Monitoring critical vendors’ response to COVID-19 and the effectiveness of their ongoing business continuity management (BCM) remains a key element of vendor management.
The pandemic has raised questions about assessing critical vendors’ business continuity that even has financial institutions with strong vendor management programs scratching their heads.
Here are three of the most frequently asked questions:
Does my vendor have to continue testing its business continuity plan (BCP) even though its currently using it?
Yes, your vendor should still be testing its BCP. There are still many threats beyond the pandemic that could cause further disruptions, including cyber breaches and natural disasters.
Just because we are currently living through one crisis doesn’t mean we don’t have to protect against others.
One critical vendor sent us a FAQ on how it’s responding to COVID-19. Is this enough documentation?
Maybe. If the document is only focused on what the vendor is doing to address the risk of staff shortages and what it’s doing to protect personnel and ensure it has a team in place, that’s helpful but it may not go far enough.
The vendor needs to go into the details of BCP, such as the security measures in place while working from home (WFH). Information like this is highly relevant to the safety, security, and resiliency of the vendor.
What if a vendor isn’t responsive to our questions about its COVID-19 response?
This happens a lot. Vendors are very busy, and they are getting a lot of requests, yet your FI needs this information to make important decisions about operations.
The key is to outline your framework. Make it clear which questions you need answered as a regulated financial institution and give a reasonable deadline. Make sure you have a clear contact and know who to escalate queries to. You can also try to escalate by reaching out to your salesperson or talking with other institutions working with the vendor.
If at the end of the day you can’t get a response from your vendor, document your attempts to communicate and whether the vendor is still operating and conducting business as normal. If all of that is working well for you and you’ve documented the communication process, you can at least demonstrate that you tried.
The final option, and one that I don’t recommend, is getting a new vendor. It’s an extreme action.
There’s no silver bullet for making your vendor give you all the information you’re looking for. The more regular dialogue you have with your vendor, the more likely they are to respond to you.
To learn more about vendor management during COVID-19 and what to expect going forward, download our whitepaper, COVID-19, Vendor Management & Managing the New Normal.