Criticality and Vendor Oversight Podcast

CPE Credit Eligible

Is your vendor critical to your operations?

When determining your level of oversight on a vendor, you’ll clearly want to determine the criticality first - whether the vendor is critical or non-critical. This is an essential and ongoing process for mitigating vendor risk. Listen to this podcast to help guide you through the process.



Podcast Transcript

Hello everyone and thank you for joining me today for our Third Party Thursday podcast. I’m Steve Greenfield, Director of Third Party Risk here at Venminder.

Today’s topic is based on a question which was submitted during our most recent webinar we held with National Mortgage News on the Importance of Third Party Risk Management in Consumer Finance.

The question submitted was: Other than criticality, what drivers do you believe drive the level of oversight you exercise over a third party? This is a great question, and I was thankful that I had the opportunity to answer it for the listener. Oftentimes in vendor risk management, I think we fall foul on 2 behaviors:

  1. We tend to oversimplify our approach or throw common sense completely out of the window and come down with a bad case of paralysis by analysis. I’d encourage a common sense that takes into consideration the vendor type or service and really think about how the use of the particular vendor may have an impact on your organization or your consumer.

    When determining your level of oversight on a vendor, you’ll clearly want to determine the criticality of the vendor. And there is a simple litmus test. If the vendor suffers a system outage for 1, 2, 3 days, could your organization actually function? Examples may include your core processing system or loan origination system. In these instances, it’s highly unlikely that you will have a backup system simply because of the cost of licensing a product you aren’t using on a full-time basis or the cost of managing a secondary system which requires systems updates with regards to regulatory compliance updates. Frankly, keeping your primary core or LOS system is a full-time task.

  2. The other drivers which complement the initial criticality rating can be linked to the 'What If Scenario' approach. The 'what if' approach is simply looking at what could go wrong with the use of a vendor and how it may impact areas such as reputational, litigation, financial, regulatory compliance, operational and strategic risks.

    The key is that many of these risks may apply regardless of if the vendor has been classified as a critical or high risk vendor, so in some respects the oversight practices may be very similar. The difference might be that should a high risk vendor fail because of XYZ, they should be easier to replace to minimize disruption. The difference here is that with the critical vendor, not only would you perform the appropriate due diligence, but you have to really focus on the fundamentals such as BCP, DR etc. There is a fine line between critical and high risk vendors.

    A standout risk is clearly potential harm to your consumer. Negative consumer impact is one of the primary goals of every regulatory agency and has been well demonstrated by the enforcement actions listed under UDAAP by the Consumer Finance Protection Bureau and others such as the OCC, FDIC and FTC. These risk factors of failing to serve or mislead a consumer are good pointers in driving your level of oversight and this leads into regulatory compliance.

In many cases, your vendor will fall under the same regulatory requirements as the financial institution so it’s important to recognize that each vendor has a robust compliance management framework. The rule of thumb for your internal vendor risk management team is that they understand regulatory compliance and how each regulation applies to the different vendor types. Examples may include Sub-servicing and ECOA, an AMC and Appraisal Independence Requirements or a Credit Reporting Agency and the Fair Credit Reporting Act.

Outside of criticality and regulatory compliance - data security of your consumers’ NPPI data will really force your organization to drill down on not only your internal controls but that of your third and fourth party vendors. With data breaches being traced back to a third party 63% of the time, this highlights that data privacy risk is everywhere. In some regards, I think this levels the playing field in terms of risk among many vendor types. Even a non-critical vendor may be accessing NPPI and should the vendor suffer a data breach, you will be left with managing through a very messy process of root cause analysis and answering to your board and the examiners.

As a final thought on an additional driver, I would highlight the fact that assessment findings can help in determining the actual frequency of the oversight practice. Critical and high risk rated vendors should have a minimum annual assessment which covers financial BCP, DR, information security and based on the findings and remediation required, the frequency could actually increase. Use SLA performance data and first line of business feedback to help determine where your focus needs to be. By doing so, you’ll have developed an oversight program based on fundamental best practices and common sense. Do not overthink it.

I hope you found this podcast helpful. If you haven’t already done so, please subscribe to our Third Party Thursday series. I am Steve Greenfield, Director of Third Party Risk at Venminder. Until next time, trust but verify.

