As part of your third-party risk management activities, it's imperative to assess your vendors and mitigate any risks they pose to your organization. This is especially true when it comes to your critical third parties. Your critical vendors must perform well, or any incident involving them could have disastrous effects that will severely impact your operations or customers.
In fact, critical vendors are so named because your organization cannot function properly without them. Identifying these critical vendors is integral to your third-party risk management process. So, how do you know if a vendor is critical or not?
How Do I Know if a Vendor Is Critical?
Identifying your critical vendors is not only a best practice, but also a regulatory requirement for many industries. Despite slight differences in definitions across regulatory bodies, critical vendors do share certain characteristics that are universally applicable:
- The product or service provided by the vendor is essential for your day-to-day operations.
- The vendor's failure to provide the product or service as anticipated will cause material impacts on your organization or its customers.
The attributes above apply to all critical vendors; however, your organization should define the specific criteria it will use to decide whether a given vendor is critical.
Questions to Determine if a Vendor Is Critical
For most organizations, the following questions can be used:
- If we abruptly lost this vendor, would there be a significant disruption to our organization?
- Would the sudden loss of this vendor impact our customers?
- If the vendor's time to restore service exceeded 24 hours, would there be a negative impact on our organization?
If you answer "yes" to any of these questions, the odds are that you're dealing with a critical vendor.
Depending on your organization, additional questions may be asked to determine if you have a critical vendor:
- Are significant costs, resources, or time involved if we must bring the outsourced activity in-house?
- Would our organization be subject to regulatory scrutiny, enforcement action, or fines if this vendor did not provide its products or services?
- Would this vendor's failure cause significant harm to our organization's brand or reputation?
How to Handle Critical Vendors
Be diligent when dealing with your critical vendors. Avoid cutting corners, which may leave hidden or unmitigated risks that may compromise your organization's security.
Here are a few best practices to keep in mind:
- Critical vendors require the highest level of due diligence. Critical vendors pose the biggest threat to your organization if they fail, so your due diligence must be comprehensive. All identified risks should have appropriate compensating controls supported by verifiable, documented evidence. Your vendor's controls should be assessed by professional risk experts with the proper certifications and credentials to provide a qualified opinion on their sufficiency and effectiveness.
- Complete a review of their business continuity and disaster recovery plans. Business continuity planning ensures that significant operations, products, and services will continue to be delivered in full or at a predetermined and accepted level of availability.
- Rely on your most experienced vendor managers. Managing critical vendors can be an exhausting and overwhelming process, especially for those without the right level of experience. Ensure that you have someone in charge with the knowledge and skill set to effectively manage your critical vendors.
- Identify your exit strategy and document an exit plan. This plan should formally outline what your organization will do if the vendor fails to meet certain criteria and termination is necessary. Will you switch to another vendor or bring the activity in-house? Your plan should include a detailed inventory of roles and responsibilities for your organization and the vendor. It should also contemplate the return of assets, destruction of data, and deprovisioning of vendor access to your data, networks, and facilities. Don't forget to identify contingency plans should the vendor be unwilling or unable to fulfill their responsibilities during the exit.
- Report any critical vendor issues to senior management. Your senior management team and the board should be aware of and ready to act on any issues that could impact your organization.
To protect your organization from serious threats, it's essential to understand who your critical vendors are, their role in your organization's operations, and the risks they pose. Even with their risks, critical vendors are integral to your organization's daily operations. By taking precautions and following best practices in third-party risk management, you'll establish a strong and healthy relationship.