From a best practices perspective, did you know there is a distinct difference between a critical vendor and a high risk vendor? It’s common to see these two vendor types grouped as one; however, it’s a best practice to clearly draw a line between the two classifications. They do NOT mean the same thing and are NOT treated the same way.
Two Fundamental Divisions of Risk
First, let's discuss what risk means. There are two divisions of risk:
- Business Impact Risk – This risk reflects business reliance: how much the organization depends on the vendor to keep operating.
- Regulatory Risk – This type of risk is based on the guidance in place, which outlines the categories of risk you should consider (for example, OCC Bulletin 2013-29 and Bulletin 2017-7). Because of that guidance, you must formalize questionnaires to assess the level of risk each vendor poses to you.
Rolled up into regulatory risk are numerous categories clearly called out in the guidance (e.g., FDIC FIL 44-2008 and OCC Bulletin 2013-29), including items such as:
- Operational Risk
- Compliance Risk
- Reputation Risk
- Strategic Risk
- Credit Risk
After considering these areas and asking your vendor a set of questions, you will deem your vendor low, medium or high risk.
3 Questions to Deem Critical vs Non Critical
In addition to the level of risk, you also need to determine whether a vendor is critical or non-critical, that is, how important the vendor is to the business's daily functioning. One way to figure that out is to ask three particular questions:
- Would the sudden loss of this third party cause a significant disruption to our business?
- Would the sudden loss impact our customers/members?
- Would the time to restore service without this third party be greater than a business day?
If the answer to any of these is "Yes," the vendor is a critical third party. If not, the vendor is not considered a critical third party.
Critical vs High Risk Vendors
Now that we've gone over what is considered critical/non-critical and how risk is determined, it should be clear that they are two separate items. To further show the difference, let's look at how the two classifications can combine, and why.
Critical and Low Risk: It's possible to have a vendor who is critical but low risk. An example of this is your telephone company. While you depend heavily on the telephone company every day to continue operations, that third party does not have access to sensitive information.
Non-Critical and High Risk: It's also possible to have a vendor who is non-critical but high risk. An example of this would be the shred company. That vendor can be replaced easily, but they have access to all your confidential company information and client data, and they literally walk out the door with it. That makes them high risk.
I encourage you to review your vendor list and really dig deeper to determine whether each vendor is critical to the organization. Then determine what level of risk they pose. This should always be well-documented, with a plan in place to rectify the situation quickly should you lose a critical or high risk vendor.
To learn about what due diligence to do for your low, medium and high risk vendors, download our checklist.