The introduction and rise of the coronavirus, also known as COVID-19, has caused many to ask, "Are we prepared for a pandemic?" For financial institutions, pandemic planning has been part of the business continuity management process since its introduction in the 2008 version of the FFIEC's Business Continuity Planning booklet. But what about your vendors? Are they as prepared as you are? This article will help you know which vendors need to be prepared for a pandemic, as well as what steps you can take to ensure they are ready.
Create a List
When asking a question like "which vendors need to be prepared for a pandemic," the obvious answer should be "all of them." However, each third party would not impact your organization in the same way, should they be affected by a pandemic. As such, it is important to focus your time and attention on vendors who pose a greater risk.
If you have read our Four Steps to Simplify Your Vendor Due Diligence Process article, you should be familiar with the "if-then" method. When determining which of your vendors need to be ready for a pandemic, you should ask two questions.
- Would the organization be significantly affected if the vendor's services were temporarily unavailable?
- Does the vendor use subcontractors in the performance of critical functions?
If the answer to either of these questions is "Yes," then you should add the vendor to your "needs to be prepared" list.
Request and Review Documents
While the "if-then" method helps classify your vendors, another great benefit of this methodology is it can also define the due diligence documents you should request and review. For example:
- If your organization would be significantly affected by temporarily unavailable services, then you should request the vendor's "BCP Documentation."
- If the vendor uses subcontractors in the performance of critical functions, then you should request the vendor's "Subcontractor Due Diligence."
Both documents can provide valuable information about whether a vendor has prepared for a pandemic or not. The way you know they are prepared is by reviewing these documents. For each document type, some questions to ask include:
- BCP Documentation:
- Does the vendor have a plan in place to operate with limited staff?
- Has the vendor tested this scenario in a BCP exercise? If so, what were the results?
- Subcontractor Due Diligence:
- To what extent does the vendor rely upon subcontractors to perform the services contracted to the organization?
- Are any of the subcontractors foreign-based? If so, are they in an affected area?
- Has the vendor requested and reviewed their subcontractors' business continuity documentation? If so, did the vendor identify any results that could negatively impact your organization?
These items are particularly important to consider in light of supply chains. In the event certain manufacturers are unavailable or temporarily stop production, you should understand if your vendors can obtain the resources needed to provide products or services to your organization.
Make a Decision
If the results of your review are satisfactory, you can rest easy knowing you have done your best to ensure your vendors are ready for a pandemic.
If you have reason to believe a vendor may not be able to provide services in the event of a pandemic, here are some additional steps you can consider.
- Revisit the Contract Review
Ensure you understand the vendor's Service Level Agreements (SLAs) and what circumstances may constitute default or termination of the agreement.
- Review Your Termination Contingency Plan
Should the vendor be unable to provide services indefinitely, ensure your contingency plan defines how you plan to continue the service (e.g., in house, converting to another vendor, etc.).
- Update Your Vendor Risk Assessment
A vendor's inability to meet contractual expectations in the event of a pandemic could result in increased operational, transaction, or reputation risk. These increased risks should be noted and evaluated in consideration of the organization's risk appetite.
- Document Communication and Set Reminders
Record all communication with the vendor and create reminders to follow up. This can demonstrate your efforts and help you stay informed of any changes your vendors have made to improve their preparation.
Let Tandem help ensure your vendors are ready for a pandemic. With Tandem Vendor Management, you can create the list of vendors using the "if-then" method, request applicable documentation with ease, and review the documents using our BCP and Subcontractor review templates.
With Tandem Business Continuity Planning, you can create, document, and test your business continuity plan. Integration with Tandem Vendor Management allows you to connect applicable vendors to your organization's processes, systems, and BCP exercises.
The best time to ensure your organization and vendors are prepared for a pandemic is today.