Due Diligence and Ongoing Monitoring

  • 1.  Tiering

    This message was posted by a user wishing to remain anonymous
    Posted 02-07-2025 02:11 PM

    Good morning,

    I am hoping to get a better understanding of your criteria for determining a critical vendor, as well as how you handle applications that are critical but installed on prem, so that you are responsible for the recovery and may only be dependent on the vendor for support or patching. Do you still classify those as critical?

    Thank you in advance



  • 2.  RE: Tiering

    This message was posted by a user wishing to remain anonymous
    Posted 02-10-2025 05:19 PM

    Hello,

    We have some guiding questions to help determine if the vendor should be critical. We do not currently consider any applications installed on prem as critical.

    Critical
    The following list of questions should be considered when determining the impact of a Critical third-party relationship. Critical third parties are approved by the Enterprise Risk Management Committee.
    1. If we abruptly lost this third party, would there be a significant disruption to our organization?
    2. Would the sudden loss of this third party impact our customers?
    3. If the time to restore service required more than 24 hours, would there be a negative impact to our organization?
    4. If we need to involve a different third party or bring the outsourced activity in house, will this require significant finances, resources or time?
    5. If this third party failed to provide its products or services, would our organization be subject to regulatory scrutiny, enforcement actions or fines?
    6. Would this third party's failure cause significant harm to our organization's brand or reputation?




  • 3.  RE: Tiering

    Posted 02-11-2025 04:23 PM

    This is how we determine if a vendor is critical:

    Whether a vendor is critical has more to do with whether the product or service they provide to us is critical, and how reliant we are on the product/service to operate.

    If the answer to either of these questions is "YES", the vendor is a critical vendor for PEMCO.

    Would a sudden loss of this vendor cause a significant and immediate disruption to our ability to sell, service, or process a policy(s)?

    If this vendor's service is disrupted, would there be a significant, negative impact to us if the time to restore service took more than 24 hours?

    We have not identified vendors with installed on-prem applications as critical because, if that vendor goes out of business or goes down, the application is on-prem and we can continue to use it.




  • 4.  RE: Tiering

    Posted 02-11-2025 06:42 PM

    Determining criticality can be challenging as you did not specify which industry you are in, as each sector has different qualifiers. For a financial institution, criticality could be assessed based on several factors, such as whether the outsourced party hosts restricted information like NPI data, the Recovery Time Objective (RTO) which drives reliance on the vendor, the ability to move funds, and the connection to the infrastructure. If all these factors are present, the vendor might be rated as high risk. Conversely, if only one factor is present, it might be considered moderate risk, which still requires due diligence. If none of these apply, maybe it is low risk.

    For on-premise applications, you need to evaluate your reliance on the vendor and the risk exposure in case of a system disruption. For example, if you purchased the application, installed it in your infrastructure, and only rely on the third party for support and maintenance or troubleshooting during patch updates, etc., you need to determine your reliance timeframe (RTO). Is it 0-4 hours or 12-48 hours? A 0-4 hour reliance might make the application more critical compared to a 12-48 hour window.

    Consider the impact on your organization without the application. Would you be crippled, or could you continue to serve your customers with minimal impact? Are there manual workarounds available? Another important factor is who controls the restoration in case of a disruption, your IT teams or the third party?

    All these factors should help determine the criticality of the application to your organization. Conducting a Business Impact Analysis (BIA) can also help define if this application is part of your most critical functions or processes.