
What Makes a Vendor High Risk?


One of the most important concepts to understand about third-party risk management is that not all vendors are created equal. Criticality and level of risk play a big part in how your vendors will be managed throughout the lifecycle. As a reminder, critical and high-risk vendors are not the same.

Criticality speaks to the operational impact you would experience if your vendor were to fail. In other words, only the most essential vendors should be designated as critical. But what exactly is a high-risk vendor, and how should it be treated differently from vendors that have moderate or low risk? This blog will cover the basics so you'll have a better understanding of how to identify and manage high-risk vendors.


How to Identify a High-Risk Vendor

For the purpose of this blog, we'll be focusing on vendors with a high level of inherent risk, rather than a high level of residual risk. This essentially means that we're looking at the level of risk before any controls are put in place.

A high-risk vendor can generally be identified by considering the nature of its products or services. Here are a few questions to ask about the vendor:
  • Does this vendor process financial transactions on behalf of your organization, customers or employees?
  • Does this vendor require access to sensitive data, such as nonpublic information (NPI) or personally identifiable information (PII)?
  • Does the vendor interact with your customers in any way?
  • Are the vendor's products or services used by your organization to maintain regulatory compliance?
  • Are the vendor’s products or services unique in the marketplace and without any available and reasonable substitutions?

4 Common Misconceptions About High-Risk Vendors


Now that you can identify your high-risk vendors, let's take a look at some common misconceptions. By gaining some more insight into high-risk vendors, you’ll be better prepared to handle them within your vendor management program.

Consider the following assumptions, which aren’t always true:

  1. High risk is always critical. These two terms may sound similar, but they have very different meanings. The difference is that critical is a category of vendors, not a risk level. Remember, critical is the term that identifies which vendors are most essential to maintain your business operations. And, as it happens, most critical vendors are also high risk, but not all high-risk vendors are critical. For example, a vendor that provides shredding services would be considered high risk because of its access to sensitive information. However, this wouldn't be a critical vendor because the sudden loss of its services wouldn't cause a major disruption to your operations or customers.
  2. Non-critical, high-risk vendors don’t require business continuity planning and testing. Just because your high-risk vendor isn’t considered critical, it doesn't mean there won't be severe impacts if they fail. Your vendor is considered high risk because of the product or service they provide. Your vendor's business interruption, data breach or another incident could really throw a wrench in the works. Business continuity planning is absolutely essential for high-risk vendors.
  3. High-risk vendors are irreplaceable. While high-risk vendors may have access to sensitive data, this doesn't always mean that they're irreplaceable. For example, a customer call center is high risk. They must comply with regulations, interact with your customers and access sensitive information. However, your organization could replace that call center with another provider if necessary.
  4. High inherent risk can’t be mitigated. Inherent risk refers to the state of risk before any controls are considered. In most cases, your vendor will have controls to address the inherent risk identified for their product or service. These controls might include information security practices, offsite data centers, employee training or business continuity planning. When you confirm your vendor has the proper controls to address the inherent risk, those risks are considered to be "mitigated."

Due Diligence for High-Risk Vendors

Certain due diligence should be collected on all vendors, regardless of the risk level. This includes items such as full legal name, address, state of incorporation, business license, and secretary of state check. For high-risk vendors, you'll also want to collect and review items such as the following (not a full list):

  • Policies and procedures
  • Penetration and vulnerability testing results
  • Network diagram
  • Business continuity and disaster recovery plans
  • Data flow diagram, including third parties and fourth parties
  • A record of any outages and SLA violations

Identifying a vendor as "high risk" can cause some third-party risk professionals a lot of apprehension. However, high risk doesn't necessarily mean that a vendor is dangerous to your organization. High-risk vendors are a normal and necessary part of business operations, so it's essential to identify and properly manage them.
