Third Party Failures: Protecting Your Business from Other Companies' Mistakes

It's important to recognize that your business can be impacted by failures at a third-party supplier or vendor. It is important to have a contingency plan if a critical supplier fails. Below is an excerpt from Prepare for the Worst, Plan for the Best: Disaster Preparedness and Recovery for Small Businesses by Donna R. Childs, which provides more information on how to protect your business from third-party failures:

You have made significant efforts to protect your business from human errors and from equipment failures. But you are not alone in this world and your business is highly dependent on third parties providing a variety of services to you. There are direct IT services, such as your Internet connection, e-mail, and Web hosting that are provided via the Internet from a data center if you outsource these services. And of course there are the standard services, like phone lines, electrical power, water, heating, and air conditioning, and so forth.

If you could, you would like to buy each service from two separate vendors, so that you have two companies providing you with phone service, another two providing you with Internet access, and so on. In theory, if one service fails, you would always have the same service from your other provider available. But that is only in theory.

When you buy services for your business, each supplier offers a whole list of service offerings and to make it really attractive, your salesperson will offer a nicely priced packaged deal. So a phone company would offer you Internet access together with their phone service, a cable TV company would offer you Internet access with your cable TV, and so on. Most throw in additional services, like e - mail and Web - hosting. Many people do not know that you can get add - on services by themselves, such as cable Internet access without having to sign - up for cable TV. In fact, you should carefully review if any type of bundling of services from one provider is really worth the savings. Often it is not, and there is more built-in dependency than you would appreciate at first glance. For example, the e-mail accounts that accompany the service subscription are normally accessible only when you have been authenticated and are connected via that particular Internet service. Of course, the vendor will tell you that they are doing it to protect themselves from abuse of their mail services for relaying spam mail. But this is only partially true because there are many other methods, like separate authentication for outgoing e-mail or limiting the number of outgoing mails from one e-mail account, which would have little effect on you, but would deter individuals that would like to send spam mail to thousands of people.

However, what your Internet service provider (ISP) is trying to do is to tie you, their valued customer, as much as possible to their services. This means that if your Internet access goes down, so does your e-mail. Only when you try to change your ISP, will you realize how much they have managed to lock you in. And imagine this happening to you in a disaster situation, your ISP no longer offers services for whatever reason, and suddenly you not only have to work on getting a new ISP, but you need to change your e - mail address as well. When you are in an emergency situation and responding to a disaster, you don ' t want to have your hands tied this way.

Choose your ISP independently of the other services they provide in their package. You first want to make sure that the Internet service suits your needs. As for the provider ' s other offerings, like phone service, make them secondary services for your business and obtain a separate primary phone service contract from another provider. This is particularly true for e-mail and Web hosting service through your ISP. Use them for noncritical applications, such as a Web site for internal information that you make available with password authentication. Here you can post the latest marketing information that can be accessed by your sales staff on the road. Purchase critical services, like your e-mail and your sales-generating Web site, through a large independent data center.

When we speak of service that has failed, we do not necessarily mean total blackout of that service. In fact, most third-party services have in their contracts clauses about reliability guarantees, so the service itself rarely goes down. But the quality of the service provided can be so poor that it is practically useless to you. Then you have to fight with the provider to fix trivial problems like noisy telephone lines, slow Internet connections, surges in electrical power, or insufficient heating or air conditioning. Before you sign up with any company, try to meet the people in charge for your technical support when you enroll. They need to give you satisfactory answers to how and how fast they would resolve issues for you and specify those guarantees in the contract. You also want to explore the possibilities of a test connection or visit one of the provider's existing clients and have your IT-savvy person check out important parameters, such as the bandwidth and latency for a planned network connection. You can then determine if it is within the range you need.

Before you start looking for an alternate provider, it makes sense to first meet with a representative of each of the organizations that wishes to provide the service to you. They will sensitize you to issues that you had not appreciated. It is essential that you try to establish a good relationship with your contact at the third-party service provider. Attend any information sessions to which you are invited. They are a good opportunity to meet the senior management of that company in a casual setting. Mention to them that you are working on preparing a contingency plan for your business and would like their recommendation on which provider you should use as a backup if their service fails—not that you assume it will, but just in case. It is a good idea to follow it up with a "thank you" letter expressing your interest in promptly completing your contingency planning.

You will achieve two results:

  • You will receive a letter outlining the contingency plans that your third-party provider has in place that will guarantee your service. The guarantee that you receive is usually somewhere between 99.5% and 99.999%, equivalent to a few minutes per year.
  • Your provider will, reluctantly, recommend one of their competitors as a backup provider. They won't do it in writing, but they will tell you on the phone.

If you do not achieve those two results with your service provider, then switch if you can. It makes no sense to stay with them in the long run. In any case, you need to obtain contingency, meaning at least a second, maybe even a tertiary, service provider. And having personal contact with direct phone numbers is very important. If you are in disaster-recovery mode and need their help, you do not want to log a support request with their customer support desk thousands of miles away and hope for a prompt response by their local emergency team.

Again, if e-mail and Web hosting are essential to your business they should be hosted in a professionally managed data center. Outsourcing is not expensive. You can find simple Web and e-mail services that cost below $10 per month, but you should be aware that at low prices, you are sharing the service with others, which has security implications. However, the advantage is that you definitely do not want to do your own constant network load monitoring, fault detection, and upgrade plans for scalability as your business grows. There are also some inherent advantages because you might get some services at a data center that you cannot build yourself. For example, hosted e-mail services most often provide additional antispam measures that work by comparing e-mail that is sent to hundreds of accounts of different companies at the same time, indicating that it is some sort of mass mailing, most likely spam, that is then automatically blocked if you have requested this service.

In the case of a disaster, you want your staff focused on getting the business up and running. You do not want to think about moving services to get your Web site back up because your ISP has failed. In that sense, good planning and purchasing of services can definitely simplify your own disaster contingency plans. Make sure, however, that your service providers are well equipped to handle their own emergencies and can handle disaster situations at least as well as you can.

From Prepare for the Worst, Plan for the Best: Disaster Preparedness and Recovery for Small Businesses by Donna R. Childs. Copyright 2008 John Wiley & Sons, Inc. All Rights Reserved. Used by arrangement with John Wiley & Sons, Inc.