SEC 2024 Examination Priorities: Third-Party Concentration Risk and Essential Business Operations


If you stay up to date on the SEC’s annual priorities report, you may have noticed that the 2024 Examination Priorities was released a few months earlier than usual, to align with the start of the federal government’s fiscal year. The early release of this publication and the omission of environmental, social, and governance (ESG) issues are just a couple of the main differences you’ll discover in the 2024 report.

However, the relationship between third-party risk management (TPRM) and operational resiliency continues to be a focus area of the SEC, and it’s worth reviewing two notable additions that will help you prepare for the year ahead.

Note: Text taken directly from the report is noted in italics.

What Are Essential Business Operations and Critical Third Parties?

The report states that examiners will evaluate how organizations identify and address risks to essential business operations. So, what’s considered an “essential” business operation or vendor? It may help to think in terms of the third-party vendor’s criticality or the impact a vendor might have on your operations. Here’s a quick exercise you can use to determine whether a vendor’s product or service is critical.

Ask yourself the following three questions about one of your third-party vendors:

  1. Would our organization be significantly disrupted if we suddenly lost this vendor?
  2. Would our customers be significantly impacted if we suddenly lost this vendor?
  3. Would our organization or customers be significantly impacted if we experienced a service disruption that lasted longer than 24 hours?

If you answer “yes” to any of these questions, that’s a good indication that the vendor is critical. Furthermore, you’ll notice that two of these questions address the impact on your customers, which is sometimes overlooked in the discussion of criticality or essential operations.

Once you’ve identified vendors that are critical to your organization, it’s important to perform the highest level of due diligence and ongoing monitoring. Periodic risk re-assessments and due diligence should occur at least once a year. Remember to keep a record of all due diligence documents as examiners may look for these.


How to Manage Third-Party Concentration Risk  

In addition to essential business operations, the SEC also plans to focus on concentration risk associated with the use of third-party providers. Third-party concentration risk can refer to two different situations:

  • The first is when your organization relies on a single third-party vendor to provide multiple high-risk or critical products and services. You can probably imagine the negative impact your organization would face if this vendor were to suddenly fail or go out of business.
  • The second situation would be one in which a significant number of your organization’s vendors are concentrated in the same geographic location. In this case, a natural disaster or another external event could potentially impact most of your vendors and create operational disruptions for your organization.

Depending on your organization’s needs, it may not be possible to completely eliminate third-party concentration risk. Therefore, you must address this risk within your third-party risk management program. 

Here are some tips to keep in mind:

  • Consider backup vendors – During the vendor selection process, you may want to consider whether there are any reliable backup options that you can turn to if necessary. If you’ve identified an acceptable backup or alternate vendor, this should be included within your exit strategy.  
  • Review your vendor’s business continuity (BC) and disaster recovery (DR) plans – A vendor’s BC/DR plans are important documents that should be reviewed during the initial and ongoing due diligence processes. These plans will give insight into how your vendor will respond to a business-disrupting event and how quickly they expect to return to normal operations. BC/DR plans should also be tested regularly to ensure they’re effective.
  • Monitor closely and utilize risk intelligence – Managing vendor concentration risk means monitoring those vendors more closely for any signs of new or evolving risks, but news alerts can only take you so far. To ensure that you have real-time third-party risk information, consider utilizing professional risk intelligence firms, which can alert you to a vendor’s poor cyber risk practices, declining financial health, negative news, known threats, and vulnerabilities that can spell trouble for your vendor – and ultimately your organization.

The SEC is just one of several regulators that have increased their focus on third-party risk management in recent years. Along with the recent Interagency Guidance on Third-Party Relationships: Risk Management, these priorities reveal the strong connection between an organization’s operational resilience and the effectiveness of its third-party risk management program. By identifying your critical vendors and understanding concentration risk, your organization will be better equipped to operate safely and soundly with your third-party vendors.
