
Frequently Asked Bank & Credit Union Vendor Management Questions


Vendor management can be an arduous, time-consuming process. Most banks know who their critical vendors are. However, they typically lack the tools and/or knowledge to accurately document their risk management review and to obtain the due diligence information those vendors require.

During the course of Porter Keadle Moore's audits, we are typically asked the same questions by our clients regarding the vendor management process. We thought we'd share a few of these questions and our answers.

Questions & Answers

1. “Do I have to evaluate all of my vendors?” Unfortunately, the answer is yes. Until you have weighed each vendor against the various risk categories (more on that in a minute), it is difficult to say which vendors pose a risk to your bank or credit union. By including all of the vendors in this process, you may be able to identify risks and implement appropriate mitigating controls for risks not previously considered. For example, do you know what information your cleaning crew has access to and do you have a clean desk policy (that is enforced) to mitigate the risk?

2. “What should I consider when evaluating the risk of each vendor?” The answer is that each vendor should be evaluated against the various risk categories, which include, at a minimum, strategic, reputational, legal/compliance and operational/transactional risk.

Strategic risk is the risk that the vendor's strategy does not align with the bank or credit union's strategy, or that the vendor is not capable of assisting the financial institution in achieving its strategic plan. Some questions to think about include:

  • Is the vendor quick to market with innovative products and services to provide the bank or credit union with a competitive advantage?
  • Does the vendor make it difficult to integrate best-of-breed products and services?
  • Will the bank outgrow the vendor, or will the vendor even be around in five years?

Reputational risk is the risk that the vendor does (or doesn’t do) something that harms your bank’s reputation. Some questions to think about include:

  • What if the vendor is breached?
  • What if the vendor suffers a disaster or is otherwise unavailable?
  • Does the vendor have controls in place to minimize the potential for errors that would be evident to your customers?

Legal/compliance risk can stem from a vendor that is not complying (either knowingly or unknowingly) with legal or regulatory requirements, which in turn puts your bank at risk. Some questions to think about include:

  • Does the vendor possess or have access to non-public customer information protected under the Gramm-Leach-Bliley Act (GLBA)?
  • Does the vendor maintain its patents?
  • Does the vendor provide and maintain forms that the financial institution relies on for legal and/or compliance disclosures to customers?

Operational/transactional risk is the possibility that the vendor's internal controls are not designed or operating correctly, which may result in financial misstatements, incorrect reports, or processing errors. Some questions to think about include:

  • Does the vendor have a Service Organization Control (SOC) report conducted annually? Does it cover the actual services provided?
  • If key applications are supported by the vendor, how do we gain comfort that program changes completed by the vendor are correct?
  • Does the vendor maintain proper staffing levels and provide cross-training so that ongoing operations can continue if key personnel are unavailable?

3. “How much information do I need to obtain to perform due diligence for my vendors?” The answer becomes easier once you understand what each vendor does for you and what risks it poses. If your vendor risk assessment has rated your core processor as high risk in one or more of the categories above, then you should at least obtain a SOC 1 report, business continuity plan (BCP) testing results and financial statements.

For vendors that house or have access to non-public customer information, such as colocation facilities or online data backup providers, a SOC 2 report and financial statements might be sufficient.

For vendors such as your document destruction company, your due diligence may only need to include receiving signed confidentiality documents if you already have compensating controls in place, such as on-site destruction overseen by a member of your management team.

For some vendors, you might not need any formal documentation; rather, you implement (and periodically test) mitigating controls for vendors that have physical access to your facilities. For strategic risk, you may task your IT steering committee with periodically monitoring the vendor in light of the bank’s strategic plan.

In summary, if you know your vendors, understand the risks that they pose, and determine how to best evaluate them, you will be on your way to having a strong vendor management program.

