It would be an understatement to say COVID-19 has changed a lot, and you might say the pandemic has altered some facets of our lives indefinitely... from how we live and shop to where and how we work. Like many others, some of us in third-party risk management have gone remote, converted our kitchens or spare bedrooms into offices and learned to do just about everything online. And, when we say everything, we mean everything, including things which were previously unthinkable to do any other way but in person.
In our world, one of those tasks includes conducting vendor site visits. Believe it or not, going on site to “check the tires” of our vendors must now be conducted virtually. So, how can we gain the level of transparency and validation we need on our more high-risk and critical vendors without going on site? How do we actually conduct a virtual “site visit”?
Setting Up an Effective Virtual Review
It might be easy to assume that conducting a virtual “on-site” review would be no different than any other vendor assessment, but that doesn’t have to be the case. If you have vendors who require on-site visits, this means they are a priority, and should continue to be treated as such.
As simple as it may seem, set out to meet with your vendor partners in the same way you would under normal circumstances, but instead of hopping on a plane you’ll gather in a virtual conference room, and get down to business. This will show your key vendors that you haven’t loosened your grip on risk management, nor should they.
Here are a few helpful steps to a successful remote site visit:
1. Schedule the site visit.
Give your vendor ample time to set up the audit schedule. This is important! Everyone’s extra busy these days, juggling calls and the demands of our family members-turned-office-mates! While setting up the virtual site visit, make sure to discuss the procedure and what method or technologies will be used. If possible, agree to meet via video conferencing, so that the interviews and discussions can be as “in person” as possible. It’s a good idea to inquire if the vendor will allow you to view documents through share screen/video technologies. If not, you will need to discuss further until you’re able to arrive at a mutually agreeable method.
2. Review the vendor’s due diligence.
As with any vendor assessment, take time to thoroughly understand the vendor relationship, and be especially familiar with their contract, risk profile and current control environment. This means you’ll definitely want to make sure you have current due diligence documentation which includes but is not limited to:
- Financials
- Up-to-date applicable policies, such as information security, privacy, HR, compliance, etc.
- Updated or recently validated questionnaires
- Business continuity/disaster recovery plans and testing details
- Any of the latest security testing results, if applicable
Pro-tips: You’ll want to send an information request at least three weeks in advance, and make sure you allow yourself ample time to review these documents prior to committing to the scheduled virtual onsite meeting.
3. Plan for the meeting.
Once you have all the details from your remote assessment, work with the business owner to pinpoint any concerns or gaps that need to be addressed “in person”. Make sure to keep these well documented.
Sample issues to address may include:
- How the organization is handling the new remote work requirements. Is anyone still on site? How was the transition? Have new security measures been put in place? Has equipment been provided? What measures have been taken to ensure employee safety and ongoing business resiliency?
- Plan to discuss how the organization has been weathering the storm. Have they experienced any setbacks or downsizing due to the pandemic? What effect might this have on services provided (if it hasn’t already)?
- Any service delivery and/or control gaps
- Status updates on any open remediation plans from penetration testing, lessons learned, previous vendor assessments, etc.
4. Communicate the meeting details.
Let your vendor know which departments, subject matter experts and/or particular points of contact must take part in the virtual site visit. Be sure to provide a detailed list of evidence that you wish to review, assuming there are things they’re only permitted to share during a live web meeting. Also, provide the vendor with a list of additional topics you would like to discuss, so that they’re prepared to respond with the right people and supporting evidence.
5. Confirm everyone is ready.
As it’s coming close to show-time, make sure all your ducks are in a row, and confirm your vendors are as well. Be flexible where you can, but don’t let the new way of doing things hinder your role in protecting your organization from vendor risk.
You might also want to consider these site visit best practices:
- If you’re using screensharing or video call technology, ensure it is a secure option
- Draw up a specific audit work program or checklist to follow which covers key areas (e.g., security within a server room, visitor log procedures, BC/DR exercises, etc.)
- Talk about expectations related to screenshots, screen capture and recording
- Make sure the vendors selected for these virtual site visits are chosen based on risk and criticality
- Avoid wasting precious meeting time by asking questions they’ve already provided you answers to
While technology has greatly improved our ability to do many things from a distance, virtual site visits are a far cry from a complete replacement.
Keep in mind, virtual site visits are NOT absolute assurance around operational effectiveness, and they’re certainly not a replacement for overall due diligence or thorough insurance or audit reporting. At some point, we’ll have to circle back to those walk-throughs for our most risky and critical vendors.
The moral of the story here is this: work with what you’ve got, but of course, proceed with caution. With a little bit of planning, a few of these best practices and some luck, your next virtual site visit should go off without a hitch.
Virtual site visits are just one of the many industry changes due to the pandemic.