What You Need to Know About Their Business Continuity Plan
Working with a vendor to print and mail your customer communications offers many benefits. By outsourcing, you no longer have to worry about all the things having an in-house system requires, including business continuity. But, you must ensure that your vendor’s plan meets your guidelines. You should be privy to their plan as part of your partnership with your provider.
Why do you need to know about the plan? Because, it’s your reputation on the line, should something occur that shuts down the vendor’s main operations. There are also concerns relating to compliance and how all the regulations you must adhere to are covered.
Whether you’ve been provided their business continuity plan or not, there are certain areas to pay close attention to and questions to ask. Keep reading to get the facts on what you need to know about your provider’s plan.
One of the most important metrics of business continuity is estimated downtime. That’s because even a few hours can impact your operations. Downtime is dependent on multiple factors, including how long it takes to reroute operations to their alternate location.
First, the actual data has to be accessible to the second location. Ask questions about how this transfer occurs. Your vendor may have redundancy built in, wherein data is automatically available at both locations.
Downtime is contingent on shifting labor from one task to yours. Inquire about the number of employees at each site to ensure they have the bodies to cover business continuity situations.
Obviously, you want the least amount of downtime possible. However, you need to ensure that the protocols in place for your communications are carried out to the second location. Quicker doesn’t always mean better. When looking at downtime estimates, be sure that every necessary precaution is taken.
Where: Geography and Security
Every customer communications vendor must have multiple locations. In the case of a disaster, power outage, or any other potential risk, you’ll want to ensure that your vendor’s additional locations are in different areas.
Having locations within the same state or even region could be risky, especially if tornadoes, hurricanes or blizzards are the disaster. These weather conditions have the possibility of disrupting operations across a broad path. A good rule is for locations to be in different regions of the country. Make sure to ask and confirm which location is the primary one for your customer communications and which is the secondary.
Security of the second location should also be scrutinized. Just because it’s a backup solution doesn’t mean it shouldn’t have the same security protocols as main sites, including restricted access and surveillance.
With customer communications come the need for adherence to numerous regulations. From invoices to explanation of benefits (EOBs) to payments, all these communications include sensitive information that must be protected. While you may have knowledge of the compliance measures of your vendor at their main operations, you still need to know that other locations mirror these.
Do your due diligence here to mitigate any compliance risks or possible breaches. If a breach occurs, you’re just as responsible as your vendor. Along with a hit to your brand’s credibility, there is a monetary cost, which on average is $4 million per breach.
First, you need to protect any personally identifiable information (PII), which is everything from names to Social Security numbers to account numbers. Then there are industry-specific guidelines like the Health Insurance Portability and Accountability Act (HIPAA), which regulates how private healthcare information is used. Another is the Gramm-Leach-Bliley Act (GLBA) which dictates how financial institutions disclose and safeguard private financial details.
Compliance requirements don’t change if operations are disrupted. No regulating agency is going to overlook non-compliance even in the face of disaster. Feel confident in your vendor’s ability to comply with federal, state and industry regulations.
Disaster Recovery: Does Your Vendor Make the Grade?
After reviewing all the possible areas of weakness, what grade would you give your current vendor? Ideally, the vendor’s disaster recovery plan should be multi-tiered focusing on protection, sustainment and recovery. You should experience little to no downtime, as if nothing occurred. Systems in each location should be redundant and ready to take over should something occur to the main location. Choose a vendor with a scalable, secure and compliant cloud infrastructure.
If you aren’t sure about your vendor’s business continuity plan or don’t feel confident in their ability, it may be time to change your provider. At PCI Group, our business continuity plan is transparent and free of vulnerabilities. Learn more about how we can help by seeing a demo of our solution.