NCSRC NIRMATA
BCR-07 · Business Continuity & Resilience · 4% of OML score

Are key suppliers or service providers included in continuity planning?

This question asks whether your business has identified all the suppliers and service providers you depend on (like your cloud vendor, payment gateway provider, logistics partner, or electricity distributor) and included them in your plan to keep working if something goes wrong. You need to know who your critical partners are and what will happen to your business if they suddenly stop working.

⚡
Why This Matters to Your Business

If a key supplier fails without warning, your business stops, and you have no backup plan. For example, an e-commerce business in Bangalore that relies on a single logistics partner loses the ability to ship orders for days if that partner's system goes down; customers cancel, revenue drops, and the business loses market reputation. A manufacturing unit dependent on one raw material supplier from Gujarat faces production shutdown if that supplier's factory catches fire. A fintech company using one payment gateway loses transaction processing and customer trust when that gateway has a security breach. Without supplier continuity planning, you cannot meet customer commitments, you fail audit requirements from larger clients, and you may breach contractual SLAs.

📊
What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no list of critical suppliers or service providers. You have never thought about what happens to your business if your main vendors stop working or fail.

Level 1
Initial

You have a mental list of important suppliers but nothing written down. If someone asks who your critical partners are, you can name a few but cannot quickly show a document.

Level 2
Developing

You have a written list of key suppliers and service providers (like your ISP, hosting provider, payment processor, courier). You know what each one does but have not formally assessed what would break if they failed.

Level 3
Defined

You have documented critical suppliers with contact details and what service each provides. You have identified which ones are truly critical (e.g., payment processor, internet) versus important but replaceable (e.g., office stationery vendor).

Level 4
Managed

You have formal continuity plans for each critical supplier, including backup vendors, switchover procedures, and contact escalation chains. You test these plans annually and update them when supplier relationships change.

Level 5
Optimised

You maintain an active network with backup suppliers, conduct regular continuity drills with critical partners, have formal agreements (contracts or SLAs) that require them to have their own continuity plans, and monitor their financial health and compliance status quarterly.

🚀
How to Move Up — Practical Steps

| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Call a 30-minute meeting with operations, sales, and IT leads. Ask each person to list the 3-5 vendors or services the business cannot operate without for even one day. Write down the answers. | Business owner or operations manager | 1 day |
| 1 → 2 | Create a simple spreadsheet with columns: Supplier Name, Service/Product, Contact Person, Phone, Email, Alternative Vendor (if known). Fill it with at least 10-15 key suppliers. Save it and share with operations team. | Office manager or IT person | 3-5 days |
| 2 → 3 | Review the supplier list and mark each as Critical (business stops without it within 24 hours), Important (causes delays but not complete stop), or Nice-to-have. Document why each Critical supplier is critical and what the business impact would be if they failed. Add this to your Business Continuity Plan. | Operations manager with business owner sign-off | 1-2 weeks |
| 3 → 4 | For each Critical supplier, develop a continuity card: switchover procedure, backup vendor contact, estimated time to switch, who owns the switch decision. Test switching to one backup vendor (even as a table-top exercise) to prove it works. Document the test results. | IT person and operations manager | 2-4 weeks |
| 4 → 5 | Conduct quarterly supplier health checks: call backup vendors to confirm they can still help, review critical suppliers' financial reports or news for warning signs, conduct annual joint continuity drills with at least 2 critical suppliers, update contracts to require suppliers to have their own continuity plans, maintain a log of all checks and drills. | Procurement manager and IT person (ongoing owner) | Ongoing, 2-3 hours per quarter |

📁
Evidence You Should Have

Documents and records that prove your maturity level.

  • Written list or spreadsheet of all critical suppliers and service providers with contact details and service description
  • Risk assessment or impact analysis document showing which suppliers are critical and what business impact occurs if each fails
  • Business continuity plan document that includes supplier continuity procedures, backup vendors, and switchover steps for at least the top 5 critical suppliers
  • Continuity cards, runbooks, or checklists for each critical supplier showing who to contact, how to switch, and estimated switchover time
  • Evidence of testing or drills (email records, meeting notes, test report) showing that continuity procedures for suppliers have been validated at least once
🔍
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Can you show me your list of critical suppliers and service providers? How did you decide which ones are critical?"
  • "What happens to your business if your internet provider fails for 24 hours? Show me the plan to recover."
  • "If your payment gateway goes down, what is your backup? How quickly can you switch? Have you tested this?"
  • "Who are your backup vendors for your top 3 critical suppliers? Can you provide their contact details and confirm they have agreed to act as backups?"
  • "How often do you review this supplier list and update it? When was the last update and why?"
🛠
Tools That Work in India

| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and maintain supplier list, contacts, and criticality scores | Google Sheets or LibreOffice Calc with shared access | Monday.com (₹999-2,999/month) or Airtable (₹480-960/month) |
| Document business continuity procedures and run continuity drills with suppliers | Google Docs for shared documentation, email for coordination | Everbridge (₹5,00,000+ annually) or Assure Holdings (pricing on request, enterprise) |
| Monitor supplier financial health, compliance status, and news alerts | Google Alerts for supplier names and industry news, MCA portal for company status checks | Dun & Bradstreet India risk reports (₹5,000-20,000 per report) or Bloomberg Terminal (₹3,00,000+ annually) |

🛡
How This Makes You More Resilient
When you have supplier continuity plans in place, your business can keep running even if a critical vendor fails temporarily—you know exactly who to call next and how fast you can switch. This means you avoid losing revenue, disappointing customers, or breaching contracts during vendor outages. It also means you can confidently promise delivery to your own customers because you have proven backup options.
⚠️
Common Pitfalls in India
  • Thinking only about IT vendors (hosting, email) and forgetting about operational vendors (electricity supplier, logistics, raw material supplier)—the impact is just as severe when the power goes out or your shipment is stuck
  • Creating a supplier list but never actually testing the backup plan; when a crisis happens, the backup vendor may have changed their offering, pricing, or contact person, and switchover takes 10x longer than planned
  • Assuming one vendor can be replaced easily without checking—for specialized services like payment gateways, courier integrations, or industry-specific software, there may be only 2-3 real options in India, all of which are expensive or complex to switch to
  • Not documenting continuity responsibilities; when a critical supplier fails, nobody in your team knows who should contact the backup vendor, approve the switch, or update customers—valuable time is lost in confusion
  • Forgetting that your suppliers also depend on their suppliers; if your payment gateway's own data center provider fails, they fail too—ask your critical suppliers to provide their own continuity plans as part of your evaluation
⚖️
Compliance References

| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (data fiduciary obligations) and Schedule 2 (Technical and organizational measures) require plans for continuity when processing personal data; critical data processors (cloud hosts, backup vendors) must be included |
| CERT-In 2022 | Direction 4 (Incident Response) and Direction 6 (Business Continuity) require organizations to include vendors in continuity planning and test recovery with vendors |
| ISO 27001:2022 | Clause 5.7 (Supplier relationships) and A.15.1 (Information security in supplier relationships); A.17.1 (Planning and preparing for continuity) requires including suppliers in continuity scope |
| NIST CSF 2.0 | Govern (GV) function GV.RO-04 (Third-party risk management) and Resilient (RS) function RS.PO-02 (Continuity planning with internal and external parties) |


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
