TPRM and COVID-19 – The Next Shoe to Drop: Actually, it’s Potentially an Avalanche of Shoes

TPRM and COVID-19 – The Next Shoe to Drop: Actually, it’s Potentially an Avalanche of Shoes

May 13, 2020 | Business Continuity, Business Resiliency, Incident Reponse, Pandemic Planning, Supply Chain

shoes 1

After 16 years as a risk leader at Deutsche Bank, Victor Meyer recently joined Supply Wisdom as the COO. Supply Wisdom®️ is a real-time and continuous risk intelligence and monitoring solution that covers 14 categories of third party and location risks across over 300 risk parameters. A former US Navy SEAL, Victor was also formerly Vice-Chairman of the World Economic Forum’s Global Agenda Councils for both Pandemic and Catastrophic Risk.  In this blogpost, Meyer reflects on the fallout of the COVID-19 pandemic.


It’s a natural inclination during a protracted period of crisis or disruption to try to predict the “next shoe to drop”. The COVID-19 pandemic certainly invites this type of exercise as leaders seek knowns in an atmosphere of much uncertainty. But this pandemic is different than other types of crises with which most business leaders have had direct experience. The scale, cascading nature, interaction of impacts, and “novelty” factor makes the next shoe very difficult to predict. The current crisis is actually a combination of crises – epidemiological, economical, and most of all social, and the aggregated impact is stretching many supply chains and service providers’ capabilities to the breaking point. So, with COVID-19, I’m afraid it won’t be a single shoe, but rather an unpredictable avalanche of shoes we need to monitor as we manage the resilience of our supply chains and third parties throughout the lifecycle of a crisis that could last years, if not longer.


Looking back over the last couple of months, the first shoe to drop for many organizations was that social distancing and/or government policies to stop the spread suddenly required large numbers of employees to work remotely. For many companies and third parties this was a significant stumbling block as they were unprepared to enable large portions of their staff to work from home in the short timeframe they were given.  Imagine though if business leaders had been monitoring the virus spread continuously since it was first reported back in January 2020.  If they had monitored the spread and the resulting effects, instead of waiting for the government restrictions that required work from home, they could have been prepared because they had proactively taken the steps to enable a smooth transition to work from home and/or quarantining infected individuals.  Instead, many companies stumbled due to restrictive security policies/practices that had remained unchanged. For others, it was the lack of hardware and infrastructure limitations, such as not enough laptops and inadequate local internet bandwidth, that tripped them up because they were not prepared for the increased needs.


The Next Shoe

Many experts in our discipline believe the next shoe to drop will be the deterioration in the financial condition of third parties. I agree with this assessment as bankruptcies related to COVID-19 (both personal and corporate) are expected to set records in the next 12 months. 1 What exactly will this mean for your organization?


Financial impacts may also extend to the macroeconomic level, including reduced tax revenue, sovereign defaults or the imposition of capital controls in some countries. Insurance may become unaffordable and some organizations will struggle to make the investments necessary to reconfigure workplaces into safe places for employees to return to work. Employee healthcare costs will almost certainly increase.


But effective leaders will need to take their financial blinders off and monitor the operational and non-financial risks which are arguably larger and even more difficult to handle in terms of disruptions to their business in the short term.


Looking at a Third-Party Risk Framework that Goes Beyond Financial

For too long risk leaders have been almost entirely focused on financial risks: relying on point-in-time financial risk assessments which are virtually useless and even counterproductive in a rapidly developing situation like COVID. Hopefully risk leaders now realize they need to elevate their Third-Party Risk Management (TPRM) programs beyond point-in-time financial assessments. To be able to respond effectively to emerging risks, risks must be monitored continuously and provide real-time risk intelligence across a broad framework of potential disruptive risks.  So, what are some of the next “shoes” that I see on the horizon?


Cybersecurity – The large number of employees working remotely has increased the cyber susceptibility of third parties. Hackers are already using this new vulnerability to their advantage.  Companies will be at risk if they unable to ensure and verify that personal devices and Wi-Fi networks used by remote workers are following cybersecurity protocols.


Governance, Regulatory & Compliance – Compliance risks could materialize and result in penalties due to restrictions on typical working environments, lawsuits against third parties for failure to adequately protect employees from infection, and the breakdown in data privacy as confidential information is exposed due to unsecure work locations. Moreover, restrictions on employee working conditions will be constantly changing as business re-opens and protocols are gradually removed and then reapplied in areas where new outbreaks occur. Organizations should challenge business decision making to anticipate unintended second-order consequences of reputational damage. Consider Harvards decision to turn down funds from the CARES Act Higher Education Emergency Relief Fun after considerable public criticism. 2 Those banks that are using third parties to process the Paycheck Protection Program (PPP) applications would do well to risk assess and monitor these organizations lest they revisit the problems of mortgage servicers and insurance assessors on the back of the financial crisis.


People – Levels of absenteeism could increase as the pandemic reaches peak levels, and organizations will be subject to the unpredictable effects of employee layoffs both at their own organization and at third parties as financial health of these organizations deteriorates, and workforce team restructuring occurs. We also need to consider a future where employees are reluctant to use mass transit or even work in a physical office environment. When books are written about this crisis, I am confident that they will talk about how we grossly under-estimated the effects of the pandemic on societies’ mental health.


