Risk management and Covid-19: monitoring of service providers.
Third party risk management is addressed in most organizations where services are rendered by external service providers, such as IT datacenters and cloud service providers. Based on contracts and service level management agreements, the quality of services delivered is managed, monitored and discussed between parties. In 'usual times' this takes place on a regular basis, let's say quarterly. But in these unprecedented times, dealing with Covid-19, one can question whether the regular monitoring and reporting still suffices from a risk management perspective. What should organizations do additionally to manage the risks in the external service provider relationship?
Questions to take into account
It speaks for itself that the regular points of attention regarding services delivered by external service providers need to be assessed, monitored and discussed. But additional questions should be raised:
- What is the financial situation at my service provider(s); is continuity of services safeguarded or are issues expected due to liquidity problems or bankruptcy of other clients of service providers?
- Which service providers are essential for the continuity of business operations; do we need to make additional agreements or increase the frequency of communication on certain topics?
- How does the quality of services provided develop; is there a decline in the quality of services due to illness or shortage of staff, do we see an increase in incidents?
- Are security and data privacy agreements still being respected; how is working from home facilitated by external service providers, taking into account information security and data privacy requirements?
- Are contractual arrangements still 'fit for purpose' in Covid-19 times?
Qualitative third party risk management
Answering the above questions is important for managing dependencies on external service providers, foreseeing any issues with the quality of services and discussing solutions in a timely manner in order to safeguard continuity of operations.
KPMG can assist you in addressing these questions and assess the quality of the third party risk management in the organization. In case you would like to discuss your approach to managing third party risks, please feel free to contact Brigitte Beugelaar.