After publication, Venminder created and released a new, simplified third-party risk management lifecycle that is more user-friendly. Learn why we made this big change here. And, learn the stages of the new risk lifecycle here.
Vendor risk management (also known as third-party risk management) is the set of activities used to identify and mitigate the risk posed when outsourcing a product or service.
Many organizations address vendor risk management in a document called a program. This program is essentially the organization's plan for how it will manage the risk it is exposed to through its relationships with third parties.
To better understand what’s involved in vendor risk management, let’s explore some best practices that are often used to develop a vendor risk management program:

- Establish governance documents. We often see three: a policy, a program and procedures. The policy should broadly outline the concepts and structure of vendor risk management, grounded in regulatory guidance. The program document is more in-depth and expands on the concepts defined in the policy. Lastly, the procedures are step-by-step instructions that should be clear and easy to follow.
- Identify your vendors. Begin by reaching out to accounts payable for a vendor list. Not every vendor will be actively managed or in scope, so narrow down the list to those that need monitoring. You can reference our vendor exclusionary policy for some guidance.
- Confirm that your vendor list is accurate. Check the list against your prior list and your program scope as needed.
- Understand the vendor risk management lifecycle. Regulatory agencies look to one another for best practices, and the vendor risk management lifecycle is a basic framework that can be used to meet their expectations. This lifecycle is divided into four stages: inherent risk assessment; due diligence; vendor selection and contract management; and ongoing monitoring. Supporting elements include oversight and accountability; independent reviews; and documentation and reporting. Keep in mind that a vendor remains within this lifecycle until the relationship is terminated.
- Establish a thorough risk assessment process. Review every active vendor on your inventory list. Each vendor will require some level of review, but you can prioritize by risk level and concentrate on your critical and/or high-risk vendors first.
- Have a good contract management system and procedures in place. When entering a contractual relationship with a vendor, pay special attention to important compliance clauses. Also track contract terms, expiration dates and renewal notice periods; monitoring these dates helps prevent missed deadlines.
- Keep the board and senior management informed. Reporting to your board and senior management helps set the tone from the top so they can make strategic decisions on vendor activity. Vendor management reporting should be consistent and simple, with the clear goal of informing your stakeholders and driving action.
Vendor risk management requires the involvement of many different individuals performing several interrelated processes. Though it is a complex set of activities that demands regular oversight and monitoring, it is an essential practice that every organization should perform to protect itself against vendor risk.