During our recent three-day Third-Party Risk Management Bootcamp, we had a lot of GREAT questions come in and wanted to compile and share the answers. Below you will find third-party risk management questions and answers posed during Day 1, Day 2 and Day 3 sessions.
Session 1: Third-Party Risk Management in a Pandemic World and The Third-Party Risk Management Lifecycle
Led by Venminder’s Dana Bowers, Chief Solutions Architect, Founder and Board Member, and Nicole O’Brien, Third-Party Risk Officer, where they provided some background on the evolving changes in third-party risk management due to the pandemic and an overview of the vendor lifecycle.
Q1: In the lifecycle, wouldn’t it be more efficient to perform the due diligence prior to the risk assessment? Can you help us understand the benefits of performing the risk assessment prior to conducting due diligence?
Answer: I understand the confusion. Remember that the risk assessment is a bit like a sandwich around due diligence. You need to know your inherent risk (what data will they see, will they be critical, will they engage with our customers on our behalf, are they providing services from overseas, etc.). Then you do your due diligence, in a way that makes sense based on what you found out in your inherent risk assessment. Then you take all the information you gather from due diligence and say, okay, are they still the same risk level now that we know a bit more of their inner workings? Do they have enough controls that we’re comfortable? This would be an assessment of your residual risk.
Q2: Has there been a dire need to revisit business continuity plans post Y2K planning? Has anyone used that planning as a first step to develop revised business continuity planning? Assuming the answer is no one is going back to revisit business continuity plans, is that an indication that the millions spent were reactive and we need to reprioritize the importance of business continuity plans?
Answer: I certainly haven’t studied the issue closely, but clearly the lessons learned in the run-up to Y2K led us all to update our business continuity plans at the time and likely some of the lessons learned from that made their way into individual business continuity plans but there hasn’t been the same national push – until this pandemic – to revisit them. I’d hazard a guess that they (the BCP and pandemic plans themselves) barely get a passing glance on an annual basis, other than the requirement to have the board and senior management review and re-approve them each year – an exercise that likely is just a formality, rather than an in-depth review for most organizations.
Q3: If we have a critical vendor that is not willing to participate in the annual review process, how will that impact us from a regulatory perspective?
Answer: The short answer is you’re responsible for your vendors. Try to find a replacement that will work with you and explain to your current problem vendor that you simply can’t expose yourself to that level of regulatory risk. Now, there are some common critical (major) vendors that we really can’t just replace, or they’re just so big they don’t care if you leave. Since I don’t know your particular situation, my best advice would be to utilize the contract to the max extent possible, try asking for someone else, talk to their legal person, see if you can do a remote view of some policies and procedures – see what you CAN get from them. If it doesn’t fit your process, sometimes we have to go about things “their way” just to make sure we’re mitigating risk, even if it might be more cumbersome for us. And MAKE SURE you know when the contract is up for renewal – work with your legal team and see if they can work with you on getting stipulations in there. All the while, document the entire thing.
Q4: How long should a risk assessment take?
Answer: It can take anywhere from a month to a year; however, a year is not acceptable. The maximum should be about 3-5 months.
Q5: How frequently do you recommend we perform risk assessment on moderate and low-risk vendors?
Answer: I would say every 2-3 years. It’s usually okay to put them on a “longer leash.”
Q6: Who would you bump up in the risk assessment schedule during this time?
Answer: High-risk or critical vendors – if you need them to survive, start there. Beyond that, if they can’t work remotely or can’t access data remotely, I would go back to those vendors, especially.
Session 2: A Vendor Due Diligence Oversight Dive and Contract SLAs and Why They’re More Important Than Ever
Led by Venminder’s Branan Cooper, CRO, and Kelly Vick, President, where they provided more details pertaining to the due diligence activities that should be considered and an overview of contract management considerations and best practices.
Q1: You said spend 3-5 months collecting due diligence and finish it AFTER contract is signed? How can you enter a relationship before due diligence is completed?
Answer: You should absolutely get as much done as possible prior to entering the relationship, but vendors may not be willing to share many items until after the contract is inked. The full risk assessment writeup may not happen until after the contract is signed.
Q2: What would you recommend for information to collect on a vendor?
Answer: If they have access to NPI, certainly info sec, BCP, SOC and all vendor vetting information.
Q3: How does residual risk rating impact due diligence update/oversight requirements?
Answer: Depends on what is identified and any particular areas of weakness.
Q4: What are better practices to elevate third-party vendor management to fore thought for management and remind management that although third parties may be involved responsibility continues to sit throughout the organization?
