Policy, Program and Procedures

  • 1.  Cost Consideration for Criticality

    This message was posted by a user wishing to remain anonymous
    Posted 03-09-2023 01:17 PM

    In addition to the standard criticality considerations (operational disruption, customer impact, etc.) our organization will also consider a vendor critical if the initial investment or annual commitment is over a certain dollar threshold. Is anyone else employing this methodology or does anyone see any concerns with this approach? 

    Thank you



  • 2.  RE: Cost Consideration for Criticality

    Posted 03-09-2023 01:31 PM

    We currently do not use a monetary threshold for our critical vendors.  




  • 3.  RE: Cost Consideration for Criticality

    Posted 03-09-2023 02:01 PM

    We look at several things to determine whether a vendor is critical, significant or non-essential. Cost is one of them. There is a formula that is applied based on answers to several questions, to determine their classification. They are as follows:

     

    Information Sharing: Whether the vendor accesses, stores and/or shares personal information of our members

    Cost: Critical if over $100K a year

    Operational Impact: Based on how much a disaster would impact operations.

    Financial Impact: What it would cost us

    Third Party Reliant: Based on how much we rely on the vendor and if we could easily replace them.

    Transactional: Whether they have a role in our member transactions and how much.

     

    I hope this helps.

     

    Cheryl Turner, CRVPM II

    Vendor Manager

    Thank you for partnering with Farmers Insurance Federal Credit Union.

  • 4.  RE: Cost Consideration for Criticality

    Posted 03-09-2023 02:09 PM

    We have just formalized our TPRM approach, and our approach is much like Cheryl's.

    We rank the risk of the vendor 0-10 in each of four areas, and track the annual expense. 

    Trivial vendors have ALL risk factors of 2 or less AND annual spend less than $#,000 - reviewed every three years 
    Critical vendors have ANY risk factor of 8 or more OR annual spend greater than $###,000 - reviewed every year
    Normal vendors are anything in the middle - reviewed every other year. 

    I think this is a good approach for us. 
    Cheers,
    Andy




  • 5.  RE: Cost Consideration for Criticality

    Posted 03-09-2023 03:27 PM

    We were using a cost consideration.  It had been previously set at $100k, but we bumped it to $250k last spring.  Now after some internal changes, we just tossed it out altogether, which I was not 100% in favor of to be honest.    




  • 6.  RE: Cost Consideration for Criticality

    Posted 03-09-2023 03:35 PM

    Cost is not a risk factor; however, risky vendors can cost! For example: a vendor that we spend $2k with that has a ton of PII could have poor controls, which could lead to "bad" things which could cost your company more than just the $2k you spend with them.

     

    Pam Streifel, SILA-F

    Ethics & Compliance, Third Party Risk Management

     

    Allianz Life Insurance Company of North America | www.allianzlife.com

    Allianz. For all that's ahead.



    Original Message:
    Sent: 03-09-2023 01:31 PM
    From: John Swenson
    Subject: Cost Consideration for Criticality

    We currently do not use a monetary threshold for our critical vendors.  


    Original Message:
    Sent: 03-09-2023 01:04 PM
    From: Anonymous Member
    Subject: Cost Consideration for Criticality

    This message was posted by a user wishing to remain anonymous

    In addition to the standard criticality considerations (operational disruption, customer impact, etc.) our organization will also consider a vendor critical if the initial investment or annual commitment is over a certain dollar threshold. Is anyone else employing this methodology or does anyone see any concerns with this approach? 

    Thank you



  • 7.  RE: Cost Consideration for Criticality

    Posted 03-09-2023 03:40 PM

    Pam makes a good point.  Cost and risk are not necessarily linked.  While one might argue that there is some correlation between vendor cost and criticality or risk, I think it is more important to assess what the vendor does, what the loss of that vendor might mean to your operations and customers and how difficult it might be to replace that vendor if faced with a sudden loss of their service(s).




  • 8.  RE: Cost Consideration for Criticality

    Posted 03-10-2023 04:26 AM

    Cost / spend does not really drive our criticality rating, but it does inform our DD requirements. 

    For example, a critical service with a spend over $250k will need a credit assessment at onboarding. All critical vendors will have a credit assessment periodically, and any vendor at onboarding with a spend over $1MM will need an assessment irrespective of criticality or risk.