Policy, Program and Procedures

  • 1.  % of critical vendors

    Posted 11-02-2022 11:42 AM
    As a new member, I was not sure which community to post this in - I am wondering what is the best practice for the percentage of your vendors that are critical? I have heard 5-10%.  Also, does anyone know if this percentage changes in different industries (I am in the insurance industry)?  Thank you.


  • 2.  RE: % of critical vendors

    Posted 11-02-2022 06:21 PM

    Currently, 6% of our vendors are considered Critical, based on our definition which is better standard.  We do not attempt to keep the percentage at a certain amount as each new vendor is evaluated independently of the others.  It doesn't make sense to not move forward with a potentially new Critical vendor without having to get rid of an existing one. And by the sheer definition of Critical, each would be extremely important to business operations and therefore warranted.

     

    Tracy

     

    Tracy J. Wilson, PMP, FLMI, PCS

    Enterprise Services Manager

    Enterprise Services

    Modern Woodmen of America








  • 3.  RE: % of critical vendors

    Posted 11-03-2022 02:09 PM
    Christi,

    Great question. When I started the TPRM process for Penn National Insurance I talked to several individuals who work in the space. As a rule of thumb they mentioned the 5 - 10% you referenced. However, that can vary by your organization's definition of what is critical and the due diligence process followed when selecting vendors in the first place.

    When I started we identified over 3000 potential vendors. During that initial identification phase almost 200 were ranked critical. After some refinement to our exception, combining duplicates, education, time and normal vendor attrition we are now tracking about 700 vendors with about 45 unique vendors ranked critical. This process started over 5 years ago.

    As mentioned by another contributor, don't gear your program to a percentage. It is important that all of your critical vendors are identified so you adequately assess the risk and identify appropriate controls to manage the risk.

    I hope this helps.


    ------------------------------
    Mark Ewert, CPCU, CIC
    Director Vendor Management
    Penn National Insurance
    ------------------------------



  • 4.  RE: % of critical vendors

    Posted 11-03-2022 07:50 PM
    The word that is overly abused and misused so often it should be its own risk category. (j/k) :-)
    I've gotten to the point that we have Strategically Critical (where most just use Critical) 
    The definition is: 
    Strategically Critical Third Party shall be defined as any third party the Bank relies on to provide or support a mission critical service, and:
    - Whose failure to perform could significantly and directly impact a significant number of customers, or
    - Could not be replaced (either by an alternative third party or bringing affected services in-house) without significant disruption to operations and/or significant resource investment, or
    - Whose services are crucial to multiple business units.

    It's not a great definition; but it's what we have. I've also thought of using the term Operationally Critical as ranking just below Strategically Critical; so we have a demarcation that defines an operational risk to the use of the third party. That is, Operationally Critical would be those third parties where the business unit has a greater than 50% dependency on the third party supporting a business process.

    All that said... I've seen 80/20 rule apply to those third parties you should care about; that is ~20% of the third party population should be part of your on-going monitoring process. Based on the Risk, that may follow re-assessment every 3 years for Low, 2 years for Medium and 1 year for High risk third party engagements. That said, in the 20% you care about, 10% - 20% you will classify as both Strategically and/or Operationally Critical.  Those stats kind of fit for me. I have 3000 third parties; I have just over 400 that are "monitored" and 77 Operationally Critical and 8 that are Strategically Critical. So not perfectly aligned, but close.

     


    ------------------------------
    Bradley Martin

    ------------------------------



  • 5.  RE: % of critical vendors

    Posted 11-04-2022 09:01 AM
    I 100% second all of the comments in this thread!  Critical vendor creep is real.  

    We had gone through all of our critical vendors about 18 months ago, re-reviewed and risk rated and got the number down to about 13% of total vendor population.  That percent however has started to creep back up so looking at doing another re-review.  Also looking at the questions we ask, and how we ask them, to assess risk and assign criticality.  

    One recommendation that I would make is to ensure that your third party risk policy gives TPRM the final say in assessing any rating risk.  Our TPRM policy allows TPRM to make changes to the risk rating assigned by the business owner.  It's really helpful and we have found a great opportunity to have a conversation with the business unit about what we see as the risk versus how they were perceiving it.  In my experience it comes down to critical to a specific business unit or business function but not critical to the enterprise.  

    Shelly

    ------------------------------
    Shelly Chase
    AVP Operational Risk
    ------------------------------