Determining a Critical Vendor
Posted on: December 1, 2021
Before determining if a vendor is critical, you’ll need to align on what a critical vendor is. Best practice states that it is a vendor that is vital to the operation of the company. From a business impact perspective, it’s the type of vendor that would cause significant disruption to the business if they suddenly ceased to operate as planned. Critical vendors vary from industry to industry, company to company. In the case of a financial services company, their critical vendor might be the core processor; for a manufacturing company, it might be their top supplier.
During vendor risk management assessments, there are numerous different types of rating scales that companies use on third parties. Some create vendor tiers based on the type of product or service that the vendor supports. Others rate vendors across a broad spectrum of categories to develop an overall high, moderate, or low score. No matter how a vendor is initially tiered, leverage a business impact rating to ultimately identify the most critical vendors.
Although this list can evolve based on a company’s experience and needs, the following questions help identify critical vendors:
Would a sudden loss of this vendor cause significant disruption to the business?
Would a sudden loss of this vendor impact the business’s customers?
Would the time to recover be greater than __ hours?
If the answer to any of these is “Yes,” then it is a critical vendor.
While critical vendors come with additional risks, they are also important. Taking the following steps helps appropriately manage and mitigate risks throughout the vendor lifecycle:
Dive deeper during due diligence
Critical vendors require deeper dives, including a thorough review of their business continuity plan, a record of any historical outages, a more frequent review of their financials, and an in-depth analysis of their SOC2 report.
Establish guidelines and alerts for continuous monitoring
Set strict guidelines for service level reporting and, alongside the contractual obligations, requirements that the vendor alert the company of any significant changes in its business, operational failures, and breaches.
Understand status and impact with robust reporting
It is important to report any significant changes within the third party that might impact the business, not only the number of critical third parties.
Outline expectations and obligations in contracting
In the contract, delineate a clear statement of work and expectations around notification requirements and individual accountability. The contract should also identify the exit strategy for a sudden loss of the vendor and a gradual unwind. Outlining expectations protects data and minimizes the customer and business impact.
While additional steps and considerations are needed with critical third parties, there is no need to shy away from defining critical vendors. Critical vendors are crucial to the operation of a business. Identifying them, taking the appropriate steps to mitigate risk, and continuously learning and adapting brings a proactive approach that helps build resilience throughout your organization.