Gobble Til You Wobble. What Is an Acceptable Vendor Risk Appetite?


You may or may not realize this yet, but every organization has a risk appetite. ISO 31000 defines risk appetite as the amount and type of risk that an organization is prepared to pursue, retain or take on. In vendor management, it means determining whether a risk posed by using a vendor’s product or service is acceptable. You must determine whether the benefit of the product or service to the organization outweighs the risk.

Who’s Responsible for Vendor Risk?

The board of directors is typically responsible for setting the organization’s risk appetite. One of the ways they do this is by setting a dollar amount that the organization wouldn’t be willing to take on, but this will vary from organization to organization.

For example, a small organization may deem a material loss to be any loss greater than $25,000, whereas a mid-sized organization may deem a material loss to be any loss greater than $4 million. As the organization grows and matures, the risk appetite may expand.

The Vendor Risk Appetite Statement

While every organization has a vendor risk appetite, not all organizations have a risk appetite statement. Writing a risk appetite statement is one of the first steps an organization takes to ensure it understands the threshold it is unwilling to cross, so you should have one. The statement defines the acceptable risk based on quantitative and qualitative measures. It establishes set guidelines that are regularly examined and modified, as needed. The following people are usually involved in developing a risk appetite statement:

  • The board
  • Senior management
  • Business unit leaders
  • The finance department
  • Anyone involved in strategic planning

6 Tips to Help You Develop a Successful Risk Appetite Statement

Here are six best practices that we recommend you implement as you develop a risk appetite statement:  

  • Set the tone from the top. Having board support will be critical to your successful implementation. You’ll want to ensure the risk appetite statement is shared throughout the organization and that every line of business understands what it is and why it’s important.
  • Get it approved by the board. This is a must.
  • Make it enterprise wide – it’s really the only way to go. Your effort to maintain a risk appetite will fall apart if every line of business isn’t onboard.
  • Ensure it fits within your organization’s overall philosophy. It’s very important that the risk appetite statement fit the overall strategic plan and strategic vision of the organization.
  • Match your risk appetite statement with your organization’s mission, goals and objectives.
  • Create qualitative and quantitative statements for the relevant risk types. You’re going to have to work your way through the various types of risk your organization decides to address. We always counsel clients to make sure they cover the SCORE risks, which are strategic, compliance, operational, reputation and expense risk.

Acceptable Vendor Risk Appetite

Now you must be wondering, “What’s an acceptable vendor risk appetite?” Well, that will depend upon your organization and your industry. As mentioned earlier, every organization has a different definition of material loss. Just like material loss, risk appetite is unique to each organization.

Different Variables: Again, it’s important to make crystal clear that there isn’t a one-size-fits-all approach to creating your vendor risk appetite. What may need to be considered in a vendor risk appetite at one organization may not need to be factored in at another organization. Let’s look at an example of how a risk appetite can vary even in the same industry:

  • If you’re in the finance industry, there’s a chance you’re employed at an insurance company, or you could be employed at a financial institution, such as a bank or credit union. That said, an insurance company will have a very different risk appetite than a financial institution. The insurance company will have defined its risk appetite in terms that fit the insurance vertical, the underwriting they have in place and the underwriting they plan on engaging. The financial institution will have to take factors like the loan portfolio and the credit risk they’re willing to accept into consideration. Managing a loan portfolio and its attendant credit risk is unique to banks and credit unions. In this example, you can see how even though both organizations are in the financial services industry, they will focus on slightly different factors when creating a vendor risk appetite.

Different Sizes: Size of the organization is also a factor. Typically, larger organizations tend to have a wider or larger tolerance for risk than smaller ones. If we look at a small $25 million organization, they’ll have a vastly different view of the dollar amount and types of risk they’re willing to take on in comparison to a $50 billion organization. The dollar amounts and the type of risk will vary greatly.

It’s recommended you start small and work your way into the development process. As the saying goes, don’t bite off more than you can chew. Start with the SCORE acronym and work your way through each of the five components, beginning with strategic risk. As you complete this exercise, you’ll learn a lot about your organization and the organization’s risk appetite. Once that’s completed, you’ll have a foundation to tackle any other type of risk your organization would like a risk appetite statement to cover.

We understand this can be a new concept for you and your organization. Risk appetite can take some time to fully grasp. As always, be diligent in your efforts. Focus on developing your organization’s risk appetite a little at a time until you end up with a risk appetite statement that is comprehensive, fits your organization’s objectives and is fully acceptable.
