
Three Qs You Must Ask to Find Out if a Vendor is Critical

Jul 26, 2017 by Branan Cooper

You need to know the business impact risk of your vendors. Once you know that, you can figure out how they play into your financial institution’s business continuity plan. A way to start is to know which of your vendors are critical.  

What is a critical vendor? 

A critical vendor is a third party on whom your institution is so reliant that, if they suddenly disappeared for some reason, you’d have a huge problem on your hands.  Business would stop in its tracks and you’d be scrambling to recover.   

Think of your core processor and another Superstorm Sandy type of incident. The storm is far worse than expected and their processing has stopped for the time being. Complete chaos ensues. It happens – but, fortunately, with a little preparation and rigorous testing, you can minimize the impact. 

3 Questions to Ask to Determine If They're Critical 

Ask yourself these questions about each of your vendors to determine if they are critical to your institution: 

  1. Would a sudden and unexpected loss of this vendor cause a material disruption to your institution? 
  2. Would that loss impact your institution’s customers? 
  3. Would the time to recover be greater than one business day or 24 hours (timing could vary based on service provided)? 

What to Do Next With Your Critical Vendors 

If the answer to any of these is “YES,” this is a critical vendor. You should then do a few things:

  1. Ensure your disaster recovery plan is up-to-date 
  2. Ensure your due diligence analysis, risk assessment and your own disaster recovery planning include a thorough review of their business continuity plans and the results of testing around both plans (yours and theirs)
  3. Ensure you have a comprehensive and actionable exit strategy, contemplating both a sudden disappearance and a gradual unwind of the relationship 
  4. Develop and maintain an adequate notification and escalation plan 
  5. Contractually commit them to provide reporting and notification in the event anything changes  

Examples of Critical Vendors 

  • Your call center provider is critical (unless you have multiple ones and can easily re-route calls)
  • Your core processor is critical
  • The electric company is critical
  • The internet banking provider is critical

Examples of Non-Critical Vendors

  • Your shred vendor is not critical; they can easily be replaced.  
  • Your landscaper is not critical 
  • Your marketing agencies are not critical 

Spending a few minutes to ask 3 simple questions about each vendor can save you HUGE headaches down the road. The best time to prepare is NOW.

To learn more about differences between your high risk and critical vendors, download our free infographic. 



Written by Branan Cooper

Branan Cooper is the Chief Risk Officer at Venminder. Branan has nearly 30 years of experience in the financial services industry with a focus on the management of operational and regulatory processes and controls—most notably in the area of third party risk and operational compliance. Branan leads the Venminder delivery team as the third party risk management subject matter expert in residence. Branan also serves as an industry thought leader. He's a member of InfraGard and the Professional Risk Management Industry Association (PRMIA). And, he was selected in 2018 as an advisor to the Center for Financial Professionals (CEFPro) and board member for the Global Sourcing Resource Network (GSRN).
