A vendor's criticality rating and its risk rating are two different things, but they are often used interchangeably. This article clarifies the distinction so you can apply each one correctly.
From a non-bank lender's perspective, let's go through:
- Why the two terms should not be mixed up and what happens when you do.
- A simple, straightforward approach that gives you clear guidance and a good understanding of how the two terms can either help or hinder your oversight duties.
- Examples of critical vendors with low risk attributes versus critical vendors with high risk attributes.
These terms are often confused in the vendor management realm, so some guidance is worthwhile if you are just starting out.
Criticality is a measure of how severely the lender would be affected if the product or service failed or became unavailable: the likelihood that such a failure triggers one or more severe events that place the lender in harm's way. Think of this as business impact.
These could be classified as:
- Major system outages where the product or service cannot be restored or replaced within 24 hours.
- Financial risk: the vendor's actions may expose the lender to financial loss, whether through litigation or enforcement action or through failure to perform as expected.
- Reputational risk: are you guilty by association? It's a common mindset that you are judged by the company you keep.
The main point here is that criticality should be viewed as how important the product or service is to the day-to-day operations of the lender.
Mortgage Company ABC recently moved to a document imaging platform which allowed them to have a paperless processing operation. The vendor hosted all the loan documents and while the system was up and running, operations for the lender ran smoothly. However, due to a major system crash, the lender was unable to access loan documents to process, underwrite and close loans.
The lender had failed to confirm and assess any BCP / DR plans with this vendor, so it fell behind on mortgage production turn times and missed closing dates. The losses were both financial and operational. In addition, most employees were disheartened by the event and viewed the new tool and workflow in a negative light.
The above is a textbook critical vendor. It would have been prudent to rate it as critical with considerable risk, which in turn would have set the level of oversight required, including a review of the vendor's BCP / DR plans before relying on it for production.
Low Risk Critical Vendors
On the other end of the spectrum, you may have a critical vendor with low risk: the vendor is essential to operations, but the risk associated with it is low. A phone provider is a good example.
Clearly, the phone line is critical to day-to-day operations for speaking with clients, but the associated risks are much lower. While replacing a major phone provider takes some effort, a phone outage is unlikely to bring your operation to a complete standstill.
It's worth pointing out that if you are a mortgage servicer whose key role is taking inbound calls, then having a back-up phone system in place is a good step toward maintaining your business continuity plan.
Turning to regulatory risk, the vendor manager should consider the regulatory requirements that attach to the product or service. As a straightforward guide, attributes such as access to NPPI (non-public personal information), a consumer-facing role in the loan transaction, and CFPB oversight of specific functions all point to vendors that represent an elevated level of risk to the lender.
Can a vendor be a critical vendor and be high risk?
This really points back to what the business impact would be should the high risk vendor cause a system outage or other failure. Here are three tips:
- The criticality of a vendor type can be managed by engaging multiple vendors that offer the same product or service. This lets the lender offset the risk by sharing volume between "duplicate" vendor products, or simply by having a back-up vendor in the wings to absorb additional volume when capacity, performance or outage incidents hit the primary.
- Credit vendors are a good example of this approach. A credit reporting company carries an elevated level of regulatory risk and plays a major part in the lending process. If the lender uses only one credit vendor and has no back-up in place, then by default that high risk vendor also becomes a critical vendor.
If the credit vendor's system went offline for several hours, how would the lender pull credit for new applications? It all points back to what the business impact would be if an outage occurred.
- Alternatively, where the lender has elected to have three credit vendors in place, the regulatory risk level does not decrease, since all three are subject to the same rules and regulations. But because multiple vendors are ready to pick up where one fails, the business impact, and therefore to some extent the criticality level, should be reviewed and reconsidered.
In this example, I would recommend downgrading criticality from CRITICAL to HIGH while keeping the regulatory risk at HIGH. Compare this to the lender with one credit vendor and no back-up: that vendor rates CRITICAL / HIGH. The lender who has wisely put a back-up vendor in place will be in a much better position to handle a system outage.
The importance of this approach is not to be underestimated. Simply assigning a risk label to a vendor and then moving on doesn’t really add value to your oversight effort.
The Rating Should Determine Your Level of Oversight Activity
Two factors you should consider:
- Frequency: apart from ongoing monitoring, how often will you actually perform a full assessment of the vendor?
- Critical / high risk vendors: these should be assessed annually. While best practice is to revisit every vendor annually, you could make a business case, depending on your confidence in the last annual assessment, to extend the interval to every 18 months.
There may be instances where this makes sense, and it can help when coordinating schedules and budgets for a given year. While stretching the interval may seem a risky attitude toward annual assessments, remember that you are, or at least should be, performing ongoing monitoring, scorecard calls and the like in between.
Your oversight activities should tell you exactly where to pay the most attention. So focus on the risk a vendor presents to your organization and, most importantly, the risk it presents to your consumers' NPPI.
Keeping frequency and your critical / high risk vendors at the forefront of your approach will help you develop a well-planned criticality and risk rating approach.
How can it go wrong? What’s the impact?
It's very common for vendors to be miscategorized. If you have mistakenly labeled all vendors as critical and your policy and program state that you audit all critical vendors, you may have unknowingly set yourself up for failure at a state examiner review. Examiners will want you to explain your logic and, more importantly, explain why you haven't reviewed your "critical" paper supply company!
In one real-life example, part of the criteria for qualifying a vendor as critical was an annual spend above $250,000. While that is a high spend, the vendor's product was a commodity; the vendor had no access to systems or NPPI and fell under no regulatory requirements. But because of the weight given to the spend question, a low risk vendor was elevated to critical.
Per the policy and program guidance, this vendor should then have undergone a review of financials, BCP, DR, SOC reports, etc. The vendor management team knew better than to actually perform a highly detailed assessment of the vendor, but did make the mistake of keeping it on the critical vendor list.
The error only surfaced when the examiner reviewed the vendor list and requested annual assessment records for each listed vendor. The resulting MRA (Matter Requiring Attention) recommended a revisit of vendor ratings and additional training for the vendor management staff.
The takeaway is to use common sense when looking at your vendor ratings. Don't overthink it; use the guidance below:
- Is there business impact risk in using this vendor?
- Is the vendor easily replaceable in the case of an outage?
- Does the vendor have a strong BCP / DR plan to get back online quickly with minimal disruption?
- Does the vendor have system access or access to NPPI, and is it subject to consumer lending regulatory requirements?
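The rules above, and the credit-vendor and paper-supplier scenarios earlier in the article, can be encoded as a two-axis rating so that criticality and regulatory risk are scored separately and spend cannot contaminate either. The following is an added example written for this page; it is not the article's own model or any lender's policy. The vendor attributes, the `Vendor` field names, the 24-month cycle for low-rated vendors and the split of evidence by axis are assumptions; the sample vendors are constructed to mirror the article's scenarios, and `naive_spend_weighted` reproduces the flawed spend-weighted scoring from the examiner story for comparison.

```python
"""Two-axis vendor rating: criticality (business impact) vs. regulatory risk.

Added example, not from the original article. Attribute names, thresholds
and the sample vendors below are constructed assumptions that mirror the
article's scenarios (document imaging, phone provider, credit bureaus,
paper supplier).
"""
from __future__ import annotations

from dataclasses import dataclass

SPEND_THRESHOLD = 250_000  # USD; the cut-off from the article's examiner story


@dataclass(frozen=True)
class Vendor:
    name: str
    annual_spend: float
    essential_to_daily_ops: bool   # would losing it disrupt day-to-day production?
    backup_vendors: int            # alternates able to absorb volume today
    bcp_dr_verified: bool          # lender has actually assessed the vendor's BCP/DR
    system_access: bool            # access to lender systems
    npi_access: bool               # handles consumer NPPI
    consumer_facing: bool          # deals with the consumer in the loan transaction
    cfpb_regulated_function: bool  # performs a function under CFPB oversight


def criticality(v: Vendor) -> str:
    """Business-impact axis. Back-ups soften impact, so they downgrade CRITICAL
    to HIGH (the article's credit-vendor example). Spend plays no part."""
    if not v.essential_to_daily_ops:
        return "LOW"
    return "HIGH" if v.backup_vendors > 0 else "CRITICAL"


def regulatory_risk(v: Vendor) -> str:
    """Regulatory axis. Unchanged by back-ups: three bureaus, same rules."""
    if v.npi_access or v.cfpb_regulated_function:
        return "HIGH"
    if v.consumer_facing or v.system_access:
        return "MEDIUM"
    return "LOW"


def review_interval_months(crit: str, reg: str, confident_in_last_review: bool = False) -> int:
    """Full-assessment cadence: 12 months for CRITICAL/HIGH on either axis,
    18 with a documented business case; 24 for the rest (assumption)."""
    if crit == "CRITICAL" or "HIGH" in (crit, reg):
        return 18 if confident_in_last_review else 12
    return 24


def required_evidence(crit: str, reg: str) -> list[str]:
    """Artifacts the assessment must collect (split by axis is an assumption)."""
    items: list[str] = []
    if crit in ("CRITICAL", "HIGH"):
        items += ["financials", "BCP/DR plan", "SOC report"]
    if reg in ("HIGH", "MEDIUM"):
        items += ["NPPI handling / information security review"]
    return items


def rate(v: Vendor) -> dict:
    """Rate one vendor on both axes and flag the article's failure mode:
    a CRITICAL vendor whose BCP/DR was never assessed."""
    crit, reg = criticality(v), regulatory_risk(v)
    findings = []
    if crit == "CRITICAL" and not v.bcp_dr_verified:
        findings.append("CRITICAL vendor with unverified BCP/DR")
    return {"vendor": v.name, "criticality": crit, "regulatory_risk": reg,
            "review_months": review_interval_months(crit, reg),
            "evidence": required_evidence(crit, reg), "findings": findings}


def naive_spend_weighted(v: Vendor) -> str:
    """The flawed single-score model: spend alone carries enough weight to
    push a commodity supplier over the CRITICAL line."""
    points = (3 * (v.annual_spend > SPEND_THRESHOLD)
              + 2 * v.essential_to_daily_ops + 2 * v.npi_access)
    return "CRITICAL" if points >= 3 else "LOW"


# Constructed sample vendors mirroring the article's scenarios.
DOC_IMAGING = Vendor("Document imaging platform", 180_000, True, 0, False, True, True, False, False)
PHONE = Vendor("Phone provider", 60_000, True, 0, True, False, False, False, False)
CREDIT_SINGLE = Vendor("Credit bureau (sole)", 400_000, True, 0, True, True, True, False, True)
CREDIT_BACKED = Vendor("Credit bureau (one of three)", 150_000, True, 2, True, True, True, False, True)
PAPER = Vendor("Paper supplier", 300_000, False, 0, False, False, False, False, False)

if __name__ == "__main__":
    for v in (DOC_IMAGING, PHONE, CREDIT_SINGLE, CREDIT_BACKED, PAPER):
        r = rate(v)
        print(f"{r['vendor']:30} {r['criticality']:9}/{r['regulatory_risk']:6} "
              f"review every {r['review_months']}m  naive={naive_spend_weighted(v)}  {r['findings']}")
```

Running the script prints one line per vendor; the paper supplier rates LOW / LOW under the two-axis model but CRITICAL under the spend-weighted score, which is exactly the mislabel the examiner caught. The phone provider lands at CRITICAL / LOW, and adding two back-up bureaus moves the credit vendor from CRITICAL / HIGH to HIGH / HIGH without changing its annual review cadence.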