At the urging of examiners, many banks developed criticality rankings as part of their early vendor management programs. These criticality ratings were confusing, in part because they tried to assess how mission-critical a vendor was (really a business continuity planning question) while also trying to evaluate risk. Compounding the problem, many of the methods combine the scores from the various questions into a cumulative total, and that sum generates the criticality rating. Many banks then treated their “high criticality” vendors as their highest-risk vendors, performed the highest level of due diligence on them, and did so at the greatest frequency, often annually.

As many banks are now finding, this method is flawed in two ways. First, it blends risk with business continuity, which can be dangerous, misleading and confusing for users, and leads to inconsistency. Second, and more importantly, it never links the due diligence that needs to be completed to the actual risks that could exist. A vendor might score low overall because it is high in only one area and low in the other eight, so it is classed as a low criticality vendor. But that single risk should call for a specific type of due diligence to mitigate it, not lower the importance of the vendor until it is viewed as low criticality, which is often interpreted as low risk. The opposite happens too: excessive due diligence for vendors that may only need a financial or insurance review, rather than a full complement of SSAE16, information security, BCP/DR and other reviews. Finally, none of the criticality models we have seen have ever been validated. Often they were simply adopted from a template or example provided by a peer bank, so the flaws and misunderstandings about criticality have propagated across the industry.
That is changing, and the change is being led by us and a limited few consultants who really understand how to make a vendor management process both effective and efficient.
VendorINSIGHT® simplifies and automates the process considerably. A vendor has access to certain things, such as data, facilities, equipment, systems and customers, that create a propensity for risk to exist. The duration and value of the vendor relationship also create a propensity for risk. If the vendor has strong controls and those controls are validated, those risks may be mitigated. That is why we do due diligence: to assess those controls, evaluate the residual risk that remains, and put in place a monitoring plan for the vendor so that risk does not escalate beyond what we initially accepted. The key to classifying vendors is first to assess what relationship factors exist. Once the relationship factors have been identified, it is easy to know exactly what due diligence is needed. VendorINSIGHT® does this through its Vendor Relationship Profile (VRP).
For example, consider a technology vendor working on a one-time development or customization project who receives progress payments over the 12 to 15 months it takes to complete the work. One risk that exists because of the duration of the relationship is that the vendor might become insolvent or go bankrupt before the work is completed. A financial review of this vendor would be a prudent due diligence step.
In VendorINSIGHT®, predefined rules govern due diligence and automatically link vendor relationship profiles to due diligence and policy requirements. In this manner everything is automated, and users know exactly what to do and when to do it. The vendor management or risk management office also knows, and can govern these activities far more effectively than through traditional audits.
So, in the end, a vendor risk assessment (VRA) may or may not be completed for any given vendor, depending on the outcome of the vendor relationship profile. A VRA is simply one element, or type, of due diligence that can be completed. Many banks, because of their paradigm about criticality ratings, wrongly assume the VRA is the starting point for evaluating a vendor and must be completed in every case, when a VRP should always be the first thing established. In a sense, the VRP is a proxy for “criticality,” but in a more reliable form. It is a more logical assessment because, contrary to the flawed criticality calculators of the past, it assesses the propensity for individual types of risk to exist and can be linked logically to individual due diligence requirements and policy requirements.
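As an added illustration (this is example code written for this page, not VendorINSIGHT® code, and not how its VRP rules are actually implemented), the Python below contrasts the summed criticality score described above with rules that link individual relationship factors to the due diligence that mitigates them. The factor names, the 1 to 5 scoring bands, the sum thresholds, the rules and the three vendor profiles are all assumptions constructed for this example. It shows the failure mode from the first paragraph: a vendor with one high-risk factor and eight low ones sums to "low", while the rule-based approach still requires an information security review, and the customization project from the example above is routed to a financial review without any other assessment being forced on it.

```python
# Added example, not VendorINSIGHT code. Factor names, 1-5 bands, sum thresholds,
# rules and sample profiles are assumptions made for illustration only.

FACTORS = (
    "data_access",         # 5 = bulk customer data, 1 = no data at all
    "system_access",       # 5 = privileged access to production systems
    "facility_access",     # 5 = unescorted access to secure facilities
    "customer_contact",    # 5 = vendor deals directly with customers
    "service_dependency",  # 5 = operations stop if the vendor fails (BCP question)
    "duration",            # 5 = multi-year, 3 = roughly a year, 1 = one-off
    "contract_value",      # 5 = top spend band
    "subcontracting",      # 5 = material fourth parties involved
    "regulatory_scope",    # 5 = activity is directly regulated
)


def _check(profile):
    """Reject profiles that are missing factors or use out-of-band scores."""
    missing = set(FACTORS) - profile.keys()
    if missing:
        raise ValueError(f"profile missing factors: {sorted(missing)}")
    bad = {f: v for f, v in profile.items() if not 1 <= v <= 5}
    if bad:
        raise ValueError(f"scores must be 1-5: {bad}")


def summed_criticality(profile):
    """The legacy method: add every factor score and bucket the total.
    One maximum score is drowned out by eight minimum scores."""
    _check(profile)
    total = sum(profile[f] for f in FACTORS)
    if total <= 15:
        return "low"
    if total <= 30:
        return "medium"
    return "high"


# Each rule: (why it fires, predicate over the profile, due diligence it requires).
# Hypothetical rule set; a real programme would write its own.
RULES = [
    ("holds or processes sensitive data",
     lambda p: p["data_access"] >= 4,
     {"information security review", "SSAE16/SOC report review"}),
    ("privileged system access",
     lambda p: p["system_access"] >= 4,
     {"information security review"}),
    ("operations depend on the service",
     lambda p: p["service_dependency"] >= 4,
     {"BCP/DR review"}),
    ("engagement paid out over time, vendor could fail before completion",
     lambda p: p["duration"] >= 3 and p["contract_value"] >= 2,
     {"financial review"}),
    ("large spend or customer-facing liability exposure",
     lambda p: p["contract_value"] >= 4 or p["customer_contact"] >= 4,
     {"financial review", "insurance review"}),
    ("material subcontracting",
     lambda p: p["subcontracting"] >= 4,
     {"fourth-party review"}),
]


def required_due_diligence(profile):
    """Rule-based method: each factor that creates a propensity for risk is
    linked directly to the review that mitigates it. Returns (sorted items,
    list of reasons) so the office can see why each review is required."""
    _check(profile)
    items, reasons = set(), []
    for reason, predicate, reviews in RULES:
        if predicate(profile):
            items |= reviews
            reasons.append(reason)
    return sorted(items), reasons


# Constructed profiles for illustration.
DATA_PROCESSOR = {**dict.fromkeys(FACTORS, 1), "data_access": 5}    # one high factor
STEADY_SUPPLIER = dict.fromkeys(FACTORS, 3)                          # uniformly middling
CUSTOMISATION_PROJECT = {**dict.fromkeys(FACTORS, 1),
                         "duration": 3, "contract_value": 3}         # the 12-15 month project

if __name__ == "__main__":
    for name, p in [("data processor", DATA_PROCESSOR),
                    ("steady supplier", STEADY_SUPPLIER),
                    ("customisation project", CUSTOMISATION_PROJECT)]:
        items, reasons = required_due_diligence(p)
        print(f"{name}: summed criticality = {summed_criticality(p)}")
        print(f"  rule-based due diligence = {items}")
        for r in reasons:
            print(f"    because: {r}")
```

Running it, the data processor sums to "low" (13 points) yet is routed to an information security and SSAE16/SOC review, while the uniformly middling supplier scores "medium" but only needs a financial review. The reasons list is what makes the result governable: every required review traces back to the relationship factor that caused it.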