Something that has helped me with classifying and discussing vendor ratings is to separate out criticality from risk rating. Each vendor should be assessed as to whether it is critical to the business or not, and separately as to what level of risk comes with that vendor/product/service.
A vendor is critical to the business function (e.g. only vendor available, or critical to day-to-day functions to where if they are down for a day my own organization cannot function properly [core banking software]) or not critical (e.g. easy to replace with another vendor, or if they are down for a little bit of time we can keep going [janitorial staff]).
The vendor also has a level of risk that is independent of whether they are critical or not. E.g. I can have a vendor who is non-critical, like the janitorial staff, but they could be considered medium to high risk since they are contracted to work unattended in our back offices and branches to clean. They are not critical, as we can get another janitorial service and our employees could clean for a few days if there were to be a break in service, but they are high risk due to the unattended access.
For the benefits providers, I think it might be good to do this thought exercise to walk the Business Owner through your reasoning for the higher level of risk. It may be that, since you are using the term "critical" similarly to how we would assess risk, it muddies the waters for their decision. The risk might be high, since they have the NPPI, but possibly they aren't critical to the function of your business (e.g. you could get another benefits company, and your business could still function if there were outages). The Business Owner may be thinking moderate would be appropriate since business criticality is being taken into account in their decision, not just the risk.
Hopefully that makes some sense; it isn't the most intuitive thing to separate these out.
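The two-axis scheme described in the reply above can be made concrete as a small scoring model. This is an added illustration, not code from the reply's author or from any vendor-management tool: the `Vendor` fields, the data and access weights, the 1-day / 30-day criticality thresholds and the review cadences are all assumptions chosen to reproduce the examples in the thread (janitorial staff, core banking software, a benefits provider), and the sample vendors are constructed.

```python
"""Two-axis vendor classification: business criticality vs. inherent risk.

Added illustration. All weights, thresholds and field names are assumptions,
not taken from the original post or from any published framework.
"""
from dataclasses import dataclass
from enum import Enum


class Risk(Enum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Assumed weights: what the vendor can touch. NPPI (name, SSN, DOB, address) and
# unattended physical access each push a vendor to HIGH on their own.
DATA_WEIGHTS = {"public": 0, "internal": 1, "nppi": 3}
ACCESS_WEIGHTS = {"none": 0, "portal_only": 1, "network": 2, "unattended_physical": 3}


@dataclass(frozen=True)
class Vendor:
    name: str
    max_tolerable_outage_days: float  # how long the business keeps running without them
    replacement_lead_days: int        # how long it takes to stand up an alternative
    data_classes: frozenset = frozenset()
    access_types: frozenset = frozenset()


def is_critical(v: Vendor) -> bool:
    """Criticality is only about dependence: can we keep operating, and can we
    swap them out? It deliberately ignores what data or access they have.
    The 1-day and 30-day thresholds are assumptions."""
    return v.max_tolerable_outage_days < 1 or v.replacement_lead_days > 30


def inherent_risk(v: Vendor) -> Risk:
    """Risk ignores criticality entirely; it is driven by data and access.
    The worst single factor sets the tier (no averaging, so one HIGH factor
    cannot be diluted by several LOW ones)."""
    data_score = max((DATA_WEIGHTS.get(d, 0) for d in v.data_classes), default=0)
    access_score = max((ACCESS_WEIGHTS.get(a, 0) for a in v.access_types), default=0)
    score = max(data_score, access_score)
    if score >= 3:
        return Risk.HIGH
    if score == 2:
        return Risk.MODERATE
    return Risk.LOW


def classify(v: Vendor) -> dict:
    """Combine the two axes into treatment requirements (assumed matrix):
    risk drives how deep and how often we review; criticality drives whether
    a continuity / exit plan is mandatory."""
    risk = inherent_risk(v)
    critical = is_critical(v)
    review_every_months = {Risk.HIGH: 12, Risk.MODERATE: 24, Risk.LOW: 36}[risk]
    return {
        "vendor": v.name,
        "critical": critical,
        "risk": risk.name,
        "review_every_months": review_every_months,
        "require_continuity_plan": critical,
    }


# Constructed sample vendors mirroring the thread's examples.
JANITORIAL = Vendor("Janitorial service", max_tolerable_outage_days=5,
                    replacement_lead_days=7,
                    access_types=frozenset({"unattended_physical"}))
CORE_BANKING = Vendor("Core banking platform", max_tolerable_outage_days=0.25,
                      replacement_lead_days=180,
                      data_classes=frozenset({"nppi"}),
                      access_types=frozenset({"network"}))
BENEFITS = Vendor("Benefits provider", max_tolerable_outage_days=14,
                  replacement_lead_days=21,
                  data_classes=frozenset({"nppi"}),
                  access_types=frozenset({"portal_only"}))


if __name__ == "__main__":
    for vendor in (JANITORIAL, CORE_BANKING, BENEFITS):
        print(classify(vendor))
```

Running the block prints one line per vendor: the janitorial service comes out non-critical but HIGH risk (unattended access), core banking comes out critical and HIGH, and the benefits provider comes out non-critical and HIGH (NPPI). That last line is the point the reply makes: "Moderate" and "Critical" are answers to two different questions, and the model only lets the Business Owner argue about the dependence axis, not about the data-sensitivity axis.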
Original Message:
Sent: 11-26-2024 07:51 PM
From: Anonymous Member
Subject: Benefit Providers Classification
This message was posted by a user wishing to remain anonymous
Hello All,
I am curious as to how you classify your Benefit Providers (Anthem, Delta Dental, Kaiser) considering the fact that they have access to NPPI such as NAME, SSN, DOB, ADDRESS, to mention a few? These providers not only have access to employees' data but to their families' and dependents' as well. I am currently working on onboarding a provider, and they classify as a Critical vendor due to the type of employee data they would have access to. The Business Owner argues the provider should be classified as Moderate and not Critical.
What are your thoughts?
Thank you!