
How to Conduct Effective Third-Party Due Diligence


Performing due diligence on your third parties is an essential part of managing third-party risk. Your organization must be confident that it is entering a relationship with a legitimate company that has a good reputation. Moreover, when the risks are elevated, you must be sure that your third party has the controls needed to mitigate the inherent risks of providing the product or service. Failure to validate both the company and its controls can lead to all sorts of problems, including financial loss, regulatory fines, harm to your reputation and brand, and negative impacts on your operations or your customers.

6 Tips for Conducting Effective Third-Party Due Diligence

When performed well, due diligence helps ensure that the risks in your organization’s third-party relationships are identified and controlled. Keep these six tips in mind to maintain consistency and effectiveness:

  1. Modify to the risk level: Not all third-party relationships are the same; therefore, the due diligence required will vary, but it should always be scaled in proportion to the risk. To state this a different way, every third party should undergo some level of due diligence, and as the risks increase, the due diligence must become more robust. Your critical and high-risk third parties should be subject to the highest level of due diligence.
  2. Always document processes: Your due diligence process should be formalized and documented, including the specific types of evidence (documents and information) you’ll be requesting from prospective third parties.
  3. Utilize subject matter experts: Determining whether a third party’s controls are sufficient requires expertise. Ensure that subject matter experts (SMEs) review the controls and provide a documented, qualified opinion. If you don’t have this capability in-house, you can outsource this process to professional third-party risk experts.
  4. Remediate issues as they’re found: If the SME finds the controls to be insufficient, or they discover any gaps or other issues, a formal remediation plan should be put in place. If the remediation is allowed to continue post-contract execution, make sure the remediation requirements are timebound and included in the contract.
  5. Finalize due diligence before signing the contract: Don’t sign your contracts until third-party due diligence is complete. Should issues be discovered, and you have already signed a contract, you’ll have little power to obligate the third party to fix the problem.
  6. Repeat the due diligence process as needed: Remember, third-party due diligence is repeated periodically throughout the relationship; it is never truly finished. If you have legacy third parties that never underwent due diligence, make sure they go through the process as soon as possible. The risk profile of any third party can change for better or worse, and your organization must have a good handle on what risks are present in the relationship.

3 Common Obstacles to Overcome

While most third parties fully cooperate with due diligence requests, you may find that obtaining the correct information to assess the third party’s controls can be challenging for some of the following reasons:

  • The third party is a relatively new organization and doesn’t have the required documents, for example an independent third-party audit of its controls (a SOC report) or audited financials. In this case, work with your SMEs to determine what other methods may be used to validate the controls. In some cases, your SME may determine sufficiency through a phone interview with the third party, or you may request a signed attestation. Whatever method is used, make sure it is documented and that the appropriate level in your organization approves the process exception.
  • The third party is very large and doesn’t fill out questionnaires or provide documents for due diligence. In this situation, you may be able to find its key documentation on the organization’s website. Many large firms will either post a public version of a SOC (standard operating controls) report on their website or provide a list of certifications stating that they must meet specific standards.
  • The third party is hesitant or unwilling to share documentation with you. When this happens, don’t hesitate to ask “why” directly. Most third parties understand that due diligence is a normal business protocol, so refusing to participate can be interpreted as potentially hiding issues. In some cases, the organization requires a non-disclosure agreement (NDA) before sharing the information, which is a simple fix. However, if there is no compelling reason for them not to share, it could very well be a red flag, and your organization should proceed with extreme caution.

3 Mistakes to Avoid

Effective third-party due diligence can be a challenging process with many different components. It’s important to take a proactive approach in identifying and preventing common mistakes that can diminish the effectiveness of your due diligence, such as:

  • Performing the same level of third-party due diligence on all vendors, regardless of the risk level. The higher the risk, the more due diligence is necessary.
  • Failing to periodically review third-party risk after the initial round of due diligence is complete. This may lead to new and emerging risks remaining undetected until there is a major problem.
  • Using residual risk ratings in place of inherent risk ratings. Some organizations will calculate a residual risk score after due diligence is complete. The residual risk score essentially indicates if the controls are believed to be effective or if more needs to be done to mitigate risk. The residual risk score should never be used to determine the required contract language, timing of periodic risk reviews or the frequency or level of performance monitoring as those must be aligned to the inherent risk rating only.

Third-party due diligence is a good business practice and a foundational part of third-party risk management. While it may be time- and effort-intensive, the payoff is that your organization can move forward into a third-party relationship with confidence. Knowing your vendor starts with initial due diligence and should continue through periodic risk reviews until the relationship ends.
