Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

resources-whitepaper-state-of-third-party-risk-management-2023
State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.

DOWNLOAD NOW

Top Vendor Contract Terms to Know

6 min read
Featured Image

Your vendor contract is an invaluable tool for protecting your organization against the various risks that your third parties pose. However, for many, the terminology, language, and nuance within a contract can be confusing, which makes the review and approval process difficult to navigate.

In this blog, we’ll look at several of the most important vendor contract terms that you should know, so that you can more effectively review and understand vendor contract terminology.  

22 Top Terms to Know for Your Vendor Contracts

The language in your vendor contracts should be clear and accessible so that the involved stakeholders can grasp the meanings, expectations, and requirements within the contract. However, not everyone is a legal or third-party risk management expert.  

To help, here are several of the top terms that you should know and how they apply within a vendor contract: 

  1. Amendment vs addendum – An amendment is a modification or change to the original vendor contract, whereas an addendum clarifies or adds a provision to the contract without changing the language. 
  2. Business continuity plan – Your vendor’s business continuity plan outlines how your vendor will continue to provide a product/service at an acceptable level during a business-disrupting event. Your contract outlines your expectations of your vendor in the event of an incident or requires that your vendor has a business continuity plan that meets your requirements. 
  3. Compliance – When your vendor needs to adhere to regulations, industry-specific standards, laws, or your organization’s internal policies and procedures, compliance is a must. You should outline in the vendor contract how compliance will be achieved. 
  4. Confidentiality agreement – In a confidentiality agreement, your organization and your vendor agree to keep certain information private and explain how each party will do that.
  5. Contract duration – This refers to the time frame for your contract’s duration and includes renewal terms, non-renewal terms, and termination notice periods. 
  6. Critical vendor – A vendor is critical when they provide a product or service that your organization needs to function. If the loss of the vendor would have a negative impact on your operations or customers, they are likely a critical vendor.  Critical vendor contracts require more provisions for security, business continuity, service levels, etc. 
  7. Dispute resolution – In case of future disputes, your vendor contract should outline how and where disputes will be heard and settled. 
  8. Due diligence – Due diligence is the process of collecting and reviewing documentation to validate whether your vendor has sufficient controls in place to mitigate the risks associated with their product or service. Due diligence should be conducted during both the onboarding (and while you’re preparing the vendor contract) and ongoing stages of your relationship. 
  9. Fourth party – Your fourth parties are your vendor’s vendors. They are also called subcontractors and nth parties. Your contract may contain clauses such as standards for how your vendor needs to manage their vendor risks and an identification process for critical subcontractors, a right to audit clause, ongoing monitoring procedures, and indemnity and insurance requirements. Be sure to specify that the vendor is responsible for performance regardless of whether it was performed by a fourth party or not.  
  10. Inherent risk – This is the natural or raw risk that exists in your vendor relationship, product, and service. The measure of inherent risk doesn’t account for any mitigation controls. Your contract must contain details on the controls that the vendor will provide to manage the inherent risk.
  11. Insurance standards – Within your vendor contract, insurance standards require that your vendor is held liable for incidents that negatively impact your organization’s operations and finances. 
    vendor contract terms
  12. Service level agreements (SLAs) – Your SLAs are a key component of your vendor contract which describe the products/services that your vendor will provide, your expectations for your vendor, and terms describing what will happen if the vendor fails to meet those expectations. 
  13. Key performance indicators (KPIs) KPIs are a key vendor contract term to know. They’re metrics used to create a full picture of your vendor’s performance and determine whether the vendor meets organizational goals or objectives. Be sure to only use KPIs that are relevant to your business objectives. Include KPIs in your SLAs to hold your vendor accountable for their performance and to set metrics for measuring your vendor’s performance throughout the relationship. 
  14. Key risk indicators (KRIs) KRIs measure how risky a vendor relationship, product, or service is, and the impact that the risk could have on your organization. These are used to determine whether the risk exceeds your organization’s risk appetite. Make sure you review the vendor as a whole so that you can be aware of any potential risks. Then work with your vendor to build additional provisions into your contract to help mitigate those risks.
  15. Residual risk – Your residual risk is the risk that remains after your vendor’s controls have been considered. The measure of residual risk helps verify whether the vendor’s controls effectively manage the inherent risk. Look out for a clause in your contract for liability against certain residual risks. 
  16. Right to audit clause – Another important vendor contract term is the right to audit clause. It obligates your vendor to provide your organization with data and reporting documents at any time during the relationship. These documents can include SOC reports, compliance reporting, insurance certificates, billing audits, information security policies, and business continuity/disaster recovery plans. 
  17. Termination clause – Your vendor contract must contain the terms for contract termination, including the steps to be taken when terminating a contract, as well as reasons for early termination if a vendor fails to meet your standards or performance expectations. 
  18. Third-party incident response plan – Your vendor should have a formal document that outlines exactly how it will respond if an incident occurs. This plan should meet your organization’s standards and include provisions such as notification timelines, a point of contact, and steps for investigation and remediation. Include your requirements for your vendor’s incident response plan in your contract to ensure that their policy meets your standards and meets your organization's requirements. 
  19. Vendor – Your vendor (also known as a “third party”) is a business entity or individual that provides a product or service to your organization or to your customers on your behalf.  The vendor’s responsibilities, as well as your organization’s, should be outlined in the vendor contract, along with the product or service you’re purchasing and pricing and payment details. 
  20. Vendor internal controls - Your vendor’s internal controls are the processes that ensure various policies and procedures are running correctly. These controls include background checks, physical security, and building sign-in sheets. Outline your requirements for your vendor’s internal controls in your contract to ensure  the controls align with your organization’s requirements.                           
  21. Vendor owner A vendor owner oversees the day-to-day vendor relationship and is responsible for performing third-party risk management tasks outlined in your organization’s policy. These tasks include managing vendor performance, addressing issues, and monitoring the vendor for any new or emerging risks. Your contract must outline key responsibilities for risk management tasks and either designate an individual or require that an individual is assigned the role. 
  22. Zero trust model – A zero trust model is a security control used to ensure that your vendor’s access to privileged networks and sensitive information is limited to the minimum requirements needed to perform normal operations. A contract may not mention a zero trust model by name, however it must have information regarding the vendor’s security controls and how they effectively protect your information.

Overall, your vendor contract must contain clear language which sets the foundation for your relationship. Because vendor contracts are so detailed and contain many important provisions needed to manage risk, it can be difficult to understand all the nuances and meanings contained within. However, by learning these top vendor contract terms, you’ll be able to craft a more effective contract and set your relationship up for success. 

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo