You could think about unpacking some of your risk indicators from one single risk rating and move toward a more multi-faceted view of risk where operational criticality is one factor. That was part of how we reduced our volume of vendors risk-rated as critical. We moved toward a risk program that measures operational criticality based on ease of replacement and the length of time services could be down before operations were impacted.
We have a separate risk rating for data confidentiality that looks at NPPI, kinds of NPPI and volume of NPPI.
We then measure annual spend, foreign based third parties, IT/InfoSec risk separately.
We drive some processes based only off the operational criticality rating (how frequently we review, board reporting) and other requirements based off the other risk factors, specifically the kinds of due diligence that we obtain.
We reassessed all of our previously critical vendors using our new methodology, which reduced the volume. We also monitor new vendors assessed as critical with a "critical" eye and gave TPRM the ability by policy to change risk ratings we don't believe are appropriate.
Thanks,
Shelly
------------------------------
Shelly Chase
AVP Operational Risk
------------------------------
Original Message:
Sent: 02-01-2022 09:12 AM
From: Anonymous Member
Subject: Determining the Criticality (materiality) of the Third Party
This message was posted by a user wishing to remain anonymous
We are looking to tighten (reduce our number of) critical (material) third parties. Our current criteria are:
- Sensitive data (PII, HI, PCI) and >100K records or
- 24/7 availability and an outage of >12 hours impacts customer-facing systems, or
- >10M total contract value and 3 or more arrangements.
Does anyone have suggestions on additional criteria or best practices?