Vendor Management During the Coronavirus: 6 Due Diligence Questions to Protect Your Organization

  • April 1, 2020
  • Quantivate

Managing Third-Party Risk Related to COVID-19

As organizations navigate the uncharted territory of supporting business resilience during a global pandemic, continuity planning and risk management have become prime concerns.

Even as many are grappling to figure out a “new normal” for protecting employees, serving customers, and maintaining core operations, assessing new risks related to COVID-19 is key to making strategic business decisions in these difficult economic circumstances.

One significant risk area that institutions need to consider during a pandemic is the financial health of their critical vendors and their ability to maintain service, especially in relation to essential business functions. As market analysts predict a potential recession, now is the time to assess your vendor relationships and take steps to protect your organization.

COVID-19 Due Diligence Questions to Ask Your Critical Vendors

1. Do you have a business continuity plan that includes a pandemic scenario, and have you activated it?

a. If yes, when was the plan activated, and what is the level of impact to your business? (events/meetings cancelled, remote employees, travel bans, locations closed, etc.)

There’s no way to plan for every uncertainty, but if one of your critical third parties does not have a business continuity or pandemic plan — or has not activated it at this point — you should probably re-assess that vendor’s risk profile.

2. Do you anticipate, or have you already identified, any services that you provide to us being impacted by the COVID-19 pandemic?

a. If yes, which ones and for how long?

b. If yes, have you made contingency plans to continue services?

c. Are there any infrastructure or other limitations we should be aware of that may reduce your ability to provide services?

Ideally, your vendors are proactively examining their own systems and doing everything they can to keep their services up and running. The goal here is to get as much notice as possible if they are anticipating some downtime that would impact your organization. If they have contingency plans, you can begin planning for those changes.

3. If this pandemic continues, how will it impact the products or services we receive over the next 30, 60, and 90 days?

Many companies are preoccupied with the immediate concerns of pandemic planning and related issues. Meanwhile, the duration of the coronavirus outbreak and its effects remain a big unknown. The earlier you can start preparing for possible impacts to your vendor-supported operations, the better.

4. If you received $0 new revenue, how long could your organization continue to provide these services?

This question is targeting the impact of a recession. Does your vendor have enough liquidity or access to liquidity (line of credit) to survive a significant economic recession? Each day, more and more businesses are deemed “non-essential” and may be required to shut down operations and/or shift to a remote workforce as local governments seek to minimize the spread of the coronavirus.

5. Are you sending similar COVID-19 questions to your suppliers/vendors to assess the risk to your supply chain?

Every company should be examining their critical vendors and verifying their supply chains.  Perhaps your vendor is doing great right now and has no impact to services, but how will that change if their own critical vendors fail? Are your third-party partners planning ahead and trying to anticipate those risks?

6. Did you already have and are you following an established work-at-home policy? If not, how are you accounting for increased cybersecurity risk?

As more and more companies try to sustain their workforce through remote operations, cyber-security risks increase dramatically, and you’ll want to find out if your vendors already had the systems in place to manage that. If not, what steps are they taking now to secure their systems and data?

The Takeaway

Vendor due diligence reviews are typically performed annually, or when a contract renews, and may not reflect recent changes or impacts to your organization’s third-party risk landscape. Proactive action to reassess the risk levels of your critical vendors is a must in these uncertain times.

Don’t miss Part 2 of this series. Learn about 5 more COVID-19 vendor risk considerations for financial institutions.

Other Pandemic Response Resources

Put these due diligence questions into action by downloading our COVID-19 Vendor Management Toolkit. It contains:

  1. A questionnaire that you can send to your critical vendors and other third parties to assess their business continuity strategy, COVID-19 response, financial health, and cyber risk management.
  2. An email template with suggested messaging for requesting responses from your vendors.


You may also be interested in these resources:

Looking to improve your third-party risk management or business continuity programs? Explore how Quantivate can help through our integrated GRC Software Suite. It includes solutions for vendor management, enterprise risk management, business continuity, and more. Visit our website or see the shortcuts below to learn more.

Vendor Management Software | Vendor Due Diligence Services | Business Continuity Software