5 Ways to Ensure Third-Party Business Resilience During Economic Downturns

With some economic indicators pointing toward a possible recession, now is the time to ensure that your suppliers, vendors and partners have the business resilience practices necessary to weather the financial storm and mitigate the risk of resulting service or delivery disruptions. If a vendor or supplier misses its financial expectations, it may be forced to lay off employees, cancel contracts, or adjust business development efforts or investments.

Even if the economy is not headed toward a downturn, having strong third-party business resilience procedures in place can prepare your organization for other potential disruptions. To help you benchmark your processes, here are 5 best practices for assessing third-party vendor and supplier business resilience.

1. Build and Enforce Availability, Delivery and Business Continuity Measures in the Vendor Contract

The process of agreeing to and managing service levels, delivery timelines, and business continuity processes with vendors and suppliers can be quite complex. It starts with the contract. Manual methods of agreeing to terms, tracking changes to key provisions, and circulating for approval will almost certainly lead to missed key performance indicators (KPIs) and complicate contract renewal discussions. That’s why it is essential to automate the contract lifecycle – from distribution and discussion, to retention and review. A contract lifecycle management solution will:

• Centralize tracking of all contracts and contract attributes such as type, key dates, value, reminders, and status
• Offer workflow capabilities (based on user or contract type) to efficiently move the contract through its lifecycle
• Automate reminders and overdue notices to streamline contract review
• Centralize contract discussion, storage and comment tracking – with audit trails of all access
• Provide version control tracking so that all parties review the current version of the contract
• Migrate the completed contract into a risk assessment platform for full due diligence

Simplifying the process of managing and chasing vendor contracts, redlines, dates, and other key attributes ensures that key availability, delivery or business continuity provisions are well-managed from the beginning of the relationship. SLAs and KPIs can then be extracted from the contract for ongoing review and management, providing a central repository to proactively track key metrics. If a supplier is unable to meet its commitments because of financial challenges, agreed-upon contract provisions can help mitigate the impact to your enterprise.

2. Profile and Tier Third Parties to Understand Criticality

Knowing which third-party vendors and suppliers are critical to your operations is an important step in assessing your risk exposure should they fail. If a vendor/supplier directly supports service or product delivery to your customers, consider the following tiering criteria:

• Location: Are there specific legal or regulatory considerations (e.g., additional data protection measures for GDPR)? Are they exposed to geo-political risks or in an area prone to natural disasters that might require failover sites?
• Processes and data: Is the third party directly interfacing with client-facing processes? Are they interacting with your protected customer data?
• Nth-party dependencies: Are there sub-outsourcing arrangements in place or is the third party heavily reliant on a particular 4^th-party technology supplier (indicating concentration risk)?
• Financial status and reputation: Is the vendor/supplier financially healthy, and do they have a good reputation?

An effective tiering and categorization process enables you to calculate inherent risk, while informing the scope and frequency of ongoing assessments and other due diligence efforts.

3. Assess Third-Party Business Resilience Practices Against Best Practices Frameworks

Once third-party suppliers are onboarded and an inherent risk assessment has been performed to determine criticality, you should then assess the third party against an industry-standard framework for business resilience. NIST, ISO, SIG, and other standards include business resilience provisions in their frameworks. A business resilience assessment solution will:

• Offer flexibility in assessment templates, automatically mapping responses to the framework for measuring best practices or compliance
• Automatically generate a risk register upon survey completion so you can see and prioritize missed or underperforming third-party controls
• Identify outliers across assessments that could warrant further investigation
• Automate actions based on assessment results, for example raising a risk score or kicking off an analysis process
• Provide remediation recommendations to help the third party mitigate a risk or control failure
• Map 4^th and Nth-party relationships, showing dependencies and flows of information

Third-party business resilience assessments should be performed regularly, not just at the start of a relationship, to ensure the vendor’s plans are up to date.