Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

resources-whitepaper-state-of-third-party-risk-management-2023
State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.

DOWNLOAD NOW

Third-Party Risk Examples

4 min read
Featured Image

Most organizations will need to rely on third parties at some point. Those relationships expose your organization to various types of third-party risk. Even if you understand the basic concepts behind these third-party risk types, it may be difficult to know how they could affect your organization. To improve understanding of third-party risk, we’ll cover examples of typical third-party risk types to illustrate how these risks manifest.

6 Third-Party Risks and Examples

02.01.2022-third-party-risk-examples-GRAPHIC-1

  1. Compliance: This risk appears when a third party fails to comply with laws and regulations that govern the products and services your organization provides to customers.

    Example:
    Your organization has a third party that provides loan services. The third party created a marketing campaign that advertised lower interest rates on future loans for consumers who repaid on time. However, thousands of customers filed a complaint, stating they weren't eligible for lower interest rates despite a history of on-time payments. The CFPB filed an action against the third party for violating the Equal Credit Opportunity Act, leaving your organization exposed to compliance risk.
  2. Strategic: The third party presents a strategic risk when its actions or decisions don't align with your own organization's objectives.

    Example:
    After creating a new product, your organization requires a third party specializing in its delivery or distribution. As you perform your due diligence on a selection of vendors, you discover that they all use the same type of technology to automate a particular function. However, two of the vendors you're vetting use outdated technology with a history of issues. Selecting a third party that uses aging technology would present strategic risk to your organization.
  3. Operational: A third party can present internal and/or external operational risks. Internal risk can relate to the third party's own ineffective or failed processes, people, controls or systems. External risk can be caused by outside events like natural disasters, cyberattacks or acts of terrorism, which are beyond the control of the third party.

    Example:
    Your organization relies on a third party to provide virtual customer service. Their customer service center is in an area known to have recurring natural disasters like hurricanes, flooding or wildfires. Even though they have business continuity (BC) and disaster recovery (DR) plans, the third party hasn't tested them in over a year. They may be unaware of new risks or issues that could make their plans ineffective. As hurricane season approaches, your organization will be facing operational risk because of your third party's untested BC/DR plans.
  4. Information Security: Cyber and physical security risks are under the umbrella of information security risk. Cyber risk is present when a third party has vulnerabilities that can expose your organization's data through events like cyberattacks and breaches. These vulnerabilities can be anything from an unsecured server configuration or weak policies regarding on-site visitors.

    Example:
    A third-party vendor is used to manage your customers' passwords. During the pandemic, they shifted to a hybrid work model. However, they neglected to update their information security policy with requirements specific to remote working. Your organization is exposed to information security risks and potential data breaches that can affect your customers.
  5. Financial and Credit Risk: A third party's financial health can significantly affect its ability to consistently provide quality products and services to your organization. Insufficient investor funding, cash or credit can expose your organization to financial and credit risk.

    Example:
    When performing due diligence on a potential new third party, your organization reviews its financial records and discovers that they have no available credit and less than six months' worth of operating cash. An unstable or unhealthy financial profile may indicate that the third party cannot provide products and services to your organization's expectations and may go out of business during the contract term.
  6. Reputation Risk: Third parties can impact your organization's reputation in many ways through poor service, lawsuits, data breaches or even misrepresenting its relationship with you. Your customers won't differentiate between your organization and a third party, so managing this risk is essential to protect your valuable reputation.

    Example:
    Your organization's third party suffered a data breach and began the process of notifying your customers who were affected. However, the third party mistakenly sent notification letters to your customers' next-of-kin. These letters revealed confidential health information such as illnesses, medications, and medical procedures. Understandably, your customers are upset and have filed a lawsuit against your organization for violating HIPAA laws which prohibit revealing patients' health records without consent. As a result, your reputation is severely damaged because of your third party's actions.

02.01.2022-third-party-risk-examples-GRAPHIC-2

3 Best Practices to Manage Third-Party Risk

Now that you have a better understanding of how third-party risk can affect your organization, let's review some best vendor risk management practices:
  1. Perform risk-based due diligence: After determining the vendor's inherent risk and criticality, you can proceed with collecting and reviewing due diligence. For critical or high-risk vendors, you'll want to review additional documentation such as BC/DR plans.
  2. Schedule ongoing monitoring: Vendors need to be monitored for risk throughout the relationship, not just at the beginning. Regular performance reviews, risk assessments, document collection, and monitoring will help your organization stay on top of existing risks and identify new or emerging risks.
  3. Report to the board of directors and senior management: Regulatory guidance requires that the board and senior management be involved in vendor risk management. By keeping them informed of vendor risk management activities, they'll be better prepared to set the "tone-from-the-top" and establish clear goals for your organization.

Third parties often provide significant value by delivering additional products and services or supplementing the capabilities of an organization. They can also present many risks that need to be appropriately managed. Identifying and managing existing, new and emerging risks will help your organization get more benefits from your third-party relationships.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo