2020 introduced many unforeseen circumstances across the world with very few companies prepared to tackle the challenges that a global pandemic such as COVID-19 brought to light.
When the pandemic hit, most organizations had informal ideas that were loosely discussed on how to tackles the challenges of working remote, staggered scheduling of employees, or even a temporary closure, however, formal business continuity planning did not take place.
Even organizations that did have thoroughly documented business continuity and resiliency plans struggled with the transition due to circumstances that were not initially considered or never fully testing these plans. Having a well-developed business continuity and resiliency plan is important, it is equally important to include any your vendors to the organization as part of the planning process. Organizations across all industries are utilizing vendors to perform or assist with performing critical tasks that are part of their core business processes. Which is why it is pertinent to understand and ensure that all your vendors have developed and maintain their own set of business continuity and resiliency plans that outline how the vendor will continue to perform the services they provide.
While organizations cannot account for all potential situations, by developing, documenting and performing third party risk management controls and procedures can make a greater impact on the overall quality of your planning efforts for your organization. To better prepare your organization, we have provided several important business continuity and resiliency best practices for third party risk management, especially during COVID-19.
Business Continuity Plan (BCP) – Identifying the vendors that are critical to your organization is the first step. These would be any vendors that you rely on to make your final product or provide a service.
As part of performing due diligence of your vendor, ensure that your review involves inspecting your vendor’s BCP.
Ensure that the Recovery Time Objectives (RTO) and Recovery Point Objective (RPO) listed in the BCP meets or exceeds your expectations so that the disruption to your clients and customers will be minimal.
Additionally, take note of any additional parties involved in the products or services being provided by your vendors, as this could potentially cause an unforeseen issue.
If Pandemic Planning is not included in your plans, as well as the plans for critical vendors, ensure that these plans are defined and required.
Critical Vendor Risk Assessments – If vendors are assessed based upon a defined period, ensure that scheduled reviews are not missed or overlooked. Perform the appropriate due diligence for all vendors, even if the process must be modified, such performing the assessment virtually as opposed to being onsite or identifying key risk areas and modifying assessment to the key business risks.
Escalation/Notification of Issues – Ensure that all vendors have defined escalation/notification procedures along with an agreed upon timing to communicate potential issues or changes.
Review Contact Information –Ensure that all your vendor’s contact information is accurate and updated frequently. Additionally, ensure your vendor has the correct contact information for your organization.
Performance Assessments (Monitoring SLA’s, KPI’s, or Metrics) – Ensure that your vendors are still meeting or holding to the defined Service Level Agreement’s (SLA’s), Key Performance Indicator’s (KPI’s), or key defined internal metrics.
Utilize these metrics to schedule frequent meetings with critical vendors to stay in contact and to allow for constant open or direct communications to address potential issues. This helps to reduce the risk of potential instability with a critical vendor.
Monitoring and Alerting – Monitoring the status or progress of any previously noted findings for all vendors including:
Monitoring various threat feeds for notifications of potential security breaches (US-CERT, FS-ISAC, etc.).
Additionally, setting up news notifications, or “key word” alerts for all critical vendors.
Depending on your business needs, a paid third-party risk management solution could be utilize to provie active alerts on the status and integrity of your critical vendors.
Assess the Risk of Potential Lock-in or Dependency for Critical Vendors –When reviewing critical vendors, assess if your final product/service of your business is solely dependent on any of the products or services that are provided by any vendors.
Address if any alternatives, are available.
If no alternatives are available, ensure that communications are frequent, and the previously mentioned are adjusted accordingly.
Throughout these uncertain times, all companies are striving to ensure that they can provide quality services, while making the best use of their resources and vendors. As a result, maintaining responsible third party risk management practices and procedures are more important now than it has ever been. By performing the proper due diligence of your vendors, it allows you to gain an understanding the controls in place, especially as it relates to the business continuity and resiliency considerations as well as the potential long-term impacts that can potentially be realized because of COVID-19.
While the considerations and suggestions outlined above are not all inclusive, these best practices are able to be implemented, even during the current pandemic. If you feel that your organization is in need of assistance to review the processes or procedures that are currently in place or assistance with implementing these best practices, Schneider Downs is here to help!
This article is part of a series exploring the importance of third-party risk management programs, you can view additional articles below.
View our entire Third Party Risk Management article library here.
About Schneider Downs Third-Party Risk Management
Schneider Downs is a registered assessment firm with the Shared Assessments Group, the clear leader in third-party risk management guidance. Our personnel are experienced in all facets of vendor risk management, and have the credentials necessary (CTPRP, CISA, CISSP, etc.) to achieve meaningful results to help your organization effectively achieve new vendor risk management heights.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.