The Business Continuity Team, responsible for conducting the Business Impact Analysis (BIA), should review the list of third-party vendors. This review will ensure that each business line identifies its vendor dependencies and evaluates them according to specific business requirements outlined in their BIA.
A key factor in evaluating vendor inherent risk is understanding the recovery time objectives for third-party services in the event of a disruption. It's essential that the BIA aligns with the Vendor Inherent Risk assessment from the business owner.
Collaboration between both teams is essential to ensure that the business requirements align with the capabilities of the vendors. Although the Vendor Management team may not be directly involved in the Business Impact Analysis (BIA) process, since it is owned by the business line and the BIA owner, it is important for both the BC and third-party teams to work together to ensure that business requirements align. Most times, this analysis is performed within the BC team.
Original Message:
Sent: 09-25-2024 11:55 AM
From: Anonymous Member
Subject: Critical inherent risk rated providers and providers identified for BCP/BIA purposes for organization
This message was posted by a user wishing to remain anonymous
Is TPRM involved with the bank's BCP/BIA designation of third party providers? We currently have many Critical inherent risk services that are not included in BCP/BIA provider lists. There is no collaboration between IT and TPRM in creating the BCP/BIA. How do others handle these lists of mission "critical" providers?