Determining a Critical Vendor

Before determining if a vendor is critical, you’ll need to align on what a critical vendor is. Best practice states that it is a vendor that is vital to the operation of the company. From a business impact perspective, it’s the type of vendor that would cause significant disruption to the business if they suddenly ceased to operate as planned. Critical vendors vary from industry to industry, company to company. In the case of a financial services company, their critical vendor might be the core processor; for a manufacturing company, it might be their top supplier.

During vendor risk management assessments, there are numerous different types of rating scales that companies use on third parties. Some create vendor tiers based on the type of product or service that the vendor supports. Others rate vendors across a broad spectrum of categories to develop an overall high, moderate, or low score. No matter how a vendor is initially tiered, leverage a business impact rating to ultimately identify the most critical vendors.

Although this list can evolve based on a company’s experience and needs, the following questions will identify critical vendors:

• Would a sudden loss of this vendor cause significant disruption to the business?
• Would a sudden loss of this vendor impact the business’s customers?
• Would the time to recover be greater than __ hours?

If the answer to any of these is “Yes,” then it is a critical vendor.

While critical vendors come with additional risks, they are also important. Taking the following steps helps appropriately manage and mitigate risks throughout the vendor lifecycle:

• Dive deeper during due diligence
  • Critical vendors require deeper dives, including a thorough review of their business continuity plan, a record of any historical outages, a more frequent review of their financials, and an in-depth analysis of their SOC2 report.
• Establish guidelines and alerts for continuous monitoring
  • Set strict guidelines for service level reporting and, along with the contractual obligations, requirements to alert the company of any significant changes in the business, operational failures, and breach notification.
• Understand status and impact with robust reporting
  • It is important to report any significant changes within the third party that might impact the business, not only the number of critical third parties.
• Outline expectations and obligations in contracting
  • In the contract, delineate a clear statement of work and expectations around notification requirements and individual accountability. The contract should also identify the exit strategy for a sudden loss of the vendor and a gradual unwind. Outlining expectations protects data and minimizes the customer and business impact.

While additional steps and considerations are needed with critical third parties, there is no need to shy away from defining critical vendors. Critical vendors are crucial to the operation of a business. Identifying them, taking the appropriate steps to mitigate risk, and continuously learning and adapting brings a proactive approach that helps build resilience throughout your organization.

For more information on some of the best guidance in managing outsourced technology and vendors in general, please contact Fusion or refer to the FFIEC guidance in the IT examination handbook or the guide to outsourced technology: Risk Management of Outsourced Technology Services – November 28, 2000 (ffiec.gov).