
Third-Party Risk Management 101: Is It Easier to Have Less or More Vendor Types?

Jul 18, 2023

In an ideal world, every third-party vendor would always provide impeccable service, deliver on time, and never cause any operational hiccups. Unfortunately, that’s not reality.  

Financial institutions rely on many different third-party vendors, and not all present the same amount of risk. Some vendors can cause substantial operational, financial, or reputational damage to your institution if they fail. Others have a less significant impact. 

Third-party vendor risk comes in different shapes and sizes. Examples include: 

  • A marketing partner who forgets to include a required disclosure  
  • A service provider with poor cybersecurity that exposes your sensitive data  
  • A mobile banking provider that causes customers to be frustrated when its service goes down  

Understanding the risks and vulnerabilities of these vendors helps your institution mitigate the risks of working with third parties effectively and efficiently. Those that present the most significant risk require greater due diligence and oversight, with stricter contract provisions designed to protect your institution from vendor errors and misdeeds. Matching the level of scrutiny to the level of risk is the cornerstone of a risk-based approach. 


Classifying vendors: How many types should your financial institution have? 

Regulatory guidance requires financial institutions to classify vendors based on risk exposure. The guidance gives financial institutions leeway to create their own types of vendor classification. 

That leaves many banks and credit unions wondering: how many types is the right number?  

Some financial institutions choose three tiers of risk for third-party vendor management: 

  • Low Risk: These are the vendors whose potential to negatively impact your institution is relatively small, such as an office supply provider. A hiccup with this vendor may cause inconvenience, but it’s not likely to disrupt your business operations significantly. 
  • Medium Risk: These vendors have a moderate potential to impact your institution negatively. An example might be customer relationship management (CRM) software. If the software service has issues, it might delay some of your processes, but not completely halt your operations. 
  • High Risk: These vendors have a high potential to severely impact your financial institution. For instance, your core provider or vendors with access to sensitive data. Any significant issues with this vendor could lead to major business disruption or data breaches. 

Others choose five or even seven tiers, for example: 

  • Low Risk 
  • Medium-Low Risk 
  • Medium Risk 
  • Medium-High Risk 
  • High Risk 


Others use a scale from 1 to 5, where Tier 1 vendors are the most critical and Tier 5 vendors pose the least amount of risk. 

Fewer vendor types may seem like the easiest choice. Fewer types = Less work. 

Except, that’s not necessarily true. 

Why do financial institutions create vendor types? 

Financial institutions classify vendors based on the risk inherent in the relationship. This is commonly accomplished through completion of risk assessments, so that FIs can identify the riskiest vendors and mitigate that risk with increased monitoring and controls. Vendors labeled with the greatest amount of risk require significant oversight. 

When there are just three risk types, vendors with very different risk profiles are likely to be grouped together. That makes it unrealistic to define a single list of required documentation and information for everything in that type. Some third parties in the group have access to your data, which warrants collecting information to address that risk. Others in the same group may have no data access at all and are rated high risk only because your business-as-usual operations depend on their service; for those, a requirement to collect data-security information is unwarranted. It creates busy work with no real value.   


When there are five or seven vendor classification types, there is room for nuance. More specific requirements can be assigned to vendors based on the specific types of risk they pose to your organization. This means you perform due diligence at a level appropriate to the inherent risk, rather than requiring due diligence (including information collection) that adds nothing to your risk management efforts and wastes your already limited time and resources.   

The result is more efficient resource allocation.    

Takeaway: A little bit of nuance can actually increase efficiency 

Classifying third-party vendors based on risk exposure might seem like a daunting task at first, but it's an essential step in today's complex business world. Remember, the key is to understand your vendors well, classify them accurately, and adopt appropriate mitigation measures. In doing so, you'll not only manage your risks effectively but also build stronger, more resilient relationships with your vendors. 

Don’t be intimidated by a larger number of vendor types for risk assessments. A well-managed vendor risk assessment is a step towards a more secure and efficient organization.
