Which statement best describes a critical vendor in third-party risk management?


Multiple Choice

Which statement best describes a critical vendor in third-party risk management?

Explanation:

A critical vendor is defined by the potential impact of their failure on your organization’s ability to operate, meet regulatory requirements, or maintain customer trust. This means the vendor provides services or access to systems that are essential to keeping the business running, compliance posture intact, and the organization’s reputation safe. Because the stakes are high, such vendors typically require deeper due diligence, ongoing monitoring, stronger contractual protections, and robust contingency and incident response plans to ensure continuity even if something goes wrong.

The other scenarios don’t describe criticality as it’s used in third-party risk management. A vendor that simply supplies office items is usually not tied to core operations or regulatory requirements. Relying on the smallest annual spend to define risk misses the reality that a seemingly low-spend vendor could be the sole provider of a critical service. Similarly, a vendor with no history of data breaches isn’t automatically low risk—risk is about potential impact and likelihood going forward, not just past incidents.
