Risk mitigation strategies to keep the conversation going and the messages flowing.

The risks arising from third-party contractors and business continuity preparedness are more complex, more industry-specific, and more time-sensitive than ever before. If your third-party risk management (TPRM) and business continuity plan (BCP) don’t include your mobile messaging service provider, you’re more exposed than you think—even more so if your business is financial services or debt collection.

Twilio recently published a list of “forbidden message categories” that it will not support for SMS/MMS services, many of which greatly impact the financial services and debt collection industries. Twilio’s customers who currently send text messages within the listed categories are likely reeling and scrambling to migrate their texting services to a trusted vendor with the ability to service them.

Complicating matters is the nature of the messaging industry in general, something I like to refer to as the “SMS supply chain.” Basically, if you aren’t buying directly from an aggregator, there can be any number of companies between you and the messages you send—meaning your risk may be significantly downstream and more difficult to manage.

So how do you mitigate this risk, and what do you do if your communications provider suddenly stops providing services?

Most importantly, businesses can and should adapt their TPRM and BCP management to address these industry-specific, complex risks. Let’s take third-party collection agencies as an example. These businesses make vital contributions to the American economy, and their ability to communicate is essential.

Did you know that:

  • Third-party collection agencies help government agencies and businesses recover money owed for unpaid taxes, fines, accounts receivable, and other fees, resulting in recouped funds that do not get passed on to future consumers.
  • They return billions of dollars of delinquent debt to the economy, lowering prices for consumers and lowering bad debt costs to U.S. businesses.
  • Government agencies realize decreased future tax and fee increases and/or spending cuts.

Vet Texting Service Providers as Part of TPRM and BCM

According to Gartner, more than 80% of legal and compliance leaders report that third-party risks were identified only after initial onboarding and due diligence, suggesting that traditional due diligence methods in risk management policy fail to capture new and evolving risks.

When vetting a messaging vendor, TPRM and BCM must work in lockstep to ensure that the services agreement has business continuity considerations where necessary. As part of the risk management process, the company also needs to consider all the BCM risks the contract and/or service provided may involve and identify appropriate mitigation measures if necessary.

Here are three key considerations to address when integrating TPRM and BCM to help protect company operations and third-party contracts, especially when engaging a messaging provider:

  1. At its core, the integration of TPRM and BCM must be risk-based. Have an “Evaluation Checklist” for the internal and external parties involved to ensure that all BCM risks are considered from both points of view. The Evaluation Checklist will evolve based on the current environment but should include review of the following topics:
     • Stakeholder restrictions: If a relationship stakeholder was suddenly unable to service your specific industry (by choice, by regulation, by law), what would you do?
     • Ownership of data: If you are working with a vendor that has access to, processes, and/or uses your company or customer data in any way, it needs to be clear who owns the data for the pendency of the relationship and after any separation.
     • Data retention: How long will the vendor keep your data? What specific data is being kept? Where is the data stored? Ensure any data storage providers are properly identified and vetted.
     • Data destruction: If the relationship ends, what options are available to you in terms of permanently deleting your company or customer data?
     • Indemnification: If something goes wrong, who is responsible for what? What is the process for requesting involvement from the other party?
     • Limitation of liability: Is liability for damages limited for either party? If so, does the limit make sense based on the services being provided?
     • Insurance: Ensure that your vendor has the type of insurance and sufficient coverage limit for the services being provided. Cyber liability insurance is becoming increasingly specialized. Make sure the insurance coverage reflects the services being provided to your company.
  2. Identify the criticality of your vendors and establish standard mitigation requirements based on that designation. These may include contractual obligations to ensure suppliers have a BCM program in place, a dedicated resource plan covering the failure of that specific third party, and preparedness plans with the supplier to establish a combined response in the event of a disruption.
  3. Have an exit strategy. No one wants to think about a critical third-party relationship ending, but it must be given careful consideration in the post-pandemic environment. Exit strategies should be carefully crafted based on worst-case scenarios and tested on a regular basis, at least as tabletop exercises.

Bringing third-party risk management and business continuity management together will help your company’s resiliency and responsiveness to critical incidents and disruptions, and help you choose the right messaging partner for your business needs.

Author Dave Baxter
