business continuity | COVID-19 | disaster recovery | Vendor Management

The COVID-19 pandemic is top of mind. The interruption of our lives is far reaching.

There are so many needs that as a business executive you must address, it is simply overwhelming. The first, of course is being in business when the world returns to a happier place.

A required area of oversight is that of Vendor management. There are two specific plans that you must require of your vendors. These are their Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).

As part of the CSRPS educational series on compliance please find below a road map of how you should evaluate your vendors as it relates to both BCP and DRP.


Oversee vendors as you would any department in your company, regardless of the vendor’s reputation or apparent ability to comply with consumer protection laws and regulations.

A crucial component of vendor management is verifying that your vendors are correctly implementing strong BCP and DRP. These plans must demonstrate the level of preparedness to minimize and/or prevent operational downtime and data loss risks.

If it does not, then this is a red flag. 


A properly implemented BCP ensures your organization’s critical operations, products and services are always delivered as expected and as specified in your organization’s vendor contracts.

A BCP provides an overview of the safeguards, analysis, testing and trainings in place to ensure measures have been established to prevent the cessation of operations in case of a business interruption event.

A BCP must address:

  • Planning for loss of personnel, facilities or services
  • Planning with public entities (emergency services, local and state disaster relief agencies)
  • Communicating with significant vendors, clients, employees and (if applicable) the media

When reviewing a vendor’s BCP, ensure it covers:

  • Critical components needed to ensure your organization’s operations continue and these components are tested on a regular basis.  The test results must be reported to your organization for analysis.
  • Should the vendor become unavailable, will your organization continue to operate normally and for how long.
  • Personnel loss and what is in place to continue operations, such as, cross-training, use of staffing agencies, automation tools, work-at-home protocols, identified essential personnel.
  • The vendor’s secondary work facility and remote work capabilities are secure in case it is necessary to relocate their operations.  How quickly will the vendor be ready to resume operations to handle your business needs?
  • Verify there is a clear communication plan in place in case of a breach event.  This plan must align with your organization’s information security plan(s) and must be included in the contract between your organization and the vendor.  It will confirm the timeframe of when the vendor will notify your organization of a breach or disruption in its ability to maintain information security systems that meet regulatory requirements.


The DRP details the processes and procedures to be followed as soon as a business suffers a disaster.  The DRP is in effect a until normal operations resume.

The DRP provides details regarding:

  • Implementing the DRP in accordance with the BCP
  • Determine what constitutes a disaster incident
  • Procedures for designating disaster recovery personnel and assigning their responsibilities
  • Coordinating communication and assistance between your organization and public entities as needed
  • Determinations, planning and communications on resuming normal operations

A vendor’s DRP must be reviewed to verify they are prepared and have trained their staff on items, such as:

  • Have they made their DRP readily available to all staff?
  • Publish an internal communication hierarchy and an incident management program.  All organization team members must know to whom and how to formally declare a disaster and who is responsible for recovery action items.
  • Address what to do in the event of a disaster resulting in data loss, system unavailability and/or equipment loss.
  • How quickly can the data, systems and/or equipment be restored?
  • Verify the operability of the secondary work location and/or data center.
  • Have a clear communication plan meeting specified timing requirements and regulatory requirements and identify.
  • Identify the designated person to notify your organization.
  • Review IT functions and if any are outsourced.


The above is a basic guide and not all inclusive.

It is important you understand your vendors’ operations, testing procedures and schedules. A  vendor’s processes should equal or exceed your organization’s data privacy and data protection processes.

A strong vendor risk management program is key to maintaining compliance and avoiding claims of improper treatment of your customers and your customers’ data.

For more information on best practices and guidance, visit

Michelle Johnston, CIPM, CIPP/US


Contact CSR