Does Your Critical Vendor Have an Effective BCP Plan?


Business continuity planning ensures that a business's key operations, products and services continue to be delivered during and after a disruption, either in full or at a predetermined level of availability. For a vendor, that level is often written into the Service Level Agreement (SLA) that forms part of your vendor contract.

There's no doubt you have your own Business Continuity Plan (BCP). However, since you are likely joined at the hip with more than a few vendors, their preparedness should meet or exceed your own plan. To understand a critical vendor's BCP, you have to know what to look for and which key points should always be included. That knowledge lets you judge, rather than assume, whether your vendor is prepared for a disruption.

13 Items to Look for In Your Critical Vendor's BCP

When assessing your critical vendor's business continuity plan, make sure it includes the following items and administrative controls:

  1. Personnel loss and planning (who steps in when key staff are unavailable)
  2. Relocation plans
  3. Remote access availability
  4. Facility loss contingencies
  5. Pandemic contingencies
  6. Breach/disruption notification procedures (who is notified, how quickly and through which channel)
  7. Testing procedures
    • Testing should be done at least annually
    • Gaps revealed by testing should be reviewed and addressed in the next plan update
  8. Copies of the plan are held offsite in secure locations and are readily available, so the plan can still be reached when the primary site or network is not
  9. The plan is reviewed, tested and updated regularly (at least annually, and after any change to the systems or personnel the plan depends on)
  10. The plan has senior management or board approval and involvement
  11. Sub-service vendor communication plans if critical functions are outsourced
  12. SLAs and contractual obligations for outsourced systems
  13. Geographically diverse failover or backup locations that are:
    • Close enough to allow timely data replication (distance and link latency determine how current the replica can be)
    • Far enough apart that a natural disaster common to the area cannot affect both locations
    • Far enough apart that a man-made disaster cannot affect both locations

Business continuity plans should include information on your vendor's Business Impact Analysis (BIA). Ask yourself:

  1. Is a BIA performed?
  2. How often is it reviewed and updated?

The Business Impact Analysis Should Include These 3 Items

  1. Recovery Time Objective (RTO) – The targeted duration within which a business process must be restored after a disruption in order to avoid unacceptable consequences of the break in business continuity.
  2. Recovery Point Objective (RPO) – The maximum age of the data that must be recoverable from backup for normal operations to resume after a disruption; in other words, how much data (measured in time) you accept losing in a worst-case scenario.
  3. Maximum Tolerable Downtime (MTD) – The maximum period of time a given business process can be inoperative before the organization's survival is at risk. Because the RTO is the time in which recovery must be achieved, a process's RTO must always be shorter than its MTD.

Compare the vendor's RTO, RPO and MTD with the requirements of every one of your processes that depends on that vendor. Your process cannot recover before the vendor does, so the vendor's RTO and RPO must be no longer than your own; "meets or exceeds" here means shorter times, not longer ones. A vendor whose RTO is longer than its own MTD has a plan that cannot meet its own survival threshold, and that is a finding in itself.
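Doing this comparison by hand is error prone once several internal processes depend on one vendor. The Python script below is an added example for this article, not Venminder's code or tooling: it compares a vendor's BIA figures with the processes that depend on it, flags a vendor RTO that exceeds its own MTD, and flags a BIA that has not been reviewed within a year. The vendor and process names, the durations and the 365-day review threshold are all constructed assumptions.

```python
"""Compare a critical vendor's Business Impact Analysis figures with the
recovery requirements of the internal processes that depend on that vendor.
Added example, not from the original article; vendor and process names,
durations and the 365-day review threshold are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import timedelta

_UNITS = {"m": "minutes", "h": "hours", "d": "days"}
_DURATION_RE = re.compile(r"^(?:\s*\d+\s*[mhd])+\s*$", re.I)


def parse_duration(text: str) -> timedelta:
    """Parse compact durations such as '15m', '4h' or '1d 12h'; reject anything else."""
    if not _DURATION_RE.match(text):
        raise ValueError(f"unrecognised duration: {text!r}")
    total = timedelta()
    for n, u in re.findall(r"(\d+)\s*([mhd])", text.lower()):
        total += timedelta(**{_UNITS[u]: int(n)})
    return total


def fmt(td: timedelta) -> str:
    """Render a timedelta back into the compact d/h/m form used in the input."""
    mins = int(td.total_seconds() // 60)
    d, rem = divmod(mins, 1440)
    h, m = divmod(rem, 60)
    return " ".join(f"{v}{u}" for v, u in ((d, "d"), (h, "h"), (m, "m")) if v) or "0m"


@dataclass(frozen=True)
class Bia:
    rto: timedelta  # time within which the process must be restored
    rpo: timedelta  # maximum tolerable data loss, expressed as time
    mtd: timedelta  # downtime beyond which the organisation's survival is at risk

    @classmethod
    def of(cls, rto: str, rpo: str, mtd: str) -> "Bia":
        return cls(parse_duration(rto), parse_duration(rpo), parse_duration(mtd))


def review_vendor_bia(vendor: str, vendor_bia: Bia, dependents: dict[str, Bia],
                      days_since_review: int, max_review_age_days: int = 365) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs; an empty list means the vendor's BIA
    is no weaker than the requirement of every dependent process."""
    findings: list[tuple[str, str]] = []
    # The vendor's own figures must be coherent: a plan whose RTO is longer
    # than its MTD cannot meet its own survival threshold.
    if vendor_bia.rto > vendor_bia.mtd:
        findings.append(("critical", f"{vendor}: RTO {fmt(vendor_bia.rto)} exceeds its own MTD {fmt(vendor_bia.mtd)}"))
    for process, ours in dependents.items():
        # Our process cannot come back before the vendor does, so the vendor's
        # RTO must be no longer than ours. Beyond our MTD it becomes existential.
        if vendor_bia.rto > ours.mtd:
            findings.append(("critical", f"{process}: vendor RTO {fmt(vendor_bia.rto)} exceeds our MTD {fmt(ours.mtd)}"))
        elif vendor_bia.rto > ours.rto:
            findings.append(("high", f"{process}: vendor RTO {fmt(vendor_bia.rto)} exceeds our RTO {fmt(ours.rto)}"))
        # Data the vendor loses is data our process loses too.
        if vendor_bia.rpo > ours.rpo:
            findings.append(("high", f"{process}: vendor RPO {fmt(vendor_bia.rpo)} exceeds our RPO {fmt(ours.rpo)}"))
    # A BIA that has not been revisited may describe systems that no longer exist.
    if days_since_review > max_review_age_days:
        findings.append(("medium", f"{vendor}: BIA last reviewed {days_since_review} days ago (limit {max_review_age_days})"))
    return findings


def example_review() -> list[tuple[str, str]]:
    """Constructed sample: one core-processing vendor and two internal processes that use it."""
    vendor_bia = Bia.of(rto="4h", rpo="1h", mtd="24h")
    dependents = {
        "online banking": Bia.of(rto="2h", rpo="15m", mtd="8h"),
        "monthly statements": Bia.of(rto="2d", rpo="1d", mtd="5d"),
    }
    return review_vendor_bia("Core Processor Inc. (constructed)", vendor_bia, dependents, days_since_review=400)


if __name__ == "__main__":
    for severity, text in example_review():
        print(f"[{severity.upper():8}] {text}")
```

With the constructed data the vendor is fine for the monthly statements run but fails both the RTO and RPO requirement of online banking, and its BIA is overdue for review; those are exactly the points to raise with the vendor in the gap discussion described below. The severity split (over your RTO is "high", over your MTD is "critical") is an assumption of this example and should follow your own risk rating scheme.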

Regular reviews, together with plan exercises, give assurance that the vendor is prepared to respond to whatever situation arises, and they allow the corresponding plans to be improved so that the impact of an event is minimized.

Once you've reviewed the plan, have a qualified expert write up an analysis documenting any gaps and the overall findings. A qualified expert will usually hold a recognized certification such as Certified Information Systems Security Professional (CISSP). Once the analysis is written up and signed off, reach out to the vendor to discuss the findings and the next steps to mitigate any risk.

There are a few other key vendor risk management concepts that must be understood, documented and, most importantly, put into practice to have an effective third-party risk management program. We call these the pillars of third-party risk management.