
Criticality and Risk Rating Vendors 101


A vendor's criticality and risk rating are two different things, but they often get used interchangeably. This post clarifies what each term means and how they fit together.

Let’s cover:

  • The terms and why they’re different
  • A simple and straightforward approach that gives you clear guidance and a good understanding of why the two terms can either help or hinder your oversight duties
  • Examples of critical vendors with minimal risk attributes vs. critical vendors with high risk attributes


Criticality Approach

These terms may often be confused in the vendor risk management realm, so it’s important to provide some clarification if you’re just starting out.

Criticality is the probability that the product or service used by the organization could cause severe events which, in turn, place the organization in harm’s way. Think of this as business impact.

These could be classified as:

  • Operational risk – a major system outage where the system can’t be replaced within 24 hours.
  • Financial risk – the actions of the vendor may place the organization at financial risk. This could be in the space of litigation/enforcement or failure to perform as expected.
  • Reputational risk – are you guilty by association? It’s a common mindset that you are judged by the company you keep.

The main point here is that criticality should be viewed as how important the product or service is to the day-to-day operations of an organization. Always ask yourself the following 3 questions:

  1. Would a sudden loss of this vendor cause a significant disruption to our organization?
  2. Would the sudden loss impact our customers?
  3. Would the time to restore service without this vendor be greater than one business day OR greater than what our organization’s business continuity plan calls for as a recovery time?

In our experience, if you answer yes to any of the above questions, then the vendor is critical.

Example of a Critical Vendor 

Vendor ABC recently moved to a new payment processing platform. The vendor assisted with facilitating the organization’s payments, and while the system was up and running, operations for the organization ran smoothly. However, due to a major system crash, the organization was unable to access the system to process customer transactions.

The organization failed to confirm and assess any business continuity or disaster recovery plans with this vendor, which caused them to fall behind on transactions. The losses were both financial and operational in nature. It also concerned some customers and impacted the organization’s reputation.

The above is a perfect example of a critical vendor. Therefore, it would have been prudent to assess this as a critical vendor with considerable risk – or high risk. This would, in turn, determine the level of oversight required.

Low Risk Critical Vendors 

On the other end of the spectrum, you may have a critical vendor with low risk, meaning a vendor that is critical to operations but has a lower level of risk associated with it. A phone provider is a good example.

Clearly, the phone line is critical to the day-to-day operations to speak to clients, but the risks associated are much lower. While replacing a major phone provider may take some effort, it’s unlikely that a phone outage would bring your operation to a complete standstill.

Understanding Regulatory Risk

When we move on to regulatory risk, the vendor manager should consider the regulatory risk in addition to the business impact level. Regulatory risk is evaluated on categories like financial, operational, compliance, reputational and transactional risk. It determines the vendor’s risk rating – high, medium or low. Take a quick read of FDIC-FIL-44-2008 for more information regarding the categories of risk.

Can a Vendor Be Critical and High Risk?

Absolutely. This really points back to what the business impact would be should the high risk vendor cause you a system outage or another type of risk event.

Here is a tip to mitigate this situation when you have a critical vendor who is high risk:

The criticality of a vendor type may be managed by utilizing multiple vendors who offer the same product or service. This creates the opportunity for an organization to offset the risk by either sharing the volume between “duplicate” vendor products, or simply having a back-up vendor in the wings to take up additional volume due to capacity, performance or outage incidents.

An example of this approach would be in the form of credit vendors. A credit reporting company has an elevated level of regulatory risk and plays a major part in the lending process. In a use case where the lender only uses one credit vendor and fails to have a back-up vendor in place, then by default, this moves the high risk vendor into a critical vendor category. 

If the credit vendor's system were to go offline for several hours, how would the lender pull credit for new applications? It all points back to what the business impact could be if an outage were to occur.

Alternatively, in an example where the lender has elected to have three credit vendors in place to support their business, the regulatory risk level doesn’t decrease since they are all under the same rules and regulations. But because there are multiple vendors in place ready to pick up where one vendor fails, the business impact and, therefore to some extent, the criticality level should be reviewed and reconsidered. 

In this example, I would recommend that the criticality is downgraded from critical to HIGH and the regulatory risk would remain as a HIGH rating. Compare this to the lender who has one credit vendor and no back up in place. In this instance, the rating would be CRITICAL / HIGH. The lender who has taken the wise decision to have a back-up vendor in place will be in a much better position to handle a system outage.

The importance of this approach is not to be underestimated. Simply assigning a risk level to a vendor and then moving on doesn’t really add value to your oversight effort.
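The following is an added example, not Venminder's code or tooling, showing how the rules in the sections above can be written down as a small rating routine: the three criticality questions decide whether a vendor is critical, the regulatory risk rating is carried separately, and the presence of back-up vendors reviews criticality down from CRITICAL to HIGH without touching the regulatory half. The record fields, the sample vendors and the cut-offs are assumptions constructed for the illustration; the phone provider, credit bureau and paper supply cases mirror the examples in the text.

```python
from dataclasses import dataclass


@dataclass
class Vendor:
    # Constructed record type for this example; field names are assumptions, not Venminder's schema.
    name: str
    # The three criticality questions from the article (True = "yes")
    loss_disrupts_operations: bool
    loss_impacts_customers: bool
    restore_exceeds_rto: bool
    # Regulatory risk rating drawn from the risk categories: "HIGH", "MEDIUM" or "LOW"
    regulatory_risk: str
    # Other vendors already contracted that deliver the same product or service
    backup_vendors: int = 0


def is_critical(v: Vendor) -> bool:
    """Business-impact test: a "yes" to any of the three questions makes the vendor critical."""
    return v.loss_disrupts_operations or v.loss_impacts_customers or v.restore_exceeds_rto


def criticality(v: Vendor) -> str:
    """Criticality level. Applies the article's mitigation: when duplicate or back-up vendors
    are in place the business impact drops, so the level is reviewed down from CRITICAL to HIGH."""
    if not is_critical(v):
        return "LOW"
    return "HIGH" if v.backup_vendors > 0 else "CRITICAL"


def rating(v: Vendor) -> str:
    """Combined label in the article's "CRITICALITY / REGULATORY RISK" form. Back-up vendors
    never change the regulatory half: they all sit under the same rules and regulations."""
    return f"{criticality(v)} / {v.regulatory_risk}"


def needs_annual_assessment(v: Vendor) -> bool:
    """Oversight trigger from the article: critical or high-risk vendors are assessed annually
    or as needed. Anything else is left to ongoing monitoring here (an assumption of this example)."""
    return criticality(v) in ("CRITICAL", "HIGH") or v.regulatory_risk == "HIGH"


def sample_portfolio() -> dict:
    """Constructed vendors mirroring the article's examples; returns name -> rating."""
    vendors = [
        # Lender with a single credit bureau and no back-up: an outage stops new applications.
        Vendor("credit bureau (sole source)", True, True, True, "HIGH"),
        # Same service, but two other bureaus are contracted and can take the volume.
        Vendor("credit bureau (one of three)", True, True, True, "HIGH", backup_vendors=2),
        # Phone provider: day-to-day dependency, but little regulatory exposure.
        Vendor("phone provider", True, False, False, "LOW"),
        # Commodity supplier: no business impact and no regulatory risk.
        Vendor("paper supply company", False, False, False, "LOW"),
    ]
    return {v.name: rating(v) for v in vendors}


if __name__ == "__main__":
    for name, label in sample_portfolio().items():
        print(f"{name:32} {label}  annual assessment: {needs_annual_assessment(Vendor(name, *[False]*3, 'LOW'))}")
```

Keeping the two halves of the label separate is the point: the back-up vendor changes only the business-impact side, so a reviewer can see at a glance why two vendors under identical regulation end up with different oversight requirements.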

The Rating Should Determine Your Level of Oversight Activity

Two factors you should consider:

  1. Frequency: Except for ongoing monitoring, how often will you actually perform an assessment on the vendor?

  2. Critical/high risk vendors: They should be assessed on an annual or as needed basis. 

    Again, there may be instances where this makes sense and can certainly help when trying to coordinate schedules and budgets for a given year. While this may seem like a very risky attitude to take regarding annual assessments, remember that you are, or at least should be, performing ongoing monitoring and performing scorecard calls, etc. 

    Your oversight activities should tell you exactly where you need to pay most attention. So, focus on the risk that a vendor presents to you as an organization and, most importantly, the risk the vendor presents to that of your consumers' non-public personal information (NPPI).

Keeping frequency and critical/high risk vendors at the forefront of your approach will help you develop a well-planned criticality risk rating approach.

How Can It Go Wrong? What’s the Impact?

It's very common for vendors to be miscategorized. Ultimately, if you have mistakenly risk rated all vendors as critical, and your policy and program states that you audit all critical vendors, then you may have unknowingly set yourself up for failure at the time of an examiner review. Examiners will want you to then explain your logic and, more importantly, explain why you haven’t reviewed your critical paper supply company!

In one real-life example, part of the criteria to qualify a vendor as critical or not was based on the annual spend of anything over $250,000. While this is viewed as a high dollar amount spend, the vendor product was a commodity, had no access to systems or NPPI and did not fall under any regulatory risk. But, based on the weighting given to the question of spend, this elevated a low risk vendor to that of critical.

Per the policy and program guidance, this vendor should have undergone review of financials, business continuity plan (BCP), disaster recovery (DR), SOC, etc. The vendor management team knew better than to actually perform a highly-detailed assessment of the vendor but did make the mistake of including it in their critical vendor list.

It wasn’t until the examiner reviewed the vendor list and requested annual assessment records of each of the listed vendors that the error was uncovered. The MRA recommended a revisit of vendor ratings and additional training for the vendor management staff.

Don’t Overthink It

The takeaway here is to use common sense when looking at your vendor ratings. Don’t overthink it and use the following guidance:

  • Is there business impact risk in using this vendor?
  • Are they easily replaceable in the case of an outage?
  • Does the vendor have a strong BCP/DR plan in place to get back online in a timely fashion with minimal disruption?
  • Does the vendor have system access or NPPI or other confidential customer information?
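As an added illustration of the miscategorization described above (this is example code, not Venminder's), the block below scores a constructed commodity vendor two ways: with a questionnaire whose annual-spend question is weighted heavily enough to cross the "critical" threshold on its own, and with the plain checklist from this section, where spend is not a factor. The $250,000 spend cut-off is the figure from the article; the weights, the critical-score threshold, the vendor profiles and the rule that a risky answer to any checklist question makes the vendor critical are all assumptions made for the example.

```python
# Added example (not Venminder's code): a spend-heavy questionnaire score versus the
# plain checklist, applied to constructed vendor profiles.
SPEND_THRESHOLD = 250_000       # the annual-spend cut-off from the article's example
CRITICAL_THRESHOLD = 6          # score at which the constructed model flags "critical" (assumption)

# Constructed vendor profiles. The paper supplier mirrors the article's miscategorised
# vendor: high spend, but a commodity with no system/NPPI access and no regulatory risk.
PAPER_SUPPLIER = {
    "name": "paper supplier",
    "business_impact": False,
    "easily_replaceable": True,
    "strong_bcp_dr": True,
    "system_or_nppi_access": False,
    "regulated": False,
    "annual_spend": 300_000,
}
CORE_PROCESSOR = {
    "name": "core transaction processor",
    "business_impact": True,
    "easily_replaceable": False,
    "strong_bcp_dr": False,
    "system_or_nppi_access": True,
    "regulated": True,
    "annual_spend": 150_000,
}

# Flawed weighting (assumption): the spend question alone reaches the critical threshold.
SPEND_HEAVY_WEIGHTS = {
    "business_impact": 3, "hard_to_replace": 2, "weak_bcp_dr": 2,
    "system_or_nppi_access": 3, "regulated": 3, "high_spend": 6,
}
# Corrected weighting: spend is recorded for information only and carries no weight.
CORRECTED_WEIGHTS = dict(SPEND_HEAVY_WEIGHTS, high_spend=0)


def risk_indicators(v: dict) -> dict:
    """Turn a vendor profile into yes/no risk indicators (True = the risky answer)."""
    return {
        "business_impact": v["business_impact"],
        "hard_to_replace": not v["easily_replaceable"],
        "weak_bcp_dr": not v["strong_bcp_dr"],
        "system_or_nppi_access": v["system_or_nppi_access"],
        "regulated": v["regulated"],
        "high_spend": v["annual_spend"] > SPEND_THRESHOLD,
    }


def weighted_score(v: dict, weights: dict) -> int:
    """Additive questionnaire score: each risky answer adds its weight."""
    ind = risk_indicators(v)
    return sum(w for key, w in weights.items() if ind[key])


def critical_by_score(v: dict, weights: dict) -> bool:
    return weighted_score(v, weights) >= CRITICAL_THRESHOLD


def critical_by_checklist(v: dict) -> bool:
    """The article's four common-sense questions, with spend deliberately absent.
    Assumption for this example: a risky answer to any of the four makes the vendor critical."""
    ind = risk_indicators(v)
    return any(ind[k] for k in ("business_impact", "hard_to_replace",
                                "weak_bcp_dr", "system_or_nppi_access"))


def compare(v: dict) -> dict:
    """Side-by-side verdicts so a reviewer can see where the scoring model disagrees with the checklist."""
    return {
        "spend_heavy_score": weighted_score(v, SPEND_HEAVY_WEIGHTS),
        "critical_spend_heavy": critical_by_score(v, SPEND_HEAVY_WEIGHTS),
        "critical_corrected": critical_by_score(v, CORRECTED_WEIGHTS),
        "critical_checklist": critical_by_checklist(v),
    }


def miscategorised(v: dict) -> bool:
    """True when the spend-heavy model flags a vendor the checklist would not: exactly the
    kind of entry an examiner will ask you to explain."""
    return critical_by_score(v, SPEND_HEAVY_WEIGHTS) and not critical_by_checklist(v)


if __name__ == "__main__":
    for v in (PAPER_SUPPLIER, CORE_PROCESSOR):
        print(v["name"], compare(v), "MISCATEGORISED" if miscategorised(v) else "consistent")
```

Running `miscategorised` across the whole vendor list before the critical list is finalised is a cheap control: any vendor that is critical only because of spend, and on no other criterion, is the paper supply company from the story.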

Mitigate the risk of your critical vendors during the contract stage. Download the infographic to find out key provisions to look for.
