Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

About

Venminder is an industry recognized leader of third-party risk management solutions. 

Our Customers

900 organizations use Venminder today to proactively manage and mitigate vendor risks.

Get Engaged

We provide lots of ways for you to stay up-to-date on the latest best practices and trends.

Gartner 2020
Venminder received high scores in the Gartner Critical Capabilities for IT Vendor Risk Management Tools 2021 Report

READ REPORT

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

resources-whitepaper-state-of-third-party-risk-management-2023
State of Third-Party Risk Management 2023 

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.

DOWNLOAD NOW

Understanding and Achieving Vendor Compliance

4 min read
Featured Image

Vendor compliance plays a huge role in the success or failure of your third-party risk management process. In essence, if your vendor has compliance problems, so too does your organization, especially in the eyes of an auditor or regulatory examiner. However, the term "compliance" is used broadly to cover different concepts. Let's take a closer look at the different types of vendor compliance and the risks associated with each.

Overview of Vendor Compliance Risk 

Vendor compliance risk comes in three flavors – external, internal, and contractual. Each type has its specific risks:

  • External compliance requires that vendors observe and comply with all laws and regulations that apply to the products and services they provide to your organization. Vendors may also need specific licenses to perform activities within a defined jurisdiction. Vendors who don’t comply with laws and regulations can negatively impact your operations, reputation, and bottom line, and regulators can hold your organization accountable for the compliance failures of your vendors.
  • Internal compliance requires that vendors abide by your organization's internal rules, requirements, and processes as a condition of being your vendor. This includes following all third-party risk management requirements, such as completing vendor risk questionnaires and submitting due diligence documents on time. It can also apply to invoicing, change management, issue remediation, or any of your organization's internal requirements and processes. Non-compliant vendors create audit and exam issues, needlessly lengthen process cycle times, and cause friction and rework for your employees.
  • Contractual compliance means the vendor must meet specific terms, conditions, and requirements documented in the contract. All contractual obligations require your vendor's compliance, such as meeting specific service level agreements (SLAs) or notifying your organization of a data breach within a specific timeframe. Contractual requirements usually document external and internal compliance expectations for the vendor. Moreover, they can be sued, fined, or lose their contract if they fail to comply. Nevertheless, if your vendor fails to comply with its contractual obligations, your organization will also suffer negative consequences. 

4 Ways to Verify Vendor Compliance 

When asked, every vendor will claim compliance. However, third-party risk management practices dictate that your organization must verify vendor's compliance practices and controls.

To verify vendor compliance, do the following: 

    1. Before engaging a vendor, review their reputation. Do they have any regulatory actions, excessive customer or consumer complaints, or negative vendor news? A pattern of compliance violations is a red flag and can’t be ignored.
    2. During the due diligence process, it’s important to request and review the following:
      • The vendor's compliance policy
      • Proof that employees have regulatory and compliance training 
      • The vendor's third-party risk management practices, including how they manage their vendors' compliance and proof of risk assessment and monitoring.
      • Current inventory of all required licenses (for products and services requiring them)
      • Any regulatory enforcement actions
      • The vendor's customer/consumer complaints and resolutions log
    3. During risk reassessment, review and validate the vendor's risk assessment questionnaire to ensure that it’s current. Also gather updated due diligence documentation for formal review.
    4. During ongoing monitoring, stay aware of compliance issues and trends within your vendor's industry and your own. Be sure to keep your eyes open for any negative vendor news. Risk monitoring and alert services can be instrumental in helping your organization determine if there have been external vendor compliance failures.

achieve vendor compliance

The Path to Vendor Compliance

Identifying and understanding the risks of vendor non-compliance is essential, but how do you and your organization compel compliance? Here are the best ways to ensure vendor compliance:

  • Clearly state your expectations, both verbally and in writing. Summarize verbal conversations in an email and send it to the vendor, asking them to confirm their understanding.
  • Provide written documentation detailing specific internal requirements or processes to be met.
  • Include all compliance requirements in the contract.
  • Require your vendor to disclose any of their third parties (your fourth parties) critical to delivering your products and services. 
  • Practice risk monitoring and management. Look for any changing, new, or emerging compliance risks and address them immediately.
  • Vendor performance management matters and you should identify and address any possible compliance failures early before an incident occurs.
  • Document any law or regulation changes and send them to the vendor in writing. Request that they acknowledge the changes and provide a documented response stating whether they’ll be able to comply or if changes are necessary for them to meet compliance.
  • Pay attention to your vendor's industry, looking for any trends or changes that might affect your vendor's compliance (external, internal, or contractual).
  • Take firm and immediate action when your vendor has a compliance failure. At a minimum, you must document the issue and require a remediation plan and timeline from the vendor. In severe cases, contract termination may be the best plan.

The responsibility of maintaining vendor compliance lies with your organization, whether it's internal, external, or contract-related. You must do your homework before entering a relationship with a vendor to ensure that the tools, practices, and controls are in place to comply with laws and regulations.

Furthermore, documenting your compliance expectations and requirements for the vendor, in the contract and otherwise, is always recommended. Monitoring your vendor's risk profile and performance are good ways to spot potential compliance issues before they become major problems.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo