Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

About

Venminder is an industry recognized leader of third-party risk management solutions. 

Our Customers

900 organizations use Venminder today to proactively manage and mitigate vendor risks.

Get Engaged

We provide lots of ways for you to stay up-to-date on the latest best practices and trends.

Gartner 2020
Venminder received high scores in the Gartner Critical Capabilities for IT Vendor Risk Management Tools 2021 Report

READ REPORT

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

resource-whitepaper-state-of-third-party-risk-management-2022
State of Third-Party Risk Management 2022

Venminder's sixth annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.

DOWNLOAD NOW

video

Vendor Management Risk Assessments

CPE Credit Eligible
HubSpot Video

What you need to know about vendor risk assessments. 

Throughout this video we are going to talk through what you need to know about vendor management risk assessments for your third-party risk management program. 

You may also be interested in:


Video Transcript

Welcome to this week’s Third Party Thursday! My name is Stephanie DellaCamera and I’m the Client Support Operations Manager here at Venminder.

Let’s talk about one of my absolute favorite topics – risk assessments. It's one of the significant pillars of third party risk management and is tied closely to every other activity you are going to perform.

In this video, we’ll talk in detail about some best practices on doing a risk assessment, including the two pronged approach, determining criticality risk and documenting analysis. 

The best practice I hear discussed a lot, is a two pronged approach. You want to slice a risk assessment into two fundamental branches. One of these is Business Impact risk and the other is the various regulatory risk categories such as strategic, operational, credit, reputation and transaction risk, and those are just to name a few. 

I should also mention country risk since the protection of your customers’ data is especially a concern when one of your third parties uses an offshore service provider. Just Remember, that once you’ve assigned your Business Impact risk, for those you have deemed critical third parties, you will need an exit strategy

The regulatory risk drives more due diligence and also how much or how frequent your monitoring should be. Business impact is rated as Critical or Non-Critical, while each of the regulatory risk categories are rated as High, Moderate or Low… and you should use some objective questions to determine and assign that risk rating.

There are some pretty good tools out there, like Shared Assessment’s SIG and SIG Lite questionnaires that incorporate hundreds of questions.

Now, Back to Business Impact risk. You know, it’s interesting when you compile your list of vendors and your lines of business are quick to claim that nearly all of their vendors are critical, so you need to help them with the definition.

Ask yourself these 3 questions:

1. Would a sudden loss of the vendor cause a material disruption to your business?

2. Would it cause an impact to your customers?

3. Would the time to recover be greater than a business day?

If you answered “yes,” to any of these, you should call them a critical vendor and consider any additional steps you want to take. For example: contractual commitments, notification timeframes or developing exit strategies.

It’s also a best practice to make sure to keep senior management and your board informed when there are significant change in criticality rating or major events with one of your critical third parties… things like a data breach are obvious, but a sudden downturn in earnings or departures of key executives should be items reported to your board as well.

You can have a Critical vendor from a business impact perspective who is Low risk from a regulatory perspective – for example, think of the phone company. They’re vital to your business but probably not much of a regulatory risk.

On the other hand, you can have Non Critical High risk vendors – think of the shred company – they’re easy to replace but have all sorts of access to your customer information.  So, again, we have Business Impact risk on one side and all the categories of regulatory risk on the other.

Finally, make sure the actual risk assessment is documented, not just the scores you arrived at but the questions, analysis, and thought process that went into it. That way, you have something to look back on as your assessment of their risk may change in the future or even to just compare and contrast when looking for issues among similar providers.

More mature programs may also look at both the initial or inherent rating. For example, the rating of a category, as you first analyze it and then apply mitigating controls to lower or at least control the risk more carefully resulting in a residual risk. 

All these practices are certainly in place for the larger institutions and more mature programs, but the baseline of making sure you are doing some level of risk assessment and thoroughly documenting your analysis are really the key points. 

One of the real challenges we all face is that there is no universal template, no form 1040 like you use in taxes, it’s all up to the institution to define what they want it to look like. We’ve seen reports from highly analytical grids that look like a kids report cards to a lengthy narrative that looks like a memo with numerous sections. 

Finally, one huge cautionary statement, as I know it sometimes causes front line managers to freak out – a High risk rating is not a bad thing – some people feel like if a company is deemed to be a high risk overall, perhaps we shouldn’t be doing business with them. And that’s not the case at all! In fact, you would reasonably expect a company that has extensive access to your customers’ data to be a high risk – think of your core processor or your outsourced call center… I’ve literally had hundreds of discussions with managers on why High risk ratings does not, at all, mean it’s a bad thing. 

It probably does mean you want to check on them more frequently or will require additional documentation, but it doesn’t mean you need to walk away from the relationship. Just document why it’s a high risk, identify what steps you can take to mitigate those risks, and who is responsible for ensuring it’s done.  

Individual accountability is always a good idea, particularly if that follow up activity sits outside of your team.

So there you have it, those are some best practices on doing a risk assessment.

  • Use that two pronged approach
  • Ask yourself the 3 questions to determine criticality of that vendor
  • Document properly by including the questions, analysis and the thought process that went into it
  • And, remember, high risk does not mean that vendor is bad

As always, thank you for watching! If you haven’t already, please subscribe to the Venminder Third Party Thursday series.

38116-newsletter

Subscribe to our Third Party Thursday Newsletter

Receive weekly third-party risk management news, resources and more to your inbox.

 

New Call-to-action

Ready to Get Started?

Schedule a personalized solution demonstration to see how Venminder can transform your vendor risk management processes.

Request a Demo