A Walk Through the OCC Vendor Lifecycle


After publication, Venminder created and released a new, simplified third-party risk management lifecycle that is more user-friendly. Learn why we made this big change here. And, learn the stages of the new risk lifecycle here.


The OCC’s guidance published in Bulletin 2013-29 set the gold standard for third party relationships. It takes a logical risk-based approach with the goal of protecting your institution from unmitigated risk.

The OCC recognized that institutions had not applied the same level of vendor risk oversight to these third parties as they would have to their own internal processes. The idea that the ultimate responsibility for outsourcing risk remained with the institution was somewhat of a learning process. The OCC approach is heavily focused on risk management disciplines, and many, if not all, regulators recognize that there is now a heavy reliance on third party service providers that perform critical functions for an organization. Third party risk management is a key guidance issue that regulators, at both the federal and state examination level, are keenly aware of.

The OCC updated the bulletin with 2017-07, which went into more detail and expanded examiner requirements. While the 2013 guidance is now five years old, it seems to be standing up well to the current third party risk management landscape. A new update may have taken some time to be published as an OCC bulletin, but the original third party relationship guidance from the OCC dates all the way back to 2000 and 2001, which tells us that third party risk management is not a new discipline; it simply had not been given the attention it deserved. Given the almost daily news reports of data privacy breaches, managing a robust vendor lifecycle will put you at the top of the class come examination time.

Review the lifecycle of third party risk management below, along with some consideration points. It’s recommended to audit against this lifecycle and compare it to your existing program, as this lets you quickly identify program gaps to focus on.

The OCC Risk Management Lifecycle

  1. Planning – It’s important to have your policy, program and procedures defined and in place. Outlining the vendor oversight process is imperative to a successful program.
  2. Due Diligence and Third Party Selection – You should be vetting a vendor prior to entering the contractual relationship. This helps identify any risk posed, before the contract is executed.
  3. Contract Negotiation – Discuss expectations with the vendor and clearly define them in the contract. Per the guidance, this ensures contract enforceability, limits the bank’s liability and mitigates disputes about performance.
  4. Ongoing Monitoring – Continued due diligence must be performed to prevent exposure to unwanted risk. This can help remediate undisclosed risk such as a change in executive leadership, pending litigation or a data breach. It is a very important part of the lifecycle.
  5. Termination – With a lifecycle, you potentially will have an end to the relationship for various reasons. Transition and exit strategies should be determined as it’s important to understand the notice periods and process for return of assets.

In addition to the five phases of the lifecycle, the guidance recommends you keep the following three items in mind:

  • Oversight and Accountability – Understand who is performing the relevant oversight of the third parties. Assign roles and responsibilities as deemed appropriate.
  • Documentation and Reporting – Have a good method in place for maintaining documentation and reporting. It’s a best practice, and a recommendation from the OCC, to provide this information to senior management and the board to keep them involved.
  • Independent Reviews – Conduct independent reviews of your risk management program. You can involve your audit teams for this as well. This will help identify any gaps or any changes that need to be made.

It’s clear that examiners compare notes. Whether or not your examiner is the OCC, this is generally considered the most demanding guidance, so if you follow these vendor risk management steps, you are setting your organization up for success.