Q5: I have a vendor who we have been doing business with for years. They were just acquired by a foreign holding company. What should I be concerned with?
Answer: OFAC checks, beneficial ownership, any Politically Exposed Persons (PEPs), location and any access to US customer data.
Q6: Why would you enter a relationship without completed due diligence? Expectation that they may finish it in the future seems a little nutty.
Answer: Sometimes you have to – companies understandably are reluctant to give us business continuity plans or network diagrams prior to entering into a contractual relationship. It’s not a perfect science.
Q7: How do we implement this with the vendors that are essentially no risk? Sometimes for them to support even the simplest request for due diligence isn’t worth what we are paying them for services.
Answer: That is completely understandable. The first part is making sure that you know what a vendor is doing for you. It’s good to get that from your business owner – what they are doing, what you pay them, etc. Try to understand how to mitigate the risk that they pose without doing too much. Understand their process enough to understand the risk. Put into place a process of what to do going forward.
Q8: For SaaS vendors, I am seeing more and more SLAs pointing to a website vs. being documented in the contracts. Is this becoming typical for SaaS vendors? I see risk in having the SLA updated post contract finalization without us knowing/approving of the changes. How do you suggest we handle this to reduce risk of changes to SLA?
Answer: Vendors have Master Services Agreement (MSA) terms and SLAs point to websites likely because it is administratively easier for them to manage and discourages modification of their standard terms. Where possible, the customer will want the SLAs to be baked into the agreement and not referenced on a website. Depending on the type of vendor relationship and language in the agreement, SLAs can be anywhere from a nice side benefit to absolutely critical, so it’s important to look at them in relation to the type of vendor agreement being entered into.
Modification of SLAs is typically governed by the “amendments” section of the contract. If you agree to click-through the “terms of service” on a website, the amendment section will likely allow the vendor to modify the agreement in its sole discretion by posting new terms, which gives the vendor the ability to replace any term of the agreement, including the SLA.
Of course, you can request changes to even the online agreement. It will depend on how willing that vendor is to accommodate and how committed you are on doing business with this vendor. Any agreements that are negotiated will require the consent of both parties to amend the agreement, so the SLA could not be amended unilaterally absent a special provision granting that right. When you are able to negotiate the terms with a vendor who has these posted behind a link, you will want the contract to include these terms, including the SLAs, and not reference the link.
Q9: Is it common for contracts to have a Force Majeure clause and how would that impact an SLA?
Answer: Yes, it’s common for agreements to have Force Majeure clauses. Force Majeure clauses excuse nonperformance by a party in light of certain specified conditions, typically events beyond that party’s reasonable control. The clause’s interaction with an SLA provision will vary depending on the specific language of the agreement; however, typically, if a party gives notice that a Force Majeure event has occurred and that it can’t perform under the agreement, there is no breach of the agreement and the SLA provision would not trigger. Nevertheless, this is specific to the actual terms of both the SLA and Force Majeure provision. Also, typically, Force Majeure clauses didn’t include outbreaks, pandemics and epidemics as separate Force Majeure items, but we have seen these provisions included recently (not surprisingly). But, even if pandemics aren’t specifically called out in the clause, there’s a strong argument that Force Majeure clauses that include “catch-all” language would cover pandemics (e.g., events outside a party’s reasonable control).
Q10: What is best way to go back to vendor to add SLAs to existing contract?
Answer: This will certainly depend on how strong the relationship is with the vendor – are they more like a partner or more like a vendor? What we’ve seen from our own clients (who have us as a vendor) is that when they want us to make any contract changes (sign a new Data Protection Clause, insert SLAs or reduce their annual spend), we generally will agree to discuss and negotiate, but we’ll want something in return. It is a two-way street – so a vendor might be willing to make a mid-term contract change with a term extension or an increase in spend. But, this one is certainly going to be entirely dependent on the vendor and the relationship you have with that vendor.
Session 3: Vendor Cybersecurity Preparedness – Don’t Let Vendors Become Your Weakest Link and Understanding and Analyzing Vendor SOC Reports
Led by Venminder’s Lisa-Mae Hill, Senior Information Security Specialist, and Aaron Kirkpatrick, CISO, where they shared what to review in your vendors’ cybersecurity and the different types of vendor SOC reports you should be reviewing.
Q1: What is your opinion on vulnerability checks versus penetration testing due to the fact that the latter can cause damage just by trying to break into a system? What would be your reason when to do which?
