Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

About

Venminder is an industry recognized leader of third-party risk management solutions. 

Our Customers

900 organizations use Venminder today to proactively manage and mitigate vendor risks.

Get Engaged

We provide lots of ways for you to stay up-to-date on the latest best practices and trends.

Gartner 2020
Venminder received high scores in the Gartner Critical Capabilities for IT Vendor Risk Management Tools 2021 Report

READ REPORT

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

resource-whitepaper-state-of-third-party-risk-management-2022
State of Third-Party Risk Management 2022

Venminder's sixth annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.

DOWNLOAD NOW

What Are Vendor Due Diligence Reviews?

3 min read
Featured Image

A common question people often struggle with is, “What constitutes appropriate vendor due diligence?” Or, “What are vendor due diligence reviews”? As with any question, the official answer can be found in regulatory guidance – in this case, let’s turn to FDIC Financial Institution Letter 44-2008 for this excerpt:

Comprehensive due diligence involves a review of all available information about a potential third party, focusing on the entity's financial condition, its specific relevant experience, its knowledge of applicable laws and regulations, its reputation, and the scope and effectiveness of its operations and controls.

What Does That Even Mean?

Translating that back into layman’s terms, basically that means learning as much as you can about a vendor prior to engaging in a business relationship. 

Due diligence is both a science and an art – there are times where you can follow a standard checklist and gather everything, but there are times where a vendor can’t or won’t share information with you – that’s when you need to explore options and get creative. 

Perhaps you can come up with an alternative or perhaps you can contractually commit them to provide it to you later. For example, a company isn’t willing to provide a very confidential document – it happens – but you may be able to request they allow you to view it on-site or even by screensharing. 

4 Tips for Vendor Due Diligence Reviews

Here are four tips for your reviews:

  • Due diligence should be risk based – that basically means tailor the extent of what you’re asking for to the level of risk associated with the product or service – in other words, don’t expect your vending machine provider to furnish you with the same information as your core processor. They likely won’t have a SOC report and may be confused if you request one.

  • Due diligence is always ongoing and must be timely – let’s face it, there’s no way to rush everything just to hit a contract date, so start ahead of time. Documents, like the following, expire or grow stale:
    • SOC reports
    • Financials
    • Business continuity/disaster recovery plans
    • Policies and procedures

 So be sure to refresh them as needed.

  • Do not follow a checklist mentality – certainly, you can use a checklist, but as you gather documents, make sure to subject them to the appropriate analysis (and document the results of that analysis).

Believe me, I’ve had the unfortunate experience (more than once) of gathering and filing only to realize later that I just gathered and filed without reading the details and later found very unfortunate surprises.

  • Subject matter experts (SMEs) should    perform due diligence analyses – You really should consider who is performing the reviews. It should be a SME – internal or external. For example, a certified public accountant (CPA) is qualified to perform a financial analysis whereas you’ll likely want a Certified Information Security Systems Professional (CISSP), or someone with extensive IT experience, performing your SOC analysis.

The Impact of Vendor Due Diligence Reviews

What you determine in the course of due diligence may cause you to re-think doing business with a vendor – that may sound like a negative, and perhaps it is – but you’d be surprised how much that short term pain may turn into avoiding long term damage. It’s far easier to end a relationship before it starts than it is when unexpected surprises happen down the road.

Vendor Due Diligence Review Logistics

I've seen all sorts of models of due diligence – from a standardized questionnaire sent to all vendors to a highly customized series of questionnaires that may require multiple rounds of answering – either one is fine, but you need to establish a process that is appropriate for your organization and follow it carefully. 

You also need a path for approving due diligence when you can’t gather everything – there are certainly going to be times where “no” is the final answer. In those cases, involve your senior management team and the board to determine the appropriate next steps and make sure it's firmly documented in meeting minutes to show proof of the discussion.

Due diligence is a fundamental pillar of vendor management in every piece of the regulatory guidance. It can be difficult at times, but done well, due diligence is an exercise that can protect your organization, customers, data and shareholders.

Include vendor site visits in your due diligence process. View this on-demand webinar to learn how.

vendor-due-diligence-site-visits

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo