Vendor Risk Management and FFIEC Appendix J

CPE Credit Eligible

Incorporating Appendix J into your vendor risk management program. 

Learn how FFIEC’s Appendix J relates to your vendor risk management program, the four key elements of business continuity planning that you should address when contracting with a third party service provider, and our recommendations to best incorporate Appendix J into your vendor risk management program.



Podcast Transcript

Hello everyone and thank you for joining me today for our Third Party Thursday podcast. I’m Lisa-Mae Hill, an Information Security Specialist here at Venminder.

Today’s topic is a quick dive into FFIEC’s Appendix J and how it relates to your vendor risk management program.

First, let's understand what Appendix J is. Appendix J was released by the FFIEC in 2015 as a revision to the Business Continuity Planning Booklet which is part of the FFIEC Information Technology Examination Handbook. The overall purpose of Appendix J is to strengthen the resilience of outsourced technology services.

So how does this all relate to your vendor risk management program? Well, the Appendix J guidance states:

“as part of its due diligence, a financial institution should assess the effectiveness of a third party service provider’s business continuity program, with particular emphasis on recovery capabilities and capacity. Furthermore, the financial institution should review the third party service provider’s BCP program and its alignment with the financial institution’s own program, including an evaluation of the third party service provider’s BCP testing strategy and results to ensure they meet the financial institution’s requirements and promote resilience.”

So, in other words, it's your job to make sure your vendors have a strong resiliency plan that works for you and your vendors.

Appendix J provides insight around four key elements of business continuity planning that you should address when contracting with a third party service provider. This is to ensure the relationship is strengthening the resilience of technology services. These include:

  1. Subcontractors: Your responsibility to control the business continuity risks associated with the third party and any subcontractors (aka your fourth parties).
  2. Disruptions: Address potential significant disruptions and the impact on a third party’s ability to restore services to multiple clients.
  3. Testing: Testing with the third party addresses the importance of validating business continuity plans with them and considerations for a robust third-party testing program.
  4. Cyber resilience: That it covers aspects of disruptions caused by cyber events.

Here are our recommendations to best incorporate Appendix J into your vendor management program:

I hope you found this podcast helpful. Again, I’m Lisa-Mae Hill at Venminder. If you haven’t already done so, please subscribe to our Third Party Thursday series.

