The Board's Involvement in Vendor Management Is Necessary and Required

Vendor management is a complex set of processes that requires the involvement of many people within an organization, including its board of directors and senior management. Not only is it a sound business practice, but it’s also a regulatory requirement. The OCC’s Bulletin 29-2013 is just one of the guidelines that emphasizes the need for senior management and board involvement within vendor management. However, it should be noted that this guidance could be replaced with the Proposed Interagency Guidance on Third-Party Relationships: Risk Management, which was jointly proposed by the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC).

The regulatory requirements aren’t limited to those. Two other regulatory guidelines that cover this requirement of board involvement can be found in the Comptroller’s Handbook’s series on Corporate and Risk Governance and the FDIC’s Guidance for Managing Third-Party Risk, which we’ll cover briefly in this blog.

Importance of Board and Management Involvement

The board of directors and senior management play important roles in an organization’s vendor management program. In a broad sense, both groups are expected to set the “tone-from-the-top” to ensure that the vendor management program performs effectively. Without the most senior levels of the organization establishing clear goals and strategies, there will likely be many issues down the line.

Here’s a brief description that outlines both parties’ responsibilities:

What the Regulatory Guidance Says

Now that you have a better idea of how the board and senior management are involved in vendor management, let’s turn our attention to the guidance. After all, failure to remain in compliance with regulatory guidelines can lead to serious consequences.

The OCC Bulletin 29-2013 has this to say about oversight and accountability within risk management processes:

The bank’s board of directors (or a board committee) and senior management are responsible for overseeing the bank’s overall risk management processes. The board, senior management and employees within the lines of businesses who manage the third-party relationships have distinct but interrelated responsibilities to ensure that the relationships and activities are managed effectively and commensurate with their level of risk and complexity, particularly for relationships that involve critical activities.

The board of directors should specifically be responsible for the following tasks:

  • Approving critical third-party contracts
  • Identifying and reviewing ongoing monitoring results of critical activities
  • Reviewing the results of periodic independent reviews of the organization’s vendor management process
  • Approving risk-based policies that oversee the vendor management process

Additionally, senior management should perform these tasks:

  • Establish the organization’s risk-based policies
  • Develop the strategies for engaging third parties and identifying those involved in critical activities
  • Review and approve third-party contracts; keep in mind that the board needs to approve contracts for critical third parties
  • Terminate third-party relationships that don’t align with the organization’s goals and objectives

Oversight is also a theme in the OCC’s Corporate and Risk Governance publication, which specifies that the board is responsible for overseeing senior management and provides leadership for the organization. Other duties include:

  • Overseeing a compliance management system to ensure its effectiveness
  • Establishing performance standards for senior management
  • Ensuring that a system of internal controls is in place
  • Understanding the framework of legal and regulatory requirements that are applicable to the organization’s activities

The FDIC addresses board of directors and senior management involvement in its publication, Guidance for Managing Third-Party Risk:

An institution’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.

The guidance further states that the board should approve, oversee and review significant third-party relationships, while management should periodically review the third party’s operations to confirm consistency with the organization’s written agreement.

So, there’s no doubt about it – the responsibility of vendor management goes all the way up to senior management and the board.

A good starting point to ensure involvement is to make sure your organization has well-written governance documentation such as a vendor management policy, program and procedures.

