Count The Case of the Vanishing Vendor among the many pandemic-related unknowns and challenges third party risk management (TPRM) professionals were forced to contend with in 2020. Solving this mystery and developing virtual assessment strategies qualify as top 2021 priorities for TPRM teams, notes Shared Assessments Senior Vice President and CSO Brad Keller.
“The pandemic not only caused service disruptions,” Keller says, “it also caused vendors to disappear.” Those business closures, and the exit strategies that should cover such scenarios, mark one of several other challenges looming for TPRM groups during the next 12 months. “We all need to optimize the way we function virtually because this is going to go on for a while,” Keller continues. “Many companies dipped their toe into virtual assessments prior to the pandemic. Now, there’s essentially no option besides performing most, if not all, assessments in a virtual manner.”
Keller will also be keeping close tabs on a handful of other TPRM issues in 2021, including:
- Assessment Virtualization: While it is fortunate that many outsourcers and third parties made headway on virtual assessments throughout 2019, substantial progress is needed. Prior to the pandemic, virtual assessments were primarily viewed as a way to keep costs down while reducing the drain on vendors’ resources. Now, amid public and corporate social-distancing and travel restrictions, virtual assessments are often the only type of control testing that can be performed. This requires TPRM professionals and their vendors to bone up as quickly as possible on virtual assessment strategies and tactics, especially the process of remotely testing controls. While virtual assessment processes are crucial to implement and improve, Keller stresses that supporting technologies and human interactions represent equally important enablers. “Adapting how you collaborate is key,” he says. “Virtual assessments require a different set of planning and collaboration skills. You need to focus on how to get the vendor comfortable sharing their information electronically. A Zoom call alone is not going to cut it.”
- Homing in on Policy Overhauls: The widespread move to work-from-home (WFH) models has companies and their vendors scrambling to catch up from a policy perspective. “Companies need to create new requirements for how their employees conduct themselves in the home work environment,” Keller notes. “Do they have any voice-activated devices in the room? If so, those need to be unplugged.” If not, those devices may be recording conversations between outsourcer and third-party employees, including any sensitive information regarding IT security controls that is discussed. “This year, many organizations figured out how to do a lot more work virtually,” Keller says. “Those adjustments are great, but the question remains whether or not corporate policies and procedures allow you to perform those activities that way. That needs to be addressed in 2021 or more organizations are going to get flagged by internal auditors, external auditors and/or regulators.”
- Exit Strategies: COVID-19’s impacts exposed flaws in TPRM processes, Keller says. One of the most common shortcomings concerns the process for exiting a third-party relationship when the unexpected strikes. “There have been numerous instances where vendors have thrown their hands up and said, ‘We’re shutting down,’” Keller reports. “Most TPRM programs aren’t prepared for that. When we typically consider termination, we’re referring to a lengthy decision-making process — not a sudden disappearance.” Plus, while most contracts include a force majeure clause to give an outsourcer an out if the vendor cannot deliver a service, enacting that clause may not be in the outsourcer’s best interest. COVID’s sudden business impacts require rethinking exit strategies (to better align those approaches with organizational resilience objectives) and the ways contracts are adjusted — as opposed to simply being cancelled — when unexpected events disrupt service delivery.
- Expanded Remote Access Issues: Prior to COVID, a vendor may have only permitted client data to be accessed via a secure office network. A recent study by E&Y and IAPP found that 60% of the companies that rolled out new technology due to COVID bypassed or expedited security reviews. “With many vendor employees now accessing systems and data via remote access, even vendors who were recently assessed should be evaluated for the security of their remote access implementations,” Keller notes. “Consider what your company needed to do — or should have done — to ensure that remote connections are secure. Every one of your vendors has to do the same thing. The question is: How well did they do it?”
Getting to the bottom of that disquieting mystery will be one of the top priorities TPRM teams address in 2021.