Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

About

Venminder is an industry recognized leader of third-party risk management solutions. 

Our Customers

900 organizations use Venminder today to proactively manage and mitigate vendor risks.

Get Engaged

We provide lots of ways for you to stay up-to-date on the latest best practices and trends.

Gartner 2020
Venminder received high scores in the Gartner Critical Capabilities for IT Vendor Risk Management Tools 2021 Report

READ REPORT

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

resource-whitepaper-state-of-third-party-risk-management-2022
State of Third-Party Risk Management 2022

Venminder's sixth annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.

DOWNLOAD NOW

Why You May Need Additional Vendor Documents

5 min read
Featured Image

Anyone who has worked in third-party risk long enough knows that when it comes to due diligence, you only get what you ask for, and sometimes, it’s like pulling teeth just to get the basics. We all know we need to collect documents, but it can be downright confusing. Often, we’re left with questions such as:

  • When do I need a SOC report?
  • What are the financials I should be looking for? 
  • What policies do I need?
  • What do I need to do as a baseline?

Beyond the Due Diligence Baseline

Most already have a good handle on the preliminary due diligence needs, but there are a few other document requests that should be used, not only in the vendor vetting period, but throughout the ongoing oversight and monitoring stages.

Let’s take a look at additional vendor documents you’ll need:

1. Financials. In addition to the annual report, if publicly traded, you’ll want to request a 10-K.  If they’re not public, you’ll need to request at least three years’ worth of audited financials along with an accountant’s statement, which can often be tricky! Make sure to stay vigilant.

Why request financials? Many organizations are still recovering from the instability incurred over the last year. In truth, many won’t recover or will continue to try to operate at a deficit, which makes it critical to check that your vendor’s financial documentation shows that they’re a healthy company with proven ability to support your needs.

2. Insurance. General liability insurance is not enough. You’ll also want to request:

  • Cyber insurance
  • Required insurance standards

Why request insurance documents? In many cases, this is required in order to remain compliant. In fact, the OCC 2013-29 states: “Verify that the third party has fidelity bond coverage to insure against losses attributable to dishonest acts, liability coverage for losses attributable to negligent acts and hazard insurance covering fire, loss of data and protection of documents.”

3. Service Level Agreements. Typically, when it comes to contractual standards, the norm is to simply make sure they exist. But, if you really want to cover your bases, you should also ask the vendor to provide record of outages and SLA violations (which is usually a contractual obligation).

Why request service level records? Every contract worth its salt will have SLA inclusions. But, do they outline a set of penalty clauses specifying what would happen should they fail to deliver? Mistakes happen, but an organization who takes their work seriously should keep detailed records around failure and remediation.

4. Policies and Plans. To protect your organization from all angles, it’s imperative you have a full picture of how your vendors operate. You can get a pretty accurate feel for this by requesting and reviewing:

Why request policies and plans? In order to truly understand your vendor’s operating model, and to make sure it’s in alignment with your own, you must have a comprehensive understanding of all the policies, procedures, processes and people involved that may apply to the services they provide your organization. You may look at the list above and think, “Do I really need to request my vendor’s social media policy?” However, think about it this way, what if they don’t have policies in place and one of their employees happens to share private information around a merger or new product before it was made public knowledge… This could have massive implications.

5. Examinations and Reports. In addition to the questionnaires you send out, you should also request:

  • Regulatory regional office record of audit reports
  • Penetration testing results
  • Business continuity testing results
  • Disaster recovery testing results
  • SSAE 18, SOC 1, 2 or 3 and bridge letter

It’s important to note that what you request will depend on the nature of services your vendor provides (For example, you don’t need penetration testing for a vendor that doesn’t host your data on their network and you don’t need disaster recovery testing, really, if your vendor doesn’t pose any business impact).

Why request examinations and reports? Especially after the many disastrous cyber vulnerabilities 2020 exposed, it’s more important than ever to determine if your vendor is secure. You’ll need as much information as possible about their risk management program, including areas of third-party risk management and responses to risky areas, such as cybersecurity.

6. Licenses or Certifications.  Depending on industry, in addition to any and all required licenses (e.g., state money transmitter license), you’ll also want to make sure you ask for:

  • HITRUST certification
  • HIPAA certification
  • PCI Attestation of Compliance (AoC)
  • ISO certification
  • NIST certification 

Why requests licenses or certifications? Some certifications, such as the NIST certification, are relatively expensive. However, with NIST in particular, you can be assured that any products you receive have specifically tested to ensure accuracy and the highest possible levels of measurement, quality and productivity. Meanwhile, the International Organization for Standardization (ISO) is the world’s largest, non-governmental developer of standards and works to maintain more reliable trade and levels of quality. While these are voluntary, holding some of these kinds of certifications help paint a picture of the type of organizations you decide to work with. The more assurances you have, the better.

Typically, risk management failures happen for one of three reasons:

  • Failure to set clear expectations
  • Vendors are improperly monitored
  • Vendors are taken at face value

You not only need to make sure you’re asking your vendors the right questions, but you also need to make sure you’re requesting the right documentation. Remember, you won’t get what you don’t ask for; and in this ball game, it’s better to have more than you need than not enough. 

Figuring out what vendor management documents you need is only the first step in the process, next you have to collect them. Download the infographic.

10-tips-to-collecting-vendor-due-diligence-documents

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo