Vendor criticality and risk rating are often used interchangeably, but they are two distinct concepts. It's essential to understand the difference and how each is applied within vendor risk management. Read on to learn more.
These terms are often confused in the vendor risk management realm. If you’re new to vendor risk management or simply require a refresher, you can review the details below.
The risk rating refers to the inherent risk of a product or service before considering the control environment. All engagements should have a risk rating.
Most organizations use ratings of high, moderate or low, or similar rating systems. The risk rating informs the organization of the level of due diligence to conduct, what is expected as far as monitoring and the frequency of risk reviews and assessments. Depending on your organization, it also may indicate that specific minimum contract terms and conditions must be included or that additional review or approvals are necessary.
Inherent risk exists within the product or service and cannot be separated from the third party. A good example of an inherently risky vendor would be a call center because the nature of this activity requires outside individuals/vendors to directly interact with your customers. Inherent risk can, however, be mitigated through a variety of controls such as proper employee training or implementing a clear set of procedures. After these mitigating controls are put in place, you are then left with the residual risk which you can further assess to determine if it’s acceptable to your organization.
Critical is not a risk rating; rather, it's a specific subset of your vendors. Every vendor is either critical or non-critical. Critical denotes that if the vendor fails to provide the product or service as expected, there could be materially negative impacts to the organization or its customers and consumers. Criticality is essentially determined by the service's impact on your day-to-day operations. In other words, how dependent is your organization on that product or service? Suppose that product or service is not available or is delivered incorrectly. Would that prevent your organization from carrying out its organization-wide mission-critical functions?
In our experience, if you answer yes to that question, then the vendor is critical.
Let's review a hypothetical situation that involves a critical vendor. ABC Company recently moved to a new payment processing platform, and the vendor facilitated the organization's payments. While the system was up and running, operations ran smoothly. However, after a major system crash, the organization could not access the platform to process customer transactions, so a core business function stopped with it. That dependency is what makes the vendor critical.
You might be questioning the purpose of having a critical category when you already have a high-risk rating. Wouldn't that high-risk rating be enough? The answer is no. You may have many high-risk vendors that provide products and services which are not essential to your core business functions. Make no mistake; a high-risk vendor failure will impact the company, but not to the extent and severity of a critical vendor.
Remember, all critical vendors are high-risk, but not all high-risk vendors are critical.
Several regulations stipulate that an organization report its critical vendors and their performance to the board of directors. Essentially, the regulators want to ensure that vendor risk management activities for critical vendors are overseen at the highest possible level of the organization.
It’s simply not possible to monitor all vendors with the same rigor and frequency. Nor would it benefit the board to review hundreds, perhaps thousands, of vendor relationships. Paring down to a subset of vendors enables senior leadership and the board to focus on those critical vendor relationships that can materially affect the company's operations, revenue, reputation, and regulatory compliance.
Another reason for identifying an organization's critical vendors is reflected in the organization's internal business continuity and disaster recovery plan. Those vendors are deemed critical because they are essential to effective business resumption. Critical vendors should be incorporated into all BC/DR plans, tabletop exercises, and tests conducted after an unplanned event.
For those and other reasons, critical vendors are always in scope for audits and regulatory exams.
Remember that effective vendor risk management activities should be commensurate with the level of risk, the complexity of the third-party relationships, and the organization's structure. So, your vendor risk management program should have identifiable thresholds. While a low-risk vendor may not require monitoring or performance reviews, a high-risk vendor (including every critical vendor) requires quarterly performance reviews, contract monitoring, and an annual risk assessment and review.
Critical/high-risk vendors: At a minimum, these vendors should have quarterly business reviews. On an annual basis, the vendor should be expected either to confirm that your organization already holds its most recent due diligence documents or to provide new ones. Each year the subject matter experts must review the documentation and provide a written report.
Your oversight activities should tell you exactly where you need to pay the most attention. So, focus on the risk that a vendor presents to you as an organization and, most importantly, the vendor's risk to your customers and consumers.
It's very common to miscategorize your vendors. Let's say that you have rated all your vendors as critical. Since your policy and program state that all critical vendors are audited, you'll have much explaining to do during an examiner review. Examiners will want you to detail your reasoning for those critical ratings. They will question why your "critical" paper supply company hasn't been reviewed!
In one real-life example, part of the criteria to qualify a vendor as critical was an annual spend exceeding $250,000. Although this is considered a high dollar spend, the vendor's product was a commodity. It therefore carried no regulatory risk, because the vendor had no access to systems or to nonpublic personal information (NPPI). This low-risk vendor was elevated to critical simply because of the spend amount.
Per the policy and program guidance, this vendor should have undergone a review of financials, business continuity plan (BCP), disaster recovery (DR), SOC, etc. The vendor management team knew better than to perform a highly-detailed assessment of the vendor. Still, it made the mistake of including it in their critical vendor list.
It wasn't until the examiner reviewed the vendor list and requested annual assessment records for each of the listed vendors that the error was uncovered. The resulting Matter Requiring Attention (MRA) recommended revisiting the vendor ratings and additional training for the vendor management staff.
The takeaway here is to use common sense when looking at your vendor ratings, and don't overthink it: rate inherent risk first, then ask whether a failure of that product or service would stop a mission-critical function.