Tips for Reviewing Your Vendor’s Pandemic Plan

Traditional Business Continuity and Pandemic Planning require management to follow a periodic process of planning, preparing, responding, and recovering.

According to the Occupational Safety and Health Administration (OSHA), “With 85% of the nation’s critical infrastructure in the hands of the private sector, the business continuity plan plays a vital role in ensuring national pandemic preparedness and response.”

There are, however, distinct differences between business continuity and pandemic planning. Business Continuity Planning and Disaster Recovery (BCP/DR), often referred to as Resiliency and Recovery respectively, considers the effects of various events like natural or man-made disasters, technical disruptions, and cybersecurity breaches. These events may differ in their severity but are usually shorter in duration or limited in scope.

Pandemic Planning is defined by a unique set of obstacles, given how the impact is much more difficult to determine due to the difference in scale and unknown duration. As a result, the Pandemic Plan must be flexible enough to respond to an extreme range of possible effects that could result from a pandemic. Most importantly, Pandemic Planning should reflect the institution’s size, complexity, and business activities.

Why you should care

No individual or organization is immune to the adverse effects that might ensue from a pandemic event. The global economy must prepare and adapt to the effects of a pandemic disaster which will be widespread and threaten not just a limited geographical region or area, but potentially every continent. Additionally, it’s essential to plan for multiple waves of outbreaks that could last two to three months and occur over a year or more.

Pandemics will test every department’s preparedness and response, from risk management, HR, and the C-Suite to security, maintenance, and janitorial. Lax Pandemic Planning and preparation can trigger a cascade of failures, such as insufficient resources and procedures and inadequate training for essential workers.

Pandemic Planning is an operational risk but includes strategic and reputational risks as well. Ensuring vendors have an adequate pandemic plan minimizes operational delays, disruptions to processes, and loss of data, and maintains the trust and confidence of customers.

What to Look For

Most likely, your organization already has a pandemic plan in place. But what about your vendors? Comprehensive pandemic risk management encompasses critical interdependence, meaning a failure at one of your vendors is a failure at your organization as well.  

5 Main Factors to Consider When Reviewing Your Vendor’s Pandemic Plan:

  1. Preventive Program

Reduces the probability that a vendor’s operations will be severely impacted by a pandemic event. A Preventive Program should include monitoring potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees.

  2. Documented Strategy

Scales the vendor’s pandemic efforts so they are consistent with the effects of a particular stage of a pandemic outbreak. A Documented Strategy means defining parameters for action based on different assumptions, e.g., first case overseas, first case in the United States, first case within the vendor itself. Make sure the strategy outlines additional plans for how that vendor will recover from a pandemic wave and properly prepare for any following wave(s).

  3. Comprehensive Framework of Facilities, Systems, or Procedures

Provides the vendor the capability to continue its critical operations in the event that large numbers of the staff are unavailable for prolonged periods. Procedures include social distancing measures like remote work and redirecting customers to online services as well as actions by public health and government officials.

  4. Testing Programs

Validate that the vendor’s pandemic planning practices and capabilities are effective and will allow critical operations to continue.

  5. Oversight Programs

Confirm the vendor implements continuous monitoring with ongoing review and updates to the pandemic plan so that policies, standards, and procedures include the most up-to-date, relevant information.

A VRM Solution Can Help

Validating and reviewing a vendor’s Pandemic Preparedness and Response Plan requires a configurable and scalable vendor risk management (VRM) solution. Quickly react to an unexpected pandemic with automated tools and features that strengthen existing systems rather than developing new ones. Ideal VRM features include:

Pandemic Preparedness Assessment

The foundation for a pandemic plan is a risk assessment of the potential effects of a pandemic on the ability to maintain or expand operations. A Pandemic Preparedness Assessment should include questionnaires that report on vital components outside the vendor, such as resilience of supply chains for essential goods and services.

Vendor Geographic Risk Concentration

In normal BCP/DR cases, malicious activity, technical disruptions, and natural/man-made disasters typically will only affect a specific geographic area, facility, or system. In the case of a pandemic, there could be one or more waves of impacts that may affect regions differently in terms of timing, severity, and duration.

Robust VRM solutions have geographic risk concentration feature maps that track your vendors’ location data, providing insight into an organization’s overreliance on a single third- or fourth-party vendor and/or geographic region. For example, you may want to determine how many of your vendors’ call centers will be most impacted by high absenteeism due to sickness or a natural disaster.

No part of your business can be minimized when looking at pandemic preparedness. Ensure your organization, and its third- and fourth-party vendors, has a comprehensive pandemic plan in place. Even with planning, during and after a pandemic strikes you’ll always think you didn’t plan enough. You need a powerful vendor risk management solution that can reduce your workload and ensure quality pandemic preparedness.
