Does COVID-19 Spark Vendor Risk Assessment Updates?

The short answer is, if you’re doing everything right, it shouldn’t. A good risk management program should already tell you what areas of your organization are most vulnerable to risk. However, the risk environment, and therefore the implemented controls, should be re-evaluated. Because of this unprecedented pandemic, we should all be paying more attention to the areas that have changed and will likely remain changed on the road ahead as we all navigate these unfamiliar times. To do this, we don’t necessarily need to change our risk assessments, but we should realize that our existing risk ratings may be moot, and as a result, may require making adjustments to our assessment calendar.

Inherent Risk vs. Residual Risk

Let me make some clarifications. There is a difference between an inherent risk assessment and a residual risk assessment. A vendor’s inherent risk to your organization should not change because of COVID-19. Inherent risk is an assessment of the greatest possible risk an engagement could pose if everything went wrong (such as a pandemic).

Also, remember this equation: Inherent Risk + Controls = Residual Risk

We don’t need to change the equation, but we do need to run it again. We need to go back out to our vendors and ask them what they are doing differently due to federal and state mandates to stay home or work under different circumstances. Policies you reviewed one, two or three years ago may have some unforeseen exceptions in place that were not accounted for in your last risk assessment.

So, What’s Changed?

Everyone is working from home. A vendor that once said they never allow employees to access their network remotely may have had to change that rule. A company that was in good financial standing a year ago may have encountered drastic, unexpected changes. A robust and well-staffed audit and security department may have been dialed back as companies struggle to stay afloat.

Once we know what our vendors are doing differently, we should assess whether controls are still in place and/or whether they are still effective. This might take some extra legwork on our end, as I would also expect vendors to respectfully request postponing client audits and questionnaire requests for as long as possible.

Taking all this into account, there will be inevitable adjustments to our risk assessment schedules. I realize it’s painful to reset the clock on current and validated risk ratings. But start with critical and high-risk vendors. Schedule a call to level-set on key controls and contracted obligations. If you find a vendor whose circumstances warrant a reassessment, try to come to an agreement on a practical timeline for when they can support it.

If you know a vendor has exposed you to risk, document and report it. If you’re not sure whether an inherently high-risk vendor’s controls are still valid, document and report it. It’s better to have accounted for and accepted risk than to have low risk across the board that has been poorly validated. When you adjust your review schedules, document why those adjustments were made. And in case you missed the emphasis: don’t forget… document everything.
