Wednesday, April 1, 2020

COVID-19’s Impact on Third-Party Risk Management


While the long-term business impacts of COVID-19 aren’t yet clear, organizations would be wise to evaluate potential new vendor risk management issues associated with their third-party providers. Companies that depend on many third-party service providers to drive critical processes could run into issues if there are disruptions to those dependencies. Third-party providers that handle an organization’s technology infrastructure may not be able to deal with additional capacity demands as systems are utilized beyond their intended capacity.

If your company believes there is a potential for service disruptions, consider taking the following steps to help mitigate them:

  • Review the third-party vendor population, prioritize those services that are critical and operate in heavily affected regions, and evaluate if those services will be impacted.
  • Reach out to these critical third-party vendors with an updated due diligence evaluation questionnaire that lets the vendor detail whether and how they are affected, and ask them to outline the steps they have taken to prepare, mitigate and manage their response.
  • Discuss the third-party vendor’s pandemic preparedness plan (if there is one) and ask if it has been invoked.
  • Review service level agreements (SLAs) in place with key third-party service providers to identify risk areas where something could go wrong that would likely not occur under normal circumstances. Consider the implications if the service provider does not meet its SLAs, and what triggers exist in that case.
  • Consider organizing regular touchpoints with vital third-party vendors, to monitor the ongoing evolution of COVID-19’s possible impact on service levels.
  • Ensure that organizational personnel responsible for third-party vendor oversight understand how to assess the impact and mitigation process if issues arise.
  • Perform a third-party risk assessment with your critical vendors, discussing any potential service disruptions and the impact on operations if those disruptions occur.
  • Create or update your organization’s third-party service strategies to include alternative providers, and consider the impacts on critical processes if providers are changed.
  • Keep key internal and external stakeholders informed of issues or changes resulting from third-party issues.
  • Assess the impact of delays to code changes, security patch updates or any other changes.
  • Review third-party vendors’ security policies, processes and procedures to ensure that new vulnerabilities are not being introduced to the organization due to the rapid changes caused by the pandemic.

COVID-19 has changed the way organizations conduct business and manage their remote workforces. Organizational processes for monitoring third-party vendor risk should be revisited to ensure that risk is not going unmitigated.

For the latest regulatory updates and more information on keeping your business running through disruption, visit our COVID-19 Resource Center.
