It can be tricky to separate the concepts of risk and significance when it comes to vendor management. Are they just two ways of saying the same thing? Does one depend on the other? How does due diligence play into those ratings? If you've asked those questions before, or if this is your first time seeing them, you've come to the right place. Let's explore this idea.
First, let's define vendor significance. Significance is about how much you rely on the vendor. How significant are they to your operations? A vendor could be insignificant, significant, or even critical. For example, a vendor would be critical if you absolutely needed their services for your business to survive, like your core provider. A vendor would be insignificant if their failure would have minimal effect on your business, such as your office supplies vendor. You could get by with a little bit of help from Amazon or Walmart until you got a new vendor in place.
Next, let's define vendor risk. When talking about risk-rating vendor relationships, we often hear the question: is it inherent risk or residual risk? I believe it's neither. When it comes to your vendors, what you are looking at is transferred risk. Transferred risk is not the level of risk the vendor has before they apply controls, and it's not even the level of risk the vendor has after they apply controls. Some people describe the due diligence process as applying controls and feel that the risk level selected is residual once they have gathered and reviewed those documents. Not at all. Instead, what you find in due diligence, combined with the vendor's significance, gives you an accurate representation of the transferred risk. It is the risk your bank is taking on by being in a relationship with the vendor, as-is. However, if needed, there are other measures you could pursue to reduce the transferred risk, such as obtaining certain insurance or requiring the vendor to gain certain certifications.
One thing to note is that significance and risk are not necessarily correlated. Imagine a vendor that is insignificant, perhaps an office cleaning service. They are insignificant because (1) there are many companies to choose from and (2) if you had to go without the service for a few days, it wouldn't be particularly harmful to the bank. At the same time, this vendor could be considered high risk from a security standpoint. Their staff has more access than the average person to your documents and assets. If they allowed access to bad actors, or if they shared proprietary information, that could cause a lot of damage. There is a high risk, even though the vendor is insignificant.
Here's what it looks like when we put all the pieces together. First, determine significance by asking: if the vendor were to have a breach, be temporarily unavailable, or be permanently unavailable, would that be a problem for us? If so, they are significant or maybe even critical, depending on your criteria.
Then, you can get more specific with those problems to determine what due diligence documents would be valuable to review. Here are a few examples.
- If the vendor had a breach and that would be a problem, we need to review their SOC audit report to confirm that a qualified third party has assessed their controls and considers them secure.
- If the vendor were to be temporarily unavailable, and that would be a problem, then we need to see enough of their BCP or SLA to make sure they have plans to keep our service moving.
- If the vendor were to go out of business and that would be a problem, we need to see their financials to confirm that they appear likely to stay in business for a while.
If these things are not problems for us, then we don't need to look over, or even gather, the related documentation because it's not going to tell us anything we need.
Finally, knowing how significant the vendor is to us and knowing how stable and prepared they seem to be, based on the data in their due diligence, we can accurately define the transferred risk we are getting into by being in a relationship with the vendor.