Answer: Vulnerability checks/assessments should be ongoing in some way or frequently performed for wider scoped scans. Even anti-malware scanning is a form of vulnerability assessment. Penetration testing, depending on the industry requirements, may need to be done quarterly, but typically annual penetration tests are the norm across all other technology vendors. Things can break during penetration testing, but an experienced firm should have guidelines in place for their assessors which limit this risk and there should be a clear, fast communication line for the organization to get ahold of the assessor in case of an issue. Having a penetration test performed, not only on networks but on web applications as well, is an expectation for technology vendors, especially those with any data that may be classified as personally identifiable information.
Q2: Is SSAE 18 just a SOC 1 or is it also a SOC 2?
Answer: The SSAE 18 (Statement on Standards for Attestation Engagements no. 18) standard covers both SOC 1 and SOC 2 engagements as they are both attestation engagements, just different sections within the same standard.
Q3: How do you review the SOC 2 report if it is so long? Do we need to read every page and content?
Answer: This is where experience will come in. Once you get familiar with the structure of the reports, you’ll be able to focus on the areas you’re most interested in. A quick check that I recommend would be to look at the auditor’s letter for the auditor’s opinion, look for any exceptions and search for key controls that your vendor management program focuses on when reviewing vendors, depending on their inherent risk.
Q4: Is there a preference between SOC reports vs ISO certifications and why is one better or preferred over the other?
Answer: Both are great to see, but having a SOC report to share with clients and prospects provides insight into the organization, the actual testing that was performed, and the results of those tests, including management’s response, if needed. SOC reports provide you with 35-800 pages of information while ISO certifications give you a page or two. If an organization is ISO certified, that is a great, quick and easy way to gain insight into whether they have an information security, privacy or business continuity program formally in place and it has been audited by a third party, depending on the ISO standard. We prefer having a SOC report because of the additional value it provides.
Q5: How are cybersecurity reviews being performed during the pandemic when on-site visits are limited?
Answer: You might have to put an exception in for this year’s physical security walkthrough, but treat the rest of it like a remote audit. Collect the policies and procedures that you can, external testing and reviews (SOC, ISO, redacted penetration test/vulnerability scanning results), and this might mean getting on a couple of Zoom or Skype meetings to review what they don’t want to send you.
Session 4: Vendor Business Continuity and Disaster Recovery and Red Flags in Vendor Financial Health
Led by Venminder’s Gordon Rudd, Third-Party Risk Officer, and Mike Bowers, Chairman of the Board, where they shared the procedures your vendor needs to have in place to handle a business impacting event and the vendor financial red flags you should be watching for, especially in the pandemic.
Q1: I fear that the COVID-19 is happening on such a scale that what was done may not be fully remembered. The focus has been to implement the plan first. How do we strengthen these plans to capture the reality of steps taken to mitigate risks from the pandemic?
Answer: Excellent question. It happens in layers. It will not happen all at once. People who are affected by any disaster, natural or manmade, are going to be less reliable witnesses than they normally would be. Even for actions they themselves took during the event. However, it’s vital to your organization to get to the truth.
To get down to what happened, I like to hold two separate meetings. The first is the postmortem, which focuses on exactly what happened and why. Do NOT focus on how to fix it in this meeting. The sole focus of this meeting is to determine exactly what happened. To help get the real story, I like to hold a postmortem session. Postmortem is exactly what it sounds like, a vivid description of what went wrong. It’s important to make sure this session is one held without judgement. No one wants to sit in a meeting and get beat up, but at the same time it’s extremely important to get to the truth.
The second step is to hold a lessons learned session. Given the information you have from the first meeting, how would you “fix” the problems? Can you fix the problems? If you can fix the problems, what is it going to cost? This is where we apply what we know to the problems we outlined in the postmortem and come up with solutions that the senior management team and the board can get behind.
Q2: How frequently are you suggesting that the plans are appropriately updated?
Answer: Business Continuity Management (BCM) plans should be updated no less than quarterly. The “check-box-Charlie” attitude toward creating a BCP (meaning you do it because a regulator or auditor says you have to have one…but we’ll never follow it, so let’s not put any time in on it we don’t have to) and doing a plan review once a year went out the window with the COVID-19 pandemic. Plans need to be reviewed and exercised quarterly.
Q3: Can clarification be given on how a contingency plan comes into play? It seems to be different than DR and BCP, but not directly addressed in the session.
Answer: Contingency plans are part of every BCM Plan, DR plan and pandemic plan. Once you have your plan completed, you take a look at the plan and start to ask questions like, “What happens if we can’t secure enough laptops from Vendor A during a pandemic to send everyone to work from home?” Your answer might be, we will ask three separate vendors for enough laptops to give our workforce the ability to work from home. Your contingency plan is always going to be a plan for the component parts of any BCM program that might fail when stressed. For example, not having enough laptops for your workforce to work from home.
