Critical Vendor or Critical FUNCTION?
You have HOW MANY critical vendors?! I always find the perception of CRITICAL VENDOR to be very interesting. As Certified Regulatory Vendor Program Managers (CRVPM) know, when reviewing vendor management programs we typically see far too many vendors listed as critical, usually for one of two reasons: 1) the business unit thinks its vendors are critical when they are not (please, please show me your Business Impact Analysis (BIA)), or 2) the function itself is critical but the vendor can easily be replaced.

Here's an example. We recently conducted an assessment at a bank and reviewed departmental BIAs to understand which functions were critical, then looked at which vendors the departments depended on and considered critical. Interestingly, Citrix and Cisco were listed as critical vendors. However, the institution's IT department supported Citrix themselves, and Cisco was used for their firewalls and routers, which they also maintained themselves. Their reasoning for classifying both as critical was that the Citrix virtual environment was part of their infrastructure backbone, and the Cisco firewalls and routers were critical infrastructure components that also served as layers of defense.

I asked what would happen if Citrix went out of business tomorrow. They said it wouldn't affect them; they could support the environment indefinitely until a suitable replacement was found. I asked what would happen if a firewall or router stopped functioning, and they said they had spares on hand and could have more shipped overnight. Thus, the function of a virtual environment was critical, but THE VENDOR WAS NOT. The functions of the firewall and router were critical, but THE VENDOR WAS NOT.

I find that most institutions have too many CRITICAL vendors on their list. So rethink your list, and start by asking yourself:

  1. Is the vendor mission critical, or just important to a department? Show me the BIA!
  2. Can the vendor easily be replaced?
  3. Would a disruption in the vendor's service cause "significant" (as defined in your BCP and supported by your BIA) operational or financial impact to your institution or its customers?

It will be interesting to see how many critical vendors you really have.

March 24th, 2016 (2017-03-16T12:55:25+00:00) | 3rd Party Risk, Audit, ERM, GRC, Risk, Vendor Management