How is your pandemic plan working with your vendors? by Branan Cooper
Until recently, a pandemic plan was still an obscure concept for most people, except perhaps an organization’s business continuity manager, information security staff, or the board who had to review it annually. That all changed earlier this year with the outbreak of the coronavirus. Suddenly, pandemic plans became a major concern, not as an obscure topic, but instead as an operational reality.
Pandemic planning is (and always has been) a requirement
Organizations may have been required to have formal pandemic plans for quite a while. The problem is, when was the last time an organization actually pulled its plan out, dusted it off and really thought about its implications?
As part of their overall third-party risk management process, many organizations go through the required perfunctory exercise of reviewing and approving their plans and vendors’ plans each year. It is doubtful that most contemplated a working world in which nearly everyone would be working remotely. Coupled with that, of course, is the reality of having school-age children, spouses and others competing for time and attention and perhaps, in many cases, even internet bandwidth.
Remote work is becoming the norm, bringing increased security risks
There are many challenges and increased risks that come with remote working. With most of – maybe all – your organization’s data flowing freely to remote locations, how certain can you be of the security implications? Not just the online security, but the physical security as well. Do the employees routinely shred the materials they are printing and reviewing, particularly if they contain non-public personal information such as customer data?
Underlying all of this are the organization’s vendors. The old adage, “a chain is only as strong as its weakest link,” truly comes into play here. Even if your organization has a rock-solid approach to pandemic planning or has a great way of hardening its network, what about all the vendors? There could be hundreds, perhaps even thousands, of vendors involved, with many of their employees working remotely.
2 steps for vendor awareness during the pandemic
There are two steps you should take to ensure proper vendor awareness during the pandemic:
1. Maintain an open line of communication and discuss expectations with vendors. It has never been more crucial than at this inflection point. Understanding their practices is vital, particularly to the extent that they are housing, distributing, transmitting, or discussing nonpublic information about your customers.
2. Document the potential business impact that you anticipate, the steps being taken to mitigate that risk, and any incidents that occur. Ideally, much of this type of planning has taken place long before any potential pandemic event occurs, but many organizations have treated this as a formality with a remote possibility, rather than an actual exercise to consider.
Lessons learned
Once this pandemic crisis is over, it is a good opportunity to get your team together and do the following:
Discuss what went well
Discuss what did not go well
Perform a gap analysis on items needing improvement
Discuss what should be implemented based on the learnings
Perhaps you find that you need a better understanding of certain vendors’ strategies, or perhaps there is a need for better internal and external communications. It could mean employee training for both your organization and the vendor. Whatever the case may be, document the analysis well and assign individual accountability where necessary to ensure that actions are followed through before the next pandemic event occurs.
The lessons learned in times of crisis help us prepare for the next one. They provide a real-life opportunity to look at the situation with the benefit of experience and hindsight and to see what we could have done differently or better via communication with the senior management team, the board, and vendors, which is always a valuable exercise.
In closing, for additional perspective, refer to the FFIEC’s Interagency Statement on Pandemic Planning from March 2006, which was published during the Asian avian flu pandemic, and the more recent Interagency Statement on Pandemic Planning from March 2020 in response to COVID-19. While these were written for financial institutions, the guidance provides instructions that can apply to all types of organizations and contains a variety of additional instructive references from other reputable groups.
author Branan Cooper
Branan Cooper is the Chief Risk Officer at Venminder. Branan has nearly 30 years of experience in the financial services industry with a focus on the management of internal processes and controls—most notably in the area of third-party risk and operational compliance. Branan leads the Venminder delivery team as the third-party risk management subject matter expert in residence.
Branan is also a member of Infragard and PRMIA. He was selected in 2018 as an advisor to the Center for Financial Professionals (CEFPro) and board member for the Global Sourcing Research Network (GSRN).