Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.


What Makes a Vendor High Risk?

4 min read
Featured Image

One of the most important concepts to understand about third-party risk management is that all vendors aren't created equally. Criticality and level of risk play a big part in how your vendors will be managed throughout the lifecycle. As a reminder, critical and high-risk vendors are not the same.

Criticality speaks to the operational impact you would experience if your vendor were to fail. In other words, only the most essential vendors should be designated as critical. But, what exactly is a high-risk vendor and how should they be treated differently from vendors that have moderate or low risk? This blog will cover the basics so you'll have a better understanding of how to identify and manage high-risk vendors.

vendor risk

How to Identify a High-Risk Vendor

For the purpose of this blog, we'll be focusing on vendors with a high level of inherent risk, rather than a high level of residual risk. This essentially means that we're looking at the level of risk before any controls are put in place.

A high-risk vendor can generally be identified by considering the nature of its products or services. Here are a few questions to ask about the vendor:
  • Does this vendor process financial transactions on behalf of your organization, customers or employees?
  • Does this vendor require access to sensitive data, such as nonpublic information (NPI) or personally identifiable information (PII)?
  • Does the vendor interact with your customers in any way?
  • Are the vendor's products or services used by your organization to maintain regulatory compliance?
  • Are the vendor’s products or services unique in the marketplace and without any available and reasonable substitutions?

4 Common Misconceptions About High-Risk Vendors

common misconceptions about high-risk vendors

Now that you can identify your high-risk vendors, let's take a look at some common misconceptions. By gaining some more insight into high-risk vendors, you’ll be better prepared to handle them within your vendor management program.

Consider the following assumptions, which aren’t always true:

  1. High risk is always critical. These two terms may sound similar, but they have very different meanings. The difference is that critical is a category of vendors, not a risk level. Remember, critical is the term that identifies which vendors are most essential to maintain your business operations. And, as it happens, most critical vendors are also high risk, but not all high-risk vendors are critical. For example, a vendor that provides shredding services would be considered high risk because of its access to sensitive information. However, this wouldn't be a critical vendor because the sudden loss of its services wouldn't cause a major disruption to your operations or customers.
  2. Non-critical, high-risk vendors don’t require business continuity planning and testing. Just because your high-risk vendor isn’t considered critical, it doesn't mean there won't be severe impacts if they fail. Your vendor is considered high risk because of the product or service they provide. Your vendor's business interruption, data breach or another incident could really throw a wrench in the works. Business continuity planning is absolutely essential for high-risk vendors.
  3. High-risk vendors are irreplaceable. While high-risk vendors may have access to sensitive data, this doesn't always mean that they're irreplaceable. For example, a customer call center is high risk. They must comply with regulations, interact with your customers and access sensitive information. However, your organization could replace that call center with another provider if necessary.
  4. High inherent risk can’t be mitigated. Inherent risk refers to the state of risk before any controls are considered. In most cases, your vendor will have controls to address the inherent risk identified for their product or service. These controls might include information security practices, offsite data centers, employee training or business continuity planning. When you confirm your vendor has the proper controls to address the inherent risk, those risks are considered to be "mitigated."

Due Diligence for High-Risk Vendors

Certain due diligence should be collected on all vendors, regardless of the risk level. This includes items such as full legal name, address, state of incorporation, business license, and secretary of state check. While not a full list, for high-risk vendors, you'll also want to collect and review items such as the following:

  • Policies and procedures
  • Penetration and vulnerability testing results
  • Network diagram
  • Business continuity and disaster recovery plans
  • Data flow diagram, including third parties and fourth parties
  • A record of any outages and SLA violations

Identifying a vendor as "high risk" can cause some third-party risk professionals a lot of apprehensions. However, high risk doesn't necessarily mean that a vendor is dangerous to your organization. High-risk vendors are just a normal and necessary part of business operations, so it's essential to identify and properly manage them.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo