What Is a Moderate-Risk Vendor?


An important first step when vetting vendors is to rate the risk associated with them. The standard rating scale is low, moderate and high. You may already be familiar with how to identify high-risk and critical vendors. A simple set of questions can help you determine whether the sudden loss of the vendor would cause a significant disruption to your business operations or customers, which would make it critical, or whether the vendor has access to any sensitive data, which is just one example of a criterion that would make it high risk.

Low-risk vendors are probably a little easier for you to identify. These vendors have no access to sensitive data and are easily replaceable when needed. A landscape company or janitorial service company would generally fall into this category.

So, that leaves us with the more ambiguous category of moderate-risk vendors. How exactly can we identify these vendors and why is it important to do so? Let’s review some simple guidelines that will help you categorize this more indeterminate level of risk.

Is the Risk Lower Than High?

Since there isn’t a clear set of guidelines for what is considered moderate risk, it may help to start at the top and work your way down. This will ensure that you appropriately identify your high-risk vendors first. Use your basic risk-driving questions to determine if the vendor’s inherent risk is high:

  • Does this vendor have access to or store highly sensitive data?
  • Does the vendor directly interact with our customers?

If the answers to one or both questions are yes, you’ll proceed with the pre-determined due diligence for high-risk or critical vendors.

Is the Risk Higher Than Low?

If the answers to the above questions are no, the vendor will likely fall somewhere between low and moderate. The questions below will help you determine if there’s enough risk to categorize the vendor as moderate.

  • Does the product or service have any effect on our customer?
  • Does this vendor have physical access to our facilities?
  • Does this vendor provide a product or service that we use to maintain regulatory compliance?
  • Is the product or service a significant expense?
  • Does this vendor process any financial transactions for our organization?

Answering no to all these questions probably means that you’re dealing with a low-risk vendor. However, your vendor is most likely moderate-risk if one or more of these questions is applicable.

Three Additional Considerations for Moderate-Risk Vendors

  1. Follow the Data: Another indicator that a vendor is moderate risk could depend solely on the level of data they manage, store or have access to. A good example of this would be “company confidential,” business-sensitive or trade-secret information. While this is still information worth protecting, it doesn’t fall under the same level of regulatory scrutiny as an individual’s PII/NPI/PHI or PCI data. Refer to your organization’s data classification policy. If the level of data accessible to a vendor falls somewhere in the middle, then that might just be the most appropriate inherent risk rating for that vendor.
  2. Risk Quantification: Another big factor to consider when determining moderate risk is how your methodology is designed, and any tools or quantification used to assist the process. If you’re assigning weights or scores to individual risk-driving questions, then you might find that the gray area between low and high sorts itself out as you quantify each individual question. It’s important, though, to trust your gut. You should always circle back to your own logic and gut feeling on what a vendor’s risk should be. If your quantification is spitting out ratings that don’t match what you feel the inherent risk should be, it’s time to go back to the drawing board and tweak your numbers. In my experience, knowing what you think or feel should be “moderate” risk is a good way to test the quality and practicality of your calculations.
  3. Due Diligence: This is probably what complicates vendor due diligence automation more than anything else. Unlike low and high risk, where you can probably set standards for due diligence that are applicable 90% of the time, moderate risk is a different story. This is mostly because you’re basing this rating on the fact that only a portion of your risk-driving questions apply. Which portion? If you try to standardize what is necessary for a moderate-risk vendor, you may often miss the mark on what exactly the elevated risk is, by looking at too much, too little or simply not the right thing. The point here is that the best due diligence for moderate risk is that which addresses the specific inherent risk.
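The top-down rating procedure above (high-risk questions first, then the moderate-risk questions) and the weighted-score approach from the quantification point, written out as an added example that is not Venminder's code. The question keys are the post's own questions; the weights and score cut-offs are assumptions chosen for illustration, and the last function flags the vendors where the two methods disagree, which is the "go back to the drawing board" signal the post describes.

```python
from dataclasses import dataclass

# Question keys are the post's two question sets. Weights and cut-offs are
# assumed for illustration only, not a vendor-supplied or recommended scheme.
HIGH_RISK = ("sensitive_data", "customer_interaction")
MODERATE_RISK = ("customer_effect", "physical_access", "regulatory_compliance",
                 "significant_expense", "financial_transactions")
WEIGHTS = {"sensitive_data": 10, "customer_interaction": 10, "customer_effect": 4,
           "physical_access": 3, "regulatory_compliance": 4,
           "significant_expense": 2, "financial_transactions": 4}
MODERATE_MIN, HIGH_MIN = 3, 10  # assumed score cut-offs


@dataclass(frozen=True)
class Rating:
    tiered: str         # rule-based answer from the post's question sets
    scored: str         # weighted-score answer
    score: int
    needs_review: bool  # the post's "go back to the drawing board" signal


def tiered_rating(answers: dict[str, bool]) -> str:
    """Top-down rule: any high-risk 'yes' -> high; any moderate 'yes' -> moderate."""
    if any(answers.get(q, False) for q in HIGH_RISK):
        return "high"
    if any(answers.get(q, False) for q in MODERATE_RISK):
        return "moderate"
    return "low"


def scored_rating(answers: dict[str, bool]) -> tuple[str, int]:
    """Weighted variant: sum the weights of every 'yes' and bucket the total."""
    score = sum(w for q, w in WEIGHTS.items() if answers.get(q, False))
    if score >= HIGH_MIN:
        return "high", score
    if score >= MODERATE_MIN:
        return "moderate", score
    return "low", score


def rate_vendor(answers: dict[str, bool]) -> Rating:
    """Run both methods; a disagreement means the weights need re-tuning."""
    unknown = set(answers) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown question keys: {sorted(unknown)}")
    tiered = tiered_rating(answers)
    scored, score = scored_rating(answers)
    return Rating(tiered, scored, score, tiered != scored)
```

With these assumed weights a vendor whose only "yes" is significant expense rates moderate by the rules but low by score, so it is flagged for review; that is exactly the kind of mismatch the post says should send you back to tweak the numbers.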

What Does This Mean for Moderate Information Security?

This is a call only your organization can make. Perhaps you’re more okay with an attestation or whitepaper over an entire controls assessment. Maybe you’re willing to accept a SOC 1 or a simple review of their information security policies. Perhaps you’ll allow for some control weaknesses that you wouldn’t in cases that involve NPI or PII. The choice is yours, and it’s best to define a standard that can be spoken to and also justified by the resources available to you.

It’s ultimately the decision of your organization to determine what warrants a moderate-risk rating. You may decide that while there’s some level of risk associated with a vendor, it isn’t necessarily high and doesn’t need to be as heavily vetted and monitored as your high-risk and critical vendors, but you know you need to do more than the bare minimum. That is your moderate-risk sweet spot.

Remember: There’s no ONE right answer; don’t overcomplicate things, and trust your gut.

Now that you understand what a moderate-risk vendor is, learn the other types of third-party vendor risk. Download the eBook.
