Amanda Hill, MBA, CISA, senior manager, corporate IT audit, Arrow Electronics, shared insights at last year’s summit, and she’s back by popular demand! Hill will join a panel discussion on best practices regarding third-party relationships, disaster planning (including the coronavirus outbreak), and recovery strategies at FRA and Compliance Week’s Third-Party Risk Management & Oversight Summit New York in March.
Hill will join Richard Cooper, MBCI, principal-financial services, Fusion Risk Management; Miguel Machado, director, third party risk management, The Options Clearing Corporation; and Doris Miranda, director of global logistics and warehousing, Royal Caribbean Cruises, for the panel. The panelists will be able to use the coronavirus epidemic as a prime example of a “worst-case scenario” as Miranda, Royal Caribbean Cruises, and public health experts deal with growing concerns about ship travel and how to contain the virus.
The discussion will take place on April 1, the second day of the Third-Party Risk Management & Oversight Summit New York at the Westin Times Square. In November, Hill shared with FRA the following life lessons she’s learned firsthand in disaster recovery and working with third parties:
Prepare for the unexpected
A tactical, rehearsed disaster recovery plan is critical to moving operations forward during a crisis. An inventory of all processes, key roles, and business plans enables a prompt recovery, Hill says.
She recalled the operational impacts her firm faced due to hurricanes that hit Texas and Florida in 2017. With little time to prepare, communication was key, she says. “Really making sure the employees internally, and our customers externally, knew we were aware of what was coming and back-up plans were communicated to let them know on the front-end, in case of a pending disaster or emergency, these are the steps you need to take; these are the steps we’re going to take.”
Hill credits communication and a reliable plan for the company’s smooth recovery. “We had an established continuity plan that was tested on a regular basis and communicated timely across all stakeholders,” she says.
Selectivity with a third party is crucial
Hold a third party to the same standard of preparedness you set for your own company. Hill recommends performing a thorough risk assessment throughout the onboarding process.
When establishing a third-party relationship, Hill says you must understand that company’s existing controls, business continuity plans across all operations, policies and procedures, any stock reports, and even the location of back-up servers.
The level of involvement with a third party doesn’t end with the onboarding process, however. “Once the vendor is onboarded, and you’ve established a relationship with the vendor, I think it’s very important to continue to manage and monitor them,” she says. “Given the level of risk they pose to your company, I think it’s very important to continue to measure, monitor, and manage the vendor periodically on a risk basis.”
An effective vendor management program “suited for the risk appetite of your company” is critical, according to Hill. “It’s a mirror effect; how we manage risk internally, we should hold our vendors to that same level of expectation,” she says.
Hill will present “The Worst-Case Scenario Guide to Vendor Risk Management,” at 10:00 a.m. Wednesday, Apr. 1, the second day of the Third-Party Risk Management & Oversight Summit New York at the Westin Times Square.