Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.



The Basics of a Vendor Business Continuity Plan (BCP) Report

CPE Credit Eligible

Let's discuss the basics of vendor business continuity.

Listen as we discuss basic key facts to know about a vendor's business continuity plan report. We'll cover what a BCP report is, 7 things to review in the report, the BIA and what it should include and why understanding your vendor's BCP is important.


Podcast Transcript

lisa mae hillWelcome to this week’s Third Party Thursday! My name is Lisa-Mae Hill and I’m an Information Security Specialist here at Venminder.

In today’s podcast we’re going to discuss the basics of a BCP report.

BCP stands for business continuity planning. Business continuity is what you do to ensure that key operations, products and services continue to be delivered either in full OR at a predetermined, and accepted, level of availability. Today, most people would have this outlined as part of a service level agreement (or SLA). When you think of business continuity and your vendor, it covers things like what would they do in the event of a loss of personnel, if their facilities or services were down; what their planning with public entities such as emergency services is like, and communications with their own identified key vendors, their clients like you, employees and the media.

Disaster recovery and business continuity usually go hand in hand as disaster recovery is a subset of business continuity.

The first thing you need to do is determine if your vendor’s BCP aligns with your needs and that it covers the key components needed to ensure continuity of operations. You want to review your vendor’s business continuity plan to verify adequate controls are in place covering the following 7 areas:

  1. Personnel loss and planning
  2. Relocation plans
  3. Remote access availability
  4. Facility loss contingencies
  5. Pandemic contingencies
  6. Breach/disruption notification procedures
  7. Testing procedures which should include:
    • Annual testing and
    • Testing results showing room for growth should be reviewed and addressed during plan updates

Business continuity plans should also include information on your vendor’s Business Impact Analysis (BIA). You want to make sure a BIA is performed annually or when any major changes or incidents occur. 

Your vendor’s BIA should include the following:

  • Recovery Time Objectives (RTO) – This is the targeted duration of time which a business process must be restored after a disruption in order to avoid unacceptable consequences associated with a break in business continuity.
  • Recovery Point Objectives (RPO) – This is the age of files that must be recovered from backup storage for normal operations to resume if a computer, system or network goes down as a result of a disruption. Or how much data you expect to lose in a worst-case scenario.
  • Maximum Tolerable Downtime (MTD) – This specifies the maximum period of time that a given business process can be inoperative before the organization's survival is at risk.

You should ensure that your Vendor’s BIA information meets or exceeds your needs for RTO, RPO and MTD.

So, what can you expect as far as ongoing monitoring of BCP goes? Perform regular reviews, along with plan exercises, to assure that the vendor is prepared and able to respond to whatever situations arise and allow the corresponding plans to be improved to minimize the impact of the event.

Ultimately, understanding your vendor’s BCP is a critical component of your third party risk management process. Here are a few reasons why: 

  1. First, if a part of your services were unavailable for an undetermined amount of time because of your vendor, that could significantly affect your operations and reputation.
  2. Secondly, a commonly overlooked aspect of risk is the reputational impact that can occur to a business from failure to respond to the situation, or failure to continue operations. Reputation is difficult to cultivate, easy to lose and very hard, if not impossible to re-gain once lost.
  3. Third, you should know how quickly your vendors plan to recover and if they will be able to quickly and effectively respond to the business impacting event so that you can plan accordingly with your own BCP plans.

Once you’ve reviewed the plan, it’s important to have a qualified expert write up an analysis documenting any gaps and the overall findings. A qualified expert will usually have certified credential levels such as a CISSP. Once the analysis is written up and signed off on, reach out to the vendor to discuss the findings and next steps to mitigate any risk. Additionally, you’ll want to mitigate any risk that is found.

Again, I’m Lisa-Mae and thanks for tuning in to this week’s third party Thursday; if you haven’t already done so, please subscribe to our series.


Subscribe to our Third Party Thursday Newsletter

Receive weekly third-party risk management news, resources, and more to your inbox.


New Call-to-action

Ready to Get Started?

Schedule a personalized solution demonstration to see how Venminder can transform your vendor risk management processes.

Request a Demo