Chaos and disruption have been the story thus far in 2020, and the world of third-party risk management has been no exception.
Knowing how your organization’s data is being handled and protected by your third parties has always been a challenge and the current situation has only complicated these procedures. While there is no perfect roadmap to navigate these difficulties, companies are finding ways to adapt and gain peace of mind over the protection of their data. These are a few best practices we have seen over the past year that can help improve your vendor management program.
Communication
Beyond the annual assessment or questionnaire, maintaining an open dialogue between you and your vendors is absolutely critical. Whether it be staffing issues, financial problems within the company, or even just the regular stresses of working from home, your vendors are facing the same challenges many of us are in the current setting and are often conducting business in different ways than before. Even the occasional email or 15-minute call with your vendor contact can open up communication lines and perhaps uncover challenges vendors are facing that wouldn’t show up in an annual assessment. It is important to have an open communication line so that you and your business can anticipate and counteract potential issues before they arise.
Emphasis on Resiliency
Before this year, having a Pandemic Procedure outlined in your Disaster Recovery Plan seemed like a formality. Unfortunately, as the world found out the hard way, truly anything can happen. It is important to be sure that your vendors, especially those critical to your business’ functions, have procedures and resources outlined in order to keep their business operational. Beyond documented procedures, performing a tabletop walkthrough has become a best practice in order to establish roles and responsibilities for key members prior to dealing with an actual event. Give emphasis to your vendors’ resiliency plans and procedures. Remember, to be proactive is to be prepared.
Virtual On-sites
While there is no replacing in-person interaction, companies everywhere are finding ways to make do virtually. The relationship can be maintained, but gaining reliance on controls can be tricky, especially physical controls that require observation. The ability to leverage third-party attestations such as SOC 2 or ISO 27001 is truly invaluable when you are unable to affirm these controls yourself. Additional evidence can be obtained to satisfy most controls, but reports such as these can offer peace of mind when operating in a virtual world.
Peace of mind is hard to come by these days and data security is never certain. Hopefully these tools we have learned over the past few months can be used to prep your vendor management program for whatever comes next in 2020.
Related Articles
This article is part of a series exploring the importance of third-party risk management programs; you can view additional articles below.
- Third Party Risk Management Planning During COVID-19
- Compliance and Third Party Risk Management: A Function for Continued Success
- The 5Ws and H of Third-Party Risk Management
- How Third Party Risk Management Caters to Your Organization
- Your Cyber Program is only as Strong as Your Weakest Link – Including Your Vendors
- Secrets Revealed: What Your Third Party Auditors Don’t Want You to Know
- Third Party Risk Management Virtual Assessments Forced by Pandemic
- Mind Your T’s and C’s
About Schneider Downs Third-Party Risk Management
Schneider Downs is a registered assessment firm with the Shared Assessments Group, the clear leader in third-party risk management guidance. Our personnel are experienced in all facets of vendor risk management, and have the credentials necessary (CTPRP, CISA, CISSP, etc.) to achieve meaningful results to help your organization effectively achieve new vendor risk management heights.
Learn more at www.schneiderdowns.com/tprm or contact us for more information.