Pub. 10 2021-Issue 2

The Community Banker, p. 12, FEATURE

The Difference Between Vendor Significance and Vendor Risk
By Leticia Saiid

It can be tricky to separate the concepts of risk and significance when it comes to vendor management. Are they just two paths saying the same thing? Does one depend on the other? How does due diligence play into those ratings? If you have asked those questions before, or if this is your first time seeing them, you have come to the right place. Let us explore this idea.

First, define vendor significance. Significance is about how much you rely on the vendor. How significant are they to your operations? A vendor could be insignificant, influential, or even critical. For example, a vendor would be critical if you needed their services for your business to survive, like your core provider. A vendor would be insignificant if their failure would have minimal effect on your business, such as your office supplies vendor. You could get by with help from Amazon or Walmart until you have a new vendor in place.

Next, define vendor risk. When talking about risk rating relationships with vendors, we often hear the question: is it inherent risk or residual risk? I believe it is neither. When it comes to your vendors, what you are looking at is transferred risk. Transferred risk is not the level of risk the vendor has before they apply controls, and it is not even the level of risk the vendor has after implementing them. Some people may describe the due diligence process as applying controls, and so feel that the risk level selected is residual after getting and reviewing those documents. Not at all. Instead, combined with vendor significance, due diligence is what provides you an accurate representation of transferred risk. It is the risk your bank is taking on by being in a relationship with the vendor, as-is. However, if needed, there are other measures you could pursue to reduce the transferred risk, such as specific insurance or requesting that the vendor obtain the necessary certifications.

One thing to note is that significance and risk are not necessarily correlated. Imagine an insignificant vendor, perhaps an office cleaning service. It is insignificant because (1) there are many companies from which to choose, and (2) if you had to go without the service for a few days, it would not be particularly harmful to the bank. At the same time, from a security standpoint, this vendor could be considered
