In speaking with our Fannie consultant and then internal auditor, we came up with similar timelines while establishing our vendor management program. Our critical vendors are managed by a 3rd party and on 24/7 "watch" with annual renewals of data. Our less critical are reviewed in the following sequence: 12 month, 18 month and 24 month. The company that delivers our coffee needs to be reviewed annually because he has door access, but our paper delivery company every 24, as they only come during normal business hours and check in at the front desk. Any new vendors we review at 18 months, prior to contract renewals, to establish that the relationship is still working and we want to proceed.
Original Message:
Sent: 09-18-2024 10:32 AM
From: steven sheronas
Subject: Percentage of critical and high risk vendors
Thanks Michael, I appreciate your update and sharing the cadence of your criticality refreshes. What is everyone else doing in terms of criticality updates? I have heard a variety of update timelines that go from weekly/monthly to every 2 years; I am curious to see where this crew is as far as the most common update cycle.
Original Message:
Sent: 09-16-2024 04:38 PM
From: Michael Magone
Subject: Percentage of critical and high risk vendors
We have 157 vendors, 24 of which are critical (15.3%). Earlier this year, we had close to 41, which I knew was higher than industry standard and meant additional work for my team. We surveyed our product owners as to whether they considered vendors critical or not, and also did a review on our own. We determined that our infrastructure had grown over the past several years and some vendors weren't as critical as they once were, and we also had some duplication of services from alternative vendors that lessened the criticality. After our review, we reduced this to 24 vendors.
Since we are a financial institution, I drafted a letter to our internal audit team documenting the analysis, defined our definition of a critical vendor, and provided a list of vendors that we re-categorized and the basic reason why. I had minimal pushback from internal audit or the FDIC. I plan to revisit this every two years going forward.

Michael Magone, CISM, Director of Technology Services
Original Message:
Sent: 09-16-2024 04:12 PM
From: Anonymous Member
Subject: RE: Percentage of critical and high risk vendors
This message was posted by a user wishing to remain anonymous
We have 26.6% of vendors listed as critical or high.
Original Message:
Sent: 09-16-2024 02:05 PM
From: Anonymous Member
Subject: Percentage of critical and high risk vendors
This message was posted by a user wishing to remain anonymous
I'm working on a study of how many vendors are labeled high or critical risk. I currently have 15% of vendors who meet the high/critical risk rating combined. I read a Venminder article that said it should be around 10-15% for the two risk ratings combined. I would love everyone's feedback on where your organization is, even if anonymous. Thank you.