I am responsible for not only seeing if our key suppliers have BCPs but also assessing them. I check for a BC policy (for leadership support), BCP components (Risk Assessment, BIA, Crisis Management (Incident Response & DRP), Training & Exercise, Plan Maintenance) and annual updates. The assessment levels are Informal, Emerging, Developing, Mature, Integrated. If the BCP is less than Mature, I ask them to sign a Supplier Resilience Agreement. This is a non-legal commitment on their part that they will improve their resiliency over the next 3 years. I monitor them bi-annually to check on their progress and see if they have any questions. The level of cooperation also varies. Many are cooperative, but there are a handful that will go with the "proprietary" response. I assure them I'm not looking for PII or proprietary information, just BC content: show me a template or a redacted document, can we view it online, if their site is in the Americas, can I pay them a visit, etc. I also escalate to our Buyers, PMs, etc. for support.
If all that fails, they are marked as uncooperative, which contributes to our supplier risk scoring.
------------------------------
Peggy Welch
------------------------------
Original Message:
Sent: 09-09-2024 06:59 PM
From: Brandon Carey
Subject: BC Plan
When I look at DR/BCP plans, I look to see if the plan is well documented, regularly updated and tested, and has a BIA that includes RPO/RTO. I also like to see their backup locations for their data; other important information that's more specific to their industry/service will also be there. When measuring it against our institution's BCP, I make sure the RPO/RTO are in line with our needs.