An important first step when vetting vendors is to rate the inherent risk associated with each of them. The rating scale most commonly used is low, moderate and high. You may already be familiar with how to identify high-risk and critical vendors. A short set of questions helps make the call: would the sudden loss of the vendor cause a significant disruption to your business operations or customers (which makes the vendor critical)? Does the vendor have access to any sensitive data (just one example of a criterion that makes the vendor high risk)?
Low-risk vendors are probably a little easier to identify. These vendors have no access to sensitive data and are easily replaceable when needed. A landscaping company or a janitorial service would generally fall into this category.
So, that leaves us with the more ambiguous category of moderate-risk vendors. How exactly can we identify these vendors and why is it important to do so? Let’s review some simple guidelines that will help you categorize this more indeterminate level of risk.
Is the Risk Lower Than High?
Since there isn’t a clear set of guidelines for what is considered moderate risk, it may help to start at the top and work your way down. This will ensure that you appropriately identify your high-risk vendors first. Use your basic risk-driving questions to determine if the vendor’s inherent risk is high:
- Does this vendor have access to or store highly sensitive data?
- Does the vendor directly interact with our customers?
If the answers to one or both questions are yes, you’ll proceed with the pre-determined due diligence for high-risk or critical vendors.
Is the Risk Higher Than Low?
If the answers to both of the above questions are no, the vendor will likely fall somewhere between low and moderate. The questions below will help you determine whether there is enough risk to categorize the vendor as moderate.
- Does the product or service have any effect on our customer?
- Does this vendor have physical access to our facilities?
- Does this vendor provide a product or service that we use to maintain regulatory compliance?
- Is the product or service a significant expense?
- Does this vendor process any financial transactions for our organization?
Answering no to all of these questions probably means that you are dealing with a low-risk vendor. If the answer to one or more of them is yes, the vendor is most likely moderate risk.
Three Additional Considerations for Moderate Risk Vendors
- Follow the Data: A vendor may be moderate risk based solely on the level of data they manage, store or have access to. A good example would be "company confidential," business-sensitive or trade-secret information. This is still information worth protecting, but it does not fall under the same level of regulatory scrutiny as an individual's PII/NPI/PHI or PCI data. Refer to your organization's data classification policy: if the classification of the data accessible to a vendor falls somewhere in the middle of that policy, then moderate may well be the most appropriate inherent risk rating for that vendor. Note that this works as a floor, not a ceiling; a vendor that handles only confidential data but answers yes to a high-risk question is still high risk.
- Risk Quantification: Another big factor in determining moderate risk is how your methodology is designed, and which tools or quantification you use to assist the process. If you are assigning weights or scores to individual risk-driving questions, you may find that the gray area between low and high sorts itself out as you score each question. One caveat a practitioner should watch for: a purely additive score can let several low-weight answers push a vendor to high, or, worse, let a single high-risk answer be averaged away by a long list of "no" answers, so it is worth gating on the high-risk questions before any scoring is applied. It is important, though, to trust your gut. You should always circle back to your own logic and intuition about what a vendor's risk should be. If your quantification is producing ratings that don't match what you believe the inherent risk should be, it is time to go back to the drawing board and adjust your weights. In my experience, knowing what you think or feel should be "moderate" risk is a good way to test the quality and practicality of your calculations.
- Due Diligence: This is probably what complicates the automation of vendor due diligence more than anything else. For low and high risk you can usually set a due diligence standard that applies 90% of the time, but moderate risk is a different story. This is mostly because the rating is based on the fact that only a portion of your risk-driving questions apply. Which portion? A single standardized checklist for all moderate-risk vendors will often miss the mark on what the elevated risk actually is, by looking at too much, too little or simply the wrong thing. The point here is that the best due diligence for a moderate-risk vendor is due diligence that addresses the specific inherent risk identified for that vendor, so record which questions drove the rating, not just the rating itself.
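The following Python model is an added example, not code from the original article or from any vendor-risk product; it shows the two-stage procedure described above (gate on the high-risk questions first, then score the moderate-risk questions, then apply a data-classification floor), returns the reasons behind each rating so that due diligence can target the specific risk, and includes the "gut check" as a calibration function that compares computed ratings against expected ones. The question keys, the weights, the threshold and the sample vendors are all constructed for illustration; your own policy will define different ones.

```python
"""Inherent-risk tiering for third-party vendors (illustrative model)."""
from __future__ import annotations

from dataclasses import dataclass

# Stage 1: high-risk gating questions (keys are constructed labels for the
# article's two questions). Any "yes" sends the vendor straight to high.
HIGH_RISK_QUESTIONS = {
    "stores_highly_sensitive_data": "Access to or storage of highly sensitive data?",
    "interacts_with_customers": "Direct interaction with our customers?",
}

# Stage 2: moderate-risk questions with assumed weights (illustrative values,
# not a recommended scheme). Higher weight = stronger indicator of risk.
MODERATE_RISK_WEIGHTS = {
    "affects_customer": 2,
    "physical_access": 1,
    "supports_compliance": 2,
    "significant_expense": 1,
    "processes_financial_transactions": 3,
}

# Stage 3: data classification acts as a floor on the rating (assumed tiers).
DATA_CLASS_FLOOR = {
    "public": "low",
    "internal": "low",
    "confidential": "moderate",   # company confidential, trade secrets
    "regulated": "high",          # PII / NPI / PHI / PCI
}

RANK = {"low": 0, "moderate": 1, "high": 2}


@dataclass
class Vendor:
    name: str
    answers: dict            # question key -> bool ("yes" answers are True)
    data_class: str = "internal"


def rate_vendor(vendor: Vendor, moderate_threshold: int = 1) -> dict:
    """Return {"rating", "score", "reasons"} for a vendor.

    The reasons list records which questions (or data class) drove the rating,
    which is what targeted due diligence for a moderate-risk vendor needs.
    """
    # Stage 1: gate on high-risk answers before any scoring, so a single
    # "yes" here can never be averaged away by many "no" answers below.
    high_hits = [k for k in HIGH_RISK_QUESTIONS if vendor.answers.get(k)]
    if high_hits:
        return {"rating": "high", "score": None, "reasons": high_hits}

    # Stage 2: weighted score over the moderate-risk questions.
    reasons = []
    score = 0
    for key, weight in MODERATE_RISK_WEIGHTS.items():
        if vendor.answers.get(key):
            score += weight
            reasons.append(key)
    rating = "moderate" if score >= moderate_threshold else "low"

    # Stage 3: the data-classification floor can raise but never lower a rating.
    floor = DATA_CLASS_FLOOR.get(vendor.data_class, "low")
    if RANK[floor] > RANK[rating]:
        rating = floor
        reasons.append(f"data_class={vendor.data_class}")
    return {"rating": rating, "score": score, "reasons": reasons}


def calibrate(cases: list[tuple[Vendor, str]]) -> list[str]:
    """The 'gut check': names of vendors whose computed rating disagrees
    with the rating the reviewer expected. A non-empty list means the
    weights or threshold need revisiting, not the reviewer's judgement."""
    return [v.name for v, expected in cases if rate_vendor(v)["rating"] != expected]


# Constructed sample vendors (not real companies).
SAMPLE_CASES = [
    (Vendor("Landscaper", {}), "low"),
    (Vendor("HVAC contractor", {"physical_access": True}), "moderate"),
    (Vendor("Analytics SaaS", {}, data_class="confidential"), "moderate"),
    (Vendor("Support-desk outsourcer", {"interacts_with_customers": True}), "high"),
    (Vendor("Payment processor", {"processes_financial_transactions": True,
                                  "supports_compliance": True}), "moderate"),
]

if __name__ == "__main__":
    for vendor, _ in SAMPLE_CASES:
        print(vendor.name, rate_vendor(vendor))
    print("mismatches:", calibrate(SAMPLE_CASES))
```

The ordering is the point of the example: gating on the high-risk questions first means the score only ever decides between low and moderate, which is exactly the gray area the article is about, and the returned reasons give the due diligence reviewer the specific risk to look at rather than a one-size-fits-all moderate checklist.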
What Does This Mean for Moderate Information Security?
This is a call only your organization can make. Perhaps you are comfortable with an attestation or a whitepaper instead of a full controls assessment. Maybe you are willing to accept a SOC 1 report or a simple review of their information security policies; if you do accept a SOC 1, be aware that it covers controls relevant to financial reporting rather than security, so treat it as a conscious trade-off and not as equivalent to a SOC 2. Perhaps you will allow some control weaknesses that you would not accept where NPI or PII is involved. The choice is yours, and it is best to define a standard that can be explained and that is justified by the resources available to you.
It is ultimately your organization's decision what warrants a moderate-risk rating. You may decide that while there is some level of risk associated with a vendor, it is not high and does not need to be vetted and monitored as heavily as your high and critical vendors, but you know you need to do more than the bare minimum. That is your moderate-risk sweet spot.
Remember: there is no ONE right answer; don't overcomplicate things, and trust your gut.
Now that you understand what a moderate-risk vendor is, learn the other types of third-party vendor risk. Download the eBook.