You need to know the business impact risk of your vendors. Once you know that, you can figure out how they play into your financial institution’s business continuity plan. A way to start is to know which of your vendors are critical.
What is a critical vendor?
A critical vendor is a third party on whom your institution is so reliant that, if they suddenly disappeared for some reason, you’d have a huge problem on your hands. Business would stop in its tracks and you’d be scrambling to recover.
Think of your core processor and another Superstorm Sandy type of incident. The storm is far worse than expected and their processing has stopped for the time being. Complete chaos ensues. It happens – but, fortunately, with a little preparation and rigorous testing, you can minimize the impact.
3 Questions to Ask to Determine If They're Critical
Ask yourself these questions about each of your vendors to determine if they are critical to your institution:
- Would a sudden and unexpected loss of this vendor cause a material disruption to your institution?
- Would that loss impact your institution’s customers?
- Would the time to recover be greater than one business day or 24 hours (timing could vary based on service provided)?
What to Do Next With Your Critical Vendors
If the answer to any of these is “YES” – this is a Critical vendor. You should then do a few things:
- Ensure your disaster recovery plan is up-to-date
- Ensure your due diligence analysis, risk assessment and your own disaster recovery planning include a thorough review of their business continuity plans and the results of testing around both plans (yours and theirs)
- Ensure you have a comprehensive and actionable exit strategy, contemplating both a sudden disappearance and a gradual unwind of the relationship
- Develop and maintain an adequate notification and escalation plan
- Contractually commit them to provide reporting and notification in the event anything changes
Examples of Critical Vendors
- Your call center provider (unless you have multiple ones and can easily re-route calls)
- Your core processor is critical
- The electric company is critical
- The internet banking provider is critical
Examples of Non Critical Vendors
- Your shred vendor is not critical; they can easily be replaced.
- Your landscaper is not critical
- Your marketing agencies are not critical
Spending a few minutes to ask 3 simple questions with each vendor can save you HUGE headaches down the road. The best time to prepare is NOW.
To learn more about differences between your high risk and critical vendors, download our free infographic.