
Who Is a Critical Vendor?

Jul 7, 2020 by Branan Cooper

When it comes to third-party risk management, we cannot overstate how important it is to understand who your critical vendors are. For better or worse, they can have a significant impact on your organization. To best mitigate risk, rank your third parties as critical or non-critical for business disruption, and as high, moderate or low on all regulatory items.

How to Handle Critical Vendors 

For critical third parties, it’s crucial to:

  • Do a deep dive on certain portions of their due diligence. For example: how will you notice if there is a business disruption or breach, change in leadership or change in financial condition?
  • Complete a review of their business continuity plan. Business continuity planning ensures that significant operations and products/services will continue to be delivered at a full, or at a predetermined and accepted, level of availability.
  • Create an exit strategy. This should consider both a sudden and gradual unwind.  

How Do I Know if a Vendor Is Critical?

There is a wide range of interpretations of what defines a critical vendor. The critical designation is up to the business unit to determine.

Here are two definitions that can help:

  1. The OCC defines critical activities as significant functions (e.g., payments, clearing, settlements, custody), significant shared services (e.g., information technology) or other activities that could:
     • Cause an organization to face significant risk if the third party fails to meet expectations
     • Have significant customer impacts
     • Require significant investment in resources to implement the third-party relationship and manage the risk
     • Have a major impact on the organization’s operations if the organization has to find an alternate third party or if the outsourced activity has to be brought in-house
  2. Another definition is: “Any service provider that could attract regulatory scrutiny or have an impact on the business, including the risk of loss in the event of a service disruption.” (Chip MacDonald, a partner at the law firm Jones Day in Atlanta; American Banker, May 27, 2014)

Questions to Ask When You Review a Vendor

As your organization decides who its critical vendors are, here are some simple questions to help you determine whether a vendor is critical:

  1. Would the sudden loss of this third party cause a significant disruption to the business?
     • How bad is it if they go down? (core)
  2. Would the sudden loss impact customers?
     • How bad is it if they are compromised? (internet banking/bill pay/cards)
     • How bad is it if they fail to deliver? (network security provider)
  3. Would the time to restore service without this third party be greater than one business day or greater than what your organization’s business continuity plan calls for as a recovery time?
     • What kind of data do they have and for how many consumers/employees? (payroll/benefits provider)
     • Are there contractual protections built in surrounding breaches or loss of data?

Critical third parties can bring a great deal of additional risk to your business but are also very important. Appropriately managing and mitigating the risk can make it a very healthy relationship. 


Written by Branan Cooper

Branan has nearly 30 years of experience in the financial services industry with a focus on the management of operational and regulatory processes and controls—most notably in the area of third party risk and operational compliance. Branan also serves as an industry thought leader. He's a member of InfraGard and the Professional Risk Management Industry Association (PRMIA). And, he was selected in 2018 as an advisor to the Center for Financial Professionals (CEFPro) and board member for the Global Sourcing Resource Network (GSRN).
