Which Vendors Should Be Out of Scope in Third-Party Risk Management?


It's no secret that for many organizations, the time and resources for vendor relationship management are stretched thin. This is especially true when vendor inventory numbers are in the hundreds or even thousands, so it’s best to determine which of your vendors (or other third parties) can be safely excluded from third-party risk management (TPRM) activities. However, it may not always be obvious which of these relationships should be in or out of scope. The good news is that organizations can use some tried and true guidelines to determine who should be in scope for vendor risk management. Read on to learn more and help ease the burden of your TPRM responsibilities.

Regulatory Considerations for Vendor Exemptions

Those in regulated industries know they must meet the requirements of established TPRM guidance. However, this can be a bit tricky when regulations are potentially changing. As this is being written, the financial industry in particular is still waiting for updates to the July 2021 Proposed Interagency Guidance on Third-Party Relationships. The proposed guidance dramatically expands the definition of "third-party relationship" as "any business arrangement between a banking organization and another entity, by contract or otherwise." And while this proposed guidance is specific to the financial industry, those regulations greatly influence and shape all vendor risk management best practices. Don't worry; even with the uncertainty and potential regulatory changes, you can still develop a sound (and defensible) methodology to define which third-party relationships are in scope for your vendor risk management program.


How to Determine Exempt Vendors

To determine exempt, or out-of-scope, vendors, the first step is to prepare a complete list of all individuals or organizations that are paid by or have a written agreement with your organization. Your accounts payable department should be able to furnish much of this information. It's essential to include the product/service provided, or the other nature of the relationship, as part of the list. Truthfully, this can be a time-consuming but necessary process.

Once your list is complete, you can use the following questions as a starting point to help determine whether a vendor should be in scope or out of scope for your organization:

  • Is this a government entity? You can eliminate any state, provincial or similar government and any body, board, department, commission, court, tribunal, authority, agency or other organization exercising any executive, legislative, judicial, administrative or regulatory functions. This also includes any organization providing safety or emergency services, such as police and fire departments.
  • Is this a public utility? Public utilities such as your local power, water, trash collection services and the like are out of scope. Keep in mind that the key word here is public, as in it’s available to everyone. Don't assume that because it’s water or power it's automatically out of scope. Services meant to serve your specific organization, such as confidential document destruction, bottled or filtered water services, internet or backup power generation, are decidedly in scope for vendor risk management.
  • Is this a sponsorship or donation? Sponsorships and donations are out of scope for third-party or vendor risk management. For example, sponsoring the company team for a charity walk, helping a non-profit with an event or placing an ad for the program for a high school musical don't count as third-party or vendor relationships. And, other types of donations, such as political donations, should be managed through other internal governance mechanisms and policies.
  • Is this a covered travel or entertainment expense? You can exclude hotels, airlines, restaurants, transportation, etc. However, you should pay attention when a payment to an organization is classified as travel and entertainment (T&E) to ensure the type of product, service or relationship falls within T&E norms. In organizations with less stringent or mature T&E expense policies and programs, vendors are sometimes engaged under the guise of T&E to avoid time-consuming or rigorous vendor risk management processes. It happens! Be on the lookout for this scenario.
  • Is this a subscription? Many types of subscriptions will be out of scope for your vendor risk management program, including one-off subscriptions for magazines, books, newspapers, digital content (stock photography, music, etc.), industry news or social media websites. Keep in mind that some subscriptions should be included in your program, especially those that provide non-public data or for risk alert and monitoring services that help you make sound business decisions.
  • Is this a payee? Payees usually represent payments for non-product or service expenses. Examples include payments for a legal settlement or payments to board members or investors. These types of third parties are out of scope.
  • Is this a professional association or conference? Annual dues for professional memberships and conferences should be excluded from your vendor risk management program.
  • Is this a product or service offered as an employee perk? It’s becoming commonplace for organizations to offer employee discounts on various products and services—everything from tickets to the amusement park, gym memberships and even automobile purchases. Relationships where the employee directly initiates the purchase or transaction are out of scope. Keep in mind that if your organization collects payment from employees for the products or services or distributes the vendor's products or services to employees, that vendor should be in scope. Your health insurance providers, for example, should be in scope for vendor management.
  • Is this a low-value vendor? Many organizations also choose to treat vendors whose annual spend is less than a predetermined threshold, for example $5,000, as out of scope. The rationale is that many single-use vendors would fall into this category: florists, caterers, food or beverage services or even office supplies.

If you choose to exclude these vendors from your third-party risk management program, and deem them out of scope, proceed with caution for the following reason:

There is at least some risk with any vendor relationship, and not every organization is as it appears. For example, small cash-based businesses may be vulnerable to certain risks, including money laundering, health and safety violations and even human trafficking. And what if you're purchasing a piece of open-source code, where there can be substantial risk? This isn't to say you should spend valuable time and resources reviewing your local bakery's financials; you shouldn't. Your vendor risk management efforts and activities should always be in proportion to the risk. However, suppose you aren't evaluating the risk at all because a low-value vendor is automatically out of scope. In that case, you may be missing something important.

The key here is to clearly define the products and services eligible for this type of exemption and identify how you will keep track of the spending thresholds. Consider asking questions such as:

  • How will we know if spending exceeds the $5,000 limit?
  • What if there is a lot of repeat business with the vendor?
  • How and when would they be re-evaluated for inclusion in the program?

Other Vendor Categories Unique to Your Organization

Your organization may determine that other third-party or vendor types should be out of scope, and that's okay. But always make sure that you can articulate and document your rationale for any out-of-scope decision.

Determining vendor scope is crucial for optimizing your vendor risk management program. It will allow you to direct your efforts toward third-party relationships that deserve your focus and resources.
