The word that is overly abused and misused so often it should be its own risk category. (j/k) :-)
I've gotten to the point that we have Strategically Critical (where most just use Critical).
The definition is:
Strategically Critical Third Party shall be defined as any third party the Bank relies on to provide or support a mission critical service, and:
- Whose failure to perform could significantly and directly impact a significant number of customers, or
- Could not be replaced (either by an alternative third party or bringing affected services in-house) without significant disruption to operations and/or significant resource investment, or
- Whose services are crucial to multiple business units.
It's not a great definition, but it's what we have. I've also thought of using the term Operationally Critical as ranking just below Strategically Critical, so we have a demarcation that defines an operational risk to the use of the third party. That is, Operationally Critical would be those third parties where the business unit has a greater than 50% dependency on the third party supporting a business process.
All that said... I've seen the 80/20 rule apply to those third parties you should care about; that is, ~20% of the third party population should be part of your on-going monitoring process. Based on the Risk, that may follow re-assessment every 3 years for Low, 2 years for Medium and 1 year for High risk third party engagements. That said, in the 20% you care about, 10% - 20% you will classify as both Strategically and/or Operationally Critical. Those stats kind of fit for me. I have 3000 third parties; I have just over 400 that are "monitored" and 77 Operationally Critical and 8 that are Strategically Critical. So not perfectly aligned, but close.
------------------------------
Bradley Martin
------------------------------
Original Message:
Sent: 11-02-2022 11:41 AM
From: Christi Osburn
Subject: % of critical vendors
As a new member, I was not sure which community to post this in - I am wondering what is the best practice for the percentage of your vendors that are critical? I have heard 5-10%. Also, does anyone know if this percentage changes in different industries (I am in the insurance industry)? Thank you.