How Much Vendor Oversight Is Enough?

Vendor risk management, and compliance in general, can be perceived as a cost center, so we often hear one question from clients that gives us pause: how much oversight is enough? It’s a valid question and deserves a thoughtful response. We’ll explore a couple of approaches and scenarios.

Scenario 1

I’m a mortgage lender who was recently acquired by a bank. I’m regulated by the CFPB and my parent company follows the OCC guidance. How do I design my oversight program?

  • This is a great question, and the answer really hinges on the overall risk approach that both financial institutions are taking. Put simply, an approach that takes the best of both worlds offers the most balanced perspective. The examiner must consider best practices from both regulators. A word of caution, though: they may be biased based on who they are representing.

Overlap

  • It’s worth noting that the CFPB guidance on third-party service providers is based on the original guidance set out by the OCC. The OCC guidance is considered the gold standard when it comes to vendor oversight practices. A best practice as you tackle the requirements is to identify the key components of each regulatory guideline, find where they overlap, and use that common ground as what we call your foundation.

Highlights

  • When a guideline from one agency seems more stringent than the other’s, consider it something of a hot topic and think about how it can be incorporated into your policy and procedures. If an area is discussed by one agency and omitted by the other, then perhaps it should be considered the cherry on top. From a high-level view, this would appear to be a thoughtful and considerate approach to the vendor oversight requirements, one which would satisfy both agencies.

Scenario 2

There’s always deregulation chatter. Can’t I just wait for the regulations to change and dodge the oversight bullet?

  • This may play out to become a reality. But here is the crux of the issue: if we have learned anything from the financial crisis of 2006-2008, it is that consumers went through unprecedented levels of hardship and, in many cases, financial ruin.

If your organization is truly focused on customer service excellence and creating a customer-for-life culture, then why would you cut corners in areas that are instrumental to your success?

Questions to Consider:
If regulations pertaining to vendor oversight were rolled back, would that mean:

  • Risks to NPPI would diminish?
  • Service levels would no longer matter?
  • Cybersecurity risks would cease?
  • The financial viability of your vendor partners would no longer be important?
  • Reputational risk, operational risk and financial risk would all decrease simply because there is no regulatory mandate in place?

So Where Does That Leave Vendor Oversight?

From this vantage point, vendor risk management has a legitimate role in adding value and minimizing risk for the organization. While regulations may come and go, the risks that we face today are unlikely to fade away. 

Put simply, if a vendor serves as a key component of your operation, then they are by all accounts an extension of your operation. It would therefore be prudent to ensure that they serve your clients and fulfill their obligations in the same manner that your internal operations would.

If we return to the original premise, what is enough oversight? The clearest and most concise approach is to take the basics of oversight (initial due diligence, ongoing monitoring and annual assessments) and scope out what is really important to review for each vendor (SOC, business continuity plan, disaster recovery, financial, regulatory compliance).

In addition, vendor products and services vary. One vendor may have access to NPPI but not be consumer facing, while another, such as a mortgage servicer, not only has access to client information but also interacts directly with clients. Therefore, oversight should be tailored to address the risks and concerns each vendor presents to the organization.

Adherence to oversight ultimately comes down to your organization’s compliance culture. Am I doing this because I am mandated to, or am I implementing these best practices to protect my consumer and the future longevity of my brand?
