No one likes to go into a relationship or situation thinking about the worst possible outcome. However, business continuity planning for the worst is necessary so that you know how to minimize impact when the worst happens. Few people enter into marriage expecting to get divorced, and it’s not a particularly pleasant outcome to consider as you’re gearing up for your big day. But divorces happen, and prenuptial agreements exist, so when you’re facing the worst possible outcome, you’re able to move through the process with a plan and defined expectations.
The same applies to third-party risk management. When you’re bringing on a new vendor that will solve significant business challenges, you don’t necessarily want to be thinking about the worst-case scenario. But planning for that scenario is a critical element that has gained a lot of regulatory attention: if your high-risk and critical vendors cease to exist, what is your plan, and will it work?
When you think about the vendor lifecycle – from initial due diligence to contracting to continuous monitoring – where does “develop an exit strategy” fall? Best practice is to answer the following questions before contracting and to codify the resulting expectations in the contract:
- What would the sudden loss of this third party do to the company? What would the impact be to the company’s customers?
- What steps need to be taken to minimize disruption to the business and customers? Who would be involved?
- What are the alternatives?
- How long would the company need to stand in for the vendor (performing or sourcing the service itself) before an alternative is in place?
How can you comprehensively understand if your exit strategy is effective?
The sudden loss of the third party could be due to a natural disaster, unexpected dissolution, or acquisition. You can test these scenarios and the exit strategy much as you would test a BCP: through a regularly scheduled “lights out” test at both the third party and your organization. During these tests, notification and escalation procedures should be followed and documented throughout. Decisions about which steps to take and which improvements to make should always be made through the lens of resilience, with the goal of minimizing impact to the customer.
Exit strategies – in best practice – consider both the sudden loss and the gradual unwind of the vendor. The steps for these less extreme scenarios, or for less critical vendors, mirror those for the sudden loss of a critical third party. What is the timeline, and what steps need to be taken? Who needs to be notified? What are the conditions for notification? Who holds accountability?
Clearly defining expectations at the start of an engagement with a third-party
As with an exit strategy, before contracting, it’s always good to have an alternative vendor in mind or to understand how that service can be re-absorbed into the company. Additionally, notification deadlines around the desire to terminate, and breach provisions, should always be clearly described in the contract. Ending your relationship with a vendor can be similar to divorcing your spouse – it can get contentious. The more clearly you define expectations at the start of the engagement and the more carefully you track notification timelines, the easier the unwind will be.
We all know that the world is quickly changing. With the acceleration of digital business and expanding ecosystems of vendors, organizations are increasing in complexity. With that complexity come evolving expectations to consider and define when starting or ending a relationship with a third party. In recent years, a trend and best practice we’ve noticed increasing is clearly defining standards around the rights to use, return, or destroy any non-public information. For example, a well-meaning but poorly informed marketing company that continues to market new products and services to a company’s customers after the contract expires creates a reputational risk that clear return/destroy provisions would have mitigated.
Documentation is key
What steps are in place? How is the company tracking this activity? Who is directing decisions? What testing is in place? Who is accountable for ensuring that these are appropriately followed? These considerations should be documented in the contract, reviewed regularly with senior management and the board, and evidenced in the meeting minutes. Doing so is not only a well-established regulatory expectation but also a sound business practice to protect the consumer and the institution.
To learn more, please contact Fusion Risk Management, visit the FFIEC website, or read this high-level analysis by the Corporate Finance Institute: Exit Strategies – Examples, List of Strategies to Exit an Investment (corporatefinanceinstitute.com).