A fundamental component of a risk-based vendor management program is knowing who your most important vendors are – that is, your critical vendors.
It is a common misconception that a ‘critical vendor’ and a ‘high-risk vendor’ are one and the same. They are not, and it’s important to delineate between the two when establishing your program.
Let’s break them both down.
A critical vendor is one that you rely on heavily to support the most important activities within your organization – oftentimes called ‘critical activities’. While critical activities will differ between organizations, examples of critical vendors might include those who:
- support the processing of your financial transactions;
- provide infrastructure that powers back-up servers and/or provides remote access to daily activity for employees; or
- perform a core business function that you have outsourced to them.
High Risk Vendors
On the other hand, a high-risk vendor is one that presents a heightened level of risk to your organization regardless of how critical they are to your operations. A common example is a vendor who processes, stores and/or has access to your non-public data. While these vendors are higher risk due to the fact they have access to your data, the actual services they provide may not be critical to your operations. Other factors that can elevate the risk of a vendor include:
- reliance on them to support your own compliance with laws and regulations;
- provision of direct services to, or interface with, your customers;
- unsupervised access to your building/offices and direct contact with your employees; and
- use of downstream contractors or service providers (i.e. 4th parties) to provide the goods or services to you.
Is a Critical Vendor Always a High-Risk Vendor?
No. Every organization has a subset of vendors that are critical but also lower risk. Your internet service provider is a good example. Clearly, your internet connection is critical to your day-to-day operations, but the risks associated with most internet service providers are relatively low.
Identifying Your Critical Vendors
Defining your critical vendors begins with being clear about your own critical activities. A good place to start is with your company’s business continuity/disaster recovery plan, which defines critical activities within your own operations. Knowing those activities will help you determine which vendors support those critical operational areas.
If you are new to third-party risk management, getting these critical vendors into your TPRM program is the first place you should start. Download our eBook How to Kick Start Your Vendor Management Program to learn more.