Continuity Insights Management Conference

Are You Asking the Right Questions – Vendor Assessments

Vicky Kagler, T. Rowe Price, discusses how, in a time of static budgets, the need to perform extensive assessments of vendors’ BC/DR capabilities has stretched BC staffs to the limit. The typical BC due diligence questionnaire is bloated with ineffectual and redundant questions that ultimately fail to provide the information your staff needs to properly perform an assessment. Furthermore, programs need an internal mechanism to understand the context of the vendor’s impact to the firm. Learn how T. Rowe Price’s BC Program worked with their Vendor Management Office to institute a concise, smart set of questions that provide the basis of an effective vendor BC/DR assessment.

The Challenge
  • Increased reliance on outsourcing
  • How to assess different business models?
  • Who can you partner with to get to the facts?
  • Vendor Management provides structure
  • Relationship Manager to be sure the business is engaged
  • So many vendors… so little time…
  • Regulatory requirements
What is Wrong with Today’s DDQ’s and RFP’s?
  • Incorrect Nomenclature
  • Redundant/Compound Questions
  • Incomprehensible Questions
  • Valueless Questions
  • Inappropriate Questions
Just to name a few….
Incorrect Nomenclature
  • Please describe your firm’s business continuation plan including, but not limited to:
  • Protection and recovery of your firm’s human, information, and physical assets; Oversight structure and process
  • Maintenance of offsite facilities
  • Describe how the firm communicates the BCP to staff
  • Notification during a BC event or the plan documents?
Redundant/Compound Questions that repeat things and go on and on…
  • Do you have an incident management program, approved and overseen by management that includes incident response and data breach plans including: investigation, escalation, forensics, data gathering and reporting forms, disciplinary action, legal action, actions taken to prevent recurrence and feedback into the information security management system?
  • Does your firm maintain documentation regarding incidents and data breaches (issues, root cause, outcomes, remediation, etc.)?
  • Does your firm’s incident response plan include response to ransomware or a hacker?
  • Please describe any tests of this program. Please describe any situation where your program has been implemented. Describe the results and changes made as a result of such testing or implementation.
Incomprehensible Questions
  • Describe any changes made to the plan since the last questionnaire response.
  • How is Business Continuity Risk assessed and monitored in your firm?
  • If you were forced to leave the main location, where would you go to complete ‘today’ operations?
Valueless Questions
  • Do you have a Business Continuity/Incident Response/Disaster Recovery plan?
  • Do you involve external consultants to run your crisis management exercises?
Inappropriate Questions
  • What are the key technology systems utilized in managing the Portfolio including but not limited to: trading, compliance, risk analysis, portfolio analytics, portfolio management, personal trading monitoring, including insider trading?
  • Have there been any changes to these systems since the date of the last questionnaire response or are any contemplated?
Why does everyone keep doing it this way?
  • Not created by the company’s BC Team
  • Borrowed questions
  • We’ve always done it that way
  • It looks very thorough
  • CYA
But is it helping your business?
Where does good vendor oversight start?
  • Vendor Management Program/Office
  • Business Unit ownership
  • Executive Sponsor
  • Vendor Relationship Manager
  • Subject Matter Expert analysis