
5 Ways to Ensure Third-Party Business Resilience During Economic Downturns

Use these best practices to determine whether your vendors and suppliers are able to handle operational or financial disruptions during recessions and other challenges.
By: Scott Lang, VP, Product Marketing
August 24, 2022

With some economic indicators pointing toward a possible recession, now is the time to ensure that your suppliers, vendors and partners have the business resilience practices necessary to weather the financial storm and mitigate the risk of resulting service or delivery disruptions. If a vendor or supplier misses its financial expectations, it may be forced to lay off employees, cancel contracts, or adjust business development efforts or investments.

Even if the economy is not headed toward a downturn, having strong third-party business resilience procedures in place can prepare your organization for other potential disruptions. To help you benchmark your processes, here are 5 best practices for assessing third-party vendor and supplier business resilience.

1. Build and Enforce Availability, Delivery and Business Continuity Measures in the Vendor Contract

The process of agreeing to and managing service levels, delivery timelines, and business continuity processes with vendors and suppliers can be quite complex. It starts with the contract. Manual methods of agreeing to terms, tracking changes to key provisions, and circulating for approval will almost certainly lead to missed key performance indicators (KPIs) and complicate contract renewal discussions. That’s why it is essential to automate the contract lifecycle – from distribution and discussion, to retention and review. A contract lifecycle management solution will:

  • Centralize tracking of all contracts and contract attributes such as type, key dates, value, reminders, and status
  • Offer workflow capabilities (based on user or contract type) to efficiently move the contract through its lifecycle
  • Automate reminders and overdue notices to streamline contract review
  • Centralize contract discussion, storage and comment tracking – with audit trails of all access
  • Provide version control tracking so that all parties review the current version of the contract
  • Migrate the completed contract into a risk assessment platform for full due diligence

Simplifying the process of managing and chasing vendor contracts, redlines, dates, and other key attributes ensures that key availability, delivery or business continuity provisions are well-managed from the beginning of the relationship. SLAs and KPIs can then be extracted from the contract for ongoing review and management, providing a central repository to proactively track key metrics. If a supplier is unable to meet its commitments because of financial challenges, agreed-upon contract provisions can help mitigate the impact to your enterprise.

2. Profile and Tier Third Parties to Understand Criticality

Knowing which third-party vendors and suppliers are critical to your operations is an important step in assessing your risk exposure should they fail. If a vendor/supplier directly supports service or product delivery to your customers, consider the following tiering criteria:

  • Location: Are there specific legal or regulatory considerations (e.g., additional data protection measures for GDPR)? Are they exposed to geo-political risks or in an area prone to natural disasters that might require failover sites?
  • Processes and data: Is the third party directly interfacing with client-facing processes? Are they interacting with your protected customer data?
  • Nth-party dependencies: Are there sub-outsourcing arrangements in place or is the third party heavily reliant on a particular 4th-party technology supplier (indicating concentration risk)?
  • Financial status and reputation: Is the vendor/supplier financially healthy, and do they have a good reputation?

An effective tiering and categorization process enables you to calculate inherent risk, while informing the scope and frequency of ongoing assessments and other due diligence efforts.

3. Assess Third-Party Business Resilience Practices Against Best Practices Frameworks

Once third-party suppliers are onboarded and an inherent risk assessment has been performed to determine criticality, you should then assess the third party against an industry-standard framework for business resilience. NIST, ISO, SIG, and other standards include business resilience provisions in their frameworks. A business resilience assessment solution will:

  • Offer flexibility in assessment templates, automatically mapping responses to the framework for measuring best practices or compliance
  • Automatically generate a risk register upon survey completion so you can see and prioritize missed or underperforming third-party controls
  • Identify outliers across assessments that could warrant further investigation
  • Automate actions based on assessment results, for example raising a risk score or kicking off an analysis process
  • Provide remediation recommendations to help the third party mitigate a risk or control failure
  • Map 4th and Nth-party relationships, showing dependencies and flows of information

Third-party business resilience assessments should be performed regularly, not just at the start of a relationship, to ensure the vendor’s plans are up to date.


4. Continuously Monitor Third Parties for Financial and Operational Disruptions

Point-in-time assessments are a valuable and necessary part of third-party risk management, but a lot can happen in between regular assessments. That’s why you should continuously track and analyze public and private sources of vendor business and financial information in addition to cybersecurity data to validate assessment responses. Common sources include:

  • Cyber: Criminal forums; onion pages; dark web special access forums; threat feeds; paste sites for leaked credentials; security communities; code repositories; vulnerability databases; data breach history
  • Business news: M&A activity, business updates, negative news, regulatory and legal information, operational updates
  • Financials: Organizational changes and financial performance, turnover, profit and loss, shareholder funds, liquidity
  • Reputation: Sanctions lists, politically exposed person profiles

The challenge that many organizations face when trying to monitor their vendors is the sheer number of data sources that require regular manual curation. A consolidated third-party risk monitoring solution will collate data from these sources and integrate with assessment platforms to validate findings. A more automated approach will help you be more proactive in spotting potential third-party business disruptions or financial concerns and taking the appropriate action before your company is impacted.

5. Get Your Own House in Order

Before chasing vendors and suppliers for their business resilience plans, make sure your company has one in place. Key elements of a business resilience and continuity plan include:

  • Vendor and asset inventory: This is where a tiering and profiling plan is helpful.
  • Business continuity procedures: Identifying the severity of outages or failures, and documenting plans to implement responses.
  • Communications plan for disruptions: Collating lists of internal and third-party contacts to keep up to date as the situation evolves.
  • Failover or back-up plans: What the plans are, when to implement them, and what constitutes a normal operation.
  • Timelines: Defining recovery and return to operations.

Your organization’s business continuity and resilience plan should be regularly reviewed by a multi-disciplinary team to ensure it is current and relevant to all parts of the business. It’s important to note that a business resilience plan is equally valuable in a natural disaster, pandemic, supplier disruption, financial problem or during a cybersecurity incident such as a ransomware attack.

Next Step: Download the Free Third-Party Operational and Financial Resilience Questionnaire

To help you and your team get started on the path to determining your vendors' and suppliers' business resilience practices (and to shore up your own), we have developed a 10-question assessment for evaluating operational and financial risk. The questionnaire is specifically designed to determine whether third parties have implemented the business resilience measures necessary to sustain operations during recessions and other economic disruptions. The survey can also be adapted to meet your organization's specific requirements and policies. We also offer additional business resilience resource templates to address broader resilience issues.

Download the third-party operational and financial resilience questionnaire or schedule a demo today to learn how Prevalent can help.

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software. He can be reached on Twitter @scottinohio, LinkedIn and Facebook.