Criticality and Risk Rating Vendors 101

Vendor criticality and risk rating are often used interchangeably. But, they're two distinct concepts. It's essential to understand the difference and how each is applied within vendor risk management. Read on to learn more.

We're going to cover:

• How to define each term
• How critical is different from high risk
• Inherent vs. residual risk
• The practical application of criticality vs. risk rating
• The level of oversight and monitoring required for high-risk and critical vendors

Risk Rating vs. Criticality

These terms are often confused in the vendor risk management realm. If you’re new to vendor risk management or simply require a refresher, you can review the details below.

Risk Ratings

The risk rating refers to the inherent risk of a product or service before considering the control environment. All engagements should have a risk rating.

Most organizations use ratings of high, moderate or low, or similar rating systems. The risk rating informs the organization of the level of due diligence to conduct, what is expected as far as monitoring and the frequency of risk reviews and assessments. Depending on your organization, it also may indicate that specific minimum contract terms and conditions must be included or that additional review or approvals are necessary.

Inherent vs. Residual Vendor Risk

Inherent risk exists within the product or service and cannot be separated from the third party. A good example of an inherently risky vendor would be a call center because the nature of this activity requires outside individuals/vendors to directly interact with your customers. Inherent risk can, however, be mitigated through a variety of controls such as proper employee training or implementing a clear set of procedures. After these mitigating controls are put in place, you are then left with the residual risk which you can further assess to determine if it’s acceptable to your organization.

Criticality

Critical is not a risk rating; rather, it’s a specific subset of your vendors. All vendors are either critical or non-critical. Critical denotes that if the vendor fails to provide the product or service, as expected, there could be materially negative impacts to the organization or its customers and consumers. Criticality is essentially determined by the service's impact on your day-to-day operations. In other words, how dependent is your organization on that product or service? Suppose that product or service is not available or delivered incorrectly. Can your organization continue to conduct organization-wide mission-critical functions?

The following are examples of risk types that can affect the criticality:

• Operational risk – This can include a significant system outage of the service that may not be back online within 24 hours.
• Financial risk – Occurs when the actions of the vendor may place the organization at financial risk. Suppose the product or service is not provided as expected. In that case, this risk might manifest as lost revenue or paying for rework, litigation or regulatory fines.
• Reputational risk –The public makes no distinction between your company and your third-party vendors. It may have been the vendor's fault, but it is your reputation on the line.
• Regulatory risk – This risk relates to industry specific laws and rules that may be broken if there are issues with the product or service. For example, a customer service agent who provides false or misleading information to your customer would make your company responsible for a direct regulatory violation. These direct violations almost always have a material adverse impact.

To verify if a product or service is critical, ask yourself the three following questions:

1. Would a sudden loss of this vendor cause significant disruption to our organization?
2. Would the sudden loss impact our customers?
3. If the vendor service is disrupted, would there be a negative impact on your operations if the time to restore service took more than 24 hours?

In our experience, if you answer yes to any of the above questions, then the vendor is critical.

However, depending on your organization, other factors may also be considered as you identify your critical third-party vendors. Here are some examples of considerations:

1. Are significant financial investments, resources and time required to implement the third-party relationship and manage the risk?
2. Would there be a material impact to the organization's operations or resources to engage an alternate third party or if the outsourced activity has to be brought in-house?
3. Could the third-party vendor failure attract regulatory scrutiny or result in enforcement actions, including fines?
4. Could the third-party vendor failure negatively impact your reputation and brand?

Example of a Critical Vendor

Let's review a hypothetical situation that involves a critical vendor. ABC Company recently moved to a new payment processing platform. The vendor assisted with facilitating the organization's payments. While the system was up and running, operations for the organization ran smoothly. However, due to a major system crash, the organization could not access the system to process customer transactions.

Do we need both criticality and risk rating?

You might be questioning the purpose of having a critical category when you already have a high-risk rating. Wouldn't that high-risk rating be enough? The answer is no. You may have many high-risk vendors that provide products and services which are not essential to your core business functions. Make no mistake; a high-risk vendor failure will impact the company, but not to the extent and severity of a critical vendor.

