Third-Party Risk Management Reporting: What You Need to Know


When you consider the number of risks to identify, assess and manage throughout the third-party risk lifecycle, it's easy to understand why reporting is an essential part of any third-party risk management (TPRM) program. Knowing what, when and whom to report to can be challenging with so many vendors, stakeholders and data points.


All reporting serves two purposes: to inform the stakeholder and to drive action. What information do your stakeholders need to know? How should they act on that information? Good reporting answers those questions every time.

TPRM Program Reporting Metrics to Consider

For many industries, reporting is a regulatory requirement because the board and senior leadership are ultimately accountable for the organization's TPRM program. Even in a non-regulated organization, senior leadership will still need the information to determine the relative health and stability of the program and understand the amount and severity of risk in the vendor portfolio. Reporting data can also be used to confirm an organization’s compliance and make decisions regarding the TPRM program.

The list below is not all-inclusive, but these are some reporting metrics to include:
  • Vendor inventory: This should reflect the number of vendors by risk level or rating, clearly identifying critical vendors. Has the vendor population changed dramatically, grown or contracted? How many critical vendors do you have vs. the same period last year? Do you have a good full-time-employee-to-vendor ratio?
  • Risk assessments: This includes data collected from due diligence and periodic risk assessments. This metric should show how many vendors require these assessments and the number that are complete, on schedule or past due during a specific period. Document how many vendors weren’t approved during due diligence.
  • Program compliance: Are your business lines following the required processes and procedures for TPRM? Are there late or missing deliverables? How many exceptions have there been and why? Are the vendor risk assessments and performance monitoring taking place on time and meeting the requirements?
  • Vendor issues: Of your highest risk vendors, how many have open issues requiring remediation? Are any of those remediation activities delinquent? Have any of your high-risk or critical vendors had a breach or other major event? What about negative news? Material issues should be reported and monitored.
  • New or emerging risks: Are there new risks that were not identified during the risk assessment stage? Are there emerging risks within an industry, your organization or the vendor? Are there any trends in vendor performance that merit action?
  • Regulatory considerations: Have there been proposed regulatory updates or changes to current guidance? How will those changes affect your program, process and governance documents?

Reporting to Stakeholders

When you have identified the right reporting metrics for your program, you’ll need to consider what metrics to share in your reporting based on the stakeholder's level of interest, influence and impact.

Let's look at three common stakeholder groups and what they expect regarding reporting:
  • Risk committees: Most organizations will have some type of risk committee, which has the collective role of identifying and mitigating risks before they become material issues. As such, TPRM reporting should provide a regular view of program compliance and focus on new and emerging risks, vendor issues and items requiring action. Once an issue is identified, a treatment plan should be established. It’s a best practice to always present issues needing action to the committee first. That way, the right people to solve the problem are engaged before the issue shows up on a senior leadership or board report.
  • Senior leadership: Your organization's senior leadership (including executive leadership) is ultimately accountable for the health, stability and effectiveness of the TPRM program and will need to make decisions accordingly. Reporting to senior leadership should highlight items that need their approval or influence and should include a standard set of metrics (including targets and trends) to validate the program's health. These metrics include vendor portfolio size by risk rating, program compliance, significant vendor issues and new or emerging risks. Open issues appearing on this report should have an associated action plan.
  • Board of directors: The board of directors is accountable for TPRM program oversight. Data provided to the board should enable them to assess if the program is effective and working as intended. Reporting to this group of stakeholders should include a high-level view of the program size, risk exposure, compliance and material risk issues.

Reporting Frequencies

Consistent and simple reporting is a best practice that will earn you the support and trust of the organization's business leaders. Ensure you include a concise executive summary with your regular reporting to highlight key data points found in the report and provide conclusions or recommendations for the rest of the data.

Here's a guideline for other regular reporting cadences:
  • Monthly: It's a good idea to report on any new or emerging risks monthly. You may also want to review challenges with your TPRM program, but keep in mind that you should be prepared to provide solutions to those problems.
  • Quarterly: A quarterly report can provide insight into vendor performance levels and the status of your annual risk reviews. This may also be an appropriate time to review critical third parties and determine any next steps for terminating or exiting those contracts, if needed.
  • Annually: The information provided in a yearly report should be more comprehensive to highlight the challenges and successes of your TPRM program. Use this information to evaluate trends in your vendor profile, such as the overall volume and different risk levels. It's also recommended to provide a roadmap of program goals to implement for the upcoming year.

Keep in mind that the reportable data from your TPRM program is most valuable when it drives action. Reporting for the sake of reporting without any context or solutions serves little purpose. Ensure that your organization's business leaders are equipped to make informed decisions and necessary improvements to your TPRM program.