Q4: Who declares an event – CEO, Board, who?
Answer: In 99% of cases, never the board. It will most likely be the CEO or a member of senior management. You do need to decide if the CEO or senior management team is not available, then who will make that decision? This should be decided before an event occurs.
Q5: I looked at some of the financial reporting, 8-K and 10-K, from some larger companies and did not see a section referenced as risk factors. Where do you see this information?
Answer: The U.S. SEC gives a look at the contents of a 10-K at this URL here. “The Risk Factors” are found in Item 1A – “Risk Factors”. Having said that, it can be challenging to find Item 1A, in that not all filings will have an Item 1A, because there may be no need for the section.
Q6: I don't understand the 10-K concept. Can you please elaborate?
Answer: The Securities and Exchange Commission (SEC) regulates all publicly traded companies. One of the many reporting requirements established by the SEC is that every company must file a financial report detailing all aspects of the reporting company’s finances. The reporting is done both quarterly and at the completion of the company’s year-end. The year-end report is labeled a 10-K and the quarterly report is labeled a 10-Q.
Q7: In the 10-K, what items could we ignore?
Answer: Well, you can weed out about half of the 200 pages fairly quickly. I would not ignore the risk sections. But, stock performance, income tax sections and many of the repeat sections are things that can be glossed over, unless you are a financial institution.
Session 5: How to Review a Vendor’s Pandemic Plan
Led by Venminder’s Aaron Kirkpatrick, CISO, where he provided a very timely presentation covering how your vendors’ pandemic plans protect you, and the components and steps to review a pandemic plan.
Q1: Should my organization only put focus on our high-risk and critical vendor pandemic plans, or should we be focusing on all but reviewing at a different frequency for lower risk vendors?
Answer: It is likely high-risk and critical-risk vendors that you should focus on and expect solid answers from. This will open a lot of eyes that we may not have seen prior to the pandemic. A few vendors may be reclassified as higher risk or criticality. I would focus on all during this time.
Q2: Because of the current pandemic, as a result, do you foresee any changes that will need to be incorporated into pandemic planning moving forward?
Answer: Yes, I think it will shift from pandemic planning being a ‘checkbox’ item. I hope that we land in the middle of what we historically have been doing, which has been pretty relaxed, and add tons of questions to the pandemic plans.
Q3: How often should pandemic plans be reviewed by the board?
Answer: They should be on the same review and approval schedule so I would say yearly.
Q4: Can you explain the difference between pandemic planning and disaster recovery planning again?
Answer: The difference really comes down to disaster recovery planning being more about responding to an unexpected business impacting event and responding immediately. Pandemic planning is usually a much longer event and hopefully we have a much longer notice to plan.
Q5: When in the due diligence process, do you recommend that we ask our vendors for their pandemic plan?
Answer: Good question! I really suggest adding it to your existing, initial due diligence and ongoing monitoring document request list. It shouldn’t be an added request; it should already be there.
Q6: How can we properly mitigate the risk of dealing with unprepared vendors and more importantly unprepared management?
Answer: First you’ll want to understand the potential impacts if that vendor’s service degrades or ceases. Depending on the severity of the impact you may simply report the risk to senior management/the board and have them accept it, or you may need to set up a backup/replacement vendor. There are many actions in between these two steps which will depend on the potential negative impacts due to the vendor’s actions or lack thereof. Unprepared management, or management unwilling to accept/adopt change may also pose risk at your vendor or internally as you’ve mentioned. The easy, yet likely unhelpful answer is to provide educational resources to the offending management, but this may not be effective due to the same causes of the unpreparedness, unwillingness to learn or too busy/overwhelmed to take the time to change/adjust.
Q7: What may be a good source for templates helping business operations complete their business continuity plans?
Answer: Here are a few good resources for business continuity planning:
Q8: What should companies do if a vendor will not provide BC plans and/or testing results?
Answer: Many times we encounter vendors who are unwilling to share their business continuity and related plans. We support this as many times those plans contain sensitive internal operations information. In these scenarios we encourage vendors to create plan summaries which include information about the plans, testing of the plans and recovery time and recovery point objectives.
Session 6: Third-Party Risk Management Exam and Audit Prep and Tying It All Together for an Effective Third-Party Risk Management Program
Led by Venminder’s Nicole O’Brien, Third-Party Risk Officer, and Dana Bowers, Chief Solutions Architect, Founder and Board Member, where they shared how to prepare for an exam or audit as well as tips and tricks, and wrapped up the sessions by recapping some key takeaways.
