COVID-19 and 3rd Party Suppliers: Questions Risk Managers Should be Asking

  • Global Risk Institute
Virus under a microscope


The COVID-19 virus continues to spread, bringing humanitarian challenges and accompanying effects on the global economy. Given the significant and increasing reliance on outsourcing and 3rd party supplier relationships in the financial services sector, risk managers should also be evaluating potential impacts on service levels from developments relating to the COVID-19 situation.

While OSFI Guideline B-10 on outsourcing applies to many members in this context, our comments are applicable to all financial sector participants evaluating 3rd party supplier arrangements, outsourcing or otherwise, in light of recent developments. B-10 lists examples of outsourcing arrangements covered which include information system management and maintenance, document processing, application processing, policy administration, claims administration, loan administration, investment management, marketing and research, real estate administration, back office management, human resources administration, and some professional services.

This range services covered by outsourcing and more broadly by other 3rd party relationships can be quite wide and can include parts of operations that may come to play a role in pandemic preparedness and response. Risk managers should be considering how to sustain operations and meet statutory obligations should key 3rd party suppliers, overseas or at home, experience operational disruptions during the COVID-19 outbreak.

Questions to Ask of your Own Institution:

  • Have you evaluated the impact of the COVID-19 outbreak on your 3rd party arrangements?

  • Has your assessment of your organization’s exposure to 3rd party suppliers changed on account developments related to the COVID-19 outbreak?

  • Have you identified key provisions of material contracts with 3rd party suppliers that may be affected by the COVID-19 outbreak, like Service Level Agreements?

  • Have you identified notice requirements that may have been or need to be triggered, for instance notices of changes you may be contemplating as part of your planning or should service interruptions occur?

  • Do you have the right call trees in place with key suppliers, so that effective lines of communications are in place to promptly act if service levels are impinged? Do these include adequate redundancies for key individuals like relationship managers?

  • Have you considered organizing regular touch points with key 3rd party suppliers, to monitor with them the ongoing evolution of COVID-19’s possible impact on service levels?

  • Are you in a position to prioritize together with your service providers what “mission critical” services to maintain should only partial service delivery be possible for some period?

  • Have you updated your due diligence evaluations of your 3rd party suppliers in light of the COVID-19 outbreak?

  • How diversified are your material 3rd party supplier relationships?

Questions to Ask your 3rd Party Suppliers:

  • Do you have a pandemic preparedness plan?

  • Has your pandemic preparedness plan been updated to reflect specifics relating to the COVID-19 outbreak?

  • Do you have dedicated resources for responding to disruptions generally, and COVID-19 specifically?

  • What are your specific recovery objectives for each of the services and products you deliver to us?

  • Have you invoked any stage of your preparedness plan (e.g. travel restriction policies, home office policies)?

  • Have you conducted a disaster recovery exercise in the last 12 months, and what were the outcomes?

  • What procedures do you have in place to manage your own 3rd party supplier relationships?

The humanitarian and related challenges posed by COVID-19 concern us all, and GRI continues to monitor developments closely. Continuing to deliver effective risk management practices in financial institutions is an important contribution our members will be making as we meet these challenges.