April 25, 2023

The shift to hybrid and virtual workplaces has accelerated since the pandemic, thanks to the use of third-party cloud applications (Software as a Service). These technologies enable workers to access resources from anywhere, but they come with a caveat: the organization has less control over its data. Managing your third-party risk should be a component of your business continuity plan.

Does your organization know all the third-party vendors who access and manage data on your behalf? In the event of a disaster, any gaps in responsibilities, security, and communications prolong the outage of business operations, so it’s better to identify and eliminate these gaps now before a disaster happens.

That’s where a business continuity plan comes in. A business continuity plan helps get the organization back up and running, but only if it has identified all the risks.

What is a Business Continuity / Disaster Recovery Plan?

Business continuity plans and disaster recovery (BCP/DR) provide procedures for creating reliable, continuous business operations and recovering from disrupted systems and networks. The goal is to minimize any negative impacts on company operations by identifying critical IT systems and networks, prioritizing the time to get back up and running, and determining the steps needed to recover from an outage. This plan also includes any third parties to the organization that have an impact on the IT systems and processes and identifies their contacts and responsibilities.

What is Third Party Risk Management (TPRM)?

Third-Party Risk Management is the process of analyzing and mitigating risks to your organization by parties other than your organization. Third parties pose a persistent risk as they are often holding data on behalf of the organization. While the data has been transferred to a third party, the organization is still responsible for anything that happens to that data, which makes third-party risk management crucial in reducing the likelihood of data breaches, operational failures, and reputational damage. Incorporating third risk management into your business continuity and disaster recovery objectives will help you reduce your risk of data loss, vendor bankruptcy, and business disruptions.

For more information on enhancing your third-party risk management process, please refer to this presentation, “Enhancing Third Party Risk Management in Cybersecurity & Privacy Programs.” Additionally, we have an online checklist to help get you started on what to ask when vetting third parties.

How can we combine TPRM and Business Continuity Objectives?

The main objective of business continuity and disaster recovery is to reduce the amount of downtime that an organization faces due to disasters like technology failures, natural disasters, or cyber-attacks. Of course, employee safety comes first but then look at the technological aspects of business continuity. Many organizations have outdated BCP/DR plans that are geared towards having a physical office and do not address remote work.

Like many organizations, you may have increased your reliance on third parties for file sharing, Customer Relationship Management (CRMs), donor databases, payment processing, email, and other essential processes. If the third party does not have adequate controls set up, you may be at risk of losing access to the application, loss of data (internal and customer/donor), and loss of time if the application goes down. This is why evaluating third-party providers is crucial to ensuring that your business downtime is minimized, and that data is protected.

7 steps for developing a business continuity and disaster recovery plan that incorporates third parties

Getting started can be simple and involves documenting the applications you’re already using.

1. Develop the purpose of the plan

Typically, the BCP/DR is going to help with the coordination of the recovery of business function.

2. Develop the scope of the plan

What applications, processes, and services will be covered within the plan. To identify these, work with department heads to identify what services they are currently using and what processes rely on IT services/applications. You can utilize a questionnaire or survey along with interviews to gather this information.

  1. Identify third-party applications/assets.
    • Accounting software
    • File share
    • Email
    • CRM
    • Etc.
  2. Identify on-premise / internally managed assets (if applicable)
    • Servers
    • Internet
    • Physical Documents
    • Etc.

3. Identify top risk scenarios relating to third parties and internally managed assets

What scenarios will have the biggest business impact on the organization and the assets that are targeted? This will help form the business impact analysis that determines the criticality of the applications. Example scenarios include:

    • Ransomware
    • Denial of Service
    • Credential Breach
    • Data Loss
    • Continuity of Operations

4. Develop IT systems chart

  1. Identify the system/service
  2. Identify the data stored within the asset
    • Organizational files
    • Donor information
    • Contact information
    • Personally Identifiable Information (PII)
  3. Determine backup and recovery information
    • Are there backups being run for the data?
    • Do you have a secondary backup?
    • Does the third party have a BCP in place?
  4. Based on the risk scenarios and downtime analysis, determine the criticality
    • How long can the organization survive without the application or performing the business function?
      • Tier 1- mission-critical
      • Tier 2- mission important
      • Tier 3- not mission-critical

5. Develop a responsibilities chart

  1. Identify key personnel relating to the systems/services
    • Internal owner- responsible for troubleshooting.
    • Internal backup- the secondary person responsible if the internal owner is not available.
    • Third-party contact/contact information- this may be your IT provider or the third-party help desk number or account manager.

6. Document processes/procedures if the application or service is to go down

  1. What is the communication/troubleshooting process for the application?
  2. What steps will you take to get the system or data back up and running?

7. Test the plan to determine if any additional communication channels are needed or if any updates are needed

  1. Review the top risk scenarios and ensure that you are prepared or have discussed what to do if those scenarios were to occur.

Reviewing and testing your plan

One of the main components of this is to formally document those application owners and processes that will occur if something is unavailable or may cause business disruption. By going through this process and testing the process, you will be prepared to combat business disruptions in the future. As an additional benefit, formally reviewing your third parties will help you better understand how they are managing your data and how well they are securing the availability of the applications.

GRF can help

Contact the GRF Risk & Advisory Services team if you need assistance in developing or reviewing your Business Continuity and Disaster Recovery plans, or reach out to a team member below.

Melissa Musser, CPA, CIA, CITP, CISA

Partner and Director, Risk & Advisory Services

Darren Hulem

Darren Hulem, CISA, CEH, Security +

Risk & Advisory Services Manager

GRF - Tom Brown

Thomas Brown, CISA, CIA, Security+, CAPM

Senior Analyst, Risk & Advisory Services