… And just like that… every business in the US and internationally is operating in Business Continuity mode! Employees displaced, workplaces inaccessible, supply chains disrupted, customers unavailable, products not moving. Some had plans, some are improvising, and the Governors are dictating most of the responses anyway. How can you be sure that your counter-parties will be there for you for the next business-interrupting event?
We’re learning a hard lesson about the value of having programs for Business Continuity, and for Risk Management and Cyber Security as well. When this is over, these will be – or should be – a major focus in your due diligence for suppliers, vendors, counter-parties and other organizations of interest. As stewards of your enterprises, you have a vested interest in ensuring that you only do business with those who have current and effective programs. Conversely, they have a vested interest in convincing you that they do… whether they have programs or not. As someone who has been on both sides of the assessment process, I can tell you that some companies gloss over, dissemble or even flat-out lie about their Business Continuity, Risk Management or Cyber programs. Here are some tips to make that harder and to cut through the flash and noise to understand – really understand – your counter-party risk! [Just substitute Risk Management or Cyber Security for Business Continuity when reading the below – the concepts still apply!]
Due diligence can be a rubber stamp, or it can be a valuable Risk Management tool to ensure your own organization’s resiliency.
The choice is up to you.
- Don’t take Yes for an answer. Ask open-ended questions. Asked “Do you have a Business Continuity Plan?”, most will say “Sure!” Ask who is in charge of it – an actual name. Don’t ask “Do you do testing?” Ask “What was the date of the last test? What type of test?” Ask “What was the date of the last Steering Committee meeting?” If they talk about an alternate work location (yes, in this post-COVID regime they still might be necessary), ask when the contract expires and the date of last occupancy, whether for a test or for actual use.
- Don’t take No for an answer either. Many orgs will offer their slick PowerPoint or PDF piece about how good their Business Continuity Program is. That’s not the plan – that’s talking about the plan. You want to see The Plan! Most orgs will counter your request to see plan documentation with “Sorry, it’s proprietary or confidential.” Some of that is legitimate – companies do not want to expose employee personal info or security-related data, and many do not trust where the documents will go. But some companies, frankly, hide behind this. There are ways around the objections. Execute Non-Disclosure Agreements (NDAs) to make them feel at ease. Ask them to share via Zoom or similar. Ask to see subsets of the documentation. In some cases, I’ve flown to a site and examined plan documentation physically under their watchful view, kind of like government SCIF space. But do not settle for documents ABOUT the program – look for the documents that COMPRISE the program. Another tip: ask to see, via Zoom or otherwise, the folders or SharePoint sites containing the documents. Look at the last-modified dates: were they all changed yesterday at the same time? Ask to be shown the revision history, either on the page or in the control block within the documentation (a sign of a properly maintained program).
- Peek under the cover. Many enterprises only share the glossy PDF or PowerPoint that describes how robust and effective their program is. For me, that’s a yellow flag. Use it as a starting point, but don’t stop there. Ask to see the actual plan accoutrements – not only the plan docs but the educational material, Steerco meeting minutes, awareness material, issue logs, etc. Pick out some of the cool things they talk about and ask for the evidence.
- Tick each box. A proper Business Continuity Plan will address the essential elements of a program:
Alternate Work Modes: what’s the strategy for contingency-mode operations
Teams: established roles and responsibilities, with backups at least two deep and preferably three, with everybody knowing their part
Communications: how to rally teams, get the word out, ensure employee safety and productivity
Plans: actionable checklists with relevant and only relevant content, backed up, available to parties of responsibility
Trained Employees: awareness and education that drive adoption of the program and give people competence and confidence in their roles, wherever they fit in, with exercise results to prove it.
Ask to see each element in writing.
- Ride along. The best way to do due diligence is to watch it in action and be a part of it. Offer your services and participation to your critical counter-parties. Don’t ask, offer it. Not only do you get evidence that their plan does at least exist, you also test how the communications and operational circuits flow between you and them. The best practice I’ve observed was an Internet retailer that drove down operations risk by dual-sourcing critical services, requiring the two providers to write a joint Business Continuity Plan to address cooperation between competitors and failover/failback, then facilitating a three-party exercise with both providers and itself as the customer.
Due diligence can be a rubber stamp, or it can be a valuable Risk Management tool to ensure your own organization’s resiliency.
The choice is up to you.