5 Essential Components of a Vendor Risk Assessment


If you’ve worked in third-party risk management for any period of time, you’ve certainly been asked, “Have you done a risk assessment?” It’s a question asked so many times that it has probably lost its impact, but a well-written risk assessment is essential to fulfilling one of your obligations in the regulatory guidance on effective risk management.

It can be an overwhelming task – where do you start? We’ll go through the components of a risk assessment and walk you through what you need to do.

Component 1: Determining Business Impact and Regulatory Risk

First, you should determine the vendor’s business impact risk and the vendor’s regulatory risk impact on the organization.

Determining business impact risk helps you understand whether the vendor is critical or non-critical. There is a quite simple methodology for determining business impact risk: ask yourself the following three questions. If you answer “yes” to any of them, the vendor is critical:

  1. Would the sudden loss of this third-party vendor cause a disruption to our organization?
  2. Would such a loss have an impact on our organization’s customers?
  3. Would the time to recover normal operations exceed one business day or be greater than 24 hours?

Quick Tip: As a general rule of thumb, only 10-12% of an organization’s third parties are critical from a business impact standpoint, but if they’re critical, then they require special consideration. Often, that means developing a set of contingency plans and more rigorous monitoring.

Determining regulatory risk takes into consideration the primary categories of risk, plus others. These are strategic risk, reputation risk, operational risk, transaction risk, financial risk, regulatory risk and other risks such as interest rate, country, price and more. Answering questions to determine whether each of these types of risk exists will lead you to your second vendor risk rating, which is usually expressed on a low, medium or high scale.

Now you’ve completed the first step in the process and determined two risk ratings, which is a critical component of any risk assessment. To reiterate, because it’s extremely important: the first rating is whether the vendor is deemed critical or non-critical, and the second is the regulatory risk rating, often low, medium or high.

Component 2: Inherent Risk – What Is It?

You’ve probably heard the phrase “never judge a book by its cover” upon first meeting someone new. It means that your first impression of someone may not be accurate and may change. Funnily enough, vendor risk management has a first-impression risk score of its own, known as inherent risk.

Inherent risk is the risk that strikes you as soon as you first look at the third party, before any mitigating controls are considered. For example, if you’re performing your vendor due diligence and immediately notice that the vendor’s financials are declining year over year, or that they’re involved in pending litigation, then there’s likely a high financial risk posed to your organization.

Component 3: Mitigating the Inherent Risk

There’s some good news regarding the first-impression risk, aka inherent vendor risk. In many cases you can mitigate the inherent risk, which means you can take steps to reduce the risk present by implementing stronger controls and processes. Mitigating controls help you gain comfort around the vendor and determine what steps you can take to lessen the risk to your organization.

Here are two examples of mitigating controls:

  1. Review the vendor more frequently. For example, if it’s a high financial risk vendor, then you may increase the frequency of reviews to more than annually, such as quarterly.
  2. Write specific requests into the contract. Where possible, you can contractually obligate the vendor to fulfill specific due diligence requests or add additional requirements to the contract.

Component 4: The Residual Risk

Now you’ve mitigated the inherent risk by strengthening controls and contractual requests and are comfortable with the level of risk posed to your organization by using the outsourced vendor’s product or service. You may even be able to drop their risk rating a level, for example from a high-risk to a medium-risk vendor. This is known as your residual risk. It’s the risk you’re left with after mitigation, and it should be one that makes you comfortable moving forward with the vendor.

Quick Tip: The residual risk should never be more than the inherent risk. It should always be equal to or less than the inherent risk.

Component 5: Aggregate Results and Document Everything

In the final phase of the vendor risk assessment process, be sure to document the inherent risk, the mitigating controls and the residual risk for each category of risk. Then aggregate them into an overall set of scores, and create a reader-friendly risk assessment report for every third-party vendor you’re actively managing.

By including these components in your risk assessment process, you’ll build the foundation of a well-managed third-party risk program.
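As an added illustration of the five components working together (this is example code written for this article, not a Venminder tool or template), the following Python model captures the criticality questions from Component 1, per-category inherent risk, documented mitigating controls and residual risk from Components 2 through 4, and the aggregated, documented result from Component 5. It enforces the Quick Tip that residual risk can never exceed inherent risk, and additionally refuses a reduced residual rating that has no documented control behind it. The vendor, its answers and its ratings are constructed sample data; the choice to aggregate by taking the worst-rated category is an assumption, since the article does not prescribe an aggregation rule.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Rating(IntEnum):
    """Low/medium/high scale from the article; integer values make ratings comparable."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Primary risk categories named in Component 1.
RISK_CATEGORIES = ("strategic", "reputation", "operational",
                   "transaction", "financial", "regulatory")


@dataclass
class CategoryAssessment:
    """Inherent risk, documented mitigating controls and residual risk for one category."""
    category: str
    inherent: Rating
    mitigating_controls: tuple = ()
    residual: Optional[Rating] = None   # None = no mitigation applied yet

    def __post_init__(self) -> None:
        if self.category not in RISK_CATEGORIES:
            raise ValueError(f"unknown risk category: {self.category}")
        if self.residual is None:
            self.residual = self.inherent   # no controls, so residual equals inherent
        # Quick Tip from Component 4: residual risk is never higher than inherent risk.
        if self.residual > self.inherent:
            raise ValueError(f"{self.category}: residual {self.residual.name} "
                             f"exceeds inherent {self.inherent.name}")
        # A lower residual rating must be justified by at least one documented control.
        if self.residual < self.inherent and not self.mitigating_controls:
            raise ValueError(f"{self.category}: residual reduced without a documented control")


@dataclass
class VendorAssessment:
    """One vendor's assessment: the three criticality answers plus per-category ratings."""
    vendor: str
    sudden_loss_disrupts_operations: bool    # Component 1, question 1
    loss_impacts_customers: bool             # Component 1, question 2
    recovery_exceeds_one_business_day: bool  # Component 1, question 3
    categories: list

    @property
    def is_critical(self) -> bool:
        """A 'yes' to any of the three questions makes the vendor critical."""
        return (self.sudden_loss_disrupts_operations
                or self.loss_impacts_customers
                or self.recovery_exceeds_one_business_day)

    def overall_inherent(self) -> Rating:
        # Assumption: the worst-rated category drives the overall rating.
        return max(c.inherent for c in self.categories)

    def overall_residual(self) -> Rating:
        return max(c.residual for c in self.categories)

    def report(self) -> dict:
        """Component 5: per-category detail plus aggregate scores in one record."""
        return {
            "vendor": self.vendor,
            "critical": self.is_critical,
            "categories": {c.category: {"inherent": c.inherent.name,
                                        "mitigating_controls": list(c.mitigating_controls),
                                        "residual": c.residual.name}
                           for c in self.categories},
            "overall_inherent": self.overall_inherent().name,
            "overall_residual": self.overall_residual().name,
        }


def example_vendor() -> VendorAssessment:
    """Constructed sample: a hypothetical payment processor with declining financials."""
    return VendorAssessment(
        vendor="Example Payments Co. (hypothetical)",
        sudden_loss_disrupts_operations=True,
        loss_impacts_customers=True,
        recovery_exceeds_one_business_day=False,
        categories=[
            # High inherent financial risk (Component 2), reduced by the two
            # kinds of control described in Component 3.
            CategoryAssessment("financial", Rating.HIGH,
                               ("quarterly rather than annual review",
                                "contractual obligation to deliver audited financials"),
                               residual=Rating.MEDIUM),
            CategoryAssessment("operational", Rating.MEDIUM),
            CategoryAssessment("reputation", Rating.LOW),
        ],
    )


if __name__ == "__main__":
    import json
    print(json.dumps(example_vendor().report(), indent=2))
```

Running the module prints the sample vendor's report: it is critical (two of the three questions answered "yes"), its overall inherent rating is HIGH because of the financial category, and its overall residual rating is MEDIUM once the documented controls are applied. Constructing a `CategoryAssessment` whose residual is higher than its inherent rating, or lower without any listed control, raises a `ValueError`, which is the check a reviewer would otherwise have to perform by hand.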

Use this mini guidebook to dive deeper into vendor risk assessments. Download the eBook.
