Before running to your vendors and performing your "due diligence", you need to determine what level of information will satisfy your business requirements. The range of inquiries goes from a simple questionnaire to a complete review of comprehensive plans. The answer to this dilemma depends on your company's risk tolerance. Perhaps the best way to determine what to ask is to engage your sourcing operation and get input from your businesses.
The questionnaire approach is by far the easiest method. Most vendors are willing to furnish data this way, since questionnaires typically ask for fairly high-level information about their BC program. Do you have documented BC plans? A documented BC Policy? Do you conduct regular BC tests? These questions are not threatening to most vendors. You are generally seeking YES or NO responses to these questions. As a rule of thumb, your response rate will be higher if the questionnaire takes less than 20 minutes to complete.
The comprehensive approach is generally desirable but difficult to achieve. Most vendors treat their detailed plans as proprietary documents and are reluctant to share with others, including companies with signed contracts. The best way to overcome this obstacle is to scale back your request and ask for a summary document that offers insight into the program without revealing sensitive data. The summary document should include details on (a) defined business and disaster recovery strategy; (b) commitment to risk and impact assessments; (c) established crisis management teams; (d) defined notification and escalation process; and (e) established audit, testing and awareness approaches. Most companies can provide this concise summary in a few pages.
The Analysis
Next, the BC manager needs to analyze the submitted data. The aim of this analysis is to judge the essence of the vendor's program and to communicate the collected data to your stakeholders. The best method is to group responses by general categories so that you can score each category - namely, green (acceptable), yellow (needs improvement) or red (deficient). Once the raw scores have been interpreted by category, you have baseline data to share with your stakeholders. You may want to establish an aggregate (weighted or unweighted) score based on the vendor's responses. The core message to be communicated is whether - or not - you believe an actionable BC plan exists.
Extra Step
To validate your vendor assessment, it is advisable to reengage your vendor if they used the comprehensive approach. The best method is via a scheduled telephone conversation. Vendors are more willing to share the details of their BC program verbally than to put them in writing.
During this scheduled meeting with the vendor, ask clarifying questions to make sure you understand their responses. Additionally, you must be able to discern the vendor's confidence in their plans. The scores generated in your analysis may change based on this conversation. Caution: Be leery of 100 percent verbal data with no documented data when determining your score. To negate this issue, you might send an e-mail summarizing your conversation and ask for an acknowledgement in return.
The combination of the documented and verbal information should provide adequate details to assess the vendor's resilience. However, if you are still not satisfied, you can always insist on participating in the vendor's next test.
Finishing Touches
Before publishing the vendor score, take time to review the vendor's relationship with your company. Your vendor could have a very comprehensive BC program and still be risky to your company. During the review process, it is important to establish whether the vendor is the sole provider of the goods or services, days of supply on hand, and other operational data that will shed light on how the company manages this arrangement. Beware: A BC-compliant vendor may still be your worst nightmare if the sourcing organization doesn't manage this relationship properly.
Our BC "influence" in the vendor management arena is essential, especially in the age when more and more outsourcing occurs.
Larry Heck, CBCP, previously developed and implemented Avaya's BCP vendor management program and can be reached at 973-479-8339.

