Vendor Management: Services are Invisible - Until They Don't Work
I started scoping out my next blog entry with PCI in mind (and how it will likely find its way into the community-bank/credit union space in a few years) and was blind-sided by one of my favorite nits to pick recently: the risks presented by poorly managed third-party vendor relationships.
ThePlanet, an ISP based in Texas, suffered a small explosion on May 31, knocking out a large number of hosted websites. According to the Houston Chronicle, "about 7,500 customers were impacted by the fire at ThePlanet's facility. By Sunday, a few thousand customers remained without service. The company was told not to use its backup generators because of fire safety issues, officials said." Upon reading this story, I immediately thought of the community banks and credit unions I work with, the majority of whom use hosted solutions for their external-facing websites. What would an outage such as ThePlanet's mean to them?
For starters, it would render their internet banking capabilities unavailable. While most of these services are hosted by other third-party vendors, that fact is largely invisible to the customer/member. They only know that they go to their institution's website, click on a link, and access the desired service. For all intents and purposes, when the institution's website is unavailable, these services are unavailable. Consider what some of these features are:
Now try to imagine what the impact would be when a customer/member tries to access the website because they have a pressing financial matter to address, and they can't!
Most of my clients don't extend their vendor management programs to assess how such an outage would be addressed. And because most disaster recovery/business continuity plans only cover internal scenarios, it wouldn't be addressed there either.
Coincidentally, I was asked last evening by the Managing Partner of my firm what the three highest-risk topics I'm seeing on my recent engagements were, and I replied:
Based on the ThePlanet outage, it's not hard to understand why.
As for PCI, check back in a few days and I'll explain why you should keep an eye on where the standard is going.