
Third Party Business Continuity and Disaster Recovery Programs

From natural disasters to software failures and cyberattacks, disasters bring considerable risk to businesses. While there is no way to prevent an unforeseen event, you can minimize the ensuing risks by working closely with third parties (those who provide your organization with goods and services) to develop a disaster recovery plan.

In our recent All About Third Party Business Continuity and Disaster Recovery Programs webinar, our panelists discuss how to create a disaster recovery plan that accounts for the risks you are inheriting from your third parties.

Panelists in this webinar included:

Teresa C. Lindsey, Senior Consultant, Shared Assessments
Robert Stebbins, Senior Manager of Business Resilience & Disaster Recovery, Citizens Bank

We asked attendees if their companies engage with third-party providers regarding their disaster recovery programs. The good news? Most attendees (87%) said yes, they do engage with their third parties around disaster recovery.

What is disaster recovery?

Disaster recovery is an organization's method of responding to and regaining control over its infrastructure after a natural disaster, cyberattack, or any other business disruption. The goal is to recover access to all your data and resume normal operations. Your organization's definition of what disaster recovery should be applies to your third parties as well.

Traditionally, disaster recovery planning has viewed an organization as having a primary production data center and an alternate center that takes over in the event of a disaster, with the primary data center assumed to be unrecoverable.

What should be in your third-party contracts?

Your third parties need to know what your organization deems important and how they will support your organization. Create a clear understanding of exactly what a third-party provider is going to provide to your organization and account for this in your contract. What does your partnership really look like?

Contractual verbiage is important. Establish with your third party what the proper recovery time is. Recovery time is the target time set for restoration within an organization after a disaster occurs.

Uptime and availability should also be outlined in response to a disaster. Uptime is a measure of a system's reliability: the time during which the system is ready for operation. Availability is the promise that a system will work as required, when required.

You should obtain evidence from your third party that they have a recovery plan. In the event of a disaster or an outage, how will you be notified? This relationship is a partnership, so implementing outage notifications is key.

How has COVID impacted disaster recovery plans?

The pandemic has added an element to your third-party relationships. Third parties are an extension of your organization, so it is critical to know if processes are being changed to accommodate the pandemic. Is the pandemic shifting the functions of your third parties' business, and will it impact how they support your organization? Assess the resilience of your third parties' business structure and adjust your plan accordingly.

What is Concentration Risk?

As you work with third parties, it is critical to understand how they protect your data. Are you intertwined with other companies, or is your data held separately? This should be spelled out in the contractual structure between the parties to ensure your third party is supporting and protecting your organization. In the case of a third party failing, fall back on your contract to outline the next steps. You can never completely remove risk, but you can minimize it by ensuring your plan accounts for situations where things do not go as planned.

Conclusion

It is important to understand the criticality of the function that a third party is providing to your organization and to assess your requirements for that service. Remember that it is the job of your entire team, across many departments, to understand your relationship with your third party. Ensure your organization and your third party have a strong understanding of what disaster recovery and business resilience are, and have an open conversation about how best to support each other.