Exams or Audits


Criticality & Risk - Exam Issue

  • 1.  Criticality & Risk - Exam Issue

    Posted 10 days ago

    If you assess criticality and risk separately, can you please share your experiences on how this is reflected in your program and your experiences with the regulators?

    I am new to vendor management and just went through my first exam as the VM contact. The examiner really beat me up for having a separate criticality category and risk rating for each third party. An example, we have a shred service categorized as non-critical (easily replaced and won't halt bank operations if they fail) and high risk (due to their access to our customer's sensitive data).

    The examiner stated she had never seen the use of two separate "ratings" before and said that it is risk rating 101 to come to a single point of [something I didn't catch]. I tried to explain that the criticality determination is not the risk rating, they are separate things. She said she had never seen or heard of doing this. I developed the program based upon information learned from seasoned VM professionals and resource documents, blogs, etc. Although I know not everyone handles it this way, it makes sense to me that we could have a determination for critical/non-critical vendors and a separate risk rating for each. Have I completely missed the boat and interpreted the information and/or implemented it incorrectly? 

    An additional note, our program states that all critical and high-risk vendors will undergo annual risk assessment and due diligence, so I can't figure out why she was so distressed about the separate criticality and risk determinations. She also stated that I "may" be overcomplicating things and suggested a critical/high, medium, and low risk. I get that that is an option, but I can't make sense of how that would be any different than what I have in place other than it looks like what the examiner is accustomed to seeing. 

    Thanks in advance for your thoughts! I may be way off base here and really need some assistance to ensure my program is good and sound.



  • 2.  RE: Criticality & Risk - Exam Issue

    Posted 10 days ago

    Hi Chrysti!

    Welcome to Vendor Management!

    You didn't say, but it sounds like you, as I do, work in a Financial Services company. If that's so, I'll share that in my experience regulatory examiners are, unfortunately, quite varied in their experience and opinions. There tends to be more consistency and maturity in the "big" regulators, but not always so.

    Regardless, having spent much of my career in risk management and working in/running multiple TPRM programs, I am in agreement with your view on this. Here's how I've summarized it (not verbatim) in various program materials/responses:

    Criticality and risk ratings, while related, are different concepts within risk management. While criticality focuses on the importance of a vendor's service to an organization's objectives, a risk rating (H/M/L) assesses the likelihood and potential impact of negative events associated with the failure of that service provider to perform a given service.

    Hope that helps - good luck with the discussion!



    ------------------------------
    --Kevin
    ------------------------------



  • 3.  RE: Criticality & Risk - Exam Issue

    Posted 10 days ago

    Thank you so much, Kevin. I appreciate your summary. It will help me to communicate more effectively in the future!




  • 4.  RE: Criticality & Risk - Exam Issue

    Posted 10 days ago

    Hi Chrysti,

    I agree with Kevin! Here is my understanding of it. 

    Critical or non-critical is not a rating but a classification. The vendor is going to be critical or non-critical based on your business impact risk, because criticality indicates impact on your operations, such as a sudden loss that would cause a disruption to your business and customers, a negative impact on your operations, etc. Your inherent risk rating is determined by your risk assessment and that will be low, moderate or high. This helps to identify the amount of risk or types of risk in the product or services your business is using. In your example your vendor is classified as non-critical with a high-risk rating.

    I hope this helps as well. Please do not get discouraged and keep moving forward; there is so much to learn with TPRM. It is a work in progress for sure, and every day is a new day.



    ------------------------------
    Angelica
    ------------------------------



  • 5.  RE: Criticality & Risk - Exam Issue

    Posted 10 days ago

    Thank you so much, Angelica! This is all so helpful as I am still learning. 




  • 6.  RE: Criticality & Risk - Exam Issue

    Posted 9 days ago

    Hi Christi,

    I would suggest that you work with your CRO organization and ensure that the program you are creating is in alignment with your firm's Risk Appetite.

    Remember that setting a risk appetite for a firm and then the TPRM program is a top-down, iterative process that balances risk and opportunity, enables informed decision-making, and supports the company's resilience and strategic goals.

    Risk appetite in the financial services industry is set through a structured process led by the Board and senior management levels, ensuring alignment with the company's strategic objectives, regulatory requirements, and stakeholder expectations.

    The process typically involves the following key steps:

    Define Strategic Objectives, where the company first clarifies its business goals and risk philosophy, ensuring that the risk appetite supports its mission and long-term strategy.

    Assess Risk Capacity, evaluating the firm's ability to absorb losses, considering financial strength, capital adequacy, and operational resilience.

    Categorize Risks, classifying them into categories such as financial, operational, compliance, reputational, and cybersecurity, ensuring comprehensive coverage across all domains.

    For each risk category, the company should set clear risk tolerance levels. These are the boundaries within which risks are acceptable, and this is how they establish tolerance levels that are both qualitative (e.g., statements about risk culture) and quantitative (e.g., specific loss limits, capital ratios). You then must develop measurement metrics, both qualitative and quantitative, that are clearly defined, such as maximum acceptable loss, earnings volatility, capital ratios, or operational incident thresholds, etc.

