Media headlines continue to debate the world response to the current Ebola crisis. The spread of the disease and the attention to response protocols have resurrected pandemic concerns, even though the Ebola virus is not airborne. Pandemic planning can be an important component of business resiliency plans, depending on the nature of the business and the risks to operations if people are ill or quarantined for extended periods of time. While the use of lockdowns and discussion of airport security controls makes for headlines on the news shows, managing risk for any pandemic starts with basic risk assessments. The World Health Organization (WHO) is updating its recommendations as it monitors this outbreak.
I remember receiving my first due diligence questionnaire on Avian bird flu as a service provider; it was sent as a mass mailing to all vendors of the requesting financial institution. At that time the risks and concerns worldwide were considerable; the approach of a mass mailing made the due diligence effort feel more like an exchange of paperwork to check a rudimentary business continuity compliance box vs. an assessment of the true third party risk.
As the recent influx of guidance has shown, regulatory oversight of third party service providers is at an apex not seen in recent decades. Whether serving financial institutions, healthcare companies, energy, education, or the government sector, each business vertical should assess its pandemic risks and apply a risk based approach to deciding how thoroughly to assess the readiness of its third party service providers. The starting point is to look internally at the risk to your own operations if your employees or customers were at risk of contracting or spreading a communicable disease. The next lens is to look externally at your base of third party relationships, triage the services they provide to your organization, and assess the likelihood that their service to you could be affected by restrictions on their people resources due to a disease like Ebola.
Traditionally, geography has played a factor in the development of business continuity and disaster recovery plans. Earthquakes, hurricanes, tornadoes, and floods can at least be planned for based on the likelihood of known environmental factors or anticipated weather patterns. The spread of disease, however, is driven by human factors, which are not only hard to predict but more difficult to manage and contain. While the source of the current outbreak is concentrated in a particular geographic region, we live in a very connected world. The focus on airport security and travel controls is thus an expected priority to help prevent the spread of disease. However, because of that same interconnectedness of technology and a global marketplace, organizations are also very dependent on third party service provider relationships.
The starting point is the internal and external risk assessment.
Review your existing risk profile within your organization
Consider these questions as a starting point for developing a risk based approach to defining your organization's response to pandemic planning in light of recent events.
- Is your organization in a unique position of having a greater potential for direct interaction with, or provision of service to, people who may have come into contact with affected individuals?
- Do you serve a geography that has greater potential for having people traveling to/from the affected regions?
- Are your operations highly dependent on people and the availability of the labor force?
- Do you have an existing business continuity plan that accounts for the potential of quarantines or long term employee absences?
- Does your organization have critical third party service providers that are highly resource or people centric?
Assess your third parties for risk outside your organization
In a risk based approach to third party risk, organizations triage their third parties and determine which ones pose a higher pandemic business continuity risk to the organization, based on the nature of the services they provide. Consider your dependency on their services, and the degree to which that service depends directly on supplier personnel. The first step is to review your inventory of vendors to determine which third parties have the greater potential to impact your operations if they incur staffing challenges due to pandemic or Ebola risks. The second step is to assess the need to confirm your third party vendors' readiness to respond to the related risks. The third step is to ensure you evaluate your contingency plans or readiness plans across suppliers.
Here are initial considerations to assess and confirm, but only with your critical third party service providers that have the greater potential to disrupt operations due to staffing challenges resulting from quarantine or long-term employee unavailability.
- Does your third party supplier operate in a geography that has greater potential for having people traveling to/from the affected regions?
- Is the service the third party provides highly people-centric, or does it require dedicated staffing levels?
- Does your third party supplier have geographically dispersed operations to minimize risk of localized outbreaks of diseases?
- Does your third party have the capacity to enable work from home for critical functions?
- Does your contract or SLA address parameters for business continuity for situations of pandemic?
Bottom line, monitoring business continuity risks for pandemics is important – Ebola brings a different nuance to that planning due to the unique way the disease spreads. Organizations should not create a “one size fits all” approach to risk assessment for pandemics – each disease is different. When addressing third party risk, resources need to focus on the critical suppliers that pose the greatest risk potential, vs. a cookie cutter vendor questionnaire approach.
Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe's compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.