Effective Vendor Management Policy & Program Q&A

During our recent three-day Third Party Risk Management Bootcamp, we had a lot of GREAT questions come in. It was impossible to get to them all during the live sessions, so we have worked with our speakers to compile the answers. Below you will find answers to questions posed during Day 3 - Session 1: Writing Effective Third Party Risk Management Policy and Program Documents.

Day 3 - Session 1 
Writing Effective Third Party Risk Management Policy and Program Documents

Branan Cooper
Chief Risk Officer

This session was led by Branan Cooper at Venminder, who went through the key items you need to know when creating policy and program documents. He has kindly provided answers to the following questions.

Q1: Is the third party risk policy required to be board approved?

Answer: “Yes, it is.”

Q2: Approximately how many pages should a Program doc be?

Answer: “Varies by institution and complexity but as a general average, probably 25-30.”

Q3: As part of ongoing monitoring, should we be expected to review relevant Policy & Procedures of the vendor, similar to the initial due diligence?

Answer: “Yes, particularly if they’re a critical vendor or one relying heavily on the use of subservice providers.”

Q4: In your experience, is it right for the Program, which is written by the Legal or Compliance teams, to make it mandatory that "business units create their procedures" for vendor management? Vendor Management is a multi-department approach in our case.

Answer: “No – I strongly prefer there is a centralized approach, as discussed in the session.”

Q5: Is the procedures guide referenced in the policy doc?

Answer: “Yes, absolutely.”

Q6: What are reasonable/generally accepted reasons for excluding vendors like utility companies? Stating in the Program that they're excluded because they’re uncooperative with the due diligence process would probably not be viewed favorably by an examiner?

Answer: “I understand your concern but pose the obvious question – if you can’t get the information required for due diligence, or do adequate monitoring and won’t get them to budge on contract provisions you’d like, are you really doing your third party procedures anyhow? I’ve seen both models, but it then sticks out like a sore thumb when you’re constantly having to get an exception for them and also explain to the auditors why you “failed” to get it… I recommend crafting strong wording in the exclusion – I’ve had questions but never had it become an issue. They absolutely should still be addressed by having appropriate business continuity planning, perhaps even an immediate failover provider.”

