banks in Norway had a digital disaster, losing card services, ATMs, Internet banking and automatic phone banking for three days.

The cause wasn’t torrential rain or widespread flooding. It had nothing to do with a power failure or a rampant computer virus. So how could something so widespread occur in the absence of a natural disaster in an industry where regulations demand exceptional disaster/continuity planning?

Give up? All were customers of the same vendor, who provided the banks with various computer services, including data storage. The vendor, implementing a project to install 288 new disks in its storage system, erroneously initialized 288 existing disks, crashing the entire system.

With every passing year, businesses become more connected, more intertwined – and more dependent on vendors to provide the highest quality products and services at exactly the right time. Anything less may substantially and adversely impact the bottom line of a business, exactly what business continuity planners spend entire careers trying to prevent. So what is the solution?

Vendor Management

Vendor management programs have been around for a long time in one form or another. Many of these programs focus on service level agreements (SLAs), which provide penalties for supply failures or poor product quality. Some provide positive incentives for “on-time” supply arrivals or consistent service “up-time.”

While these types of agreements may “encourage” a vendor to maintain process and quality standards, they don’t get to the meat of the problem experienced by Norway’s banks.

A more proactive solution is required to ensure that a vendor will be a strong and valuable partner, able to deliver your critical products and services during times of crisis. The question needs to be asked, “If you have a disaster, how do you plan to provide the products/services I need without a lapse that adversely impacts my business?”

So . . . What Is A Vendor Management Program?

A successful vendor management program is a partnership between a business and its vendors/suppliers. It involves the open exchange of information between the parties and serves to strengthen the existing business relationship. The vendor management program has three phases:

1. Developing Management Support
2. Establishing Contact
3. Partnering for Performance

Developing Management Support

The first requirement of a successful vendor management program is supportive management. It will be necessary to develop a policy statement outlining details of the program, in addition to defining requirements for vendor participation. The policy must have solid “buy-in” from management (the signature of the most senior executive possible) so that a firm foundation exists for resolving compliance issues, as it must within most organizations. How does one develop this support?

Every organization has at least one executive who understands the downside potential of business continuity issues. While it will likely not be your CEO (you are exceptionally lucky if it is), you should be able to find one who reports directly to the CEO (the CFO or CIO, for example) to be your champion. They can help raise the visibility of your program to the appropriate level for ongoing executive support. This is not an optional step. If the CEO, or at least the COO, is not on board with your program, you will never survive the inevitable conflicts that will arise.

Establishing Contact

Who are your critical vendors . . . the ones you absolutely can’t do business without? No one has time to manage all a company’s vendors, so focus must be placed on those that are truly critical to the business’ daily operations. The business impact analysis is a perfect source for this information. A BIA will provide key information regarding what functions or processes are critical to a business and identify the suppliers for that function or process. This information may be used to develop and prioritize a starting list.

Once a list of critical vendors has been established, contact them, working through business continuity contacts, if available, or established business relationships (purchasing, account managers, etc.). The first communication should be a cordial effort at relationship building. Indicate that a program is being developed for ensuring critical vendors are able to continue to meet the business’ needs during times of crisis, stressing the importance of being a partner in the effort.

As part of the first contact, request information regarding the vendor’s business continuity and disaster recovery plans. An aggressive approach is to ask for copies of their disaster/continuity plans so that they may be used as assumptions for your own planning efforts (don’t be surprised if the vendor refuses to make their plans available, as they frequently contain confidential/competitive company information). The real goal for this stage is to confirm that they do, in fact, have plans that are written and exercised regularly.

Some companies will send lots of information, some will send less than a page. The next step depends on the strength of management support and goals of your program. If the program is just looking to ensure that each vendor has some kind of business continuity/disaster recovery happening, then a minimal response may be satisfactory. Information should be tracked by making an annual contact to check for changes. If the vendor is bottom-line critical, a more aggressive approach may be desired, soliciting more detailed information on existing plans, or requesting a joint exercise to demonstrate a greater level of partnership (they should be just as concerned about losing you as a customer as you are about losing them as a vendor).

Resolving Compliance Issues

Some vendors may choose not to respond. If the appropriate executive support has been developed initially, plans should be in place for addressing this. While various options exist for dealing with a non-communicative vendor, any course of action should focus on eliminating the risk of a failed vendor causing damage to an otherwise healthy business.

If a vendor does not respond to three requests for information, use internal business relationships/partnerships to open communications with the vendor. Place the burden for the risk created on the executive whose business uses the vendor. The sponsoring executive should be notified that one of their critical vendors is refusing to participate in the company’s vendor management program and be provided with three options for moving forward:

1. The executive can work directly with the vendor to “encourage” compliance within a given time frame.
2. The executive can accept the risk (by signing a risk acceptance form that is forwarded to the company’s CEO), indicating that they understand the risk being created and that they accept full responsibility for the vendor’s performance.
3. The business unit can select a new vendor for that product or service.

What about the vendor that does respond, but doesn’t have any business continuity/disaster recovery plans currently? This is a great opportunity to build a strong partnership with the vendor by offering assistance to help them get started. Some companies offer this service to their vendors for free, while others provide it on a consulting basis (great for those looking to turn business continuity departments into revenue generators). Whichever way it is approached, the goodwill that is created will undoubtedly make the vendor a stronger partner in the future.

The primary goal of a vendor management program should be clear: ensuring that critical vendors are able to support the business under the worst of conditions. Without this knowledge, the business is at risk each and every day of becoming collateral damage . . . the victim of someone else’s disaster.

Dennis (Denny) Hodge is senior manager of the Office of Risk Management at McLeodUSA, the largest competitive local exchange carrier in the United States. Responsibilities associated with this position include directing all McLeodUSA efforts in the areas of business continuity and disaster recovery planning, risk assessment (both physical and process), safety, regulatory compliance and loss control. Hodge was a participant on Focus Group 1, Sub-Committee 2 of the fourth NRIC Council responsible for monitoring Y2K testing of the national telecommunications infrastructure. He serves on the Board of Directors of the Iowa Contingency Planners Association, is a member of the Iowa Quality Center Advisory Board and has been a featured presenter at various industry conferences, including DRJ Spring and Fall 2001.