
12 Common Red Flags Caught in Vendor Reviews


Third-party risk management is a constant cycle. With oversight guidelines from regulators, there is plenty of material about what vendor managers should be doing to manage their vendors effectively.

To review, here are 5 critical elements:

  1. Pre-contract due diligence
  2. Risk assessments
  3. Ongoing monitoring
  4. Annual assessments
  5. Board oversight responsibility

Review Vendor Documentation

First, let’s review the annual assessment function. Much attention has already been paid to the importance of organizing and completing annual assessments, but as with any discipline, the mindset of “you don’t know what you don’t know” is one to keep at the forefront. Experience has shown that by the time you need to know what you don’t know, it may be too late.

Here at Venminder, we specialize in reviewing all types of vendor documentation for our clients, including financials, contracts, SOC reports, policy and program documentation, and business continuity and disaster recovery plans. Each review is performed by a subject matter expert in that category. Your organization should be reviewing these same documents, or outsourcing the work to experts if needed.

Based on the many reviews we’ve conducted, we have compiled a list of common red flags to be aware of when performing your own assessments.

12 Red Flags in Vendor Reviews

Here are several red flags to watch out for: 

  1. The SOC report is “qualified” – the auditor found that one or more control objectives were not met, because a control was not suitably designed or was not operating effectively

  2. The SOC report lists exceptions with no management response, or with a response that doesn’t address how the exception will be remediated

  3. The SOC report is for a vendor that would store, process or transmit your data, yet it describes few or no data center controls and doesn’t mention a subcontractor. Either the report’s scope is too narrow, or the data center is run by a subservice organization whose controls you haven’t seen

  4. Business Continuity Planning (BCP)/Disaster Recovery Planning (DRP)/Business Impact Analysis (BIA) is missing

  5. The BCP/DRP were never tested

  6. The recovery time objective (RTO) and recovery point objective (RPO) were tested but not met, and the gap was not mitigated

  7. A vendor that stores personally identifiable information (PII) can’t provide an executive summary of a penetration test

  8. Oversharing – the vendor hands over confidential detail it shouldn’t, such as its intellectual property or a penetration test that spells out which vulnerabilities can be exploited and what information an attacker would get. A vendor that is careless with its own sensitive information is likely to be careless with yours

Specifically related to regulatory compliance, here are more red flags to watch out for:

  9. No evidence that staff are trained

  10. No mention of complaint management, complaint tracking or remediating complaints

  11. No fourth-party oversight (the vendor’s own vendors and subcontractors)

  12. No evidence of board approval of existing vendor management activities

Remember, at the end of the day, it’s your responsibility to protect your organization and its customers.
