
Third Party Risk Q&A: Critical Vendors and More


During our recent three-day Vendor Management Bootcamp (click here to watch on-demand), we had a lot of GREAT questions come in. It was simply impossible to get to them all during the live sessions, so we took your questions and worked with the various speakers to compile the answers and make them available for all here.

Below you will find the questions and the speaker responses from Day 2, Session 1.

Answers kindly provided by:


Dana Bowers
CEO/Founder
Venminder, Inc.

Branan Cooper
Chief Risk Officer
Venminder, Inc.

Aaron Kirkpatrick
Information Security Officer
Venminder, Inc.

Critical Vendors

Q1: Should a vendor that receives PII OR a customer-facing vendor be considered Critical no matter other characteristics?

Answer: "No – those would typically indicate a higher regulatory risk level but not necessarily business impact."

Q2: What type of ranking system would you use for critical?

Answer: "High, med, low or 1 thru 5. Simply Critical or NonCritical." 
Download this infographic for the 3 questions to ask to determine criticality. 

Q3: If a vendor has a High Financial Impact, why would reviewing their financials shed light on anything beside their Max Allowable Downtime? If they impact your financials heavily, what information would their financial documents be able to clarify?

Answer: "To determine their overall financial health and whether they are going to be in existence a year or even a few months from now, particularly if you are reliant on them for a core function. Perhaps their management team may start leaving, they may also cut their level of support and service. Any of these could be problematic."

Q4: If a vendor isn't critical, meaning we can function without them, but their financials aren't very strong, would they be considered critical? Or is criticality solely based on our business need and not their financials?

Answer: "Only if their sudden loss would cause a material disruption to your institution or your customers. Criticality is related to business need."

Q5: We've been told internally and by external attorneys their professional standards meet or exceed anything we would be requiring and they push back any requests for information or rights to audit their processes. Do you experience that?

Answer: "I have certainly heard that, and they had been correct on their licensing and bar admission, but as we have seen there have been cases where certain attorneys have been less than reputable. Branan would always recommend a check of their credentials and a reputation risk check. Additionally, as mentioned in the session, you definitely need to look at their information security practices."

Q6: Do you maintain due diligence on the alternate vendor list if they are not currently active, but you need them in an immediate pinch to assume an active role?

Answer: "If they are an alternate to a Critical vendor and we may need them quickly, yes; otherwise, since low likelihood of needing quickly, no."

Q7: How would I find out if a vendor is having hiring/employee retention issues?

Answer: "Best way is to ask them (or if they are a larger company, can check Glassdoor or Salary.com)."

Q8: We have some vendors that could be easily replaced but may handle or see NPPI. Why would the sole fact that the vendor is subject to NPPI not make it a critical vendor?

Answer: "That would make them higher regulatory risk rather than critical."

Q9: How would one go about implementing an exit strategy?

Answer: "Usually, sit with the business relationship owner and IT/IS manager and discuss what steps would need to happen to replace the vendor; then meet with the vendor and do the same thing, then commit to writing, contemplating a gradual and immediate unwind."
Please contact our information security team if you need additional assistance.

Q10: We have Title and Appraisal providers as Critical. Is this typical?

Answer: "Not in my experience. They would typically be non-critical. Criticality is from a business impact perspective."

Q11: What happens when you have a provider that does business with hundreds of lenders on testing? We all cannot ask them to take a day out of their schedule to test.

Answer: "Discuss with the vendor how best to handle. Perhaps they can set aside a specific time period for everyone to conduct their testing. Or conduct an internal test and ask for evidence of their own testing."

Q12: How do you recommend testing an exit strategy or contingency plan with a critical vendor? We have evidence that our vendors test, but are struggling with how we would test when an alternate vendor is not always approved/in production.

Answer: "You could look at how long the onboarding process was for the current vendor, determine how you could have shortened that process in the case of a rush, and use the remaining time in your calculation of a Maximum Allowable Downtime for the institution. But you also would need to take into account the influx of other institutions to that new vendor in the case of another vendor failing. So that would increase the time required.

How do you test contingency plans with a critical vendor? Most larger vendors that acknowledge they're offering a critical service allow their customers to participate in at least disaster recovery testing each year. From what we see, only a very small percentage of institutions take advantage of this opportunity, but with the OIG's statement on FDIC-regulated institutions regarding continuity, that should greatly increase.

It can also depend on the vendor and how they’re integrated into your operations. If it’s a critical vendor, do you have a copy of your data in a format which isn’t proprietary to the vendor so that in the case of a failure, another vendor could import that data, even if it takes a little data mapping? That would really help with mitigating overall risk and the downtime while switching vendors during a business impacting event."

Q13: So Criticality lends to ease of replacement and Risk lends toward access to PPI?

Answer: "Generally, yes – though there is more than ease of replacement, it truly is disruption – before you even consider replacing them, please think more from a continuation of services standpoint and what could be done to bridge any interruptions."

Q14: Risk rating for large suppliers/vendors delivering multiple services/products across multiple contracts and contract owners: What is a good strategy to arrive at an overall risk rating for one such supplier?

Answer: "Opt for the most conservative rating – if any product or service for a supplier is High Risk or Critical, be conservative, it's always easier to determine that you can back down later than to get burned potentially by underestimating risk."

Q15: Is it a standard procedure to perform due diligence and risk assessment for a vendor's products?

Answer: "Yes, when needed or when they have different risk profiles (think of FIS having Regulatory University education website which would be Non-Critical and low risk; think of their multiple processing platforms, which would be Critical and high risk, each of which may have different SSAE 18 reports, for example)."
For a reminder of what SSAE 18 is, download our infographic.
