Policy, Program and Procedures

Hello,

I'm currently supporting a project to enhance our Critical Third Party program. As we consider criteria for identification I'm curious from this community how many align to your BC plans and third party dependencies supporting your most critical processes. Does anyone see a downside to this approach? Is there other criteria that should be considered?

Hello, I can share that we've defined criticality in our TPRM Framework as being a third party performing any activity deemed crucial to the organization's operations or is the sole provider of an essential business function.  Additionally, any sudden interruption of that activity (or failure to perform it as required) can cause significant disruption to core operations if not quickly and easily remedied.  I hope this may be helpful in how you go about determining criteria for your program.

I work for an insurance company and we have a similar definition of critical suppliers, with a few variations.

This is our general enterprise wide definition of critical suppliers: A supplier whose product or service is essential to our company's most critical operations. Failure of the supplier to provide their product or service would cause a significant negative impact to the organization.

This is our specific definition for suppliers supporting our Europe operations: For engagements in support of Europe operations, Business Critical suppliers also include suppliers providing a 'material' function, activity or service to Europe operations. For the purposes of this definition, a function, activity or service is 'material' if it is essential to the operation of Europe operations as it would be unable to deliver its services to policyholders without such function, activity or service. 

We also have a separate category for suppliers that may not meet the business critical definition, but which our organization is highly dependent on.  We call this category "High Dependency": Suppliers providing a service or product that is highly specialized and/or a long-term supplier disruption would significantly impact the business area. Products or services that fall into this category cannot be replaced within a period of time that is acceptable to the business area and it is not practical to perform those services in house for an extended period of time. Suppliers that fall into this category could also include those used throughout the enterprise where a supplier disruption would cause an impact across numerous products, services, and/or lines of business.