Chaos and disruption have been the story thus far in 2020, and the world of third party risk management has been no exception.
Knowing how your organization’s data is being handled and protected by your third parties has always been a challenge and the current situation has only complicated these procedures. While there is no perfect roadmap to navigate these difficulties, companies are finding ways to adapt and gain peace of mind over the protection of their data. These are a few best practices we have seen over the past year that can help improve your vendor management program.
Open Communication
Beyond the annual assessment or questionnaire, maintaining an open dialogue between you and your vendors is absolutely critical. Whether it be staffing issues, financial problems within the company, or simply the regular stresses of working from home, your vendors are facing the same challenges many of us are in the current setting and are often conducting business in different ways than before. Even an occasional email or 15 minute call with your vendor contact can open up communication lines and uncover challenges a vendor is facing that would never show up in an annual assessment. An open communication line allows you and your business to anticipate and counteract potential issues before they become incidents.
Emphasis on Resiliency
Before this year, having a Pandemic Procedure outlined in your Disaster Recovery Plan seemed like a formality. Unfortunately, as the world found out the hard way, truly anything can happen. It is important to be sure that your vendors, especially those critical to your business’ functions, have procedures and resources outlined in order to keep their business operational. Beyond documented procedures, performing a tabletop walkthrough has become a best practice in order to establish roles and responsibilities for key members prior to dealing with an actual event. Give emphasis to your vendors’ resiliency plans and procedures. Remember, to be proactive is to be prepared.
Leverage Third Party Attestations
While there is no replacing in-person interaction, companies everywhere are finding ways to make do virtually. The relationship can be maintained, but gaining assurance over controls can be tricky, especially physical controls that require on-site observation. The ability to leverage third party attestations such as SOC 2 or ISO 27001 is truly invaluable when you are unable to verify these controls yourself. Additional evidence can be obtained to satisfy most controls, but independent reports such as these offer peace of mind when operating in a virtual world.
Peace of mind is hard to come by these days, and data security is never certain. Hopefully the lessons of the past few months can be used to prepare your vendor management program for whatever comes next in 2020.
This article is part of a series exploring the importance of third-party risk management programs; additional articles are available in our Third Party Risk Management article library.
About Schneider Downs Third-Party Risk Management
Schneider Downs is a registered assessment firm with the Shared Assessments Group, the clear leader in third-party risk management guidance. Our personnel are experienced in all facets of vendor risk management and hold the credentials (CTPRP, CISA, CISSP, etc.) necessary to deliver meaningful results and help your organization take its vendor risk management program to the next level.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.