
Creating an Effective Vendor Contract Management System


Of all of the areas of third party risk management, perhaps the most difficult is handling contracts effectively. Whether it’s negotiating, tracking or simply finding all of them, contracts can be a real challenge.

Let’s talk about what an effective contract management system looks like.

First, what is vendor contract management?

Vendor contract management is a well-managed process for handling all agreements with the financial institution's third parties from start to finish. This includes all aspects of the contracts, such as:

  • Who is authorized to sign
  • How they are centrally stored
  • How they are tracked
  • Key provisions that must be included
  • How your customers' information is protected

Best practices in contract management

Ideally, your institution will have one designated area for all contracts – stored in one repository with tracking to make sure key terms, like expiration dates and renewal notice periods, are always observed.

If the contract process is already decentralized, it is extraordinarily difficult to get everything into one location, physical or electronic. It's not unusual to have people rifling through filing cabinets to find old, forgotten contracts. Putting in the time and effort is well worth it; after all, a great deal of responsibility is written into each party's side of the contract. Ideally, contract negotiation and drafting is done by experienced staff, including your legal counsel.

Common issues and problems in managing contracts

Setting aside the decentralized, often fragmented location of contracts, there are many other things that can go horribly wrong in contract management. In a haphazard approach to handling agreements, you may have multiple contracts with the same company from different lines of business. This can result in inconsistent provisions, poor tracking and missed pricing opportunities.

Additionally, if the authority to develop and negotiate a contract is delegated to various business areas, key provisions can be inadvertently omitted simply because the business manager wasn't aware of what needed to be included.

Consequences of not managing contracts well

There are too many bad things that can happen to possibly list them all, but some of the big ones bear mentioning. The most common danger is missing a key date, such as allowing a contract to auto-renew because you missed the deadline to notify an under-performing vendor that your financial institution "wants out".
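The missed-notice failure mode described here, and the single-repository tracking recommended under best practices above, come down to one date that is easy to get wrong: for an auto-renewing contract, the date to track is not the expiration date but the expiration date minus the notice period, the last day a non-renewal notice can still be given. The following Python is an added example, not code from the original article or from Venminder's product. It models a hypothetical central register, computes that notice deadline for each contract, classifies each one as of a fixed review date, and flags vendors that appear under more than one line of business; the vendor names, dates and notice periods are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Contract:
    """One row of a (hypothetical) central contract register."""
    vendor: str
    line_of_business: str
    expires: date
    notice_days: int       # days before expiry by which non-renewal notice must be given
    auto_renews: bool      # evergreen clause: silence past the notice date renews the term


def notice_deadline(c: Contract) -> date:
    """Last day on which a non-renewal notice can still be sent.

    For an auto-renewing contract this, not the expiration date, is the
    date the register has to track.
    """
    return c.expires - timedelta(days=c.notice_days)


def classify(c: Contract, today: date, lead_days: int = 60) -> str:
    """Return an action code for one contract as of `today`.

    `lead_days` is how far ahead of the deadline the owner is alerted, so a
    replacement or renegotiation can actually be arranged in time.
    """
    deadline = notice_deadline(c)
    if c.auto_renews:
        if today > deadline:
            return f"MISSED: notice window closed {deadline.isoformat()}, term will auto-renew"
        if today >= deadline - timedelta(days=lead_days):
            return f"ACT: send non-renewal notice by {deadline.isoformat()} or accept renewal"
        return "OK"
    if today > c.expires:
        return f"LAPSED: expired {c.expires.isoformat()} with no renewal in place"
    if today >= c.expires - timedelta(days=lead_days):
        return f"ACT: expires {c.expires.isoformat()}, renew or replace"
    return "OK"


def review_register(contracts, today: date, lead_days: int = 60):
    """Run the date check over the whole register and flag vendors that
    appear under more than one line of business (consolidation candidates)."""
    alerts = {
        f"{c.vendor} / {c.line_of_business}": classify(c, today, lead_days)
        for c in contracts
    }
    by_vendor: dict[str, list[str]] = {}
    for c in contracts:
        by_vendor.setdefault(c.vendor, []).append(c.line_of_business)
    duplicates = {v: lobs for v, lobs in by_vendor.items() if len(lobs) > 1}
    return alerts, duplicates


# Constructed sample register: vendor names, dates and notice periods are made up.
REGISTER = [
    Contract("Acme Core Processing", "Operations", date(2024, 6, 30), 90, True),
    Contract("Acme Core Processing", "Digital Banking", date(2025, 1, 15), 180, True),
    Contract("Northwind Statement Printing", "Retail", date(2024, 5, 31), 120, True),
    Contract("Contoso Pen Testing", "Information Security", date(2024, 3, 31), 0, False),
]
TODAY = date(2024, 3, 1)  # fixed "as of" date so the run is reproducible

if __name__ == "__main__":
    alerts, duplicates = review_register(REGISTER, TODAY)
    for key, status in alerts.items():
        print(f"{key:48s} {status}")
    for vendor, lobs in duplicates.items():
        print(f"{vendor}: {len(lobs)} separate contracts ({', '.join(lobs)})")
```

Run as of 1 March 2024, the Northwind contract is already past its notice deadline (31 May minus 120 days is 1 February) and will renew regardless of what anyone does now, even though its expiration date is still three months away; the two Acme contracts show up as a consolidation candidate. In a real register the rows would come from the repository rather than an inline list, and the review would be scheduled rather than run by hand.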

Additionally, if the contract doesn’t have strong mutual performance expectations, you may have little or no leverage to ensure that the vendor behaves the way that you’d expect. Perhaps the contract doesn’t contain the rights to audit or obtain appropriate due diligence, doesn’t have agreements to safeguard your members’ confidential information or strong requirements around regular reporting, or notification provisions in the event of a data breach – all of these can put your institution (and your customers) at real risk.

What do the examiners expect in the managing of contracts?

Let's turn to the regulatory guidance, specifically OCC Bulletin 2013-29, which gives very prescriptive instructions on contract negotiation. I won't repeat the entire section, but it is worth a detailed read.

To summarize some of the key expectations, the guidance lays out the following:

  • Nature and scope of the agreement – laying out key terms for the contract, particularly around the safeguarding of information, the frequency of review and a well-documented process for entering into a new relationship
  • Performance measures or benchmarks – identifying expectations and responsibilities on both sides of the relationship and the regular reporting required to support it
  • Responsibilities for providing, receiving and retaining information – strict standards on frequency and scope of reporting, addressing other regulations and even providing an exit should one party fail to meet its obligations
  • The right to audit and require remediation – this is one of the items we most frequently see missed: the ability to obtain adequate due diligence and to review reports of controls and other examinations
  • Insurance – the requirement to provide adequate insurance specific to the nature of the relationship
  • Dispute resolution – determine ahead of time how key differences will be settled
  • Limits of liability – determine who is responsible for loss or damage
  • Default and termination – set standards on what events may lead to termination of the agreement and spell them out in clear and definitive terms
  • Customer complaints – require notification and prompt resolution of any level of complaints
  • Subcontracting – establish standards and approval requirements for engaging additional downstream providers, particularly if they have access to your customers' information
  • Foreign-based third parties – establish expectations on the selection, hiring and training of such third parties and focus on their standards for protecting your customers' information
  • OCC supervision – the OCC, or your prudential regulator, will expect the right to review all work products associated with the service provider
  • Responsibility for compliance with all applicable laws and regulations – self-explanatory, but the service provider must follow the rule of law
  • Cost and compensation – this is often the part that gets the most attention and causes other areas to be overlooked
  • Ownership and license – who can use the bank’s brand, image and, most importantly, impact the reputation
  • Confidentiality and integrity – clear guidelines on expected behavior and proper maintenance of records
  • Business resumption and contingency plans – identify what the protocols are to maintain normal operations, as best possible, when disaster strikes
  • Indemnification – which party is liable in the event of something bad happening

And, finally….

Contract management isn’t easy – it requires a commitment, not only by the parties involved, but by your entire institution to make sure that agreements are entered into only in a very prescribed, controlled, centrally managed and uniformly enforced manner.

Your board and your senior management team must rigidly adhere to these standards, in the best interests of your institution, your examiners and your customers.
 
Before you sign your vendor contracts, make sure to negotiate these items. Download the infographic.
