OFFICIAL PUBLICATION OF THE VIRGINIA ASSOCIATION OF COMMUNITY BANKS

Pub. 10 2021 Issue 2


The Difference Between Vendor Significance and Vendor Risk

This story appears in The Community Banker, Pub. 10 2021 Issue 2.

It can be tricky to separate the concepts of risk and significance when it comes to vendor management. Are they just two paths saying the same thing? Does one depend on the other? How does due diligence play into those ratings? If you have asked those questions before, or if this is the first time you have seen them, you have come to the right place. Let us explore this idea.

First, define vendor significance. Significance is about how much you rely on the vendor. How significant are they to your operations? A vendor could be insignificant, influential, or even critical. For example, a vendor would be critical if you needed their services for your business to survive, like your core provider. A vendor would be insignificant if their failure would have minimal effect on your business, such as your office supplies vendor. You could get by with help from Amazon or Walmart until you have a new vendor in place.

Next, define vendor risk. When talking about risk rating relationships with vendors, we often hear the question, is it inherent risk or residual risk? I believe it is neither. When it comes to your vendors, what you are looking at is transferred risk. Transferred risk is not the level of risk the vendor has before they apply controls, and it is not even the level of risk the vendor has after implementing them. Some people may describe the due diligence process as applying controls, and so feel that the risk level selected is residual once those documents have been gathered and reviewed. Not at all. Instead, combined with vendor significance, due diligence is what gives you an accurate representation of transferred risk. It is the risk your bank takes on by being in a relationship with the vendor, as-is. However, if needed, there are other measures you could pursue to reduce the transferred risk, such as specific insurance or requiring the vendor to obtain necessary certifications.

One thing to note is that significance and risk are not necessarily correlated. Imagine an insignificant vendor, perhaps an office cleaning service. It is insignificant because (1) there are many companies from which to choose, and (2) if you had to go without the service for a few days, it would not be particularly harmful to the bank. At the same time, from a security standpoint, this vendor could be considered a high risk. Their staff have more access than the average person to your documents and assets. If that access were given to bad actors, or proprietary information were shared, it could cause a lot of damage. There is a high risk, even though the vendor is insignificant.


Here is what it looks like when we put all the pieces together. First, you determine significance by considering: if the vendor were to have a breach, be temporarily unavailable, or be permanently unavailable, would that be a problem for us? If so, they are significant or maybe even critical, depending on your criteria.

Then, you can get more specific with those problems to determine what due diligence documents would be valuable to review. Here are a few examples.

  • If the vendor were to have a breach and that would be a problem, we need to review their SOC audit report to confirm they are considered secure by a qualified third party.
  • If the vendor were temporarily unavailable, thereby creating a problem, we need to see enough of their BCP or SLA to make sure they have plans to keep our service moving.
  • If the vendor were to go out of business, thereby creating a problem, we need to see their financials to confirm it looks like they will last a while.

If these conditions are not problems for us, we do not need to look over, or even gather, the related documentation because it will not tell us anything we need.

Finally, knowing how significant the vendor is and knowing how stable and prepared they appear to be, based on the data in their due diligence, we can accurately define the transferred risk we are getting into by being in a relationship with the vendor.

After earning a B.A. and an M.A. in Mathematics, Leticia joined CoNetrix, where she served as the Tandem Software Support Manager for several years. She built and directed Tandem’s first team of support specialists. Leticia now serves as Chief of Staff, focusing on corporate strategy, employee development, and training. In her free time, she enjoys mentoring college students, teaching phonics, and solving jigsaw puzzles.