Vendor Risk Management Lessons Learned from COVID-19

Saying 2020 was an unusual year is like saying the sun is hot, the night is long and rain is wet. No one on Earth has lived through anything like this before: Worldwide pandemic, political upheaval and social mayhem. Everything we do today isn’t the way we did it one year ago today. Businesses have failed, and more will join them, while a significant number of the businesses who survive will go through mergers and acquisitions in the next 24 months.

Of course, with all this in play, third-party risk management has become more important than ever. Ensuring our vendors are still providing the products and services we originally contracted for and asking them to do more than the contract calls for has become common place today.

How COVID-19 Put Vendor Management in a Unique Position

No matter what industry you’re in, vendor management has had a tough time this trip around the sun. The problems vendor management faced have been everything from the strange lack of toilet paper to vendors halting operations abruptly and our supply chains failing miserably. I think it’s safe to assume we haven’t seen the last of the trivial, yet annoying, vendor failures and the major blow outs.

Vendor management has had its work cut out for it since the beginning of the pandemic. Vendor selection and vetting has been greatly affected as has ongoing monitoring. It’s hard to get a SOC report or audited financial statement when the organization’s audit firm is closed for business. Internal audits, external audits and exams are all ongoing, even if in a video format for now. So, what is the vendor management team supposed to do when the vendors they’re charged with managing are floundering and there is no information to base a decision on?

Simply put, vendor management can’t punt, and it’s up to the vendor management team to stay in touch with all critical and high-risk vendors during these trying times. It’s the vendor management team’s job to do the best they can to get all the information they need and to maintain a high level of documentation while vendors and vendor managers alike are scrambling.

Vendor Risk Management Lessons Learned

With all this in mind, here are 6 of the biggest vendor management lessons learned from 2020:

1. We overestimated the resilience of our supply chains. Every chain is only as strong as its weakest link. Organizations that did not practice good vendor management suffered and the organizations with solid vendor management programs are in far better shape.
2. Vendor management got a lot harder. With literally every organization struggling in some manner, it’s harder than ever for organizations without a coordinated vendor management effort. Document collection, contract management and risk assessments got a great deal harder in 2020 and you have to get more creative.
3. Vendor failures and consolidations escalated drastically. When supply chains fail, it affects everyone. Vendor management has the responsibility of ensuring critical and high-risk vendors have adequate plans for a natural disaster, like a pandemic, and are maintaining minimum service levels as best as possible (and if they’re not, making sure these failures are properly notated, communicated and mitigated).
4. Focus on ongoing monitoring of critical and high-risk vendors has increased. Ongoing monitoring of your vendors has become one of the most critical threads in the fabric of your organization. No time in our past requires more vigilance when it comes to ongoing monitoring.
5. Contract management hit warp speed. Things are happening faster than any vendor management team can keep up with. Processes and procedures get thrown out the window when the survival of the organization is at stake. Now is the time to review what you have contracted for and what each vendor is providing and may find the need to rewrite some contracts.
6. Vendor selection lost its way… temporarily. When organizations are fighting to survive, they will abandon the policies and procedures they have to seek a quick fix and stay afloat. Can’t blame any organization for doing what it takes to survive, especially when vendors are being onboarded and new contracts signed without going through vendor management. Make sure to avoid this and begin the discovery process for the new vendors now. Whatever you do, do not forget to run these new arrivals through your risk assessment process.

What to Do with the Lessons Learned

The most important thing we can do is take these lessons to heart, so we don’t keep repeating the same old mistakes. As we move into the new year, here’s a few things to make sure you have on your radar:

• Review pandemic plans. These are a significant part of vendor risk management. Check your organization’s plan, then see if each of your critical and high-risk vendors has a plan that complements yours.
• Revisit risk assessments. If your risk assessment process is robust, you should be able to pull up your risk assessments for all critical and high-risk vendors and see if they accurately reflect your vendor and their product or service as it is today. If there’s a mismatch, it’s time to revisit your assessment.
• Perform a contract review. Given the upheaval we have all been through with COVID-19, it’s time to review your contracts with critical and high-risk vendors.
• Overcommunicate. There’s nothing that will sour a great relationship like being ghosted. If your vendors aren’t communicating with you during this critical time, don’t wait – over communicate as soon as possible. It may save your relationship.

The main lesson learned from the current COVID-19 pandemic is simple: Vendor risk management doesn’t stop for a pandemic. Pandemic planning is a very real risk mitigation activity we should all embrace and learn to excel at in the very near future. Dialing in our pandemic plans with our vendor management programs is mission critical to every organization.

Are you ready for the aftermath of this pandemic? Download the infographic to help.