Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

About

Venminder is an industry recognized leader of third-party risk management solutions. 

Our Customers

900 organizations use Venminder today to proactively manage and mitigate vendor risks.

Get Engaged

We provide lots of ways for you to stay up-to-date on the latest best practices and trends.

Gartner 2020
Venminder received high scores in the Gartner Critical Capabilities for IT Vendor Risk Management Tools 2021 Report

READ REPORT

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

resource-whitepaper-state-of-third-party-risk-management-2022
State of Third-Party Risk Management 2022

Venminder's sixth annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.

DOWNLOAD NOW

How Many People Do You Need for Third-Party Risk Management?

5 min read
Featured Image

The effective identification, assessment and management of third-party risks are necessary for a healthy business operation and are a regulatory requirement for many industries. Still, the lack of skilled employees is a severe issue for many third-party risk management (TPRM) programs. As new regulations develop, there’s an emphasis on ensuring that organizations have sufficient staffing to manage their third-party risks effectively. Sufficiency isn’t just about the number of employees; it’s also about the level of those employees’ TPRM skills and expertise.

Issues with Understaffing

There are issues that arise with understaffing. Here are two big ones to be aware of:

  1. Underperformance: An understaffed TPRM program is likely to underperform against many of its objectives. The truth is that on any given day, there’s a lot to be done, reviewed, managed, escalated or documented by a third-party risk manager. Time is not an infinite resource, and priorities must shift, which inevitably means some part of the process isn’t getting the appropriate attention. The work piles up and less urgent tasks get pushed to the bottom of the list. Delayed tasks eventually become past due, and the program isn’t working well or even working at all.
    • Example: Suppose a critical vendor has declining performance that the first line vendor owner hasn't managed. Furthermore, the TPRM manager still hasn’t had time to review the vendor performance report because he or she is working with several stakeholders to ensure the onboarding of a critical vendor which has multiple fourth parties that are also considered critical. With time and attention needed in many other areas, a vendor with poor performance may slip under the radar and cause significant issues down the road.
  2. Delayed risk reviews: Due to insufficient subject matter expert (SME) bandwidth, annual risks reviews may be delayed because of making room for new vendor due diligence. The longer annual risk reviews are delayed, the higher the risk that new and emerging risks go undetected until there is a severe issue such as an information security breach, insufficient or expired vendor insurance coverage, untested business continuity or regulatory violation.
    • Example: Consider the situation where a risk review for a critical vendor is delayed because the TPRM staff is overwhelmed with other tasks. Because of this delay, the staff fails to notice that this vendor’s business continuity plan wasn’t tested which can cause major problems if there’s a business disrupting event.

No matter what the situation or reason, when there aren’t enough resources to ensure third-party risk management is working effectively, there are real impacts on the organization.

Considerations for Staffing a TPRM Team

There is no suggested ideal size or structure for a TPRM team. However, to determine the correct number of resources to support third-party risk management, one should consider the complexity of the organizational structure, the number of vendors under the management and how the work is performed.

It may also be helpful to ask the following questions:

  • What is the number of high-risk and critical vendors? These types of vendors may require more attention with frequent reviews and assessments.
  • Are there a lot of time-consuming, manual processes? It may take the same person more time and effort to complete a process that otherwise might be automated. Also, consider if these processes are prone to errors.
  • Are tasks and responsibilities aligned to those with the appropriate skill level, expertise and authority to handle them? For example, suppose the most senior third-party risk manager spends all their time with data entry and other administrative tasks. There will likely be less time to devote to more strategic and value-added activities such as collaborating with a first-line vendor owner to develop vendor service level agreements or ensuring the proper remediation of material issues.
  • Are stakeholders held accountable for their TPRM responsibilities? If the first-line vendor owners don’t provide adequate oversight over their vendors, then consider whether this responsibility falls to someone from the TPRM team. If so, then TPRM will need many more people to perform work not intended for them.
  • Is the business growing and adding more vendors or is the TPRM workload stable and predictable? Many of us know that there's no such thing as a slow season in TPRM and that workloads vary. Suppose the business is expanding and the subsequent outsourcing to vendors is also growing. In that case, it makes sense that you will need more resources to manage it all.

Even when processes are automated, tasks are undertaken by individuals with the appropriate skill level and the first line is held accountable, the workload still may be more than your current team can effectively manage.

How Many People Are Enough?

There’s no magic number, however we recommend the following as a guideline to calculate full-time employees (FTEs). As a general rule of thumb, this will be appropriate if you’re using an automated platform, with about 10-15% of your total vendor portfolio consisting of critical or high-risk vendors that require annual risk assessments and a great deal of ongoing due diligence. This formula will vary based on the type of organization you have and should consider the factors mentioned above:

  • 1-3 FTEs for up to 300 vendors
  • 3-5 FTEs for up to 500 vendors
  • 1 additional FTE for every 200 vendors beyond that

Keep in mind that there must be at least one senior member on this team that has the experience and skill (5+ years) to set the standards for TPRM, prioritize work, work across stakeholder groups to solve issues and train more junior team members.

Benefits of Outsourcing TPRM

If your organization isn't ready or resourced to add additional FTEs, there are other options. Outsourcing portions of the TPRM process isn’t only possible, but is an excellent way to add capacity without adding FTEs. Many companies offer third-party risk management services. In many cases, outsourcing processes like due diligence may make more financial sense than adding staff. By purchasing these services on a per case basis, you’re only paying for the time and services you need when you need them while receiving high-quality services from certified experts. This strategy removes the need for recruiting and training FTEs.

From a budgetary perspective, it’s often easier to secure funds for services vs. FTEs. If this is true in your organization, it might be time to look into outsourcing. One caveat, though, your organization is always responsible for the risk, so it makes sense to research your options thoroughly and ensure credentialed or certified experts provide the TPRM services.

Every organization has different resource needs when it comes to third-party risk management. However, when the work required to protect your organization and its customers from third-party risk while staying within regulatory guidelines isn’t achievable, it’s a problem that needs attention and action. Whether you decide to staff a TPRM team fully or outsource portions, or even the entire TPRM process, a healthy and fully functioning TPRM process is necessary.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo