Why You Need Vendor Management (VM) Not Just Enterprise Risk Management (ERM)


I was talking to my friend Jeff the other day. Jeff works for a rather large organization. I asked him how he was handling third party risk management. He informed me that his organization has an enterprise risk management system, so they didn’t need a separate third party risk management system.

I hear this opinion from time to time. I hear people say they have a vendor management solution within their Enterprise Risk Management (ERM) suite. When I ask them how it’s going, there are always suggestions for improving the ERM vendor they chose. The certainty of complaints has become a given and the list of flaws in “the system” is usually long. There do seem to be five common complaints that come up early in the conversation, though; it often goes something like this…

The system won’t let me do the following:

  1. Enter multiple products for one vendor without entering all the vendor’s information over again
  2. Easily add/change/delete risk assessment questions
  3. Set automatic alerts by product and by product owner
  4. Generate the reporting our regulators want to see
  5. Enter multiple risk assessments for one vendor

It’s at this point that I usually stop and explain ERM.

What Is Enterprise Risk Management (ERM)?

ERM is part of Governance, Risk and Compliance (GRC) and its focus isn’t on vendor management. An ERM platform is, and should always be, focused on the 26 most widely accepted risk categories and on helping you track and roll up the risk for each into an overall risk score for your organization. An ERM system will concentrate on the SCORE risk categories: Strategic, Compliance, Operational, Reputational and Expense (Finance). ERMs aren’t designed to do vendor management. 

At the ERM level, you’re working to do the following:

  • Create policies
  • Determine the organization’s risk appetite
  • Evaluate all areas of risk for your organization

You'll find some ERM vendors who claim their platform is capable of handling vendor management. However, it has been my experience that these vendors are interested in making a sale and may fail to disclose how much work it will take to implement all the workarounds necessary for vendor management to operate in a functional manner.

Today, you need a strong vendor management platform. You may also require a strong ERM platform. What you don’t need is an ERM platform masquerading as a vendor management platform. That is, an ERM platform that may be able to be used as a vendor management platform, if you work very, very hard.

What Is Vendor Management (VM)?

Vendor management (VM) rests on six pillars: selecting a vendor, risk assessment (by product or service), due diligence, contractual standards, reporting and ongoing monitoring. Though there's a risk assessment component to vendor management, third party risk management is rolled up into the overall enterprise risk.

Third party risk is just one element within ERM, hence the need for vendor management. Vendor management focuses on the following:

  • Controlling costs
  • Driving service excellence
  • Mitigating vendor risk

Vendor management contributes to the organization’s risk profile but stands alone as a discipline.

A Quick Look at Vendor Management Systems

Implementing a dedicated vendor management system is a must. A vendor management system should do these six things and it should do them well:

  1. Help you select a vendor
  2. Create and perform individualized risk assessments on multiple products and services from the same vendor
  3. Give you the ability to track the due diligence for every vendor
  4. Establish reminders for all your contract dates as well as other significant dates
  5. Generate reports that your regulators want to see and allow you to modify them to meet your needs
  6. Provide support for all the ongoing vendor monitoring that your organization requires

Why You Need Vendor Management Separate From ERM

Trying to use one system to do both vendor management and ERM is like using the trunk of a Cadillac sedan to haul a washing machine. You tie the trunk down and it works but it’s the wrong tool for the job. Always use a truck. If you’re behind that sedan you hope the twine they used to tie the trunk down holds and the washing machine doesn’t fall out. You know that at any minute the car will hit a bump and the washing machine will fly out and an accident will happen.

Vendor risk is one component of enterprise risk. Each discipline, vendor management and enterprise risk management, is unique in its requirements and in its purpose. ERM is designed to be the enterprise risk management vehicle and the vendor management system is designed to handle enterprise vendor management. Two separate enterprise functions.

The ERM and vendor management system should be interfaced. That is, they should be able to seamlessly share data. That makes sense.

Let’s look at a few reasons why having a separate enterprise class vendor management system makes good dollars and sense:

  1. It’s a regulatory expectation. Vendor management, also referred to as third party risk management, is a regulatory hot button. As it should be! There are too many details in a vendor management system that must be well-managed in order to protect your organization from vendor risk.

  2. It’s complex. Overseeing hundreds upon hundreds - sometimes thousands upon thousands - of vendors is a Herculean task! It can’t be taken lightly and certainly can’t be ignored. There needs to be a team, and system, fully dedicated to vendor management before you can achieve effective oversight.

  3. Examinations are chaos. When you get the notice of examination, it can be quite a frantic time. But, it doesn’t necessarily need to be if you’re utilizing the right vendor management system and you’re giving vendor management the attention it deserves.

  4. Examiners expect it. Examiners expect every organization to have a well-developed vendor management program in place, separate from ERM.

  5. It’s expensive. We’ve seen large organizations spend millions of dollars trying to save hundreds by kludging together a vendor management program and forcing the program to utilize an ERM. The time and energy it takes to support the “frankenbuild” is astonishing. 

  6. Eventually you will fail. Using an ERM for vendor management fails 99% of the time. It fails hard and that’s never pretty.

Vendor management isn’t something to take lightly. It’s a mission critical function in every organization and it needs to have a strong focus and an established vendor management program with appropriate policies and procedures. It needs well-defined processes and a dedicated vendor management system.

Trust me, it’ll make your life easier. If you want to be a winner, streamline your internal processes, save your organization money and satisfy examiners, get a reliable vendor management platform, not just an ERM. You won’t regret it. 
