Without a doubt, 2020 will go down in history as the year we all learned the value of a pandemic plan. It was the single most unusual year. Period. Risk went through the roof! Every risk category experienced dramatic elevation, and in some cases, third-party risk management was put on pause as we were all sent home to work and to educate our children. All the while, organizations scrambled to meet the technology and human demands of lockdown. And at the same time, devastatingly, many lost their lives.
As organizations scrambled to adjust, third-party risk management was tasked with keeping up. Unfortunately, many weren’t fully equipped, leaving a rash of errors in its wake: contracts were often signed without the normal levels of due diligence, and risk assessments suffered greatly. Survival mode will do that to just about any organization. Consider it a mass baptism by fire.
However, in the grand scheme of things, we’ve all learned a lot. As a result, we can walk into the new year with new knowledge.
4 Important Takeaways from 2020
Comprehensive Emergency Planning for Your Vendors Is Non-Negotiable
Pandemics are unique. For most organizations, they fit into the business continuity management planning process somewhere within the disaster recovery planning process. Usually, those plans were completed in a perfunctory manner, and no one ever thought they would be used for anything more serious than the flu. I’m going out on a limb here and will say that pandemic planning will be one of the top tasks – likely the number one priority – for every organization as we move forward.
As we continue, reviewing our critical and high-risk vendors’ business continuity management, disaster recovery, and oh yes, the pandemic plans, will be mission critical for every organization on the planet. So, be sure to ask your vendors for a copy of their plans. It’s also critical to ensure your vendors perform comprehensive testing and that they provide proof. Partial testing will not tell you if the vendor can, in fact, recover from a significant event.
Third-Party Risk Management Must Increase Speed
While many organizations were forced to hit the pause button on third-party risk management, the need to perform due diligence and risk assessments didn’t go away. Organizations have no choice but to clean up the mess sooner rather than later… because here’s the thing: regulatory agencies expected organizations to use the business continuity and disaster recovery plans they had in place and to follow their pandemic plans. But let’s get real! For most organizations, pandemic planning was a distant concept for something that would never happen. Oops…
Now what… where do you go from here to pick up the pieces and put your third-party risk management program back together? Consider the following:
- Collect all necessary due diligence materials
- Perform the risk assessments for company, product and/or service
- Account for all potential increased risk
- Review contracts carefully (Pay special attention to the SLAs!)
Remember, when organizations make hasty decisions, the risk is higher than it should be.
Mergers and Acquisitions (M&A) Activity Will Ramp Up
Moving forward, we’ll see M&A activity skyrocket. That will put a great deal of extra stress on every third-party risk management program, so it will be crucial for your third-party risk management team to stay in close contact with its critical and high-risk vendors. There is no such thing as over-communication with your vendors when they’re stressed out. Today, it’s safe to say that everyone is stressed, which makes communication a critical activity for third-party risk management for the foreseeable future.
Business Survival Is the Goal
The primary lesson we should take away from the COVID-19 pandemic is that, like people, organizations will do anything to survive. They’ll abandon the processes and procedures that are in place in order to keep the doors open, which, honestly, makes perfect sense. The big takeaway here is that we all need to develop policies and procedures that allow for these emergencies. Also, as with all other plans, these emergency policies and procedures will need to be tested. Remember, regulators don’t care why; they just care that the policy wasn’t followed. Documenting what is expected when facing the unexpected can go a long way.
There is a purpose to business continuity management, disaster recovery and pandemic planning. Governments are going to do what they feel is in the best interests of their people. While we can’t predict the exact actions any federal, state or local government will take, regulators want us to be prepared.
Let’s focus on the lessons we learned from this year and look forward – better yet, start to move forward – to the day we can tell our senior management teams and our boards, “We’ve got this. We have your back.”