Due Diligence and Ongoing Monitoring

  • 1.  Critical Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 03-04-2024 10:06 AM

    Can a company have too many critical vendors?

    I am new to the company and tasked with building out the vendor and risk management processes. After creating our vendor inventory (274), we have proposed that about 42 should be critical. While presenting on this topic to our Business Analyst group, one of them asked if it was really possible to have 42 critical vendors and, if we did, suggested that maybe our criteria and/or responses were wrong. We are a life insurance company and have included vendors for things ranging from our re-insurer(s) to our firewall provider. These determinations were made by answering the following:

    1. Is there Day 1 impact to the company and/or customer?
    2. Would there be a negative impact to the company if it took >24 hours to restore services?
    3. If we needed to contract with a new vendor or bring the activity in house, would it require significant finances, resources or time?
    4. Would the company be subject to regulatory scrutiny, enforcement actions or fines if this vendor failed to provide products or services?
    5. Would this vendor's failure cause significant harm to the company's brand or reputation?

    Thanks in advance!



  • 2.  RE: Critical Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 03-04-2024 01:40 PM

    Thanks for articulating your question and the criteria.

    On your criteria, #2 is the most relevant to criticality. The others are dealing with the impact of a vendor failure and not its criticality: reputation, replacement, and external examination or notification requirements are part of doing business.

    Perhaps thinking in terms of business continuity would provide criticality.

    For BC/DR plans, we asked two questions about the availability of our IT operations:

    1. Until services are restored, can you operate even if manual?
    2. If your access to your office is denied (no physical building access) can you continue to operate?
    3. Are you maintaining processes to have all available resources that are must-have for your business unit (master case lists, court calendars, etc.) until services are restored (designated persons, call chains, secondary command centers, etc.)?

    Now shifting to vendors, I also ask the following to determine criticality:

    • What forms of governance and external assessments are readily available and conducted at least annually? Which are available to us?
    • Will the vendor modify their contract to provide full cooperation, including evidence gathering, to fulfill formal requests and/or requirements by regulators, third-party assessments and incident-related forensic discovery? Is this standard operating procedure or a one-off negotiation?
    • What is the vendor's risk rating based on access (in any form or process) to non-public information?
    • Can the vendor operate with solely on-shore (US) personnel, even in terms of their backup, site failover and monitoring?
    • Do they have an operating and effective security posture with an underlying program, policies, controls and procedures?
    • Do they have 24x7 monitoring, threat analysis, configuration due diligence, data encryption, access controls, awareness training, and software life cycle security?
    • What is their history of vulnerabilities, security incidents, data breaches, external penetration testing, time to remediate, policy reviews?
    • Do they guarantee access to our data even if the third party is out of business? Upon termination? During transition to a replacement vendor?

    Sorry if there are technical concepts mixed in, but with third parties, especially those that deliver services via a Software-as-a-Service (SaaS) model, the ability to be fully transparent to regulators, executives and the board of directors requires a new meaning of criticality and vendor management to close the gaps, or at least identify them, to manage risk.




  • 3.  RE: Critical Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 03-04-2024 01:42 PM

    The answer unfortunately is, it depends. For your critical vendors, what requirements are different related to due diligence and ongoing monitoring? Is the due diligence onerous and costly versus the potential risk? Do you have sufficient resources to deliver the defined oversight? The count is not as important as the risk. If you look at the critical provider list, is there a high degree of duplication? Can services be consolidated? Your question #3 is important, but is that really critical from oversight, versus critical to understand the process to execute if you want to make a change? As a suggestion, explore those who are elevated to critical but only because of Question #4; some of these could potentially be "important" but not critical. You could also look at a score assigned to each of your 5 questions and possibly do a cut-off that deems a smaller set critical due to the cumulative inherent risk, and below that score, deem them High Impact. But again, that only makes sense if your oversight activities vary by the score. If it helps, my organization has defined 4% of in-scope vendors as critical. And you should also consider your organization's risk appetite.




  • 4.  RE: Critical Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 03-05-2024 07:51 AM

    In answer to your question, yes, you can have too many critical vendors. However, based on how you have been determining criticality and the total number of vendors, I don't believe that you have too many.

    The number, 42, is intimidating. When you see that the 42 is only 15% of your vendors, it doesn't look bad. If you had said that 68, or more, were deemed critical, that would be concerning, as you are now in excess of 25% of vendors.

    You can change your criteria to lower the number, but at what cost? Unless someone is willing to accept the risk of using lower criteria, I would stick with the 42. If someone does step up to accept the risk, ensure that they are high enough in the organization to be able to accept it. Also provide them with a very detailed risk document so they understand what they are agreeing to.