All companies must have a comprehensive plan in place in case of a disaster, according to Lisa Beth Lentini Walker, CEO and founder, Lumen Worldwide Endeavors, and Amanda Hill, internal audit manager for Western Union. Lentini Walker and Hill will discuss best practices regarding third-party relationships, disaster planning, and recovery strategies at FRA and Compliance Week’s Third-Party Risk Management & Oversight Summit San Francisco 2019 at Marines’ Memorial Club, Dec. 9-10.
A good business continuity plan takes three components into consideration: possible risks, an understanding of capabilities, and an awareness of any blind spots or gaps that may exist throughout the overall operations, explains Lentini Walker. Disaster recovery is an essential subset of an effective business continuity plan. When it comes to preparedness, Lentini Walker recommends extensive planning and practice to ensure the plan is second nature should a disaster arise.
“Practice makes it permanent. The permanency is the skills that you’re learning through those practices to be able to utilize them in a variety of different ways should something happen,” she says.
It’s difficult to plan and prepare for the unseen, she says, but it’s the consistent practice that develops the skillsets needed to handle the unexpected.
Disaster recovery calls for creativity
When it comes to a recovery situation, time is of the essence. A tactical, rehearsed disaster recovery plan is critical to moving operations forward during a crisis. In moments of stress and chaos, people tend to become very myopic, so you must help them “get the blinders off” in order to develop a creative solution, advises Lentini Walker. Communication and collaboration allow everyone to evaluate the situation from a variety of angles.
Resolving a disaster event from start to finish requires long, hard hours. Therefore, she says, it’s important to “allow people to be agile” to maintain stamina, perseverance, and persistence throughout the recovery process.
Communication will be your greatest tool in moments of disaster, so plan for multiple modalities. “Really know your escalations and make sure that you have that backup means of communication that is uniformly understood and abided by should there be a compromise to the primary means of communication,” she says.
Lentini Walker recommends arranging several backup forms of communication ahead of time, such as alternate emails, alternate phones, and a texting tree via mobile devices.
Hill shares similar sentiments and recalls the operational impacts her firm faced due to hurricanes that hit Texas and Florida in 2017. With little time to prepare, communication was key.
“Really making sure the employees internally, and our customers externally, knew we were aware of what was coming and backup plans were communicated to let them know on the front-end, in case of a pending disaster or emergency, these are the steps you need to take,” she says.
Hill credits communication and a reliable plan for the company’s smooth recovery: “We had an established continuity plan that was tested on a regular basis and communicated timely across all stakeholders.”
Selectivity with a third party is crucial
The standard to which you hold your company’s level of preparedness should be the same one you expect from a third party. Hill recommends performing a thorough risk assessment throughout the onboarding process.
When establishing a third-party relationship, Hill says you must understand that company’s existing controls, business continuity plans across all operations, policies and procedures, any stock reports, and even the location of backup servers.
The level of involvement with a third party doesn’t end with the onboarding process, however.
“Once the vendor is onboarded, and you’ve established a relationship with the vendor, I think it’s very important to continue to manage and monitor them,” she says. “Given the level of risk they pose to your company, I think it’s very important to continue to measure, monitor, and manage the vendor periodically on a risk-basis.”
An effective vendor management program “suited for the risk appetite of your company” is critical, according to Hill. “It’s a mirror effect; how we manage risk internally, we should hold our vendors to that same level of expectation,” she says.
Lentini Walker echoed Hill’s thoughts, noting the importance of conducting due diligence around those third-party vendors. “Their reputational risk is also your reputational risk,” she says. “And it could be an actual liability.”
It’s a growing conversation that continues to expand, according to Lentini Walker. “Third-party oversight is changing. And the expectations of customers and stakeholders are at a point of flux.”
It used to be enough to simply understand cyber-security and existing data privacy protections when working with a third party, but it goes much deeper now due to growing concerns around environmental, social, and governance issues, she explains. “As this continues to grow and develop and becomes more complex, the level of collaboration and the level of due diligence is slowly but surely shifting. And people who work in this space need to know that.”