Policy, Program and Procedures

For financial institutions greater than 5 billion in assets, what is your criteria for determining whether a third party vendor is critical (e.g., operational importance, data sensitivity, compliance impact, etc.)?  Do you use some sort of matrix or questionnaire?  

Good morning! We use both a matrix and a questionnaire. The risk impact matrix we have created derives from our risk appetite which informs our questionnaire. Within our system, the questionnaire will deliver us a result based on the answers to questions regarding cost, financial impact, data shared, operational impact, transaction reliance, and third-party reliance. The weighting is based on our risk appetite. Whatever the vendor calculates out to, we will discuss with our vendor owners what that means for oversight, and if the vendor should be upgraded, downgraded, or accepted at their calculated classification level. 

This is a fairly dated response but I thought of one thing to add.  I agree with the approach Debbie stated, first of all.

In a prior shop where I worked, we established criticality very early on, actually at the procurement level which was during contract review before a vendor had really any other assessment done by vendor risk at all.   We used a series of 2-3 if then, else screening questions.  Example: Does (will) the vendor store, process, access, or transmit Bank XYZ data such that a disruption or significant delays in processing will cause a material inability to process company, client, or employee informational or data functions (add in for greater than X amount of time) etc.   

Then if yes, designate as Mission critical, Important etc. Then you have one other question before or after that question that cascades together to establish a criticality level based on how the questions are answered.  Bear in mind that this was a very very large fortune 100 company and not a bank (so large that large national banks were our vendor), and these questions were extremely complex and vetted by scores of people but worked well.

I'm mainly just mentioning one way that doing what Debbie mentioned could work.  We did exactly what she suggests.  We just did screening questions ( I think 3 of them) and wrote them very carefully so that any manager who went through our required managers VRM / TPRM training (if you signed contracts you had to attend) were able to simply answer yes/no and then our system would set the criticality level accordingly.

We use first a materiality assessment of 7 questions that include- Will this vendor access borrower or employee confidential data?  Will this vendor have major impact on our ability to operate our business? Are there significant internal resources needed to manage and monitor this vendor? Will this vendor process financial transactions?  Will this borrower have direct or indirect communication with our clients, customers or board?   Does this vendor market products or services for  us? 

If the answer to any of these are yes, the vendor is considered material and then goes through a risk assessment. We have a series of weighted responses that will calculate based on the overall weight a risk tier of the vendor. The tiers range from Enterprise Critical Tier 0 (very high risk tier) Critical  Tier 1 (high risk) Medium Risk Tier 2, Low Risk Tier 3.   The vendors who are not material are assigned a Tier 4 rating.    Think of the risk assessment questions in terms of what risks your organization could face through the engagement- Will this vendor access restricted borrower data- High weight assigned. If no, then no weight is assigned.   What are our Recovery times for this vendor should they become inoperable? Immediate- Highest weight assigned,  24-72 Hours- High weight, >72- 1 week medium, indefinitely, low or no weight.  These are just quick examples- we have around 25 questions in ours that will aggregate and assign a tier. If TPRM has a vendor that tiers lower than we think appropriate or we think the vendor use could be expanded in a way that might impact the risk tier in the future (think pilot vs. permanent relationship) TPRM can elevate the tier accordingly.   I hope that helps!  We built our own but there are lots of places that offer examples that you can research. 

This message was posted by a user wishing to remain anonymous

We think of "critical" in terms of impact - what would happen to our operations if something happened with this vendor? An example: If the electricity went out, that would have a huge impact on our operations (critical) but has a relatively low risk of happening.  (Only an example - utilities are technically de-scoped from our VM policy because we have no influence.)

For risk ratings we have high, medium, and low.  Starting with basically the same questions Jennifer mentioned in her post along with guidance from our regulator, we weigh a vendor's risks.  Our risk appetite is such that it's usually member/employee data, system/physical access, and impact to operations (including compliance) that make a vendor high risk.   We also created our questionnaire ourselves.