Previewing Interact 2020: Why Is This a Critical Moment for Vendor Risk Management?
Among the many other hard lessons the COVID-19 pandemic has been teaching businesses, there’s this one: Vendor risk management has become even more complex than before. Frighteningly complex, in fact, making it even more essential.
According to Jay G. Fitzhugh, Chief Regulatory Officer at Mitratech, the swift pivot to working from home has created a new galaxy of compliance hazards for organizations.
“One of the most pervasive new problems,” he points out, “is that we now see employees operating off home networks and routers that are shared with other people in the home. Their kids are playing games, for instance, while somebody else is watching a streaming service, and all sorts of ports are opening up that could allow bad actors to enter through their modem.”
This means an organization’s data protection strategies must be adjusted so that business data handled in a remote location still has the proper protections: encryption, email filters set up to detect confidential data, hardware provisioned for home-based staff, and secure collaboration platforms. Even policy and procedure management during these highly dynamic times should rely on solutions capable of keeping up with the challenge.
Unprecedented dimensions in vendor risk management
This is just one of the areas Jay, Adrian Rodriguez, VP, Internal Controls Manager at Amerant Bancorp, and Hector Jimenez, Director, Operational and Vendor Risk Management at Sterling National Bank, will touch on during their Interact 2020 session, Vendor Risk Management: The Moment is NOW.
As Jay points out, “People expected this to be temporary; what if we’re still operating this way months from now, or next year?” The session will focus, in part, on how HR and compliance teams can prepare for that possibility, and the steps they can take today to manage the issue.
Among the other challenges at hand? People become more complacent when working from home, and can relax into bad habits and casual behaviors. Zoom, which has become so prevalent, might expose organizations to videochat lurkers waiting to eavesdrop on confidential conversations. Policies and safeguards have to address these risks, especially when it comes to third-party vendors: Who are they inviting to Zoom chats pertaining to your business?
Our best intentions can’t keep up
As Jay explains, everyone’s best intentions can lag reality at a time like this. Executives and employees need to remember there are new problems cropping up they didn’t need to previously address, like how to secure no-contact deliveries of confidential documents. In financial services, there’s been an immediate focus on the liquidity of the client base, not on operational matters, so shortcuts have been taken in the interim that can have dire consequences.
Business continuity is, he reminds us, “like changing the tire on a moving vehicle.” Multiple measures have to be taken at the organizational level to instill best practices in the here-and-now. Meanwhile, there’s the question of how to get back to doing the work that’s been set aside: audits and reviews, operational and technology updates, and much more. “How long can you delay the delayed?”
In light of all that, what are a few of the questions an organization needs to ask itself about its vendor risk management efforts, according to Jay?
- Have you seen impacts to the support required from your directly contracted third-party vendors?
- Has the evaluation of supporting fourth parties to your critical and material third-party vendors escalated as a result of the pandemic?
- Do you have the needed due diligence on fourth parties supporting critical and material processes or products?
- Is a two-deep vendor review enough? If not, is there a practical reason or rule to go beyond a two-deep review?
- How comfortable are you in your evaluation of the financial viability of your key suppliers, given the financial impacts of the last 3-4 months?