A vendor's criticality and its risk rating are two different things, but they often get used interchangeably. We'll clarify both, covering:
- The terms and why they’re different
- A simple, straightforward approach; you’ll have clear guidance and a good understanding of how the two terms can either help or hinder your oversight duties
- Examples of critical vendors with minimal risk attributes vs critical vendors with high risk attributes
These terms may often be confused in the vendor risk management realm, so it’s important to provide some clarification if you’re just starting out.
Criticality is the probability that the product or service used by the organization could cause severe events which, in turn, would place the organization in harm’s way. Think of this as business impact.
These could be classified as:
- Major system outages where the service can’t be restored or replaced within 24 hours.
- Financial risk – the actions of the vendor may place the organization at financial risk. This could be in the space of litigation/enforcement or failure to perform as expected.
- Reputational risk – are you guilty by association? It’s a common mindset that you are judged by the company you keep.
The main point here is that criticality should be viewed as how important the product or service is to the day-to-day operations of an organization. Always ask yourself the following three questions:
- Would a sudden loss of this vendor cause a significant disruption to our organization?
- Would the sudden loss impact our customers?
- Would the time to restore service without this vendor be greater than one business day OR greater than what our organization’s business continuity plan calls for as a recovery time?
In our experience, if you answer yes to any of the above questions, then the vendor is critical.
Example of a Critical Vendor
Vendor ABC recently moved to a new payment processing platform. The vendor assisted with facilitating the organization’s payments, and while the system was up and running, operations for the organization ran smoothly. However, due to a major system crash, the organization was unable to access the system to process customer transactions.
The organization failed to confirm and assess any business continuity or disaster recovery plans with this vendor, which caused them to fall behind on transactions. The losses were both financial and operational in nature. It also concerned some customers and impacted the organization’s reputation.
The above is a perfect example of a critical vendor. Therefore, it would have been prudent to assess this as a critical vendor with considerable risk – or high risk. This would, in turn, determine the level of oversight required.
Low Risk Critical Vendors
On the other end of the spectrum, you may have a critical vendor with low risk, meaning the vendor is critical to operations but carries a lower level of risk. A phone provider is a good example.
Clearly, the phone line is critical to day-to-day operations, since you need it to speak to clients, but the risks associated with it are much lower. While replacing a major phone provider may take some effort, it’s unlikely that a phone outage would bring your operation to a complete standstill.
Understanding Regulatory Risk
Turning to regulatory risk, the vendor manager should consider it in addition to the business impact level. Regulatory risk is evaluated on categories like financial, operational, compliance, reputational and transactional risk, and it determines the vendor’s risk rating: high, medium or low. Take a quick read of FDIC-FIL-44-2008 for more information regarding the categories of risk.
Can a Vendor Be Critical and High Risk?
Absolutely. This comes back to what the business impact would be should the high risk vendor cause a system outage or another type of incident.
Here is a tip to mitigate this situation when you have a critical vendor who is high risk:
The criticality of a vendor type may be managed by utilizing multiple vendors who offer the same product or service. This creates the opportunity for an organization to offset the risk by either sharing the volume between “duplicate” vendor products, or simply having a back-up vendor in the wings to take up additional volume due to capacity, performance or outage incidents.
An example of this approach would be credit vendors. A credit reporting company has an elevated level of regulatory risk and plays a major part in the lending process. In a use case where the lender uses only one credit vendor and fails to have a back-up vendor in place, then, by default, this moves the high risk vendor into the critical vendor category.
If the credit vendor's system were to go offline for several hours, how would the lender pull credit for new applications? It all points back to what the business impact could be if an outage were to occur.
Alternatively, where the lender has elected to have three credit vendors in place to support their business, the regulatory risk level doesn’t decrease, since they are all under the same rules and regulations. But because there are multiple vendors in place ready to pick up where one vendor fails, the business impact and, therefore, to some extent the criticality level should be reviewed and reconsidered.
In this example, I would recommend that the criticality is downgraded from critical to HIGH while the regulatory risk remains a HIGH rating. Compare this to the lender who has one credit vendor and no back-up in place. In this instance, the rating would be CRITICAL / HIGH. The lender who has made the wise decision to have a back-up vendor in place will be in a much better position to handle a system outage.
The importance of this approach is not to be underestimated. Simply assigning a risk level to a vendor and then moving on doesn’t really add value to your oversight effort.
The Rating Should Determine Your Level of Oversight Activity
Two factors you should consider:
- Frequency: Except for ongoing monitoring, how often will you actually perform an assessment on the vendor?
- Critical/high risk vendors: They should be assessed on an annual or as-needed basis.
Again, there may be instances where this makes sense and can certainly help when trying to coordinate schedules and budgets for a given year. While this may seem like a very risky attitude to take regarding annual assessments, remember that you are, or at least should be, performing ongoing monitoring and performing scorecard calls, etc.
Your oversight activities should tell you exactly where you need to pay most attention. So, focus on the risk that a vendor presents to you as an organization and, most importantly, the risk the vendor presents to your consumers' non-public personal information (NPPI).
Keeping frequency and critical/high risk vendors at the forefront of your approach will help you develop a well-planned criticality risk rating approach.
How Can It Go Wrong? What’s the Impact?
It's very common for vendors to be miscategorized. Ultimately, if you have mistakenly risk-rated all vendors as critical, and your policy and program state that you audit all critical vendors, then you may have unknowingly set yourself up for failure at the time of an examiner review. Examiners will then want you to explain your logic and, more importantly, explain why you haven’t reviewed your critical paper supply company!
In one real-life example, part of the criteria to qualify a vendor as critical was an annual spend exceeding $250,000. While this is viewed as a high dollar spend, the vendor product was a commodity, had no access to systems or NPPI and did not fall under any regulatory risk. But, based on the weighting given to the question of spend, this elevated a low risk vendor to critical.
Per the policy and program guidance, this vendor should have undergone review of financials, business continuity plan (BCP), disaster recovery (DR), SOC reports, etc. The vendor management team knew better than to actually perform a highly detailed assessment of the vendor but did make the mistake of including it in their critical vendor list.
It wasn’t until the examiner reviewed the vendor list and requested annual assessment records for each of the listed vendors that the error was uncovered. The resulting MRA (matter requiring attention) recommended a revisit of vendor ratings and additional training for the vendor management staff.
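To make the two axes concrete, here is an added example (not from the original post or any vendor management product) that encodes the post's logic: the three criticality questions, the downgrade from CRITICAL to HIGH when back-up vendors exist (the credit vendor case above), a regulatory risk rating that is unaffected by redundancy, and the flawed spend-threshold rule behind the examiner finding. Vendor names, category values and spend figures are constructed for illustration.

```python
from dataclasses import dataclass

LEVELS = {"low": 0, "medium": 1, "high": 2}
NAMES = {value: name for name, value in LEVELS.items()}

@dataclass
class Vendor:
    name: str
    # The three criticality questions from the post, answered yes/no.
    loss_disrupts_operations: bool
    loss_impacts_customers: bool
    restore_exceeds_rto: bool
    # Regulatory risk categories (financial, operational, compliance, ...),
    # each rated "low", "medium" or "high".
    risk_categories: dict
    alternate_vendors: int = 0   # back-up vendors ready to absorb the volume
    annual_spend: float = 0.0

def criticality(v: Vendor) -> str:
    """Any 'yes' -> critical; a back-up vendor reduces impact, so downgrade to high."""
    if not (v.loss_disrupts_operations or v.loss_impacts_customers or v.restore_exceeds_rto):
        return "low"
    return "high" if v.alternate_vendors >= 1 else "critical"

def regulatory_risk(v: Vendor) -> str:
    """Highest-rated category; back-up vendors sit under the same rules, so no change."""
    if not v.risk_categories:
        return "low"
    return NAMES[max(LEVELS[r] for r in v.risk_categories.values())]

def rating(v: Vendor) -> str:
    """Combined label in the post's CRITICALITY / RISK form."""
    return f"{criticality(v).upper()} / {regulatory_risk(v).upper()}"

def spend_weighted_criticality(v: Vendor, threshold: float = 250_000) -> str:
    """The flawed rule behind the examiner finding: high spend alone makes a
    vendor critical, regardless of business impact or regulatory risk."""
    return "critical" if v.annual_spend > threshold else criticality(v)

# Constructed sample vendors (hypothetical names and values).
BUREAU = {"compliance": "high", "operational": "medium"}
SINGLE_BUREAU = Vendor("Credit bureau, no back-up", True, True, True, BUREAU)
REDUNDANT_BUREAU = Vendor("Credit bureau, two alternates", True, True, True, BUREAU,
                          alternate_vendors=2)
PHONE_PROVIDER = Vendor("Phone provider", True, False, False, {"operational": "low"})
PAPER_SUPPLIER = Vendor("Paper supplier", False, False, False, {}, annual_spend=300_000)

if __name__ == "__main__":
    for v in (SINGLE_BUREAU, REDUNDANT_BUREAU, PHONE_PROVIDER, PAPER_SUPPLIER):
        print(f"{v.name}: {rating(v)}; spend-weighted: {spend_weighted_criticality(v)}")
```

Running it shows the paper supplier rated LOW / LOW by the impact-based rule but "critical" by the spend rule, which is exactly the miscategorization the examiner flagged.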
Don’t Overthink It
The takeaway here is to use common sense when looking at your vendor ratings. Don’t overthink it and use the following guidance:
- Is there business impact risk in using this vendor?
- Are they easily replaceable in the case of an outage?
- Does the vendor have a strong BCP/DR plan in place to get back online in a timely fashion with minimal disruption?
- Does the vendor have system access or NPPI or other confidential customer information?