Podcast Transcript

Welcome to today's Third Party Thursday! My name is Branan Cooper and I'm the Chief Risk Officer here at Venminder. Today we are going to talk about how to identify your critical vendors properly. 

One of the most challenging exercises you face as a third party risk manager is establishing standards for identifying your vendors. The best way to do so is to set up comprehensive guidelines on what type of risk you’re going to evaluate and the scope of third parties that may fall into that scope. 

A best practice is to look at categories of risk separately. Think first of the business impact risk – this is where you will identify your critical third parties.

Ask yourself these questions for EVERY SINGLE VENDOR in your scope; it is essential you don’t overlook any, even if they can be quickly dismissed:

1. Would the sudden loss of this third party cause a significant disruption to our business?
2. Would the sudden loss impact our customers?
3. Would the time to restore service without this third party be greater than a business day?

If the answer to any of these is “Yes”, they are a critical third party.

You’ll likely want to include the lines of business, your information security team and even the business continuity manager in this determination, but it’s really important that you make this determination consistently and objectively, as you’ll want to develop contingency plans.

Examples of critical third parties include:

• Your core processor
• The telephone company
• Your internet banking provider
• And –  I’ve even seen some financial institutions include the postal service!

We’ll talk about other categories of risk in future informational series, but it really does all start with properly identifying your scope and determining who is critical to your day-to-day business.

If you haven’t already done so, please subscribe to our Third Party Thursday series. Again, I'm Branan and thank you for watching!