The information system of a provider is an essential element. When outsourcing one of your services, make sure that your partner has a Business Continuity Plan (BCP) in case of a threat to its digital systems, network or infrastructure, a power outage, a hardware failure or even a natural disaster.
The importance of establishing a BCP
With the dematerialisation of data, data protection has undeniably become a major concern. Any failure of your provider’s computer system can have serious consequences; in some cases it can endanger your business.
Your provider has the duty to anticipate and plan for the occurrence of these risks. In particular, he must plan to introduce a solution designed to back up the data that he has at his disposal. This requires a business continuity plan (BCP), which includes a mission recovery plan. This plan must be up-to-date, robust, continuously tested and easily understandable. Human and technical resources are part and parcel of the equation.
Therefore, the purpose of the BCP is to allow the company to limit any harmful impact that may be caused by the interruption of its activity. It is no secret that in the world of outsourcing, where the information system is one of the central nerves, an interruption of activity can quickly occur, and this can have heavy consequences for the “victim” and especially for its clients, in other words, you!
Understand how the risk of downtime will be treated
Ask your provider frankly about his or her method of reducing the risk of downtime:
- Does he accept it even if it impacts his business, his customers and their respective profitability?
- Has he planned to stop or not launch his delivery when faced with a potentially high threat?
- Does he have an alternative so that he can transfer his business or protect himself (other offices, insurance, etc.)?
- Does he have a well-established procedure to deal with the risk upstream in order to reduce any possibility of downtime?
- Has he implemented a BCP (Business Continuity Plan) or an RBP (Return to Business Plan) to limit the impact of any incident?
What are the consequences involved?
- Financial: Time is money, to repeat the old saying. In case of an interruption of activity, the bill can amount to several million euros in the most complex cases.
- Customer satisfaction: the image and reputation of a company sometimes depend on several factors. An interrupted service can be detrimental to customer satisfaction.
- In-house: employees, contractors, management; the interruption of activity always has consequences on the normal course of an organisation.
- Legal: as a provider, a company must be legally able to meet its obligations towards its client, otherwise it will be financially penalised, not to mention the impact on its reputation.
Understand the implementation of a “Business Continuity Plan”
Continuity of activity is an important issue for the provider, so he must think and plan his approach, without leaving any room for improvisation. If he chooses to create his Business Continuity Plan in-house, he will have to have trained and competent employees who can take charge of this sophisticated and technical approach in order to develop a plan to manage the disruption with a recovery time objective.
It all begins with the establishment of three essential foundations:
- A crisis unit,
- Procedures to be activated in the event of an incident to ensure continuity or resumption of activity.
The purpose of this set is to determine:
- Critical data and process availability issues, needs and requirements,
- The importance of your company’s assets and information and
- Risks to the information system.
It will then be necessary to dissect, analyse and exploit the following elements:
- Key suppliers: Verify the contractual commitment, and whether the provider has a pool of relay suppliers or is able to re-internationalise its activity.
- Substitution sites: The provider must have the possibility to propose a relay to one or more substitution sites in order to save the data.
- IT and telecom providers: The provider must have procedures and strategies in place to manage its human and technical resources in the event of an emergency.
- Human resources: the provider must have HR procedures in place to ensure continuity of service in the event of a threat of business interruption due to exceptional circumstances.
- Written documents: the provider must be able to provide his client with written documents that clearly explain his actions in the event of a problem.
Good to know:
Your provider must also put in place test procedures to ensure their effectiveness during a possible failure.
These procedures need to be constantly reviewed in order to be up-to-date.
The business continuity team must also be trained and tested, and it must carry out simulations based on the plan and the strategies agreed upon.
In the context of outsourcing, it is in the client company’s interest to check with the chosen service provider whether it has put in place a Business Continuity Plan, as this is not only a question of sustainability but also of the profitability of both parties.
This process would certainly take a long time to set up, requiring permanent maintenance. However, it will allow the provider to offer a system of prevention and recovery of data when a potential threat occurs (computer, climate, etc.).
The Business Continuity Plan serves to protect all stakeholders involved in outsourcing, so it must be robust, tested and continuously improved to ensure that no identifiable flaws remain in a sensitive system.