Client – Third parties could experience significant loss of clients if the pandemic is prolonged. This could occur as a result of consolidation or as organizations refocus on costs and concentrate their supply chains and third parties to gain more pricing power. Those third parties that suffer performance problems could find themselves in a financial death spiral as they are offboarded by successive clients.   


Solutions Maturity – Due to financial pressures, third parties may not have funds to invest in products or solutions upon which your organization relies resulting in them being deficient, underfunded or even discontinued.


Looking Beyond Third Parties to Location in Which They Operate

A pandemic is at its very core a location-based risk. In this case, starting in Wuhan, China as an unnamed viral pneumonia. 3 It then spread from location to location around the world. As the effects of a pandemic vary widely in different locations due to local infection rates, local healthcare infrastructure, and government policies and restrictions to control the spread of the pandemic, it’s important to monitor risks beyond individual third parties to the locations in which they operate.  Location-based risks are constantly in flux during a pandemic as facts and policies change from day-to-day. It’s critical that these changes are monitored continuously.  Last week’s news is irrelevant to what’s happening on the ground today, and the facts in one location have no bearing on what’s happening in another location, sometimes within the same country.  A comprehensive location risk framework should include the following categories of risk:


Geo-Political  – Travel limitations may change dramatically as the pandemic continues or re-outbreaks occur, government regime changes and increased risk of corruption may increase as unscrupulous government officials take advantage of the current situation, crime and social unrest may increases as the economic downturn affects citizens financial health, and other natural hazard events could exacerbate the problem created by the pandemic. For instance, during the rainy season in India there are frequent power outages.  At an office this is not usually a problem due to backup generators, however while working from home employees may not have a backup power supply.


Legal – Changes in laws and government regulations may restrict operations or reduce desirability of operating in a certain location. We are already seeing potentially severe restrictions on immigration. Litigation risks may emerge in some very unprecedented ways.


Business – The economic downturn may be felt more acutely in some locations and result in a negative effective on the overall business atmosphere, which may lead to a decrease in foreign investments, trade relations, and credit availability.


Financial – The economic downturn in some locations may result in increased costs of doing business due to increased labor costs, fuel/electricity costs, tax rates, telephone/Internet costs, and office rents/real estate costs.


“The IMF is responding to an unprecedented number of calls for emergency financing – from 102 countries so far. The Fund has doubled the access to its emergency facilities allowing it to meet the expected demand of about $100 billion in financing.” 4


Macro-Economic – Decrease in country’s economic health may result in inflation/consumer pricing, interest rates, currency fluctuations, stock market fluctuations that even the best stock trading app can’t predict, and as mentioned previously, impacts could be reduced tax revenue and as severe as sovereign defaults.


Scalability – Industry shrinkage due to bankruptcies, exit of third-party players or reduction in government investments, shrinking talent pool and graduates, and increases in attrition and absenteeism may be significant.


Infrastructure – Work from home requirements may overtax the local internet infrastructure, and companies may be unable to replace technology equipment as supply chains are hindered. In France, for instance, Amazon was unable to deliver non-essential products.  In India, employers were not allowed to deliver laptops to new hires required to work from home.


Quality of Life – Government restrictions on movement, overtaxed healthcare infrastructure, and increases in crime may all reduce quality of life in certain locations.



The impact of COVID has been so far-reaching that it’s almost inevitable that the cascade of risks will in some way affect your supply chain and third parties.  Many leaders will continue to say the current situation is novel, and we can’t predict the future. While I agree that the next shoe or shoes to drop may be difficult to predict, the unpredictable nature is exactly where continuous monitoring is not only helpful but necessary. Continuous monitoring across a broad framework of risks beyond financial enables successful navigation of the challenges ahead.  When leaders are provided with the early warning and intelligence that true continuous monitoring provides, they not only understand where the changes are occurring, but most importantly are empowered to take quick action on proactive and effectively targeted risk mitigation decisions.   With continuous monitoring, you get an early warning of the next shoe or shoes to drop before it happens or as soon as it happens.  Simply stated the sooner you know, the faster you can take action. 


It’s clear the only way to effectively keep ahead of what’s next is to enable a continuous monitoring solution across a broad framework of risk.  But one more consideration during a crisis like COVID is information overload.  Risk intelligence must be curated because you can’t efficiently and effectively mitigate risk if your team is sifting through the noise on the pandemic to find information relevant to your supply chain and third parties.


I am convinced that we will be in “modified crisis management mode” as we continue to grapple with the virus and the second order effects described here for the next two to three years.  Therefore, organizations must access a curated and continuous monitoring solution covering a broad framework of risks to ensure that they are prepared for the next shoe to drop.



Sabine Zimmer

Sabine is Vice President of Marketing and Sales for Shared Assessments. Sabine enjoys collaborating across teams to build a stronger risk management community. When she's not at work, she is outdoors in the Southwest with her family.

Sign up for our Newsletter

Learn about upcoming events, special offers from our partners and more.

Sub Topics