As the United States begins to settle into the reality of social distancing, working remotely, sanitizing every touch surface and using video conferencing to communicate, where does that leave your organization? Where does that leave your vendors’ service level agreements (SLAs)?
It’s very likely that your employees and many of your vendors’ employees are working from home. Unless you prepared for this and were already operating as a remote workforce before COVID-19, working remotely can wreak havoc on your organization’s third-party risk management.
Managing vendors is difficult under the best of circumstances and we certainly aren’t at our best during this coronavirus outbreak.
Let’s face it, a pandemic is a natural disaster, and we’ll need to manage it as a disaster. Nothing we do during a disaster is “normal.” The best advice anyone can give you during this pandemic is to use the K.I.S.S. principle (keep it simple, silly). Complex processes, whether they haven’t been fully developed yet or are simply routine in your office, may not work with a remote workforce!
What You Need to Know About Vendors Working Remotely
There are two reminders that I want to share:
- There’s no way you can over-communicate. Should all of this have been figured out years ago? Probably. But if it wasn’t, start with a few basics and build on them.
How are we going to manage our seven pillars of third-party risk management when we’re working from home and our vendors are too? How can we follow their performance and monitor how they perform against their SLAs? What do contract negotiations and reporting look like when both sides are working from home? The only way to address all of this is to communicate regularly with your vendors.
- Working remotely tends to slow processes and procedures way down. This is especially true when the process or procedure is new to the organization. Once your workforce becomes accustomed to its new surroundings, the tempo tends to pick up.
Ideas on How to Effectively Manage Third-Party Risk Remotely
The following will give you some ideas for how to survive this pandemic scenario and set a pace for your third-party risk management that works for you. I’ve grouped them by the seven pillars of vendor management:
- Vendor Selection – This is tough in a remote world. Most of us like to see and feel the product or service and use our personal experience to inform our selection process. For the most part, we can start the process working from home, but what happens when we’re ready to experience the product before we make the purchase? Site visits are an area that tends to suffer from the work-at-home economy. It’s hard to do a virtual site visit. Not impossible, just difficult to do effectively. Therefore, you will need to get creative with vendor selection. Also, consider if the vendor you want to bring on is necessary for operations at this time. If they aren’t, it may be best to wait.
- Risk Assessment – If you’re using a third-party risk management platform, the risk assessment process isn’t that difficult. Even if you’re doing it as a team, you can use the workflow your platform provides to manage the process and drive results. If your third-party risk management program hasn’t developed beyond spreadsheets and ShareFile systems, completing risk assessments remotely is going to be a very real problem and much more challenging.
Quick Tip: Your number one risk in any disaster scenario (including a pandemic) is data governance. How you’re managing your organization’s data and how your vendors are handling your data is critically important to your organization.
- Due Diligence – Other than site visits, due diligence is one area you’ll be able to handle with relative ease. Most of the information we gather is done online today. Whether or not the vendor’s personnel are working from home doesn’t really affect this pillar much. Again, if you’re using a third-party risk management platform, this process is easily accomplished online. The only issue that may arise is when you need something from a governmental entity that is shuttered for the duration.
- Contract Management – Some processes will be affected more than others. For example, renewing contracts with existing vendors will be easier than negotiating contracts with new vendors, which again shows how much more challenging vendor selection becomes during a pandemic. Consider leveraging existing vendor relationships to get contracts done. Most of us already exchange redlined agreements electronically, so the reality is that negotiating contracts remotely may not have much effect on the overall timeline.
- Reporting – Prepping and delivering reports during a pandemic is, at best, awkward, and at worst, foolish. During a disaster, reporting isn’t the most important thing you’re going to do all day. However, you’ll need to report at some point in the future, so keep records of everything you do: document, document, document!
- Ongoing Monitoring – If your lines of business are still operational (a really large “if” in a pandemic scenario) you’ll want to maintain your lines of communication and stay on top of your SLAs. You need to be flexible on this pillar during any disaster scenario. Monitoring may have to be suspended temporarily. Try to be more understanding if your vendors aren’t performing at their usual high levels. Of course, the hope is they’ll respond, and all issues are resolved; however, flexibility is important here from both parties’ standpoints.
- Exit Strategy – A pandemic will cause some businesses to fail (any disaster will). While businesses fail all the time, they fail faster and fall harder during a disaster. Determining whether a vendor is meeting or exceeding your expectations is a critical part of how we measure any vendor’s performance, and SLAs are a literal part of every pillar of third-party risk management. But if your vendor is limping along and you can manage, it may be a good time to practice forgiveness rather than reach for the exit.
The New Third-Party Risk “Normal”
How do you monitor a vendor when there’s nothing to monitor? What do we do when all but essential services are forced to close, and supply chains aren’t just interrupted but obliterated? How are you supposed to monitor SLAs in this environment? These are the types of questions I’m sure you’re asking yourself right now.
As if this weren’t bad enough, we have bad actors queued up to take full advantage of our circumstances. We’ve already seen one international fintech forced to take itself offline due to the actions of charlatans.
Social distancing and working from home are challenging at best. They can be downright crippling to any organization’s third-party risk management efforts.
It will be months before we see vendor operations and our usual supply chains return to “normal.” During this time, we’re not going to be able to perform our “normal” third-party risk management tasks the way we typically would. We’ll still do them, just not the way we always have in the past.
The Impact to Your Third-Party Risk Management Program
First and foremost, yes, you are still responsible for the third-party risk management program. No, you can’t abdicate, mitigate or eradicate that responsibility. Your vendors are still extensions of your organization, and they can still cause your organization a long chain of pain. If you’re working from home and third-party risk management seems impossible to do, focus on the parts of the program you can still accomplish. There are many things you can do to keep the wheels on the bus going ‘round and ‘round (for those of you with children, I humbly apologize for this tune running through your head for the next two or three hours).
During any disaster, including a pandemic like this, it’s critically important to your organization that you do the following:
- Over-communicate everything! This one thing will make or break not just your third-party risk management program, but also your organization.
- Sketch out a plan for each of the seven pillars.
- Do the best you can to keep up with all aspects of your third-party risk management program. Consider creating a list on a shared platform, accessible to your team and your stakeholders, that keeps everyone up to date on which vendors are operational and which are shuttered for the duration of the event.
- Document every single thing you’re doing. Note the things that go well and the ones that don’t. That information will be useful when you review your “lessons learned.”
- Complete your after action, lessons learned report and publish the results to your stakeholders, especially your board.
- Practice being as flexible as you can with your vendors. The kindness will be returned when the pandemic is over.
Remember, none of us are at our best during a disaster. Some people handle the situation better than others, and the same is true for organizations. Times like these never last, but every organization that weathers the storm is forever altered by it; no organization comes out quite the same. Some of your vendors won’t survive. Some will. Some will be fully operational as far as you’re concerned; others will be shuttered for the duration of the event.
Your best plan is to keep planning. Make notes on everything. Document everything you and your team are doing.
After the pandemic is over, put everything you have together and make sure it becomes a part of your organization’s pandemic plan. The only thing we can be certain of is that there will be another pandemic.
Once your organization makes its final adjustments to your pandemic plan, look at the plans your vendors have in place. Ask them for the results of their last full test of that plan. Note any differences that might cause disruptions and work with those vendors to resolve the risks you’re seeing. In the end, it’s these risks that may require you to change vendors.