Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

resources-whitepaper-state-of-third-party-risk-management-2023
State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.

DOWNLOAD NOW

When to Review Vendor Information

4 min read
Featured Image

Due diligence is essential when onboarding a new vendor. After all, due diligence is the process that initially enables an organization to determine if a vendor has the necessary controls to mitigate identified risks. But, what happens after initial due diligence? How does an organization confirm that a vendor's risk controls and performance remain satisfactory throughout the vendor relationship?



Vendor reviews are the key. The vendor review process is at the heart of ongoing monitoring. What should your organization review and how often? Read on to find out.

What Vendor Information to Review

02.16.2022-when-to-review-vendor-information-GRAPHIC-1

Even after you’ve performed initial due diligence and the vendor is onboarded, there’s plenty of items that still need to be re-reviewed on a regular basis. Reviewing the following items will ensure that your organization remains aware of any issues so they can be addressed quickly:

  • Inherent risks: When preparing for vendor reviews, the best place to start is to confirm that the risks initially identified as part of the inherent risk process are the same. If the vendor products or services, or volumes, have either changed, expanded or scaled back, you’ll need to consider that as part of your vendor review. New or emerging risks may need additional controls that weren’t necessary before.
  • Vendor provided documentation: Documentation and other information provided by the vendor should be reviewed to ensure that it is current and complete. Items like SOC reports and insurance certificates expire, and internal vendor policies have been reviewed or updated within the last two years.
  • Sufficiency of controls: Like due diligence, subject matters experts (SMEs) should review vendor controls and assess if they’re satisfactory, providing written reports detailing their evaluation. SMEs should also review any mitigation evidence and confirm that the issue is closed.
  • Vendor performance: Confirm compliance with contractual service level agreements (SLAs) and key performance indicators (KPIs). Consider any proactive vendor improvements or innovations as part of the review.
  • Vendor issues or incidents: If the vendor has had any incidents (breach, outage, business interruption, negative news story, etc.), details of the incident, response, and outcome should be reviewed. Open vendor issues along with their associated remediation plan, progress towards closure and timing should be incorporated into the review.

When to Review Vendor Information

02.16.2022-when-to-review-vendor-information-GRAPHIC-3

 

Risk and criticality are the primary factors when determining how often to formally review your vendors. Remember, you must review both the vendor's risk and performance periodically.

Let's take a look at recommended review routines:
  • Formal risk reviews: Many regulations, as well as best practices, dictate that critical and high-risk vendors must undergo a formal risk review at least annually. Moderate vendor risk reviews can be spaced as much as two years apart. When it comes to low-risk vendors, every three years is sufficient, or there may not be enough risk to justify a formal review.
  • Performance-based reviews: Frequent, proactive performance reviews enable your organization to recognize emerging issues and remediate them before they become serious problems. As such, it’s recommended that critical and high-risk vendors should have performance reviews quarterly. Moderate-risk vendors should have performance reviews twice a year or, depending on the product or service, annually. And, since most low-risk vendors are transactional, performance reviews aren’t always necessary and are at your organization's discretion.
  • Event or issue-driven reviews: Certain vendor events may warrant a more frequent review of the vendor's risk or performance. For example, a vendor who has experienced a data breach should be subject to expanded and more frequent risk reviews until your SME can confirm their controls appropriately mitigate the risk. Likewise, a vendor with declining performance should have more frequent reviews until the issues are resolved and expected service levels resume.
  • Regulatory-focused reviews: Regulatory requirements can change or expand. When this happens, it’s essential to identify which of your vendors are subject to the requirement and organize a review to verify their compliance at the first possible opportunity.

What if a Vendor Problem Surfaces?

02.16.2022-when-to-review-vendor-information-GRAPHIC-2
Vendor reviews can confirm that all is well and that there are no urgent risks or performance issues to resolve. In that case, you can continue to follow your regular risk and performance processes and review schedules. But, what happens if problems have been surfaced through the vendor review process?

Here are some suggested actions to take when facing these situations:
  • Collaborate with your subject matter expert to determine the severity of the issue and its potential impacts: If you notice insufficient or missing controls, this is the first step. Suppose the issue is severe and the vendor is classified as critical or is high-risk. In that case, you should inform senior management (and possibly the board), apprising them with the details of the issue, any remediation plans and a timeline for correction. In some cases, there may be a need to solicit a formal risk acceptance from senior leadership until the problem is fixed. No matter the vendor's risk level or criticality, issues should be documented and tracked until they're resolved.
  • Review the vendor contract: When you discover a performance decline or failure, it's recommended to review your contract. Your contract may have specific remedies in place to help address the situation. In addition, make sure the vendor understands the issue and can respond with a root cause analysis (what went wrong and why) and a timebound performance improvement plan. Track the vendor's progress until the expected performance returns.

Timely, well-planned, and documented vendor reviews ensure that your ongoing monitoring processes are substantive. Not only are they a regulatory requirement for many industries and a best practice, but are a valuable risk management tool as well.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo