Phase 1: Document Review & Initial Assessment

Blog | March 13, 2026

Verifying a supplier's Business Continuity Plan (BCP) is critical to ensure they can maintain operations during disruptions, protecting your supply chain. Here's a structured approach to effective verification:

  1. Request Documentation:

    • Obtain the BCP document, supporting policies (e.g., Disaster Recovery, Crisis Management), and any test reports.
    • Look for alignment with industry standards (ISO 22301, NFPA 1600) or your specific requirements.
  2. Review Key Elements:

    • Risk Assessment: Does it identify relevant threats (natural disasters, cyberattacks, pandemics, supplier failures, geopolitical risks)?
    • Impact Analysis: Does it quantify financial, operational, and reputational impacts? Does it prioritize critical processes and functions?
    • Recovery Objectives (RTO/RPO): Are realistic Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) defined for critical functions?
    • Strategies & Solutions: Are there clear strategies (e.g., alternate sites, cloud backups, supplier diversification)? Is resource allocation adequate?
    • Roles & Responsibilities: Defined crisis management team? Clear decision-making authority?
    • Communication Plans: Internal/external communication procedures? Contact lists?
    • Training & Awareness: Evidence of employee training on BCP roles and procedures?
    • Maintenance & Testing: Defined schedule for plan review, updates, and testing?

Phase 2: Validation & Verification Techniques

  1. Management Interviews:

    • Interview key personnel (BCP Manager, Operations Head, IT Security, Crisis Team Lead).
    • Ask probing questions: "Walk me through activating the plan during a cyberattack," "How do you ensure critical suppliers are vetted?" and "What was the biggest lesson from your last test?"
  2. Site Visits & Physical Verification:

    • Primary Site: Assess physical security, infrastructure resilience (power, comms), safety procedures.
    • Alternate Site (if applicable): Verify its operational readiness, capacity, and maintenance status. Is it truly viable?
    • Data Centers/Backup Facilities: Confirm security, redundancy, and environmental controls.
  3. Testing & Exercise Review:

    • Demand Evidence: Request copies of recent test reports (tabletop, walk-through, simulation, full-scale).
    • Analyze Results: Did the test achieve objectives? What gaps were found? How were they addressed? Was senior leadership involved?
    • Observe a Test (if possible): Gain firsthand insight into plan execution and team competence.
  4. Third-Party Validation:

    • Certification: Check for ISO 22301 certification (valid and current).
    • Auditor Reports: Review findings from internal or external audits.
    • Insurance: Confirm Business Interruption and Contingent Business Interruption insurance coverage aligns with their risks and your needs.
  5. Supplier & Sub-Tier Assessment:

    • Vet Critical Suppliers: How does the supplier manage their own critical suppliers? Request evidence of their BCPs.
    • Diversification: Assess if they rely on single points of failure (geographically concentrated suppliers, unique tech).
  6. Scenario-Based Validation:

    • Present specific scenarios relevant to your industry/supply chain (e.g., "Port shutdown for 3 weeks," "Key component factory fire").
    • Ask the supplier to walk through how their BCP would respond. Evaluate the realism and effectiveness of their proposed actions.

Phase 3: Ongoing Monitoring & Continuous Improvement

  1. Establish Verification Cadence:

    • Base frequency on risk tier (Critical suppliers: annually and after any major change; Standard suppliers: every two years).
    • Trigger re-verification after significant incidents, changes, or tests revealing major gaps.
  2. Integrate into Contractual Agreements:

    • Include BCP requirements, verification rights, and consequences for non-compliance in contracts/SOWs.
    • Define acceptable RTOs/RPOs for critical services.
  3. Track Corrective Actions:

    • Document findings and required corrective and preventive actions (CAPAs).
    • Set deadlines for resolution and verify completion.
  4. Share Insights & Collaborate:

    • Discuss findings with the supplier. Offer support where appropriate.
    • Share industry best practices (if applicable) to foster mutual resilience.

Key Considerations & Red Flags

  • "Paper Plan" Risk: Be wary of plans that exist only on paper, lack recent testing, or have significant unresolved findings from past audits/tests.
  • Lack of Specificity: Vague plans (e.g., "use alternate site") without details on activation, logistics, or resource availability are inadequate.
  • Ignoring Dependencies: Plans that don't address reliance on other suppliers, utilities, or infrastructure are incomplete.
  • No Executive Buy-in: Lack of visible support from senior management undermines the plan's credibility and resource allocation.
  • Outdated Information: Contact lists, process maps, or risk assessments that haven't been updated recently indicate the plan is not being maintained.
  • Focus Only on IT: BCPs must address all critical business functions, not just IT recovery.

In essence: Verification is an ongoing process, not a one-time audit. Combine document scrutiny with direct engagement, testing evidence, and physical checks to gain a realistic understanding of a supplier's true resilience capabilities. Prioritize suppliers critical to your operations and tailor the depth of verification accordingly.
