Categorization of Suppliers / Third Parties
The organization's commitment and resources for managing a supplier will vary depending on the supplier’s level of criticality. Therefore, all suppliers will be classified according to a defined methodology. Here is an example:
Step 1: Determining impact of supplier’s services on the organization
The impact on the organization in the event of a disruption in the services provided by the supplier is assessed and classified.
|
Impact Level |
In case of disruption of the service(s) provided, one of the following consequences may occur. * |
|
High |
· Critical applications or infrastructure services that support those application are significantly impacted · Projects related to critical business processes or applications are significantly affected · Information security risks increase
|
|
Medium |
· Critical applications or infrastructure services that support those application are partially impacted · Projects related to critical business processes or applications are partially affected · Standard applications or infrastructure that support those application are significantly affected · Projects related to standard business processes or applications are significantly affected |
|
Low |
· Standard applications or infrastructure services that support those application are partially impacted · Projects related to standard business processes or applications are partially affected
|
Step 2: Determining value and importance
The services and products covered by the contract are classified based on how unique they are to the organization. The more unique and inimitable the service, the more valuable and important it becomes.
|
High |
The services/products offered by the supplier are specific and customized to the organization. For example software development |
|
Medium |
The services or products offered by the supplier require expertise, but similar purchases can be transferred to other suppliers with little effort. |
|
Low |
Services or products, such as consumables, are readily available from many suppliers |
Step 3: Determining the criticality level of the supplier
According to the results of Step 1 and Step 2 the criticality level of the supplier is determined.
If more than one contract associated with a supplier is available, the highest criticality level of the contracts becomes the criticality level of that supplier. So in such cases, the criticality levels of the contracts should be determined.
