
The Missing Piece in Vendor Contracts: Business Continuity

Richard Long

Published on: September 09, 2025


Today’s organizations rely to an unprecedented degree on third-party vendors, but few companies ask whether their key suppliers can withstand shocks or recover quickly from disruptions. It is past time for companies to insist that business continuity (BC) requirements be included in their vendor contracts.

 

[Related: Let’s Get Critical: Identifying the Vendors You Truly Depend On]

 

How Outsourcing Outpaced Resilience

Over the past couple of decades, companies have moved to outsource functions outside their core competency at a pace that amounts almost to a stampede. Many activities that used to be managed in-house have been handed off to third parties, including many critical technology functions. Today, many companies are 100 percent cloud-based, with their IT teams focused on connectivity and application support rather than on the infrastructure itself.

Outsourcing has clear benefits in terms of efficiency and cost savings, but it has also created new vulnerabilities. Organizations rarely ask whether the vendors they rely on are prepared to handle disruptions. Most contracts contain no BC provisions.

The result is a dangerous and growing blind spot, one that encompasses digital services, traditional services, and physical goods. 

Clients often tell us that SaaS solutions like Microsoft 365 and Salesforce are “too big to fail.” CrowdStrike was also viewed this way—until it crashed worldwide last year, leading to the cancellation of thousands of flights, disruption of hospital operations, and significant financial impacts for businesses across the globe. 

Outsourcing is great, but companies’ reliance on it has gotten far in front of the implementation of the measures needed to make it safe. 

Four Common Fallacies

When we ask organizations why they don’t seek to include BC language in their vendor contracts, the answer often boils down to misplaced confidence. We hear variations of the same four fallacies again and again:

  • The Cloud Fallacy

Many leaders believe that because a solution is based in the cloud, it can’t fail. As the CrowdStrike incident reminds us, cloud providers can and do experience outages. To learn more about this fallacy, read MHA CEO Michael Herrera’s post, “The Cloud Is Not a Magic Kingdom: Misconceptions About Cloud-Based IT/DR.”

  • The Large-Company Fallacy

Another common assumption is that size guarantees resilience. But being large doesn’t make an organization immune to disruption. Even industry giants can suffer failures that cascade down to their clients. Consider how often airlines’ systems go down, causing flight delays or cancellations. These are huge companies. 

  • The Memory Fallacy 

Because people don’t recall a major outage with a given vendor, they assume one will never happen. This is a dangerous case of “out of sight, out of mind.” As financial planners say, past performance is no guarantee of future results. Just because a provider hasn’t had a visible disruption in recent years doesn’t mean they’re invulnerable. History is full of examples where long reliability suddenly gave way to widespread failure.

  • The SLA Fallacy 

Many BC practitioners assume that the Service Level Agreements (SLAs) they have with their vendors amount to proof of the vendors’ resilience. They don’t. SLAs simply define service expectations and penalties if those expectations aren’t met—for example, a subscription-fee reduction if an outage occurs. But a refund doesn’t help you keep your business running when a critical service goes down. And the cost to the provider might be a fraction of the impact to your company, resulting in widely varying levels of investment and motivation. True BC requires evidence that the vendor has robust disaster recovery plans and has tested them.

Recognizing these fallacies for what they are is the first step toward building vendor agreements that provide real continuity assurance instead of false comfort.

 

The Need to Talk About BC in Contracts

Given the stakes, it’s no longer sufficient for companies to indulge in wishful thinking or trust their futures to luck. Organizations need to know where their key suppliers stand in terms of resilience. They should also oblige critical suppliers with weak BC programs to make improvements. Achieving these goals means putting BC requirements into contracts.

The goal is not to dictate the exact form of the vendor’s BC program. Rather it’s to gain visibility into their preparations and, if necessary, induce them to develop a higher level of resilience. Signed contracts are the best mechanism for effecting the needed changes.

Including BC terms in vendor agreements will improve the resilience of customer organizations. It can also bring advantages to the vendor in the form of improved robustness and competitive advantage. As the movement to write BC requirements into vendor contracts picks up steam, the whole organizational ecosystem will become stronger and safer.

 

Tips for Getting BC Into Your Contracts

Here are some practical tips to guide the process of adding BC provisions to your vendor agreements: 

  • Recognize the Need 

Start by acknowledging that this is something worth doing. Learn the lesson of the CrowdStrike outage. Divest yourself of the ideas that the cloud is a safe haven, that big companies never stumble, and that SLAs are sufficient.

  • Identify Your Critical Vendors 

Not every vendor is equally important. Use your Business Impact Analysis (BIA) to determine which providers are critical to operations. Remember, a vendor might look minor to a single department but be vital when viewed enterprise-wide.

  • Assess How Much Leverage You Have 

Once you’ve identified your critical suppliers, assess how important your organization’s business is to them. Giant providers like Microsoft tend to offer their services on a take-it-or-leave-it basis. Smaller ones might be more accommodating. 

  • Create a Vendor-Contract Wishlist

It can help to know what the ideal contract would include (even though it might be a while before we get there). In a perfect world, a vendor contract would include the following provisions:

      • A commitment that the vendor has implemented appropriate BC and disaster recovery (DR) measures.
      • The right to review testing results and plans annually.
      • Requirements for periodic BC and DR exercises, preferably including recovery testing.
      • Documentation showing that the vendor’s recovery objectives (RTOs and RPOs) align with your organization’s needs.

  • Request, Explain, Advocate

Ask for BC provisions. Explain why they’re important to you. You never know until you try, and the more clients who ask, the more vendors will feel the need to step up. At minimum, ask for summaries of plans, recent test results, and confirmation that a program exists and is actively managed.

  • Get Expert Help 

Work with your legal team to get the language right. You might also bring in BC consulting firms like MHA that have seen how supplier outages can impact companies and know what sort of provisions should be enshrined to keep customer organizations safe.

  • Make It Ongoing 

Negotiating BC terms is not a one-and-done exercise. Continue reviewing contracts, advocating for stronger provisions, and building vendor awareness. Over time, these efforts will pay off in stronger contracts and greater resilience across your entire vendor network.

By taking these steps, organizations can shift vendor contracts from being mere service agreements to becoming powerful tools for ensuring resilience and protecting their own continuity.

 

Moving from Assumption to Assurance

In today’s outsourced environment, too many organizations assume the vendors they rely on will be available no matter what. But as the CrowdStrike incident and other outages have shown, that assumption is dangerous.

To protect your organization, you need contracts that require evidence of BC and DR readiness—and you need to verify that your critical vendors can deliver. By recognizing the issue, identifying your critical vendors, and pushing for BC provisions in contracts, you can significantly reduce your exposure. 

At MHA Consulting, we have decades of experience helping organizations close gaps in resilience, including strengthening vendor agreements. If you’re ready to move from assumption to assurance, get in touch; we’d be glad to help you safeguard your operations.