Q1: Do you differ between third-party risk management and contract management or do you see there are efficiencies in joining the two?
Answer: Good question! They definitely go hand in hand since managing risk begins with the contract. Be sure to follow the FFIEC guidance when negotiating a contract. However, even though risk begins with the contract it certainly doesn’t end with the contract. Once your contract is in place, be sure to have a well-defined ongoing monitoring program that is risk-based and clearly defines the requirements of risk assessment and management commensurate with the level of risk the third party represents to your organization. Document everything along the way. The contract begins your risk management lifecycle and will come back in play at the end of the term when you are able to refer to your documented historical vendor performance and either exit the relationship or negotiate for a renewed term.
Q2: What are some key metrics you recommend regularly presenting to the board on third-party risk management?
Answer: The report should cover key performance data for all critical and high-risk vendors such as SLA performance, annual reviews and findings, etc.
- Call out any issues since the last report
- You may want to use a stop light methodology (red, yellow, green) to quickly indicate current status
- Here is a paragraph straight out of the OCC guidance that should be helpful:
Bank employees who directly manage third-party relationships should escalate to senior management significant issues or concerns arising from ongoing monitoring, such as an increase in risk, material weaknesses and repeat audit findings, deterioration in financial condition, security breaches, data loss, service or system interruptions, or compliance lapses. Additionally, management should ensure that the bank's controls to manage risks from third-party relationships are tested regularly, particularly where critical activities are involved. Based on the results of the ongoing monitoring and internal control testing, management should respond to issues when identified including escalating significant issues to the board.
Q3: What exactly defines a "very mature program" or what are the differences between a mature program and a very mature program? Do you think that it is appropriate to view an automated management solution as an equivalent to having another full-time employee (FTE)?
Answer: A mature program has all the correct elements of third-party risk management, regardless of the method to get there (for example: manual vs. automated). Key risk factors have been identified and are satisfactorily managed. However, a VERY mature program has automated processes (for scale), can map activities back to key guidance and can demonstrate best practices in all areas. Do you think that it is appropriate to view an automated management solution as an equivalent to having another FTE? That would be a good way to look at it! The only way to overcome inefficiencies is to throw more people at the problem. The way to scale and develop a very mature program is to choose a platform flexible enough to map to your processes and automate as much as possible. A good software platform, once configured, will allow you to delegate and then monitor progress and spot problem areas.
Q4: Is there a requirement for ongoing monitoring being performed annually for critical or any vendors? Our policy states periodically and is written vaguely which makes it hard to obtain ongoing due diligence from relationship owners.
Answer: I do not think there is any specific regulatory guidance that states annual reviews as being an absolute requirement. However, if a vendor is critical to your organization (by critical I mean the availability of the product or service of that vendor is mission critical to daily operations – in other words, if they go down, you go down with them and business comes to a screeching halt), then I consider annual to be an absolute minimum. You may find yourself doing reviews even more frequently than annual if you identify an issue with the vendor – such as poor financial health – which would dictate more frequent reviews such as quarterly financial health assessments. Your policy states periodically and is written vaguely, which does make it hard to obtain ongoing due diligence from relationship owners. I would fix that asap. The policy dictates the requirements, and if it does not have any teeth in it then neither does your ability to ask others to execute. A good guideline would be annual for critical/high-risk vendors, bi-annually for moderate-risk vendors and every 3 years for low-risk vendors.
Q5: Should auditors change what they ask for after the exam has started?
Answer: If they start to veer from the original questions, I would ask them to have a more intellectual conversation rather than continue down the ‘rabbit hole’.
Q6: What is the best way to set up an office base for visiting auditors? How will that change if they start happening remotely due to COVID-19 precautions?
Answer: I would say to set up a comfortable conference room, away from the organization but try not to be completely closed off from the organization. Snacks, water, make them feel comfortable. I always liked when people would visit the room, do a ‘walk through’. But, always make sure to escort – do not give them a chance to write you up for something small. As for remote work right now, you want to have documents and deliverables prepared to share via Webex or other applications.
Q7: There is usually a great deal to accomplish after an exam to address the examiners findings. What have you done in the past to prioritize these findings?
Answer: Start with the initial ‘triage’ and map out a plan of how you are going to tackle the findings that you need to address.
Q8: Is your third-party risk management program required to be approved by the board?
Answer: Yes, but it’s actually the policy document that needs to be approved by the board. Remember, there are two different documents. Yes, absolutely the policy has to be approved by the board.