If you had an examination starting tomorrow, would you be ready? If one of your critical third parties announced it was ceasing business, would you be prepared? If there’s a big data breach at one of your third parties, are you notified?
Unfortunately, sometimes the answer to any of these is, “No, I didn’t see that coming.”
Be Proactive
That’s the reason to always be prepared. You can’t prevent every problem, of course, but you can still greatly reduce the number of future vendor issues and headaches. Here are some tips:
1. Have a solid foundation for your third-party program. Include things like:
- Strong notification requirements in your contracts
- A robust system for monitoring negative news or outages
- A well-documented approach to categorizing risk
- Regular review of documentation
2. Have proper support
- Get involvement from business leaders, such as senior-level and/or board-level personnel (without this commitment, funding is not available, and policies cannot be approved)
- Utilize subject matter experts throughout everything
- Don’t be afraid to use subject matter experts outside of your institution
3. Assess risks through risk analysis and decide whether to mitigate, transfer, avoid or accept each risk
- Results of the risk assessment are used to create the business impact analysis
- Use standardized criteria to measure and assess the financial, operational, customer-related, regulatory or reputational impacts, as well as Recovery Time Objectives and Recovery Point Objectives
- Don’t forget about reputational impact: make sure you respond to all situations and are able to continue operations
4. Do drills – run through various scenarios of what could happen
- Involve audit or business continuity management, legal or compliance
- This ensures everyone involved in the plans has knowledge and experience in the activities they will be required to perform
- The results of these drills allow your teams to adjust and improve plans
5. Review processes often
- New risks and answers to those risks emerge and evolve constantly
- Ensure that the vendor is prepared to respond to whatever situations arise
It takes a coordinated effort to get it all done, but it’s manageable if you start with a defined process and detailed steps to follow. Again, you can’t prevent all problems, but you can minimize their impact.