This is an interesting question, and I would be curious if others are classifying vendors as you are doing. We do not break ours down into Strategic, Tactical, Operational, or Commodity. We do things like identify if a vendor is a Fintech, is cloud-based, or handles NPI/PII.
Per our program, vendors can be categorically placed into 5 levels of risk: Very Low, Low, Medium, High, Very High, for both inherent and residual risk. Risk is calculated with a vendor risk assessment.
As far as criticality goes, we have Not Critical and Critical vendors. Critical vendors are vendors that we have operational dependence on, meaning any prolonged outage or loss of data is not as tolerable. Technically this is measured with 4 questions here, but you can look to the OCC guidance on vendor management for a good framework.
To answer your question, I suppose it could be possible for a vendor to be Strategic, yet not critical, but I think that would not be rare. It depends on how you break down the categorical differences between strategic and operational.