Vendor Management: A Successful Recipe for a Critical Vendor Review

As the year begins to wind down, our thoughts turn to the holidays, the time-honored traditions, and delicious recipes used in our celebrations. But, when it comes to third-party risk management, we should also be thinking about our annual critical vendor risk reviews.

As with holiday preparations, critical vendor risk reviews require proper planning, preparation, and tools. After all, without these reviews, your organization increases its vulnerability to financial, operational, and reputational damage.

So, what is the secret to effective annual vendor reviews, especially for critical vendors? What ingredients and tools should you use? How do you get the best results? If you're asking any of these questions, we've prepared a foolproof recipe for your annual critical vendor risk reviews.

Recipe: Critical Vendor Annual Risk Review

Yield: Effective vendor risk assessment

Prep time: 1–2 weeks

Review time: Varies depending on the vendor and subject matter expert availability; plan for at least 1-2 hours per risk domain.

Estimated Total Time: 1–4 weeks

Necessary Tools and Supplies

  • Experienced subject matter experts (SMEs) for each identified risk domain
  • Comprehensive vendor risk questionnaire
  • Centralized document repository (TPRM system) for vendors and subject matter experts
  • Current vendor contract
  • Vendor performance against SLAs
  • Documented vendor services issues or downtime and impacts (if any)
  • Open vendor issues and required remediations
  • Your notes documenting vendor conversations regarding performance, issue updates, etc., for the past year
  • Information on any new products, services, or updates that the vendor has rolled out over the last 12 months
  • Stakeholder feedback regarding the vendor

Ingredients

1 updated vendor risk assessment questionnaire

1 set of vendor business continuity and disaster recovery plans and test results

1 set of audited vendor financials or their most recent financial reports

1 set of third-party audit reports, such as a SOC 2 Type II report

1 large bunch of assorted information security documents, such as penetration test reports, network diagrams, patching schedules, and access management policies (the specific documents depend on the type of sensitive data involved and how the vendor accesses, processes, transmits, or stores it)

1 list of vendor's critical third parties

1 collection of vendor policies and procedures covering compliance, information security, privacy, human resources, third-party risk management, etc.

Ingredient Notes: When it comes to these ingredients, freshness matters! Ensure you have the most current version of all your vendor's documents and information. Be wary of vendor documents that haven't been updated (or at least reviewed) in the last year. A SOC report only covers a defined examination period; if that period ended more than a year ago, request a bridge (gap) letter from the vendor stating that a new report is in progress, the date the new report is expected, and that no material changes to the controls have occurred since the end of the examination period. Keep in mind that a bridge letter is a management assertion, not an auditor's opinion, so it should cover only a short gap and should not be accepted year after year in place of a new report.

Using old and stale ingredients can cause your review to collapse in the middle, requiring you to start over.

Mise en place (French pronunciation: [mi zɑ̃ ˈplas]) is a French culinary phrase meaning "putting in place" or "gathering," and is often used in professional kitchens to refer to the organizing and arranging of tools and ingredients that must take place before cooking.

This concept is wholly appropriate for your annual vendor risk review. Ensuring that you have everything you need before you start is a best practice that shortens the review. In the case of an annual vendor risk review, applying "mise en place" shows respect for your subject matter experts' time and makes the most of your other resources.

Directions

  1. Begin by notifying the vendor of the annual review.
  2. Instruct the vendor to review or update the vendor risk questionnaire and submit it to you through your TPRM system or another specific data repository.
  3. Provide the vendor with the complete list of due diligence documents or other information your SMEs will need to validate the sufficiency of the vendor's controls. Request they gather and return this information by a specific date. Set your timer! (Usually 5-10 business days)
  4. While you’re waiting for your vendor to respond, review the contract and the vendor's performance against service level agreements. Did they meet all necessary SLAs? If not, why? Document any findings.
  5. Review your vendor's performance overall. Were there any missed key performance indicators (KPIs)? How well and how often does the vendor communicate? If there were any issues, how did the vendor resolve them? Was remediation timely and thorough?
  6. Examine any changes to the vendor's product or services, management structure, or industry over the last year. Check thoroughly for new and emerging issues.
  7. Remember to summarize your findings and document them. Risk reviews aren't just for validating controls. They’re also for identifying any risk or performance issues that might be present in the relationship.
  8. Once your vendor has responded to your request, you should have all your ingredients prepped and organized. If the vendor can’t provide all the ingredients, consult your SME about acceptable substitutions.
  9. Confirm the receipt of materials to the vendor and alert the SME that the documents are ready for review.
  10. It’s time to let your SMEs work their magic. At this point, they’ll take the vendor risk questionnaire and due diligence documents for review.

    Although enjoying a well-deserved coffee at this point is fun, it’s important to remain aware and be available if SMEs need additional information from the vendor or have questions.
  11. Keep your eye on the time, and check in with the SME if the review is taking longer than anticipated to "bake." Cooking times will vary depending on the number and complexity of risks and controls to be reviewed.
  12. At the conclusion of the SME review, you should have a report detailing the risks and controls reviewed, the sufficiency of the controls, and any issues or findings that were discovered in the process. Combine that report with your summary information to determine the safety and soundness of your critical vendor. If all is well, you can package your finished masterpiece to present in your next risk committee meeting and include it in board reporting.

Troubleshooting: If material issues were discovered during the risk review process, there are some important steps for you to complete.

  • Inform senior leadership and the board; for a critical vendor, they need to know
  • Determine whether the issue can be remediated. If so, document the plan and timeline for completing the remediation
  • Review your critical vendor's exit strategy and plan to ensure it's current and actionable in case vendor termination becomes necessary
  • Amend the contract (if possible) to add language stating the required remediation actions and completion date
  • Monitor remediation progress until the issue is closed

Conducting an effective annual risk review for your critical vendor is like making your favorite holiday treats. It takes preparation, the right tools, ingredients, hard work, and patience. Still, your efforts pay off when you and your organization can confirm your critical vendors are still safe and sound partners.
