Learn the recommended standards for identifying your vendors, how to properly identify your scope and three questions to ask to determine if a vendor is critical.
Welcome to today's Third Party Thursday! My name is Branan Cooper and I'm the Chief Risk Officer here at Venminder. Today we are going to talk about how to identify your critical vendors properly.
One of the most challenging exercises you face as a third party risk manager is establishing standards for identifying your vendors. The best way to do so is to set up comprehensive guidelines on what type of risk you’re going to evaluate and which third parties may fall into that scope.
A best practice is to look at categories of risk separately. Think first of the business impact risk – this is where you will identify your critical third parties.
Ask yourself these questions for EVERY SINGLE VENDOR in your scope; it is essential you don’t overlook any, even if they can be quickly dismissed:
If the answer to any of these is “Yes”, they are a critical third party.
You’ll likely want to include the lines of business, your information security team and even the business continuity manager in this determination, but it’s really important that you make this determination consistently and objectively, as you’ll want to develop contingency plans.
Examples of critical third parties include:
We’ll talk about other categories of risk in future informational series, but it really does all start with properly identifying your scope and determining who is critical to your day-to-day business.
If you haven’t already done so, please subscribe to our Third Party Thursday series. Again, I'm Branan and thank you for watching!