I was in a similar position with my program and we landed on a few questions with a scoring system and based on the answers we score our vendors as Critical, Material, or Non-Critical. We assess the following:
Separately, we assess risk level as well and evaluate things like brand risk, financial risk, business impact, BCP criticality, and vendor location (i.e., offshore or onshore).
Original Message:
Sent: 07-08-2024 01:05 PM
From: Glory Polonia
Subject: General Guidelines for Criticality
Hi Mac,
I was in your shoes about a year ago. After a long trial and error process, we ended up with a risk rating matrix. I recommend your organization determine how many points they want to assign to each answer, but here are some common questions we ask:
- What type of data does this product/service have access to?
- What is the impact to the organization if the product or service fails?
- How quickly can the product or service be replaced? (Based on options in the market and onboarding period)
- Does the product or service process payments on behalf of the organization?
- Does the product or service require access or integration to organization systems or facilities?
- How often will the product or service be used?
- Is the product or service internal-facing, client-facing, or vendor-facing?
That last question will be important, as some internal- or vendor-facing products/services may not have as high an impact if they fail as the ones directly used by your customers.
Good luck!
Glory Polonia
Original Message:
Sent: 07-08-2024 12:57 PM
From: Mac Chapman
Subject: General Guidelines for Criticality
Hello to all the lovely folks here on 3rd party think tank!
I am new to my role as vendor manager / risk management analyst at a medium-sized credit union, and I am essentially re-doing our entire Vendor Management process from top to bottom. Unfortunately, our organization is fairly siloed and requires overcommunication through informal channels (i.e., there is no formal process for assigning a vendor number to vendors; a business unit owner just messages our accounts payable team and then a vendor number is established).
I give this context because one decision I will be making very frequently is designating which vendors are "Critical", "Material", "Minor", and "Exempt". We have an established vendor management system in play; however, it has lain essentially dormant for the past 2 years, so it is not a source of truth in the organization. Within this vendor management system, we have 3 multiple-choice questions that help determine criticality, those being the following:
1.) If the vendor's product or service failed, how quickly should it be restored before facing significant losses?
2.) How quickly could a suitable replacement for this product / vendor be identified and implemented should the need arise?
3.) Does the vendor have access to sensitive member data?
We are using the criticality assessment outlined by the vendor management system that was in place before I arrived here. My questions are as follows:
1.) Is this a robust enough set of questions to answer to determine criticality? These questions are asked to business units who have already identified the vendor in mind (completed a handful of demos with various providers) but we have not signed any contracts at this point in time. Will business unit owners know the answers to these questions, or is that my responsibility as vendor manager?
2.) Given that our vendor management system is dormant, we do have some overdue due diligence and criticality assessments. The point of contact for many of the vendors in our system is no longer with the firm. How might I go about assessing the criticality of an existing vendor? Are there any heuristics that can help me answer the first two questions? (For example, I am aware that our core systems are critical because we would need to restore them almost immediately if they failed; likewise, a suitable replacement is difficult to quickly implement, and they certainly have access to sensitive member data. But for something like the platform that our collections team uses, how can we determine the answers to the criticality questions?)
3.) I am having some trouble differentiating between material vendors and critical vendors. Conceptually, it makes sense: critical vendors are extremely important to keeping the doors open at our organization, and a failure here would lead to significant losses. Material vendors are also important to keeping the doors open, and a failure could lead to loss. Is there a firm threshold that separates critical and material vendors?
4.) Once we clean up the backlog of vendor criticality assessments, are there any thresholds we should hold? I.e., I have heard that no more than 15% of vendors / products should be critical, and that concentration risk becomes an issue after a certain number of products are with the same vendor.
I hope these questions make sense, and that someone who is willing to share their expertise would be willing to reach out! I am eager to learn about this space and ensure our credit union operates within our risk appetite.