Monday 24 February 2014

Auditing Providers, Intrusion or need?

By Moises Lopez Soto

In recent years, the way services are delivered has diversified, increasing the number of providers that make up the supply chain and, therefore, the complexity of controlling all the components needed for a successful final result. Trends such as outsourcing some time ago and, more recently, cloud are clear examples.


We find ourselves every day facing the challenge of ensuring the business continuity of our organization with a high number of external agents and, in some cases, one of these external agents could be absolutely essential to the future of our company. That is why we must act proactively to strengthen the links in the whole chain, minimizing risks and cushioning the impact that the break of a weak link could have on our business. This is a complex task when we have to control processes and resources internally, so it is easy to assume that it will be much more complicated with external agents, which have full freedom to be independent in their processes and in the way they deliver their services.

SLA is not enough

Establishing Service Level Agreements is completely valid and necessary in areas of service such as capability and availability, but when we are talking about continuity it becomes insufficient. Among other things, this is because we are referring not so much to the supplier's ability to deliver the service as to its ability to keep delivering it after suffering a contingency.

The most common solution is diversification: relying on a model of "duplication" on a provider-per-service basis, with an N-to-1 relationship and a minimum of two providers, just like load balancing in a data network. In some cases this is the usual way to deliver the service; in other scenarios it means an increase in the resources required for service management, with a greater workload for staff. Nevertheless, it is NOT a valid solution for all services. For example, it is not usual to establish this kind of countermeasure when we are talking about business-critical services such as providers of essential services (electricity, water, etc.), when the solution is too complex or too expensive, when there is a monopoly, or when a single infrastructure is common to different suppliers. In any case, it seems absolutely clear that the relationship model between the provider and the company has to be strong enough to carry out all contingency scenarios just as if they were the same company.

Audit process, an interesting weapon

The day may be close when ISO 22301 (or similar) is required to provide certain kinds of services, just as ISO 28000, ISO 9000 or even ISO 20000 are required, but until that day arrives, audit processes become an interesting weapon. On the one hand, they would significantly strengthen the customer-provider relationship; on the other, they will help to raise awareness of, work on and improve business continuity in both companies.
It is true that providers can refuse, as we could see in the event that was supported by SIA last year, but it must be the customers who assign some weight to the business continuity countermeasures that their providers include in their service delivery proposals.

Providers should consider audit processes as a turning point in their business continuity activities or, if they have not done anything before, as a starting point to provide resilience to their own business, with the opportunity to strengthen and enhance the relationship with their customers and, at the same time, get a business and marketing return on their actions in this field. On the other side, customers should approach them constructively, focusing on growth and providing support and advice to the audited provider. Definitely, a win-win relationship.

Nowadays, audit processes are called to be the main element in ensuring the strength of the business continuity management system and, therefore, the resilience of the company, so they seem to be more a need than an intrusion.
