Third-Party Risk in a Pandemic World: The Short Tail and the (Scary) Long Tail

This new world we are living in today will represent challenges none of us even imagined 30 days ago. So, while all of us are deep into executing a pandemic plan we never thought we would need, a new normal will emerge fairly quickly. Then, it will be time to lift our heads and start planning for the long-term impacts.  

The Short Tail 

Chances are, by now, everyone reading this message has already reached out to their critical third-party service providers to gather up all the information available on the third party’s pandemic plan (By the way, if you haven’t done that yet, stop reading and DO IT NOW). If you need help deciphering the information provided by the vendor, be sure to attend our free webinar on that topic on April 7^th.    

There will be some vendors that show signs of stress immediately. Limited capacity, inadequate pandemic planning, weak execution, under-capitalized, short-staffed and so on. You get the picture. Do all that you can to recognize the signs and act accordingly and immediately.    

Now, We Get to the Tough Part: The Long Tail   

Here’s how we break it down:

Regulatory Risk

If you are a financial institution, you’ve seen the new FFIEC Guidance issued on March 6, 2020. There are numerous mentions throughout the guidance regarding critical third parties. Right now, your regulatory risk is at an all-time high.  

If you are not a financial institution but are a highly regulated entity, chances are very high you can expect similar guidance to be forthcoming. The best advice we can give you is don’t wait for that guidance to publish. Act now as if it already existed.  

If you are neither a financial institution nor highly regulated, now is probably a good time to use the best practice guidance above. You may not be facing regulatory risk, but you’ll certainly be faced with reputational risk. 

Real and Reputational Risk

When it comes to the long tail, we will see the impacts of the pandemic stretch over the next 6 to 18 months, if not longer. Here’s what it will look like:

Financial Strain:

For those that survive the short tail, there’s no doubt your vendors will experience financial strain. New sales will drop, unnecessary expenses will be cut and staffs will be reduced to offset the pain. In a nutshell, we’ll enter an era of survival of the fittest. Financial health will decline, and it will be essential that you can identify the warning signs of vendors who made it past the short tail but may not make it out of the long tail.   

While financial impact may fall into the obvious category, there’s a domino effect that may not be quite as obvious. And it will take a few months for the rest of the (real) risk to show up. 

When financial trouble is brewing, the quickest path to solve cash needs is to cut staff since payroll is typically one of (if not THE) biggest expense line on any profit & Loss (P&L). Survival has been extended but service, delivery and information security are compromised. There are no longer enough resources to execute on required controls. Patches are delayed, testing is diminished and bugs live a lot longer… just to name a few. In other words, the last SOC audit report may have looked just fine but the next one later this year may tell an entirely different story.   

Business Continuity and Disaster Recovery Preparedness:

Let’s talk about business continuity and disaster recovery preparedness. It’s much different than pandemic preparedness – could any of us been truly prepared for this? Is staffing adequate to execute on a plan and run a full-blown test? If a vendor is barely holding on by a thread, would a tornado, flood or earthquake be the final nail in the coffin?   

Cyber Risks:

Cyber risk takes on a whole new level of priority. Is it hard to believe that while the entire planet is in the middle of a pandemic crisis there are bad actors out there poised (and able) to take advantage of any and every vulnerability?   

What’s the Answer? 

Now, more than ever, your third-party risk management program needs adequate resources to weather the storm. When you see the first glimmer of light that your own pandemic plan is working and you have stabilized, look outward and place significant attention on the long tail with your critical third parties.    

You Really Have 3 Choices

You really have the following 3 choices:

1. Staff up your third-party risk management resources and manage it all internally.
2. Find a partner (like Venminder) that can do the heavy lifting for you.
3. Do both. Leverage the expertise you have in-house and use a partner (like Venminder) to fill in the gaps.  

By the way, changing nothing about your third-party risk management program is not an option. At least not an option we would advise. 

If you need our help, visit https://www.venminder.com/contact-us and a solution consultant will be with you right away.   

Pandemic planning should be included in your vendor business continuity plan and should be tested thoroughly. Download this eBook to help.