Vendor Management in a Pandemic: A Proactive Approach

Has COVID-19 made managing your vendor management hard to, well, manage? Say that five times fast! Honestly, it might be easier than trying to deal with vendor management during a pandemic that has changed just about everything we once knew to be “normal.” Working from home, social distancing and relying heavily on technology are just some of the many things that have added layers of difficulty to managing and dealing with your credit union’s vendors.

If there’s anything that we have learned over the years – and particularly, in the last several months – it’s that being proactive is the best possible scenario, but it’s not always possible. When mass quarantines took over in mid-March, there was no choice for many institutions but to be reactive. In the long run, though, that’s certainly not the recommended path.

When it comes to your vendors, this is especially true. Much has changed for businesses across the board, so it’s also likely that any and all of your third-party providers have also experienced major operational shifts. And those changes may make waves that transfer over to your credit union as well. So the question is, how should you handle vendor management in a time that poses more risk than ever before?

Note Vendor Changes

Take a look at any circumstances that have changed for your vendor. Pay particular attention to those things that have the potential to cause the most impact to your credit union.

Remote work conditions.

Is much of your credit union’s workforce remote these days? The same is probably true of your vendors. Many companies have transitioned to remote working conditions to protect their staff and adhere to social distancing guidelines. But what does that mean for your credit union? It all boils down to one major risk – insecurities. Unsecured home Wi-Fi, heightened cybersecurity threats and the potential for information to be leaked (purposefully or not) all contribute to the lack of security posed by remote work. Even if your vendor has network security specialists and protocols in place, it’s much harder to identify, isolate and solve the issue when employees and company-issued equipment are at various locations.

Vendor supply and demand.

We all know the law of supply and demand. Business is either booming or waning, and that’s only been intensified by the Coronavirus. While your credit union’s business might still be booming in these difficult times, vendors may not be experiencing the same circumstances. What happens if they don’t have enough demand on their end to keep up operations? Unfortunately, due to economic hardships and lockdown restrictions from the pandemic, many businesses have closed permanently, including some fairly large organizations you may rely on for third-party operations. From clothing retailers like J. Crew and Lord & Taylor, to communications firms like Frontier Communications, businesses in a variety of industries have felt the stinging effects from lack of demand. So, if you have a vendor in this situation, you may want to start looking at other organizations to help you provide services. On the other hand, if a vendor is slammed with new clientele and doesn’t have the resources to handle the surge in business, your credit union may get lost in the shuffle. Getting overlooked is not acceptable, so keep an eye on your vendors to make sure they are holding up their end of your agreement.

Up-to-date documentation.

It’s been a whirlwind year, with lots of major changes going on. With all these changes, it’s important to make sure your vendor has updated documentation that details any revisions to their policies and yours. For example, if your credit union decides to change your SLAs for more rapid response during an emergency, make certain that your vendor acknowledges the change and provides written proof that they’ve documented it on their side as well. Also make sure you ask for the most recent SOC reports and have the ability to perform documentation audits of your vendor listed within the contract.

Amp Up Your Vendor Management Program

Now that you’ve assessed any COVID-related changes to your vendors’ operations, what’s next? It’s time to beef up your own vendor due diligence. Here are five things to get you started on a bigger and better vendor management program.

  1. Keep your program relevant. The pandemic has been eye-opening to say the least. If there are any outdated policies in your program, now is the time to change them. Check to see if there are any vendors you no longer need or areas where you may need more based on your current working conditions. Make changes that address any vulnerabilities in your program and have your board and security team review them. Ensure your own documentation is up to date, just like your vendors. The main goal here is to continue tweaking your vendor management process so it lines up with your institution’s most current needs.
  2. Look out for more cyberattacks and malware. Phishing, vishing, whaling and a multitude of other cyberattacks are increasing, playing on the fears and reactive nature of society. That means you need to be on the lookout for scams that appear to be coming from your vendors. Let’s say you receive an unexpected or strange email from your bill payment provider. Rather than engaging with the email, contact your vendor and validate the email and its purpose. The scam could be an attempt to glean information from your credit union, or even to quietly install malware onto your networks. The key here is to communicate regularly with your vendors. That way, there should be no surprises and cyberattacks will stick out like a red herring.
  3. Perform vendor risk assessments…often. As we all learned this year, things can change on a dime. What may not have been a risk yesterday could be a MAJOR one today. That’s why it’s important to keep tabs on your vendors and do regular risk assessments on them. You don’t want to be caught unaware if a vendor can no longer keep up with their workload or need to do a major overhaul of systems, among other things. The more frequently you perform your assessments, the less likely you are to experience issues from a vendor risk standpoint.
  4. Consider purchasing a centralized vendor management system. There are a lot of moving parts to vendor management, even in the best of times. But when there’s a pandemic afoot, those moving parts become even more critical to keep track of. There’s a solution to that, though, and it’s the use of a centralized vendor management system. If you can keep all documents, audit information, data and important dates in a single place, you’ll be less likely to miss information on your potential vendor risks.
  5. Incorporate your incident response plans in your program. How your credit union responds to something like a global pandemic (or any emergency, really) is going to have an impact on your vendors and vice versa. That’s where your incident response plan comes in. Review it to make sure your procedures line up with your vendor contracts and determine which vendors are most critical in a time of emergency. Then put that plan to the test, so you can see not only how it will look from your end, but how your vendors respond. This will provide insight into your vendor relationships and ensure your institution truly has the resources it needs to withstand challenges.

Without a doubt, vendor management is a process. Throw a pandemic in the mix, and it becomes even more complicated. At the end of the day, though, we rely on third-party providers for many of our operations. And the need for more technology and creative methods of operation that has arisen from the pandemic has only strengthened that need.

But let’s look at the positives that have emerged from the global health crisis. We’ve learned a lot of lessons. One of those lessons is to be proactive in your vendor management. Take the steps above to aid in the evolution of a solid vendor management program that will ensure the health and success of your credit union.


Belinda Mumma has over 12 years of experience implementing and maintaining vendor management and vendor due diligence software. During her career, she also has been responsible for policy and legal review processes; implementing, directing, and maintaining enterprise risk management software; and implementing and maintaining audit and exam findings software.