Why Customers Should Completely Rethink Third-Party Risk
Companies working with outsourcing partners, either offshore or Nearshore, have entered into a whole new universe of risk management as they confront the wide-ranging disruptions triggered by the COVID-19 pandemic.
On one hand, the unprecedented crisis calls for greater flexibility and understanding. On the other, the new reality demands that client organizations immediately evaluate new risks and new areas of liability and exposure.
In this edition of The Exchange, Nearshore Americas examines the new territory of third-party risk management. We hope this well-considered guidance is arriving at your organization at just the right time.
The Three Stages of Third-Party Risk Pandemic Response
Linda Tuck Chapman, a globally recognized expert on third-party risk management and President at Toronto-based Ontala Performance Solutions, outlined the three main stages of third-party risk as it relates to the pandemic.
“The first stage is where we are right now: keeping the lights on,” Tuck Chapman said. In this phase, companies are implementing work-at-home, where possible, and dealing with all the risks and variables related to it: availability of equipment, reliability of networks, and the actual risks that are surfacing.
The second stage is protecting the bottom line. “What strategies do we need to have in order to protect our organization and our bottom line? And where are we going to spend our effort?” Tuck Chapman said, describing the questions organizations will be asking themselves in this phase.
The third stage, according to Tuck Chapman, will be the wider implementation of Robotic Process Automation (RPA). “There’s going to be a huge push on reducing the reliance on people to deliver services. It just seems inevitable to me,” she said.
“The third phase is basically preparing for a different future than the one you thought you were preparing for, or maybe you adjust at a faster pace,” she added.
For Tuck Chapman, companies that have not already invested in risk controls and resources to manage risk will feel a lot of pressure to do that in the next couple of months and years as the wreckage of the pandemic grows more clear.
The Risks of Work-At-Home
Work-at-home has become an essential strategy to maintain business as usual, or more appropriately, as best as possible. It is part of the stage one response, according to Tuck Chapman, and it is definitely a source of risk.
For Alan Arenson, Principal Consultant at ISG, the biggest third-party risks that arise from the pandemic are related to maintaining security in a work-at-home environment. These concerns range from equipment and software security to networks and the suitability of the physical space of work.
“In the outsourcing world, we spend a lot of time ensuring that our offshore delivery centers meet certain criteria. Everything is secure, from a client perspective you have lockdown areas,” Arenson said.
Arenson sees potential security risks arising from people working from home. But he also sees few alternatives. “We don’t have much choice, unfortunately,” he said.
Tuck Chapman considers work-at-home the most urgent risk. “Whether you’re having your employees work from home, and therefore, they’re relying on service providers such as the telecommunications networks, which are very strained right now, or whether you’re trying to impose your own code of conduct and privacy policies in a situation where you really have no insight into the environment that people are working in, it is quite challenging,” Tuck Chapman said.
“So, we do know that insider threat is on the rise, right? People do bad things. There’s no doubt about it, but generally speaking, insider threats are defined by the mistakes people make. They get taken in by someone who is malicious. Most companies want to have clean-desk or clean-room policies, and that really isn’t possible in a work-from-home situation,” she added.
From a legal perspective, Tim Norton, Founder at VMO Benchmark, an ITO/BPO advisory firm focusing on Vendor Management and External Resourcing Programs, says that the COVID-19 pandemic has forced many client companies that did not allow work-at-home in their outsourced operations to amend their Master Service Agreements (MSAs) to allow it. This is particularly relevant in locations with mandatory lockdowns, in countries like El Salvador, Honduras, and India.
“They had to develop not only the amendment to the MSA but then they had to inform every one of the resources in all the different parts of the world where they were working from, via a physical amendment sent to them that they would have to sign and send back, saying that they understand what it means not to be working in the office, which had its own set of terms and conditions, which now they would apply at home. And that’s a very big deal to get done,” Norton said.
BPO providers consulted by Nearshore Americas have confirmed they are working to guarantee network security and compliance with protocols like PCI. However, when this is not enough, or the risk becomes too high, some companies are said to be preparing a “Plan B” for outsourced delivery. And this should be a red flag.
“I guess the real question basically is what services should you repatriate in-house? And in fact, some companies are moving some of their very high-risk critical processes to the domestic location of their third parties,” Tuck Chapman said.
“Most of these big companies that, depending on who you’re dealing with, they have operations all over the place, including inside of developed nations. So, does it make sense to either try to repatriate some of these services or to require that they’re moved to a domestic location where there’s more opportunity to determine whether or not proper controls are in place,” she added.
The Limits of Flexibility
Sergio Escobedo, a vendor management consultant with previous experience managing BPO relationships at Comcast and Time Warner, says flexibility is a crucial part of the discussion in times of turmoil.
“This was unexpected, and as such, more customers will be more understanding,” Escobedo told Nearshore Americas. However, he also warns that amidst the understanding, there will be frustration. So, flexibility has limits, and those limits will vary widely, depending on the industry.
Flexibility does have its limits, especially when having to consider legal implications. Most MSAs have clauses regarding backup and recovery, force majeure or similar language that becomes extremely relevant now, says Norton. “I think the clients that are going to survive are the ones that have flexibility outside of the MSA,” Norton said.
“Yes, you could always say the MSA says that you guys are going to get this project done. But the world’s changed so much here in the last several weeks. It’s not even possible to get it done. And therefore, to expect that it is I think is really going to cause a lot of difficulty between the client and the vendor,” he added.
As the voice of a client organization, Arenson recognizes the need for flexibility. But in the end, he would like his providers to stick as closely as possible to the Service-Level Agreements (SLAs).
“I understand that there are mitigating circumstances. I would rather that they stuck to the SLAs, and if they don’t meet the SLAs, we can do a deep dive or a root cause analysis as to why they’re not meeting those SLAs. And if it is specifically related to issues of working from home, we would understand the circumstances. I would not want to change the SLAs per se,” Arenson said.
All the interviewees agree that the key to keeping business going in these times is constant communication between clients and providers. And Tuck Chapman thinks this is already proving to work.
“Most companies are still meeting their SLAs, and they’re still providing services. So, there are some rays of good news in here, and that’s why I think that the panic is starting to subside, that the engine of commerce is continuing to churn on,” she said.
Mitigating Risks: Now and in the Future
Undoubtedly, the COVID-19 pandemic is delivering serious lessons around how to make one’s business more durable in a time of incredible instability and change. As we live through the experience, some issues will require attention immediately, and others will have to be addressed in the future.
One of the key lessons for Escobedo is the need for geographic diversification. “I know of a friend of mine that is in a vendor management organization, and they were about 90% centralized in the Philippines, 90% of their operation was outsourced to the Philippines. When this pandemic happened, they really didn’t have a quick and fast way to react,” Escobedo said.
“Companies are going to have to reassess what their geodiversity looks like. Although they may have been in the Philippines for a particular reason, when it comes to overleveraging at any geography, when something like this happens it can affect you for a long time,” he added.
Escobedo recommends that providers build a plan that includes geographies where work-at-home is fortified by strong Internet infrastructure so that operations can transition seamlessly to a work-at-home model.
Norton also recommends having a group or organization that deals with vendor management, rather than just a procurement team, which tends to focus on reducing costs. He also thinks it is a time for providers to try to retain their talent, despite the turmoil.
“Vendors need to figure out on the people side, how to maintain their people, how to redeploy them to other places, other kinds of contracts that they can succeed on while trying to figure their hardware solution and work from home solution,” Norton said.
In the end, all interviewees agreed that first and foremost, this is a humanitarian crisis. Ensuring employees’ safety and well-being needs to be embedded in any new risk management strategies.