Mitigating Third-Party Risks Amid The Pandemic

The COVID-19 pandemic has disrupted business and supply chains throughout the world in an unprecedented manner. Many businesses have found it difficult to predict and prepare for the governments’ response of social distancing and quarantines, and the economic shock caused by them. Financial services firms, including banks and insurance companies, are also subject to volatile financial markets. While financial services firms navigate these difficult times to determine whether they can keep their branches open or receive governmental aid, they must also keep a close watch on operational risks to determine if they can sustain uninterrupted business. Firms usually have a large degree of visibility into the status of their own resources, but it is essential to also have a robust third-party risk management (TPRM) program to keep the entire value chain operating.

As firms across the economy work to get their systems back into operation after several states instituted a ‘shelter-in-place’ order, many will struggle to manage their internal resources and client delivery. It is likely that some of your company’s suppliers will have service or inventory disruptions. In order to protect your firm’s business continuity, now is the ideal time to set up a TPRM program. As this is a large-scale effort that includes several departments (e.g. - legal, finance and IT), there is need for a centralized team to manage this process, such as a vendor management office or procurement, due to their existing high-touch relationship with vendors.

The following steps form the basis of a successful TPRM program in the context of a global crisis and a larger enterprise risk management operation.

REVIEW PAST DISASTER RECOVERY MATERIALS

In most crisis response situations, start by reviewing and leveraging any previous disaster recovery or business continuity plan your firm already had in place. Financial regulators and the states’ banking and insurance departments generally make it statutory for banks and insurance companies to have these plans. These plans, whether rudimentary or best in class, can help define a governance structure, roles and responsibilities — and identify the most important parts to be tackled.

ANALYZE BUSINESS PROCESS FLOWS TO IDENTIFY CRITICAL SUPPLIERS

Each business unit, department or function should collect its operating procedures or process flows and identify all third parties that are involved in the business unit’s operations. Often, there will also be vendors that are not directly involved in the process but help support it, they should be identified as well. Here, procurement plays an important role in conducting a comprehensive review as it is likely that no one person in the business unit is charged with watching over all suppliers. Once that process is completed, divide the vendors into three categories to prioritize the risk management process:

Critical

These are vendors without which the business unit cannot operate, including, for example, risk information services or market data.

Necessary

These are vendors that provide services that are not only important to the functioning of the department but can also be internalized through the addition of resources or can be conducted later, once additional capacity frees up, such as tax preparation.

Optional

These are vendors that support overflow volume or manage processes that can be internalized or be easily replaced by other vendors, such as customer support overflow providers.

EVALUATE RISK COMPREHENSIVELY

The global pandemic and the resulting state-mandated quarantine are situations few people could have anticipated. The goal of the TPRM program is to ensure that you and your vendors are insulated from these shocks as much as possible, lending stability to your firm’s operations. It is imperative to define the success metric for each type of risk before proceeding. Some of the risks to consider are:

Operational risk

Determine whether the pandemic prevents the supplier from fulfilling its requirements by asking:

• Does the COVID-19 situation directly impact the delivery of the service or product?
• Can this work be done remotely? Does the vendor have sufficient capacity to do the work remotely?

IT risk

If the work can be done remotely, does the vendor have the necessary information security protocols in place to protect customer data? Especially with firms moving to a remote work environment, both enterprise and personal IT risks are higher than ever before.

Financial risk

Does the vendor have enough financial resources to sustain itself and provide services if several customers lose the ability to pay their invoices? Checking a firm’s financial health score using a credit monitoring provider like Dun & Bradstreet is one quick solution to determining its financial position.

Regulatory risk

Is the vendor in line with all the financial regulators and state boards' rules and regulations? Does the ‘shelter-in-place’ mandate or a recession potentially make them more likely to be out of compliance with any major rules, as in subrogation and debt collection?

MITIGATE ALL OF THESE RISKS EFFECTIVELY

Constant contact with third-party vendors is critical in these disruptive times. Ideally, your vendors’ account management teams will reach out proactively with their response and plans for the foreseeable future. If they have not, reach out to vendors for their business continuity plans. Once in hand, do not take them at face value. Review them with additional scrutiny and assess whether they have the resources and capacity to deliver their services. This would include questions around the availability of secondary locations, the ability to work remotely, whether they have a robust information security program and much more.

Another factor to be cognizant of: Are any SLAs stipulated in the contracts? Vendors should be very transparent if they expect to miss any such SLAs and the business unit should sign off on any leeway given to the vendor in these conditions. If the vendor is providing any service from an international location, back-up plans should be in place in case those countries also institute a ‘shelter-in-place’ policy.

IMPLEMENT A RAPID SOURCING PROGRAM TO FILL ANY GAPS

If there are any critical gaps identified where a vendor cannot provide any contingency, the business unit should partner with procurement to source those capabilities from a secondary vendor for a temporary period. Procurement is usually well-suited to lead such efforts due to its market intelligence and large supplier contact base. Sometimes, an existing vendor in another business unit can be leveraged to provide an adjacent service, which procurement can facilitate through its involvement in multiple business units. If that is not possible, the issue should be escalated to the management to determine what resources can be allocated to bridge the gap internally.

IDENTIFY GAPS FOR CONTINUOUS IMPROVEMENT

This bulletin aims to expedite the setup of a TPRM program. Once this program is functioning, it’s a great foundation for putting in place a fully-fledged TPRM program that would detail even more defined policies and procedures as part of a larger enterprise risk management program.

Risk management is an ongoing process that closely monitors risk across the organization — and seeks to continuously improve itself over time. But before any company can improve, it has to know the effectiveness of its current state relative to industry benchmarks and metrics which will help identify gaps and help define road maps. To that end, organizations should:

• Create a scorecard to weigh and measure ongoing risk and track progress.
• Use the scorecard in conjunction with industry benchmarks to rate where your organization compares to peers in the banking, financial services or insurance industries.
• Establish standard contractual language to help mitigate risks across the board.
• Work across the organization on setting risk management objectives, identifying best practices and centers of excellence for risk and TPRM — and create one-, three- and five-year plans with named stakeholders and oversight.

Once these elements are all put into place, your TPRM program will have wider visibility throughout the enterprise in ways that can help manage risk more effectively and help ensure the program is on track to meet its intended goals.