Right about now, many organizations are dusting off their Business Continuity and Disaster Recovery (BC/DR) plans, looking at the section on “Pandemic Planning,” and realizing they have a lot of blanks to fill in.
In my career, I’ve reviewed a lot of BC/DR plans. I’ve stood on my "soap box" many times and explained to my vendors that influenza/pandemic planning does not mean making sure your employees have their flu shots and an adequate cleaning service. I would ask them a few main questions:
- Do you have redundancy and/or desk-level procedures built into your key operations so that if people are out sick, business can run smoothly? (i.e., help eliminate single points of failure)
- Are you capable of continuing operations if many people need to stay home? (i.e., remote work)
- Do you have an idea of how you would operate in a 'minimum manning' scenario?
I always looked at pandemic planning as part of a robust and mature BC/DR program. I’m personally guilty of not taking it seriously enough. My own words are echoing in my head, telling countless companies, “It’s a ‘nice-to-have’, but not a show-stopper”… Well, the show stopped. And it’s safe to say I won’t be on that same soap box any time soon.
So, we’re in a predicament. We’re past the Preparation stage. It’s time to identify and contain any damage that might come of all this, taking notes for “lessons learned” along the way. Whether you’ve had a good preparation plan or not, no one could have fully accounted for the true gravity of our current situation. Of course, we can’t fix everything at once, so we need to prioritize.
Let's Take a Look at the Business Impact Analysis
The Business Impact Analysis (BIA) should help you see what the most critical parts of your business are, and subsequently, the associated vendors. Whether or not you have a mature vendor/third-party risk management program, I strongly recommend that every organization circle back on their BIA and do a little “COVID Checkup” on their critical services and vendors.
Tip: If you don’t have a BIA in place, take this opportunity to go the “quick and dirty” route. Use your best judgement to identify the vendors you rely on the most. These are the ones who are involved in your daily operations, and whose stability has a direct impact on your own.
I Know Who My Critical Vendors Are - What's Next?
- Review their remote operations. Have you evaluated your vendors’ remote capabilities and security? Pay attention to vendors that may have mentioned that they don’t generally work from home, because right now, assume they are. If they’ve had to stand up this operation quickly, there’s a strong chance some important security measures are being bypassed.
- Review their financial security. Even though an organization looked okay on paper a month ago, many companies have come to a standstill, may have had to make cuts, and might not be gaining revenue. Do some research, and make sure you have a redundancy plan (i.e., another vendor in mind) for services you can’t live without.
- Communicate with them. You’ve probably gotten an email from everyone you’ve ever done business with about how they’re responding to this pandemic, but it wouldn’t hurt to send a “How-Ya-Doin?” to your vendor contacts. Not only is this important to make sure they’re able to maintain their commitments to you, but it’s also a great way to enhance your business relationships. From an auditing perspective, I stand by the fact that it’s easier to catch a fly with honey than with vinegar. You might just find out ways you can help each other out in these unprecedented times.
Of course, no vendor management program is a “one size fits all”. Every organization is as unique as the vendors that serve them. Just make sure that any changes to their operations are consistent with your expectations, and remember:
No matter the business continuity or pandemic plan, always use your best judgement to mitigate vendor risk, and document everything!
Once things go back to normal, or as I like to say, the “new normal”, we’ll have learned a lot, and we’ll make our BC/DR plans and BIAs better than they’ve ever been. In the meantime, let’s ride this wave of collective altruism and incorporate it into our day-to-day operations and business relationships. The more we help each other out, the more we can come out of this stronger than before.