    Set up a Governance and Monitoring Framework, where the governance structure is established to oversee the risk appetite implementation, including roles, escalation procedures, and regular risk assessments. Create monitoring dashboards and reporting mechanisms to track adherence to the established risk appetite; this should be consistent and frequent, e.g., on a weekly, monthly or quarterly basis depending on the risks.

    The Risk Appetite must be aligned with Business Units, and the risk appetite should be cascaded down to business units and functions, with specific limits and metrics tailored to their activities, ensuring that risk-taking is consistent across the organization.

    Remember that it's important to have continuous review and calibration of the risk appetite statement and to regularly review and update the risk appetite statement to reflect changes in the business environment, regulatory landscape, and internal strategy.

    I've found that best practices include involving stakeholders throughout the process, using both forward- and backward-looking metrics, and embedding risk appetite into the company culture so that it guides decision-making at all levels.

    Hope this helps.



  • 7.  RE: Criticality & Risk - Exam Issue

    Posted 9 days ago

    Thank you for the tips, Joseph! This is great information as we develop our program.




  • 8.  RE: Criticality & Risk - Exam Issue

    This message was posted by a user wishing to remain anonymous
    Posted 10 days ago

    Hi Chrysti,

    I work for a financial institution and we had the opposite feedback in our last exam. We risk rate our vendors the way they suggested in your exam, as Insignificant, Low, Medium, High, without any call out to what the examiner called "importance" (aka criticality). We do add a critical flag to high risk vendors who we deem critical to our business and perform additional due diligence on those (none of which is a shredding service).

    The feedback we received was that we could have a low risk vendor who could be easily replaced, but they could also be deemed critical to our business needs such as a vendor being used to assess mergers and acquisitions. We explained that a vendor such as this is providing us with consultative services, however the risk lies with the bank because we are the ones making final decisions. They suggested that we should also consider the criticality in addition to the risk rating. 

    In my years of experience, I've landed on the fact that these are humans with their biases and vast and/or limited experiences. Unless the regulators are going to provide a prescriptive approach for us all to follow, then you are not doing anything wrong in how you built your program. Have confidence speaking to it and explain why it is right for your business model, and that you will respectfully consider their feedback.

    It sounds like you have built a solid and thoughtful program. Perhaps you can evolve your criticality explanation and rename it as "having access to customer data" and explain why you are tracking that, such as the need to report data breaches, BSCA requirements, etc. That may make more sense to them than trying to reconcile what they have seen in practice.

    I wish you all the BEST!




  • 9.  RE: Criticality & Risk - Exam Issue

    Posted 10 days ago

    Not sure why labeling it as such would be a problem. We currently risk rate our vendors as High, Medium, Low, and High Information Risk, with the latter rating being anything GLBA. So you can have a low risk rating for a vendor, but if they view or store our client or Employee PII, then they will be both a low risk but will also be a high information risk (GLBA) vendor, requiring us to review their SOC 2 reports. If their access is questionable, such as the copy/printer machine repair company or shredding co., then we would just require confidentiality agreements. Getting back to your question, it seems that in more recent VRM training I attended, they do want you to risk rate as well as label as a critical or non-critical vendor, because they don't have to be rated "High Risk" to be a "Critical" vendor to your organization. I think what you have in place seems to be what we should be doing with our risk rating process.



  • 10.  RE: Criticality & Risk - Exam Issue

    Posted 10 days ago

    Hi Chrysti! You're absolutely right to distinguish between criticality and risk - this is actually a well-established practice in third-party risk management, and the examiner's feedback seems inconsistent with current regulatory guidance and industry best practices.

    The FFIEC guidance clearly states that banking organizations should analyze the risks associated with each third-party relationship and tailor their risk management practices accordingly, taking into account the banking organization's size, complexity, risk profile, and the nature of the third-party relationship. The guidance emphasizes that not all relationships present the same level of risk, and therefore not all relationships require the same level or type of oversight or risk management.

    The guidance specifically notes that "It is up to each banking organization to identify its critical activities and third-party relationships that support these critical activities. Notably, an activity that is critical for one banking organization may not be critical for another. Some banking organizations may assign a criticality or risk level to each third-party relationship, whereas others identify critical activities and those third parties that support such activities. Regardless of a banking organization's approach, a key element of effective risk management is applying a sound methodology to designate which activities and third-party relationships receive more comprehensive oversight."

    Your shredding service example perfectly illustrates why separate assessments make sense.

    Most mature third-party risk management programs use this dual approach because:

    1. Criticality answers: "How quickly/easily can we replace this vendor if they fail?"

    2. Risk answers: "What potential harm could this vendor cause to our organization?"

    These are fundamentally different questions that require different risk management responses.

    The guidance states that "In the evaluations of a banking organization's third-party risk management, examiners consider that banking organizations engage in a diverse set of third-party relationships, that not all third-party risk relationships present the same risks, and that banking organizations accordingly tailor their practices to the risks presented."



    ------------------------------
    Rafael E DeLeon, SVP Industry Engagement, Ncontracts
    ------------------------------



  • 11.  RE: Criticality & Risk - Exam Issue

    Posted 9 days ago

    Hi Chrysti: Nothing I can add - I agree with your process, and all of the other responses, for the reasons already documented. As others have said, this is more about the experience of your specific regulator than your VM program.

    It sounds like you may be a department of one (as I am), and I wanted to voice my support for you and your program.

    Donna