Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.


5 Takeaways From Canada’s New Third-Party Risk Management OSFI Guidelines

4 min read
Featured Image

Throughout the years, U.S.-based agencies have typically led the way when it comes to third-party risk management (TPRM) regulations. By May 1, 2024, Canadian Federally Regulated Financial Institutions (FRFIs) are expected to comply with the TPRM guidelines published by the Office of the Superintendent of Financial Institutions (OSFI). The aptly-titled Third-Party Risk Management Guideline is well-organized and follows many of the same principles that have been previously established by U.S. agencies such as the FDIC and OCC.

Regardless of where your organization is based, it’s worth your time to understand some of the key takeaways.

5 Key Takeaways From the Third-Party Risk Management Guideline

Like most other TPRM guidance, the OSFI emphasizes that organizations are held accountable for the business activities that are outsourced to a third party. This means that organizations are also responsible for implementing an effective third-party risk management program. 

Here are some of the key takeaways from the guideline: 

  • Outcomes – FRFIs are expected to achieve six specific outcomes from their TPRM activities:
    1.  Governance and accountability structures are clear, with comprehensive risk management strategies and frameworks in place.
    2.  Risks posed by third parties are identified and assessed.
    3.  Risks posed by third parties are managed and mitigated within the FRFI’s risk appetite framework.
    4.  Third-party performance is monitored and assessed, and risks and incidents are proactively addressed.
    5.  The FRFI’s third-party risk management program allows the FRFI to identify and manage a range of third-party relationships on an ongoing basis.
    6.  Technology and cyber operations carried out by third parties are transparent, reliable, and secure.
  • Framework – The FRFI should create a third-party risk management framework that provides an organization-wide view of third-party risk. The framework should also span the lifecycle of third-party relationships, from the initial sourcing and due diligence to an exit strategy
  • Risk-based activities – The guideline includes a section on taking a “risk-based approach” to TPRM activities like risk assessments, monitoring, and reporting. In addition to the level of risk, the OSFI provides useful criteria for determining a third party’s criticality:
    •  the severity of loss or harm to the FRFI if the third party or subcontractor fails to meet expectations due to insolvency or operational disruption;
    •  substitutability of the third party, including the portability and timeliness of a transfer of services;
    •  the degree to which the third party or subcontractor supports a critical operation of a FRFI; and
    •  the impact on business operations if the FRFI needed to exit the third-party arrangement and transition to another service provider or bring the business activity in-house.
  • Subcontractors – Fourth and nth parties are often overlooked in TPRM, but the OSFI gives special attention to subcontracting risk. FRFIs should identify certain details about their third-party’s subcontractors, such as quantity and criticality, the effectiveness of their TPRM program, and concentration risk. 
  • Absence of contract – One notable highlight in the guideline is the mention of third-party relationships that don’t involve written contracts:
    • The absence of a written arrangement, formal contract, or agreement does not imply the absence of a third-party arrangement and third-party risk.

3 Tips to Comply With the Guideline

It can be challenging to know what to do next whenever new regulations are published, especially when the guidelines are lengthy and complex. Additionally, it's not uncommon for regulations to be updated later. 

Here are some tips that can help you stay in compliance:

  1. Follow the third-party risk management risk lifecycle – The six outcomes listed in the guideline are closely aligned with activities in the TPRM lifecycle. Identifying and assessing risk, monitoring third-party performance, and establishing proper governance and accountability are all part of a robust TPRM program.
  2. Compare your program – Do a side-by-side comparison of your current TPRM program with the OSFI guidelines. This can help identify any gaps in your program and gives you more information to align your processes to current regulations.
  3. Maintain good reporting and documentation – Make sure that any changes you make to your TPRM program are formally documented and reported to the appropriate risk committees and stakeholders. This ensures consistency throughout your program and will help keep you organized when and if any regulatory updates are released. 

Regulatory compliance may take some time and effort, but it’s a necessary task for many organizations. When followed correctly, TPRM guidelines will help protect your organization from third-party risk and can even support resilience throughout your operations.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo