It’s a common misconception that critical vendors and high-risk vendors are the same. However, critical and high risk aren't interchangeable terms and shouldn't be regarded as such. It’s essential to understand that classifying a vendor as critical serves an entirely different purpose than rating a vendor as high risk. Understanding the key differences and the appropriate application of these terms is essential for effectively managing your vendor risk and protecting your operations from serious business interruptions or failures.
Two Primary Risk Traits
First, let’s cover the basics and review the two fundamentals of risk:
- Criticality – This specifically addresses business impact. The classification of critical is used to identify those vendors that could significantly impact your organization or its customers, should the vendor experience a business interruption or failure. All vendors should be classified as critical or non-critical. At a minimum, critical vendors should be accounted for in your organization's business continuity and disaster recovery planning. Critical vendors must carry suitable types and amounts of insurance and have specific and actionable exit plan should the need arise to terminate or replace the vendor.
- Inherent Risk – The inherent risk rating or level is used to measure the amount of risk present in the relationship and the types of risks associated with the product or service provided. Typically, risk ratings or level are expressed as high, moderate or low. Inherent risk ratings measure the risk before any controls (risk mitigation tools, processes or techniques) are applied. The also help the organization determine the extent of risk identification and management activities necessary to effectively manage the vendor relationship.
Inherent risk usually examines the different types of risk in the relationship, some of which may overlap. Examples include:
- Compliance risk
- Financial risk
- Information security and privacy risk
- Reputational risk
- Geopolitical risk
3 Questions to Deem Critical vs Non-Critical
In addition to these risk levels, you need to determine if a vendor is critical or non-critical to your organization. In other words, how essential is the vendor to your daily operations? A simple way to establish criticality is by asking three questions:
- Would there be a significant disruption to our organization if we suddenly lost this vendor?
- Would our customers be affected by the sudden loss of the vendor?
- Would there be a negative impact to operations if the time to restore service took longer than 24 hours?
Answering yes to any single question will mean the vendor is critical. If every answer is no, the vendor is non-critical.
Critical vs High-Risk Vendors
Now that you understand how to measure risk level and determine criticality, it should be clearer why these two categories are separate. Let's review how and why different risk levels and criticality can overlap.
In actuality, most critical vendors are rated as high risk because the products and services required to maintain operations tend to have many high-risk attributes, such as information security concerns or the ability to negatively impact the customer.
The vendor is Non-Critical, but is High Risk: Not all high-risk vendors are critical. In fact, most of them won't be considered critical. A company that provides shredding services would fall into this category. This third party would be considered non-critical because it's easily replaceable. Operations will not cease if the shredding vendor is no longer viable. However, they’re high risk because they can access confidential company information and client data.
Spend some time with your vendor list and investigate which vendors are truly critical to your organization. Suppose you find that many of your low or moderate-risk vendors are classified as critical. In that case, it's a good sign that your criteria for critical are not stringent enough, or your risk rating methodology needs to be reevaluated. Remember, most critical vendors will be high risk, but not all high-risk vendors are critical.
Understanding the difference between criticality and inherent risk ratings is essential for preventing severe vendor-related business interruptions. It will also help your organization determine the appropriate levels and timing for due diligence, risk reviews and monitoring for every vendor.