Article written by:
Brooke Hauser
Senior, Information Technology Services
In our companion piece to this article entitled, “How to Identify Your Critical Vendors,” we discuss the many reasons it is so important to do so. We feel it is important to expand on that piece here, discussing the other end of the spectrum: non-critical vendors.
Referring to this level of vendors as “non-critical” does not suggest that they are not important to the supply chain process. It simply means that these suppliers do not pose the same degree of risks and rewards that critical vendors do.
Why is it important to distinguish a non-critical vendor from a critical vendor?
As important as it is to identify critical vendors, it is also important to identify non-critical suppliers to ensure smooth operations and any due diligence that may be necessary. You probably don’t plan to do business with any vendors that you simply hold unaccountable to your business.
It is simply a matter of sound and reasonable vendor control management to classify all vendors and treat each one accordingly. To some degree, you count on each supplier as a link to your overall success, so each must undergo its own type and level of scrutiny.
Ultimately, critical and non-critical vendors do require their own types of treatment, in terms of the types of assessments and regulatory reviews, as well as the frequency with which each type of vendor undergoes these reviews and assessments.
What is a non-critical vendor?
A non-critical vendor is one that does not undergo the same level of examination as critical vendors. Non-critical vendors generally do not have access to non-sensitive information within the business facilities. Therefore, they often do not do any work on the client’s business premises, nor do they have access to the client’s sensitive data or internal systems.
A non-critical vendor’s offering does not have the potential to affect the daily core competencies of business or put the company at risk for regulatory non-compliance. These vendors are the most benign, offering the vital goods and services without much, if any risk.
Here are just a few types of businesses that may be widely considered non-critical vendors:
- Office supply sellers
- Parts supply vendors
- Heating and cooling repair services
- Custodial services
These non-essential vendors provide goods or services on an as-needed and on-command basis, and they only enter the premises for brief and accompanied deliveries. Further, they have no access to electronic or physical files under the company’s care.
Finally, non-critical vendors simply offer support to the business for operations that allow employees to do their jobs efficiently, effectively and in comfort. They do not, however, have any impact on the final product or service. These vendors may affect productivity—in terms of employees having the work supplies they need and when they need them—but they do not affect the product or service provided itself.
How to treat non-critical vendors?
Considering the fact that non-critical vendors pose far fewer threats than critical vendors, it stands to reason that a non-critical vendor would not need to undergo on-site vendor assessments as critical vendors must. It is also far less likely that these vendors would be held accountable for regulatory compliance.
While non-critical vendors do not need to perform regular assessments or comply with government or private regulations and standards, they may need to conduct an examination if an incident occurs to better understand the event, its cause and if such an incident could ever expose the client business to risk in the future.
The main difference in treatment between a critical and non-critical vendor lies in the frequency between reviews and assessments.
Critical vendors generally undergo reviews once a year while non-critical vendors only face reviews once every two-to-three years.
Additionally, the goals for each type of vendor are different. For example, in a non-critical vendor assessment, you may simply send the vendor a questionnaire or request financial statements, if applicable. In the case of a critical vendor, you would need to send a questionnaire, visit the on-site facilities, obtain a SOC report and more.
Do you need more assistance in managing your non-critical vendors?
The great news about non-critical vendors is that they require less maintenance and scrutiny. Sometimes, however, it is challenging to distinguish which businesses are critical and which are non-critical, or how to treat them on a case-by-case basis.
We understand your confusion since there are so many vendors out there, and there is so much on the line. We can help you develop methods of classifying each type of vendor and developing a strategy to treat each one appropriately to ensure security, compliance and maximum efficiency.
Contact us so we can discuss this important topic in more detail.
