Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.



Critical Vendors - What to Review

CPE Credit Eligible

What to review on critical vendors. 

Learn three questions to ask yourself to determine if your vendors are critical. Then, we'll dive deeper and talk about what you should review on your critical risk vendors.

You may also be interested in:

Video Transcript

Welcome to this week’s Third Party Thursday! My name is Dana Bowers and I’m the CEO/Founder and Board Member here at Venminder.

In this video, we’re going to cover the key questions you need to ask yourself about your vendors to determine if they are critical.

First, it's important to separate this from your assessment of the regulatory areas of risk – what we're talking about today are critical vendors, from a business impact standpoint - these are the ones that would stop your business in its tracks if they were suddenly to disappear.

It's important that you define these very early on because you're going to want to handle them a bit differently than other vendors.

So, to determine if a vendor is critical, ask yourself these 3 questions:

  1. Would a sudden loss of this third party cause a material disruption to my institution?
  2. Would that sudden loss impact my customers?
  3. Would the time to recover be greater than one business day or 24 hours?

If the answer to any of these is "yes", then it's a critical vendor.

Let's talk about why critical vendors are so vital. Critical vendors involve significant financial institution activities, which means activities that they:

  • Could cause a financial institution to face significant risk if they fail to meet expectations
  • Could cause significant issues if errors were made
  • Could have significant adverse customer impacts
  • They require significant investment in resources to implement the vendor relationship and manage the risk.

Here is a pretty thorough list of the items you should be reviewing on your critical risk vendors:
  1. Financial Reports: you need to review and evaluate the financial health of the company as an ongoing concern.
  2. SOCs: you need to analyze the operating controls of a company and determine any gaps between the financial institution and the company.
  3. Audit Reports: you should ensure the appropriate management of all operating controls and regulatory guidance.
  4. Policies and Procedures / Scripting: you need to be certain the company has governing controls to comply with regulations.
  5. Any required licensing and insurance, such as PCI compliance or general liability insurance
  6. Review Background check and hiring procedures: Ensure the company does background checks on their employees.
  7. Information Security Policy: Ensure the company has one.
  8. Business Continuity Plan: Ensure the company has a fully tested plan.
  9. Network diagram: Ensure the company has thorough documentation.
  10. Penetration testing results and what they have done to mitigate any potential weaknesses.
  11. Disclosure of any material litigation: Ensure you know legal background.

Finally, and perhaps most important of all – you need a well thought out and thoroughly tested exit strategy to be sure you have a plan should something unexpected happen. You should even try to include this exit strategy in the contract between your institution and your critical vendors.

To recap…

The business impact of a critical vendor is something you need to carefully evaluate and plan accordingly. It's important to your institution and to your customers.

Again, my name is Dana Bowers and thank you for watching! If you haven’t already, subscribe to the Third Party Thursday series.


Subscribe to our Third Party Thursday Newsletter

Receive weekly third-party risk management news, resources, and more to your inbox.


New Call-to-action

Ready to Get Started?

Schedule a personalized solution demonstration to see how Venminder can transform your vendor risk management processes.

Request a Demo