When it comes to third-party risk management, we cannot overstate how important it is to understand who your critical vendors are. For better or worse, they can have a significant impact on your organization. To mitigate that risk effectively, rank each third party as critical or non-critical for business disruption, and rank it high, moderate or low on every regulatory item.
How to Handle Critical Vendors
For critical third parties, it’s crucial to:
- Do a deep dive on certain portions of their due diligence. For example: how will you notice a business disruption or breach, a change in leadership, or a change in financial condition?
- Complete a review of their business continuity plan. Business continuity planning ensures that significant operations and products/services will continue to be delivered in a full, or at a predetermined and accepted, level of availability.
- Create an exit strategy. It should cover both a sudden and a gradual unwind.
How Do I Know if a Vendor Is Critical?
There is a wide range of interpretations of what makes a vendor critical. The critical designation is up to the business unit to determine.
Here are two definitions that can help:
- The OCC defines critical activities as significant functions (e.g., payments, clearing, settlements, custody), significant shared services (e.g., information technology) or other activities that could:
  - Cause an organization to face significant risk if the third party fails to meet expectations
  - Have significant customer impacts
  - Require significant investment in resources to implement the third-party relationship and manage the risk
  - Have a major impact on the organization’s operations if the organization has to find an alternate third party or if the outsourced activity has to be brought in-house
- Another definition is: “Any service provider that could attract regulatory scrutiny or have an impact on the business, including the risk of loss in the event of a service disruption.” (Chip MacDonald, a partner at the law firm Jones Day in Atlanta, quoted in American Banker, May 27, 2014)
Questions to Ask When You Review a Vendor
As your organization decides which vendors are critical, here are some simple questions that help determine whether a given vendor is critical or not:
- Would the sudden loss of this third party cause a significant disruption to the business?
- How bad is it if they go down? (core)
- Would the sudden loss impact customers?
- How bad is it if they are compromised? (internet banking/bill pay/cards)
- How bad is it if they fail to deliver? (network security provider)
- Would the time to restore service without this third party be greater than one business day or greater than what your organization’s business continuity plan calls for as a recovery time?
- What kind of data do they have and for how many consumers/employees? (payroll/benefits provider)
- Are there contractual protections built in surrounding breaches or loss of data?
Critical third parties can bring a great deal of additional risk to your business, but they are also very important to it. Appropriately managing and mitigating that risk can make the relationship a very healthy one.