Russia-Ukraine War and Its Impact to Vendors: TPRM Considerations

The current war in Ukraine should be considered a trigger to proactively reach out via questionnaire to your vendors as part of ongoing monitoring, a third-party risk management best practice. The objective is to identify vendors currently impacted or with pending/potential impact, in order to support organizational risk decision-making.

Considerations for Third-Party Risk Professionals

Recommended vendor scope: Critical vendors and/or high-risk rated vendors

Suggested vendor operating locations: Ukraine, Russia and Poland should be the primary focus as there are confirmed impacts via the war, sanctions and cyber events. While the physical and direct operational impacts are localized, there could be expanding supply chain impacts based on fuel implications, and most notably the unknown cyber threats as the conflict continues and sanctions are implemented. Consider additional locations as impact expands or cyber-attacks are confirmed. If you are unsure of vendor locations, in particular which locations support the contracted products/services you utilize, then it's best to send the questionnaire to all the vendors you identify in your scope.

Best practices to consider:

  1. Customer contracts typically provide a “custom right to audit”, but smaller organizations may need to review their terms before this formal approach is pursued. Utilize lines of communication established by your vendor owners if there are any unknowns.
  2. This is not a business-as-usual due-diligence effort. Avoid sending your large questionnaire or out-of-the-box question set. Questions should be purpose-built.
  3. Consider simple yes/no responses for the primary questions to ensure you have an accurate picture and can quickly review the responses (especially if you plan to send to many vendors). Additional follow-up should be done to closely monitor for changes.
  4. Internal customer controls such as cyber/infosec (patching, data restoration testing and penetration testing) and business continuity plans (alternate vendors, or internal vendor absorption) should be tested or implemented either as a preventative or a reactive action based on responses received.

Sample Vendor Questionnaire for Event-Based Monitoring

Below is a question set designed for direct outreach to vendors to understand where products and services might be impacted. It has been made available to current Venminder customers as a pre-built external questionnaire ready to be utilized or further customized.

  1. Is your organization wholly or partially operating from Russia, Ukraine or surrounding regions? 
  2. Is there currently an impact to any of your organization’s locations?
    • Describe which recovery strategies your organization has activated.
    • Does the location currently impacted directly support our contracted products/services? 
  3. Has your organization conducted a risk assessment to determine the potential impact the geopolitical conflict may have on your organization?
    • What is the risk level as it sits today with your organization?
  4. Does your organization have financial or credit exposure related to the Russia / Ukraine region that may impact operations?
    • Do you have any customers concentrated in the affected regions?
    • Do you have any cash / revenue tied up in the affected regions?
  5. Does your organization have business continuity / resiliency planning in place to respond to and recover from current country conflict events?
    • Has it been tested in the past 90 days? 
    • Have you tested:
      • Business Continuity 
      • Disaster Recovery 
      • Crisis Management / Incident / Emergency Response 
  6. Do you have cyber and information security controls in place? 
    • Has your organization conducted a review of its cybersecurity insurance policies and how these events may impact the liabilities that may arise?
    • Have critical-risk patches and updates been applied to systems and software to ensure known vulnerabilities are mitigated?
    • Have you performed a data restoration test from backups within the past 30 days? 
  7. Have steps been taken to address any potential impacts associated with third parties that support your operations (our fourth parties)?
    • What is being done to ensure our fourth parties can continue to support the contractual obligations to you as a customer?
  8. Do any of your vendors wholly or partially operate from Russia, Ukraine or surrounding regions?
    • Please describe your efforts to determine whether your vendors operate from, or rely on resources within, Russia or Ukraine.
    • Have they tested incident response plans within the past 90 days with scenarios relevant to the Russia / Ukraine conflict to ensure a timely and appropriate response? (i.e. ransomware, DDoS, data destruction) 
    • Do you have a list of potential replacement vendors that could augment or step in to replace these affected vendors in the regions impacted by the geopolitical events?
    • Have your vendors conducted a review of their cybersecurity insurance policies and how these events may impact the liabilities that may arise?
