OCC Spring 2018 Semiannual Risk Report Affects Third Party Risk Management


The OCC recently released its semiannual risk report for the spring of 2018. You can read the full report here.

Anyone who has been following the Office of the Comptroller of the Currency for several years knows that the OCC, as the prudential regulator for national banks, is known to have set the gold standard for third party risk management. While other agencies seem to be in flux, with the Bureau of Consumer Financial Protection (BCFP or CFPB) halting any new guidance and limiting enforcement actions for the time being and state regulatory agencies lining up to step in, the OCC continues its drumbeat of caution as it pertains to third party risk management.

In fact, one needs to look no further than page 17 of the semiannual report to see the stark statement that “operation risk remains elevated partly because of increasing cyber threats and use of third-party service providers”. This statement certainly makes it seem like they’re not going to relax standards any time soon.

In the executive summary alone, third party concerns are mentioned five different times, largely in conjunction with concentration risk and a reliance on outsourced services to replace key bank functions.

Excerpt from the OCC Spring 2018 Semiannual Risk Report

Rather than parrot their words, I found the following section to be particularly important, excerpted verbatim from the report:

“Use of Third-Party Service Providers Is Increasing, and Critical Operations Are Increasingly Concentrated in a Few Large Service Providers

Banks increasingly rely on third-party service providers. Reliance on third parties for payments, transaction processing, and other important functions creates a high level of risk for the banking industry. Banks’ implementation of effective risk management processes to manage third-party risk mitigates this exposure and results in a stable environment. Banks’ focus on third-party risk management has resulted in fewer open concerns and MRAs related to this area. Continued effective due diligence, change management, and ongoing monitoring are essential for banks to effectively manage risks associated with (1) the use of third-party service providers for critical services, (2) increasing interdependencies and interconnectivity, and (3) the implementation of new products and services offered through emerging financial technology firms that leverage innovative technologies and delivery channels.

Consolidation has increased among significant service providers. The consolidation has concentrated reliance on a smaller group of third parties providing critical services, resulting in large numbers of banks, especially community banks, relying on a few large service providers for core systems and operations support.”

If there’s any doubt that third parties will be a focus in the upcoming examination cycle and in daily management activities, that should remove the uncertainty. As published by J.D. Supra here, a recent analysis of the risk report by Ballard Spahr echoed many of these same concerns, noting in particular the concentration risk referenced above, as well as the increasing concerns over cybersecurity related to new innovative products and services.

5 Vendor Risk Management Things to Do Next

So, what should we all be doing? Let’s think about five important takeaways:

  1. Even if you’re not an OCC bank, it’s worth taking note of these observations in order to keep your third party practices up to best-in-class specifications.
  2. Brief your risk committee and board on the concerns raised in the report and invite discussion of what steps are prudent.
  3. Noting their specific mention of due diligence and ongoing monitoring in the report, it’s a great time to make sure that your practices are thorough, sound and can be evidenced through ample work product.
  4. Engage your information security group and discuss where your institution is in its use of the cybersecurity assessment tool (CAT), if applicable, and other steps you’re taking to address cyber concerns (pro tip: document the conversation – always good to be able to evidence it in writing).
  5. Take a back-to-basics approach and be sure that your program documents are up-to-date and that you feel comfortable with the timeliness of your due diligence, risk assessment, ongoing monitoring and board reporting. If you do not, now is definitely the time to play “catch up”.

The spring report reflects many of the same concerns as raised last fall – so perhaps that’s good, but I look at it a slightly different way – as a second warning. The OCC is known for its in-depth requirements from a lifecycle management perspective as it pertains to third party risk management; this report is no different. It’s both timely and gives terrific insight into their specific concerns. The report, at only 29 pages in length, can be easily read and viewed in line with your current program documentation. Take the time needed to see how your program stacks up and heed the concerns raised in the report.
