David Medrano, Director of Third Party Risk Management at MorganFranklin Consulting 

Determining the risk rating of a third-party vendor is a key factor in any third-party/vendor risk management program. While there are many ways to determine your third-party’s risk rating (e.g., weighted questions scoring, roll up to highest risk domain, subjective decision making, matrix scoring), some organizations have used the term “high-risk vendor” and “critical vendor” synonymously.  Although both can show that a vendor has a level of importance and has multiple areas of risk to consider, these two ratings should be differentiated for several factors: 

1. High-Risk May Not Equal Critical 

If a vendor’s service hits multiple domains of risk (e.g., data risk, compliance risk, reputational risk, etc.,) and, depending on your scoring methodology, it would be fair to say that this vendor is “high-risk”. The main question that this rating may not capture, is the importance of the service. Let’s walk through an example:  Your organization uses a 4-tiered risk rating (critical, high, moderate, and low). Vendor ABC has access to your organization’s data, and that vendor’s services help drive revenue. This vendor could easily impact your organization’s reputation if they were to halt services. All these factors combined sound like a risky vendor, but if that vendor were to stop its services, will your organization still be able to meet its goals and objectives? If the answer is “yes”, then it may not be considered a “critical” vendor however, if you only rely on aggregating total risks, your vendor risk rating methodology may flag this vendor as “critical” when in reality it is high risk. Your organization should consider how important the service being rendered is prior to classifying a vendor as “critical”.

2. Identifying your Important Vendors 

Differentiating between “critical” and “high” risk also serves one key function that your senior management will want to know. How many times have you been asked by your committee “Who are our most important vendors?”. If your organization only uses vendor risk ratings of “high”, “moderate” and “low”, you may not be able to answer this question. Ensuring you include questions on gauging your vendor’s importance will let you answer this question and, moreover, allow your committee to see what conditions were taken into consideration when classifying that vendor as “critical”. 

3. Overreliance 

A “critical” risk rating is important because, not only does it tell you what important processes are being outsourced, but it also lets you gauge the level of reliance your organization may have on its third parties. Many organizations do not consider the number of critical processes that are outsourced to a third party. Although your organization may consider outsourcing as a cost-efficient approach (and it commonly is), over-reliance on third parties could be a risk to your organization. Moreover, consider the number of critical processes outsourced to each individual vendor. An organization that prefers to outsource its critical processes and decides to use the same vendor for most of those services is at a higher risk than those organizations that decide to bring those critical processes in-house or distribute those critical processes across multiple vendors. 

How MorganFranklin Can Help 

MorganFranklin can help your company implement a third-party/vendor risk management program that best fits your needs. With experience from certified third-party risk experts, and flexible delivery models, MorganFranklin can help you implement a mature third-party risk lifecycle, GRC system/tool (automate your program and start a process at the push of a button), as well as supplemental process (e.g., key risk indicators, exit strategy considerations, maturity model analysis). 

Talk to one of our cybersecurity experts