Hi everyone, some great business continuity and disaster recovery related questions were shared during last week's live Third Party Risk Management Bootcamp hosted by Venminder! The team thought it would be helpful to share them and provide answers as well. The webinar event was three days, 6 sessions and 11 presentations long, covered by nine experts. Needless to say, a lot of great information was shared. Chime in if you have further answers or comments for any of these. And, if you're interested in viewing the recordings, you'll find the link on the Program Improvement library page.
Q: Your definition of Disaster Recovery is not in line with FFIEC: "disaster recovery exercises focus on testing the continuity of technology components, including systems, networks, applications, and data." Can you explain?
A: Good question! The testing of technology components is only one segment of the full scope of the FFIEC's requirements for financial institutions. All financial institutions of a certain size are required to do full DR tests annually. Their DR tests must include, without exception, a complete business operations relocation test.
That's why we see so many financial institutions with multiple geographic locations for business units, such as Wires, Item Processing, ACH and Lockbox to name a few. With multiple geographic locations the financial institution has the redundancy our prudential regulators are attempting to ensure the entire finance industry maintains.
Q: Is an annual review of a third party vendor's BCP and DR plans adequate, or do we need to do it more frequently?
A: In my honest opinion, it depends upon the company. If it's a major player, they will be more than willing to share how they handle BCP/DR and you can be certain that the results of their testing will be satisfactory. In this instance, an annual review is enough. If the company is a small fintech startup, you will want to make sure you keep an eye on their BCP/DR, perhaps reviewing the small fintech semi-annually. Of course, a small startup may only test once a year, which leaves little else you can do if you wish to stay with the vendor.
Q: Do companies really have a dedicated team to DR?
A: Yes, they do. In 2008, I created the DR team for a $25 billion bank with locations in 9 states. It consisted of 5 dedicated individuals and a dozen ad hoc members and perhaps 30 IT people that could be called upon as needed. Today, the bank is pushing $45 billion and the team has the same staffing level.
Q: How would a firm address the resistance of a company to provide the results of a federal exam (i.e., FFIEC, Federal Reserve, OCC, etc.), given that enforcement actions are published and public knowledge?
A: While enforcement actions are public floggings, examinations are very, very private affairs. They are literally delivered to the board and usually come with the qualification that the results of the exam are confidential between the examining agency and the organization. And remember, the point of an exam is to help the organization get better. Bottom line, you may never see the results of an exam.
Q: A lot of companies don't share internal policies, stating that they are private and confidential. Correct?
A: True. The policies you should be seeking may very well fall within the bounds of private and confidential. That's why we use a mutual non-disclosure agreement (MNDA). The MNDA will cover both parties and should eliminate some of the resistance in sharing the confidential information.
Q: If a critical vendor stops sharing their BCP test results as part of a new company policy – what should you do? Will the contract provision override this?
A: If you have it in the contract, the vendor is in breach of contract should they stop performing according to the contract. However, if it isn't in the contract, it won't happen and you're at the mercy of the vendor.
Of course, you can always use the champion vs. challenger process to let the vendor know you're serious about reviewing the BCP/DR test results.
Remember, a lot of firms don't want to share failures with their customers. Failure isn't something a client wants to hear from a vendor. It could be a bad test result they simply don't want to share.
Q: What do you recommend if the vendor doesn't want to provide that level of detail? I.e., they don't want to share the results of penetration testing, or they say their BCP isn't for release?
A: Contractually commit them to provide it, then visit and discuss, or host a WebEx and discuss.
Q: What would be a reasonable standard to hold small vendors to for a BC/DR test?
A: Just because they're a small vendor doesn't mean they can't have a big impact on your company. Vendors shouldn't be rated by size, but by how crucial they are to you.
If the impact of that vendor being unavailable is minimal, or there is abundant ability to quickly replace them with another vendor before there is an impact to your company, then what they perform for business continuity and disaster recovery testing can be as little as a tabletop walkthrough, as long as their ability to recover is in line with your needs.
If that vendor being unavailable would be a significant issue for you, then your requirements for their business continuity and disaster recovery testing procedures need to be held to a higher level, possibly up to validating simulated or functional testing, where the vendor actually enacts their business continuity or disaster recovery plans for a certain period of time (days, weeks, months) to verify their procedures are sound.
Not all vendors are going to be willing or able to perform testing that is in line with your dependence on them. If you find yourself in that situation, additional measures on your part may be the solution, such as: working with the vendor to implement a testing solution that makes you confident in their ability while being reasonable for their financial and logistical abilities; finding an alternate vendor as a backup; bringing in an additional vendor to also perform their function, thus splitting the risk; or replacing that vendor with one that is more robust.
The key to the decision is how important they are to you.
Third Party ThinkTank