Remember, all critical vendors are high-risk, but not all high-risk vendors are critical.

How is criticality used in vendor risk management?

Several regulations stipulate that an organization report the critical vendors and their performance to the board of directors. Essentially, the regulators want to ensure that vendor risk management activities for critical vendor activities are overseen at the highest possible level of the organization.

It’s simply not possible to monitor all vendors with the same rigor and frequency. Nor would it benefit the board to review hundreds, perhaps thousands, of vendor relationships. Paring down to a subset of vendors enables senior leadership and the board to focus on those critical vendor relationships that can materially affect the company's operations, revenue, reputation, and regulatory compliance.

Another reason for identifying an organization's critical vendors is reflected in the organization's internal business continuity and disaster recovery plan. Those vendors are deemed critical because they are essential to effective business resumption. Critical vendors should be incorporated into all BC/DR plans, desktop exercises and tests after an unplanned event.

For those and other reasons, critical vendors are always in scope for audits and regulatory exams.

How is risk rating used in vendor management?

The risk rating tells you how much you need to do and how often

Remember that effective vendor risk management activities should be commensurate with the level of risk and the complexity of the third-party relationships and the organization's organizational structure. So, your vendor risk management program should have identifiable thresholds. While a low-risk vendor may not require monitoring or performance reviews, a high-risk vendor (including all critical) requires quarterly performance reviews, contract monitoring and an annual risk assessment and review.

Two factors you should consider:

• Frequency
  1. How often will you gather core documents and perform a risk assessment on the vendor?
  2. How often will you review their performance?
  Critical/high-risk vendors: At a minimum, these vendors should be assessed on an annual basis or as often as necessary in response to a business interruption event or declining performance.
• Level of oversight and monitoring
  1. To what extent are you going to monitor the vendors?
  2. What level of detail, documentation or other evidence is expected from the vendor as part of the monitoring?

Critical/high-risk vendors: At a minimum, these vendors should have quarterly business reviews. On an annual basis, the vendor must be expected to confirm your organization has their most recent due diligence documents or provide new ones. Each year the subject matter experts must review the documentation and provide a written report.

Your oversight activities should tell you exactly where you need to pay the most attention. So, focus on the risk that a vendor presents to you as an organization and, most importantly, the vendor's risk to your customers and consumers.

How can it go wrong? What's the impact?

It's very common to miscategorize your vendors. Let's say that you have rated all your vendors as critical. Since your policy and program state that all critical vendors are audited, you'll have much explaining to do during an examiner review. Examiners will want you to detail your reasoning for those critical ratings. They will question why your "critical" paper supply company hasn't been reviewed!

In one real-life example, part of the criteria to qualify a vendor as critical was based on the annual spend exceeding $250,000. Although this is considered a high dollar spend, the vendor product was a commodity. It, therefore, didn't fall under any regulatory risk because the vendor didn't have access to systems or NPPI. This low-risk vendor was elevated to critical simply because of the spend amount.

Per the policy and program guidance, this vendor should have undergone a review of financials, business continuity plan (BCP), disaster recovery (DR), SOC, etc. The vendor management team knew better than to perform a highly-detailed assessment of the vendor. Still, it made the mistake of including it in their critical vendor list.

It wasn't until the examiner reviewed the vendor list and requested annual assessment records of each of the listed vendors that the error was uncovered. The MRA recommended a revisit of vendor ratings and additional training for the vendor management staff.

Don't Overthink It

The takeaway here is to use common sense when looking at your vendor ratings. Don't overthink it, and use the following guidance:

• Is there a business impact risk in using this vendor?
• Are they easily replaceable in the case of an outage?
• Does the vendor have a strong BC/DR plan in place to get back online in a timely fashion with minimal disruption?
• Does the vendor have system access or NPPI or other confidential customer information?

Mitigate the risk of your critical vendors during the contract stage. Download the infographic to find out key provisions to look for.