Your Vendor List - The Creation, Managing and Ongoing Maintenance


Anywhere your company is spending money for a product or service, well, that’s a vendor of some sort. As part of your vendor management, you need to start by knowing exactly who your vendors are.

A best demonstrated practice is to periodically have your accounts payable area produce a list of all payments made, which means you’ll have thousands of records!

Fortunately, only a small number from the list will require full oversight and due diligence once you weed out the single-use and/or no-risk suppliers.

Let's walk through some steps that can guide you as you create and manage your list.

And side note, the information below is intended to supplement a fully documented vendor management policy and program.

Creating Your Vendor List

  1. Establish a threshold for vendors to be reviewed. This can be determined by setting a targeted expenditure amount (e.g., all payments made to a service provider over $50,000 on a quarterly basis)
  2. Request from Accounts Payable a report detailing all expenditures over the threshold amount to include the name of the service provider, the frequency of spend and the amount of spend
  3. Review the list, often received in Excel or a custom query format, for accuracy
  4. Determine which items should be removed; typically, there are certain expenses that may not actually be forward-looking recurring expenses but anomalies or discontinued service providers which can be removed from the list
  5. Determine any vendors that should be removed if they are mandated by the board or audit committee (e.g., a consultant hired to do a board level recommendation)
  6. Communicate to the senior management team the need for a detailed review of the list to determine which ones are going to continue to be used
  7. Once finalized, this will often pare the Accounts Payable list by 2/3 or more into a list of vendors who need to be actively managed from a risk standpoint
  8. Once finalized, present to senior management or risk committee for approval
  9. Compare the list to the documented scope in the policy statement, adjust the scope if needed and get it approved by the board

Now, repeat the entire process at least twice a year!


Managing Your Vendor List

13 points to help guide you as you manage your vendor list...

1. Once the final list is determined and approved, the basic list itself should be stored electronically for easy review and examination purposes

2. Ideally, as new vendors are planned to be added, the business unit follows a formal process to have them added based on a process described in the vendor management program document

3. The vendors that are to be actively managed need to be risk rated. Consider first if they are a “critical vendor” by asking if a sudden loss of the vendor would cause a material disruption to the business, if the disruption would impact the institution’s customers, or if the return to normal operations would take greater than a business day. If the answer to any of these is “yes”, then they are a critical vendor.

4. Next, consider any possible categories of risk (e.g., but not limited to, Operational Risk, Transaction Risk, Financial Risk, Compliance Risk, Strategic Risk, Reputational Risk, Expense Risk)

5. Ideally, an objective questionnaire should be applied for each category of risk to arrive at an inherent risk rating for each category and aggregated to a total risk score.  These objective questionnaires are typically available through such sources as Shared Assessments SIG or SIG lite or in a scorecard prepared by subject matter experts in the institution, yielding a rating such as high, medium or low for each category

6. Once this inherent risk assessment has been created, carefully consider what steps can be taken to reduce any areas of high or medium risk; for example, if they are a high transaction risk, perhaps set up ongoing transaction monitoring to quickly catch any anomalies; or if they are a high compliance risk, consider gathering a copy of their regulatory compliance policies as part of due diligence

7. Once these controls are in place, review and determine if they more satisfactorily answer the questions; if so, their residual risk may be lower than their inherent risk

8. The result of these risk assessments and accompanying narrative should be stored

9. Typically, Excel spreadsheets or Word documents are not sufficient since they lack the ability for mass updates or for easy tracking.  More sophisticated programs require a software platform specifically designed for vendor management purposes

10. The results of the risk assessment, in aggregate, should be included in reports to senior management and the board.

11. The information learned in the risk assessments should be refreshed on a regular basis; a best practice would be to do Critical or High risk vendors annually, Medium risk every other year and Low risk in advance of a contract renewal

12. The results of the risk assessment inform the depth of due diligence review or frequency and type of ongoing monitoring.

Ongoing Maintenance of your Vendor List

How do you keep the list and your process current?

1. Establish, with the assistance of the institution’s compliance or legal function, a requirement that all new potential vendors follow the documented process

2. Be prepared to report any deviations from the process to the appropriate senior management team

3. Not all vendors must go through the full risk assessment and due diligence process, as some will be determined to be one-time use or materially insignificant (e.g., office supply provider, a one-time use consultant). Those that are readily apparent should not be added to the actively managed vendor list

4. At least twice a year, review the entire list as described above through accounts payable and involve senior management in the determination

5. At least annually, present the vendor management policy and program to the board for renewal and, if new regulatory guidance is issued, update and present for approval.

6. In advance of a vendor coming up for renewal, follow the same process as a new vendor, except bring in any sort of experience-based information that may result in either a non-renewal or a need to change relevant terms, such as required reporting or contractual provisions.  Ideally this is done at least a full quarter prior to the timeframe required for notification of non-renewal.

Make sure you have the resources to accomplish all of this

This is no small workload!

Make sure your staffing and resources (internal or external) are adequate to address the number of vendors you have. And if not, it may be time to consider outsourcing the work.
