You have HOW MANY critical vendors?!?!?!?!? While building a vendor management program for a new client a couple of weeks ago, we worked with the various business units to identify the vendors that they do business with, reconcile against the AP system, categorize them, risk rate them, include/exclude from the vendor inventory based on inherent risk and define which ones were critical. Classic approach taken by Certified Regulatory Vendor Program Managers (CRVPM). I always find the perception of CRITICAL to be very interesting. We reviewed departmental Business Impact Analyses (BIA’s) to understand which functions were critical and then looked at which vendors the departments depended on and considered critical. Interestingly, Citrix and Cisco were noted as critical vendors. The institution’s IT department supported Citrix themselves.
Cisco was used for their firewall and routers which they maintained themselves. Their reasoning for defining them as critical was that the Citrix virtual environment was a part of their infrastructure backbone and Cisco firewalls and routers were critical components of infrastructure and also served as layers of perimeter defense. I asked what would happen if Citrix went out of business tomorrow. They said it wouldn’t affect them and that they could support the environment indefinitely until a suitable replacement was found. I asked what would happen if a firewall or router stopped functioning and they said that they had spares and could have more sent in overnight to replace them. Thus, the function of a virtual environment was critical but THE VENDOR WAS NOT. The functions of the firewall and router were critical but THE VENDOR WAS NOT. I find that most institutions have too many CRITICAL vendors on their list. So rethink your list and see if it reduces how many you have. And if you’re still pondering the list then use the criteria that regulators use:
- Can the vendor easily be replaced?
- If there is a disruption in service, would it cause significant operational or financial impact (as defined by your BIA) to the institution or its customers?
For more information on becoming a Certified Regulatory Vendor Program Manager, click here www.compliance-edu.com.
