It’s a common misconception that critical vendors and high-risk vendors are the same. However, critical and high risk aren't interchangeable terms and shouldn't be regarded as such. It’s essential to understand that classifying a vendor as critical serves an entirely different purpose than rating a vendor as high risk. Understanding the key differences and the appropriate application of these terms is essential for effectively managing your vendor risk and protecting your operations from serious business interruptions or failures.
In addition to these risk levels, you need to determine if a vendor is critical or non-critical to your organization. In other words, how essential is the vendor to your daily operations? A simple way to establish criticality is by asking three questions:
Answering yes to any single question will mean the vendor is critical. If every answer is no, the vendor is non-critical.
Now that you understand how to measure risk level and determine criticality, it should be clearer why these two categories are separate. Let's review how and why different risk levels and criticality can overlap.
The vendor is considered Critical, but is not rated as High Risk: It's possible to have a vendor who is considered critical, but isn't high risk. An example might be a printing company that provides printed privacy policies for your customers. Regulatory requirements state that you must furnish a privacy policy to your customers at the beginning of the relationship and annually after that. Despite the increase in digital documentation, many customers still want a hard copy of the policy. That printing company is essential to help you maintain compliance. Other than the compliance factor, the vendor has few other risks and is classified as moderate risk. But, what if that is the only printer providing you the policies and the lead time for production is long? What happens if the printer suddenly goes out of business and your organization can't meet its compliance requirement? That moderate-risk printer could be considered critical to your organization.
In actuality, most critical vendors are rated as high risk because the products and services required to maintain operations tend to have many high-risk attributes, such as information security concerns or the ability to negatively impact the customer.
The vendor is Non-Critical, but is High Risk: Not all high-risk vendors are critical. In fact, most of them won't be considered critical. A company that provides shredding services would fall into this category. This third party would be considered non-critical because it's easily replaceable. Operations will not cease if the shredding vendor is no longer viable. However, they’re high risk because they can access confidential company information and client data.
Spend some time with your vendor list and investigate which vendors are truly critical to your organization. Suppose you find that many of your low or moderate-risk vendors are classified as critical. In that case, it's a good sign that your criteria for critical are not stringent enough, or your risk rating methodology needs to be reevaluated. Remember, most critical vendors will be high risk, but not all high-risk vendors are critical.
Understanding the difference between criticality and inherent risk ratings is essential for preventing severe vendor-related business interruptions. It will also help your organization determine the appropriate levels and timing for due diligence, risk reviews and monitoring for every vendor.