Inherent Risk Types Involved in a Vendor Risk Assessment


Every vendor relationship comes with some risk. Sometimes, it can feel overwhelming to identify and assess those vendor risks correctly. However, it doesn't have to be. Learning and understanding the primary types of vendor risk is an excellent way to begin. Let's get started with the basics.

2 Fundamental Vendor Risk Criteria to Know

An initial vendor risk assessment will help you identify and quantify the two essential elements of vendor risk – inherent risk and criticality:

  1. Inherent Risk - Inherent risk is the risk associated with a specific product or service. It doesn't consider any existing or future controls (processes or tools) that could lessen the risk. Inherent risk considers the different types and amounts of risk present in an activity (product or service).
  2. Criticality - In third-party risk management, criticality refers to processes, products and services that are vital to your operations, revenue stream and customers. In other words, your business would be materially impacted if these activities weren’t performed as expected. By default, any third-party vendor performing a critical activity is, in fact, a critical vendor. To determine if a vendor is critical or not, you can ask these three questions:

    • Would a sudden and unexpected loss of this vendor cause a material disruption to your organization?
    • Would that loss impact your organization's customers?
    • Would the recovery time be longer than one business day or 24 hours (timing could vary based on service provided)?

If you answered yes to these three questions, the vendor is critical. Remember, every vendor should have an inherent risk rating and be considered critical or non-critical.


Tailor Risk to the Vendor

Inherent risk considers the different risk types and amounts associated with the product or service. Vendors have their own unique risk profiles. For example, an outsourced call center would raise different concerns than your organization’s shredding company. It’s essential to understand each of the different types of risk. Let's look at the risks most often identified during the inherent risk assessment.

  • Strategic Risk: Occurs when a prospective or current third-party vendor's decisions and actions are incompatible with your organization's strategic objectives.

    Ask the question:
    • Is this vendor going to operate in a manner consistent with our organization's practices and strategic objectives?
  • Operational Risk: Broadly defined as the risk of loss resulting from a third-party vendor's ineffective or failed internal processes, people, controls or systems. Internal operational risk is directly influenced by people (e.g., mistakes or failures due to the management and employees' direct actions or decisions).

    Ask these questions:
    • Does the vendor have suitable policies and processes?
    • Do they properly train their employees?
  • Business Continuity Risk: Occurs when an adverse event affects your third-party vendor's ability to conduct business and impacts your organization as a result. These events could include natural disasters, severe weather events, fires, utility outages, civil unrest, cyberattacks, pandemics, military actions or acts of terrorism. These events are usually beyond the third-party vendor's control; however, the third-party vendor should anticipate and document a plan for if and when these events occur.

    Ask the question:
  • Compliance and Regulatory Risk: Arises from a third-party vendor's failure to comply with laws and regulations governing the products or services provided to your organization or its customers. Compliance risk can also occur when your third-party vendor doesn't follow your internal policies, procedures, business standards or codes of conduct.

    Ask these questions:
    • Does the vendor have a sound set of policies and procedures?
    • How has the vendor performed in recent exams or audits?
  • Information Security and Privacy Risk: Information security risk stems from third-party vendor information security vulnerabilities and can arise when your vendor has access to your organization's or its customers' data, networks or even physical facilities. Cyberattacks and data breaches are two of the most common information security risks resulting from missing or ineffective controls. Your vendors must be able to safeguard the data entrusted to them. Privacy risk is closely related to information security risk but can also occur when a vendor uses or accesses sensitive or confidential data in a way that is not consistent with its intended and permissible use.

    Ask these questions:
    • Does the vendor have an independent third-party audit report or certificate (SOC, ISO or other)?
    • Has the vendor experienced any breaches or other information security or privacy events in the last three years?
    • Does the vendor have an aggressive and proactive process to detect or prevent information security issues?
    • Does the vendor have a documented privacy policy?

  • Reputation Risk: Reputation risk incorporates the various ways your third-party vendor could directly or indirectly damage your reputation, brand, or company name. This harm could result from their actions, poor service, lawsuits, outages, fraud or data breaches. Your reputation could also be damaged if a third-party vendor misrepresents their relationship with you directly or by using your logo or organization name.

    Ask these questions:
    • Does this vendor have a history of unresolved customer complaints?
    • Has this vendor had negative news and media attention?
    • Are there any ethical concerns regarding this organization or its owners or parent company?
  • Financial and Credit Risk: Financial and credit risk is directly related to the vendor's financial condition. If the vendor has insufficient investor funding, cash or credit available to meet its contractual obligations, there’s a risk it won't be able to provide products and services to your organization.

    Ask these questions:
    • Does the vendor have a robust financial outlook?
    • Does the vendor have enough operating funds to service your organization for the contract duration?


3 Other Risk Types

The risks listed above are the most common risk types. However, other risks may need consideration depending on your vendor and the products or services they provide. Here are some examples of other vendor risks.

  1. Concentration Risk: This usually occurs when your organization has too many high-risk or critical services provided by a single vendor. This is also known as single-point-of-failure risk. Another form of concentration risk is when a significant portion of your vendors are in the same geographic area. The proximity of vendors could cause additional business continuity risk if there were a natural disaster or another external event.
  2. Geo-Political Risk: Your vendor is in a country or location vulnerable to political unrest, corruption, violation of human rights, lax privacy and information security laws or other situations that could be harmful to your organization or its customers.
  3. Transaction Risk: Refers to the adverse effect of exchange rate fluctuations on a transaction before settlement. Your organization may be especially vulnerable to transaction risk when it uses nearshore or offshore vendors and pays in a foreign currency.

A standardized and objective inherent risk assessment is the best way to identify which vendor risks are present in a vendor relationship. Once the risks are identified and assessed, you can assign an inherent risk rating or score to each vendor relationship. That rating should inform your vendor risk management activities and help you prioritize the relationships that present the highest risk to the organization.
