Risk Assessments


Polling the audience, so to speak

  • 1.  Polling the audience, so to speak

    Posted 10-03-2019 10:27 AM
    What percentage of your vendors do you consider to be Critical vendors (i.e., from a Business Impact perspective)?  Please feel free to answer anonymously, if you need to / prefer to....


  • 2.  RE: Polling the audience, so to speak

    Posted 10-04-2019 08:27 AM
    I feel that going by a percentage could limit or exceed an organization's need for additional vendor management activities.  There are characteristics such as revenue loss, impact to the other operations and reputation (future revenue) that should drive the quantity.

    Example:  High Risk vendor because they have access to governed data for billing and collections.  If there is an operational impact such as a site outage, it may be a delay in revenue or alternative collection channels.  However, a High Risk vendor that delivers the SaaS solution to process those activities having an outage could have an operational impact if that repository is used for other customer activities such as sales.  Then the ability to sell or collect revenue is unavailable and the ability to make up days of sales may not be realistic (depending on your business).


  • 3.  RE: Polling the audience, so to speak

    Posted 10-04-2019 08:28 AM
    We currently have 16% of our vendors listed as Operationally Critical vendors.


  • 4.  RE: Polling the audience, so to speak

    Posted 10-04-2019 09:06 AM
    Thanks - great information! We typically find about 10-12% of vendors are rated as Critical. So you're right in line with that!


  • 5.  RE: Polling the audience, so to speak

    Posted 10-04-2019 09:25 AM

    We have about 300 vendors in scope for the Vendor Risk Management Program.  Our Critical vendors represent about 3.5%.  Highly Significant vendors represent about 4.5%.

    I gave you both Critical and Highly Significant % because we perform the same level of due diligence on the two groups, the only difference being that Critical vendors are reviewed on a yearly basis, while the Highly Significant vendors are reviewed every two years.

    Best regards

    Mirella Coleman
    Vendor Risk Manager, CBCP


  • 6.  RE: Polling the audience, so to speak

    Posted 10-04-2019 10:25 AM
    We categorize our vendors based on our definitions of a critical, important, and incidental vendor, according to our Vendor Management Policy.  The bank currently has over 200 vendors, of which 3% have been identified as critical.


  • 7.  RE: Polling the audience, so to speak

    Posted 10-04-2019 02:58 PM
    5%


  • 8.  RE: Polling the audience, so to speak

    Posted 10-16-2019 01:56 PM
    About 6% - 7%.  We have about 10 or 11 "critical subcontractors."

    ------------------------------
    Ivan A. Martin
    Senior Contract Administrator
    ------------------------------



  • 9.  RE: Polling the audience, so to speak

    Posted 10-17-2019 10:47 AM
    We are at 16% or 25 Critical vendors. This includes all utility (gas, water, electric) providers that our external auditor insisted needed to be in our vendor management program. Not much due diligence can be done on those and what difference would it make anyway!!


  • 10.  RE: Polling the audience, so to speak

    Posted 10-18-2019 09:19 AM
    We have 15 critical out of 350 total, so 4.3%.


  • 11.  RE: Polling the audience, so to speak

    Posted 10-17-2019 12:57 PM
    9 of 222 active vendors, so 4% today.


  • 12.  RE: Polling the audience, so to speak

    Posted 10-16-2019 03:01 PM
    4% of our vendors are considered critical.


  • 13.  RE: Polling the audience, so to speak

    Posted 10-16-2019 03:54 PM
    We are at about 3%.

    ------------------------------
    RJW
    ------------------------------



  • 14.  RE: Polling the audience, so to speak

    Posted 10-22-2019 07:49 PM
    We are at 22%, but we don't segregate data risk vs. business impact as reason.  Perhaps we should!  I hear tell some banks select or designate vendors as critical rather than automatically saying, for example, all tier 1s are critical.


  • 15.  RE: Polling the audience, so to speak

    Posted 10-23-2019 10:17 AM

    I would tend to be on the side that perhaps not all Tier 1's should be considered critical and here's why: that Tier designation, at least to us, reflects a higher risk score, mainly stemming from access to sensitive data. It does not mean they could not be easily replaced (in some cases it does, not all). So, to me, there are different categories or meanings to "critical" – from a risk side and from a "can't live without them" side.

    Bob Warja
    Assistant Vice President
    Business Continuity & Telecom


  • 16.  RE: Polling the audience, so to speak

    Posted 10-23-2019 10:37 AM
    When we started our program​ we placed all of our vendors into tiers, tier 1 being mission critical, hardest to replace and highest dollar spend.  Then we added vendor risk management and in addition to the tier every vendor had a risk level associated with it.  Now we've identified critical vs non-critical vendors plus product classifications and we're struggling what to do with the vendor tier classifications.  Our VRM monitoring was developed around the vendor tiering but seems like it should focus on our critical vendors and those products with the highest risk level, not all necessarily tier 1 vendors.