Welcome to this week’s Third Party Thursday! My name is Branan Cooper and I’m the Chief Risk Officer here at Venminder. Today we are going to talk a little bit about 'bucketing' your vendors and what to do with that.
Unlike what the advertisement may say, one size does not fit all when it comes to third-party risk management. In fact, there are too many categories of service providers to possibly list them all, so you probably want some high-level classification system.
Remember high school biology when you learned about Kingdom, Phylum, Class, Order, Family, Genus, Species? The same applies to vendors – but not so detailed, perhaps. Creating buckets certainly helps you identify what due diligence you need to do and make sure it applies to your vendors correctly. You obviously don’t expect the office cleaners to have a detailed network diagram, as an easy example.
I recommend creating at least three categories of vendors at a primary level – this should not be confused with doing a full risk assessment; this truly is to create an inventory list and then determine the level of risk assessment and due diligence. At a minimum, your buckets could be:
Yes, there will be some overlap between categories, and that’s fine as a starter. It may lead you to create smaller, discrete buckets so that each third party only falls on one list, but starting with just those three, even if there is overlap, will make sure you don’t miss any.
Be sure to work with your business unit contacts and make sure you don’t miss any – perhaps even set up a process of checking with accounts payable a couple of times a year to run a query of all payments over a certain dollar threshold.
Remember, overlooking a vendor can lead to problems down the road, so make this an important exercise on a regular basis – ask for help, ask for input, ask pertinent follow-up questions.
I'm Branan Cooper and thank you for watching! If you haven’t already, subscribe to the Third Party Thursday series.