Operational Risk Management for COVID-19

Earlier this week, we shared the Reciprocity response to COVID-19. As the seriousness of this pandemic grows, our thoughts are with all of our employees, customers, and partners who are affected. We want to reiterate that our priority is to uphold our commitment to our customers. We know that many of you are concerned about the impact on your business operations, specifically supply chain issues you might be experiencing or anticipating. Vendor risk management is central to our ZenGRC platform, and we wanted to share steps to manage operational risk in light of COVID-19.

“Pandemic” is a term that is documented in the threat catalogs of nearly every organization’s third-party risk management program. With the outbreak of the COVID-19 pandemic, that theoretical threat has manifested and is testing supply chain resiliency and business continuity plans across the globe. Most organizations have found themselves struggling to deal with the disruptions to their supply chain and vendor networks. After years of focusing on efficiency, supply chain resiliency has quickly risen to the forefront of boardroom concerns as many companies deal with COVID-19 as an existential threat.

The past few weeks and months have brought a new focus on vendor risk management processes and third-party risk management programs as a whole. Organizations with existing robust vendor risk management programs are finding that the effort put into not just vetting, but building relationships with their third-party vendors, is providing a massive return on investment. As supply chains have become increasingly interdependent, organizations that are working closely with their vendors as partners, and ensuring that their values are aligned, are finding themselves in a much better position to deal with the disruptions brought about by COVID-19.

Looking forward, building and maintaining a robust vendor risk management program doesn’t have to be difficult or even time-consuming. It does, however, require a bit of planning. Successful programs often share these characteristics:


  • A strong organizational understanding of overall third-party risk posture and an executive team that is heavily involved in the risk management process 
  • Continuous monitoring of, and regular communication with, vendors to prevent any surprises 
  • Understanding and documenting the complete end-to-end supply chain that your organization relies on
  • Tiering of vendors to ensure that effort can be focused on critical supply chain relationships that introduce the most risk to an organization 
  • Understanding your vendor’s third-party risk posture. Does your risk posture align with that of your vendor? Do they apply the same level of scrutiny to their vendors as you do to them?


Successful vendor risk management programs demonstrate their value in times of crisis. To help you build on your current program, or to help get you started on your journey, please contact us at 877-440-7971 or engage@reciprocity.com. As always, our team of information security risk and compliance experts is standing by to help you tailor your organizational risk management program to your specific needs.