I am responsible not only for seeing if our key suppliers have BCPs but for assessing them. I check for a BC policy (for leadership support) and BCP components (Risk Assessment, BIA, Crisis Management (Incident Response & DRP), Training & Exercise, Plan Maintenance) and annual updates. The assessment levels are Informal, Emerging, Developing, Mature, Integrate. If the BCP is less than Mature, I ask them to sign a Supplier Resilience Agreement. This is a non-legal commitment on their part that they will improve their resiliency over the next 3 years. I monitor them bi-annually to check on their progress and see if they have any questions. The level of cooperation also varies. Many are cooperative, but there are a handful that will go with the proprietary response. I assure them I'm not looking for PII or proprietary information, just BC content: show me a template or a redacted document, can we view it online, if their site is in the Americas, can I pay them a visit, etc. I also escalate to our Buyers, PMs, etc. for support.
If all that fails, they are marked as uncooperative, which contributes to our supplier risk scoring.
Peggy Welch
Original Message:
Sent: 09-09-2024 06:59 PM
From: Brandon Carey
Subject: BC Plan
When I look at DR/BCP plans, I look to see if the plan is well documented, regularly updated and tested, and has a BIA that includes RPO/RTO. I also like to see their backup locations for their data, and other important information that's more specific to their industry/service will also be there. When measuring it against our institution's BCP, I make sure the RPO/RTO are in line with our needs.
Original Message:
Sent: 09-04-2024 12:36 PM
From: Anonymous Member
Subject: BC Plan
This message was posted by a user wishing to remain anonymous
During the due diligence, what is documented from the business resiliency results, and how do you measure it against your own organization's plan? Also, if it appears to be risky, how do you mitigate?