As organizations navigate the uncharted territory of supporting business resilience during a global pandemic, continuity planning and risk management have become prime concerns.
Even as many are struggling to figure out a “new normal” for protecting employees, serving customers, and maintaining core operations, assessing new risks related to COVID-19 is key to making strategic business decisions in these difficult economic circumstances.
One significant risk area that institutions need to consider during a pandemic is the financial health of their critical vendors and their ability to maintain service, especially in relation to essential business functions. As market analysts predict a potential recession, now is the time to assess your vendor relationships and take steps to protect your organization.
a. If yes, when was the plan activated, and what is the level of impact to your business? (events/meetings cancelled, remote employees, travel bans, locations closed, etc.)
There’s no way to plan for every uncertainty, but if one of your critical third parties does not have a business continuity or pandemic plan — or has not activated it at this point — you should probably re-assess that vendor’s risk profile.
a. If yes, which ones and for how long?
b. If yes, have you made contingency plans to continue services?
c. Are there any infrastructure or other limitations we should be aware of that may reduce your ability to provide services?
Ideally, your vendors are proactively examining their own systems and doing everything they can to keep their services up and running. The goal here is to get as much notice as possible if they are anticipating some downtime that would impact your organization. If they have contingency plans, you can begin planning for those changes.
Many companies are preoccupied with the immediate concerns of pandemic planning and related issues. Meanwhile, the duration of the coronavirus outbreak and its effects remain a big unknown. The earlier you can start preparing for possible impacts to your vendor-supported operations, the better.
This question is targeting the impact of a recession. Does your vendor have enough liquidity or access to liquidity (line of credit) to survive a significant economic recession? Each day, more and more businesses are deemed “non-essential” and may be required to shut down operations and/or shift to a remote workforce as local governments seek to minimize the spread of the coronavirus.
Every company should be examining its critical vendors and verifying its supply chains. Perhaps your vendor is doing great right now and has no impact to services, but how will that change if their own critical vendors fail? Are your third-party partners planning ahead and trying to anticipate those risks?
As more and more companies try to sustain their workforce through remote operations, cyber-security risks increase dramatically, and you’ll want to find out if your vendors already had the systems in place to manage that. If not, what steps are they taking now to secure their systems and data?
Vendor due diligence reviews are typically performed annually, or when a contract renews, and may not reflect recent changes or impacts to your organization’s third-party risk landscape. Proactive action to reassess the risk levels of your critical vendors is a must in these uncertain times.
Don’t miss Part 2 of this series. Learn about 5 more COVID-19 vendor risk considerations for financial institutions.
Looking to improve your third-party risk management or business continuity programs? Explore how Quantivate can help through our integrated GRC Software Suite. It includes solutions for vendor management, enterprise risk management, business continuity, and more. Visit our website or see the shortcuts below to learn more.