Vicky Kagler, T. Rowe Price, discusses in a time of static budgets, the need to perform extensive assessments of vendor’s BC/DR capabilities has stretched BC staffs to the limit. The typical BC due diligence questionnaire is bloated with ineffectual and redundant questions that ultimately fail to provide the information your staff needs to properly perform an assessment. Furthermore, Programs need an internal mechanism to understand the context of the vendor’s impact to the firm. Learn how T Rowe Price’s BC Program worked with their Vendor Management Office to institute a concise , smart set of questions that provide the basis of an effective vendor BC/DR assessment.
- Increased reliance on outsourcing
- How to assess different business models?
- Who can you partner with to get to the facts?
- Vendor Mgmt provides structure
- Relationship Manager to be sure the business is engaged
- So many vendors…….. So little time…….
- Regulatory requirements
- Incorrect Nomenclature
- Redundant/Compound Questions
- Incomprehensible Questions
- Valueless Questions
- Inappropriate Questions
- Please describe your firm’s business continuation plan including, but not limited to:
- Protection and recovery of your firm’s human, information, and physical assets; Oversight structure and process
- Maintenance of offsite facilities
- Describe how the firm communicates the BCP to staff
- Notification during a BC event or the plan documents?
- Do you have an incident management program, approved and overseen by management that includes incident response and data breach plans including: investigation, escalation, forensics, data gathering and reporting forms, disciplinary action, legal action, actions taken to prevent recurrence and feedback into the information security management system?
- Does your firm maintain documentation regarding incidents and data breaches (issues, root cause, outcomes, remediation, etc.)?
- Does your firm’s incident response plan include response to ransomware or a hacker?
- Please describe any tests of this program. Please describe any situation where your program has been implemented. Describe the results and changes made as a result of such testing or implementation
- Describe any changes made to the plan since the last questionnaire response.
- How is Business Continuity Risk assessed and monitored in your firm?
- If you were forced to leave the main location, where would you go to complete ‘today’ operations?
- Do you have a Business Continuity/Incident Response/Disaster Recovery plan?
- Do you involve external consultants to run your crisis management exercises?
- What are the key technology systems utilized in managing the Portfolio including but not limited to: trading, compliance, risk analysis, portfolio analytics, portfolio management, personal trading monitoring, including insider trading?
- Have there been any changes to these systems since the date of the last questionnaire response or are any contemplated?
- Not created by the company’s BC Team
- Borrowed questions
- We’ve always done it that way
- It looks very thorough
Vendor Management Program/Office
Business Unit ownership
Vendor Relationship Manager
Subject Matter Expert analysis