Vendor-Provided Resources

Your critical vendors provide products or services which your organization is highly dependent on. One of the most challenging exercises in third-party risk management is how to establish standards for identifying who those critical vendors are. Learn the questions you can ask to determine if a vendor is critical or non-critical. 

Download the infographic to learn: 

• How to determine the criticality of your vendors

• Examples of critical third parties at your organization

• The distinction between a critical and high-risk vendor

In June, the Federal Reserve Board (the Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) released official interagency guidance on managing third-party relationships and banks of all sizes are expected to comply now. What does this mean for your third-party risk management program? This eBook covers some of the essential details and highlights new or expanded expectations. 

Download the eBook to learn: 

• Who is covered under the new guidance 

• 7 key takeaways from the guidance

• Common questions about the guidance with answers

Results from Venminder’s seventh annual Third-Party Risk Management survey provides an in-depth look at current practices, challenges, compliance incentives, and third-party risk management benefits. This whitepaper is full of industry statistics from data collected on a wide variety of organizations and industries, including financial services, fintech, retail, food services, insurance, healthcare, information technology, and more in a nice balance of different sizes ranging from less than $1B assets or less than 100 employees to more than $10B assets or more than 5,000 employees. While third-party risk management is a well-established practice, it’s also a constantly evolving one. Organizations of all sizes and industries must continually adapt and change to effectively identify, assess, manage, and monitor vendor risks. 

Download the whitepaper for industry stats and best practices you need to be aware of to make informed decisions on topics such as: 

• Organizational structure and program investment

• Vendor landscape and operating models

• Vendor risk assessments and vendor due diligence questionnaires and requirements

• TPRM metrics, pressures, emerging risks, ROI

• Outsourcing TPRM

• And much more!

Third-party risk management guidelines and regulations are no longer only issued by financial services regulatory agencies. Many other industries are seeing the value in managing risk and looking at it with more scrutiny. And, it’s always recommended to look to one another and follow current third-party risk management best practices. This eBook contains helpful information and tips to comply with some of the third-party risk management best practices. 

Download the eBook to learn:

• Industry regulators and guidance and regulations to be aware of

• Key takeaways from each one

• Tips to comply with TPRM guidance and regulations

Writing and updating a third-party risk management policy can be a time-consuming process, and without guidance or help, it can be challenging to know where to start. 

These two valuable templates can be used as the foundation to customize and align to your organization’s third-party risk management framework. Each policy contains best practices and processes to meet regulatory requirements and/or follow the third-party risk management lifecycle. 

Download the templates for:  

• Two customizable and fillable third-party risk management policy documents 

• Instructions and supporting guides to assist 

• Best practice structure and flow 

• Following regulatory requirements in your third-party risk management policy 

• Aligning to the third-party risk management lifecycle

Performing a vendor risk assessment can be intimidating, but it’s a worthwhile time investment and a necessary component of a third-party risk management program. You don’t know the risk elements and level of risk associated with a vendor until you do one. Learn the tried-and-true steps to completing a vendor risk assessment by downloading this infographic. 

Download the infographic to learn:

• Steps to complete a vendor risk assessment 

• Determining inherent and residual vendor risk

• Next steps after the vendor risk assessment

Not all vendors have the same level of risk. Risk-based vendor due diligence will save you valuable time and resources in your vendor risk management program. To ensure your organization is more effectively managing vendor risk, it’s important to define the types, amounts, and frequencies of due diligence based on the vendor engagement’s risks. 

Download the infographic and matrix to learn: 

• What risk-based vendor due diligence is and why it matters

• The steps of performing risk-based vendor due diligence

• Examples of risk-based vendor due diligence

• A matrix that provides guidelines for the suggested frequency of due diligence reviews based on criticality and inherent risk

To verify your vendor has adequate internal control in place to protect your data, you must request and assess their SOC reports. It can get confusing what each SOC report covers and what each report means. To help guide you and your team in understanding what those differences are, here’s a simple one-page infographic. 

Download the infographic to learn:

• What the SSAE 18 and SSAE 20 are

• Definitions of each vendor SOC report and when to use them

• How each SOC report benefits your organization

Even for seasoned professionals, reviewing a vendor’s SOC report can be a daunting task. It’s great if there are no red flags, but what do you do if the SOC report is filled with issues that the auditor found? Your organization must determine how to proceed with the vendor, whether that’s addressing the issues or passing on the vendor relationship. This infographic covers the key next steps after an unfavorable SOC report. 

Download the infographic to learn:

• Next steps after an unfavorable vendor SOC report

• Examples of responses to your vendor

• Reminders to ensure your review of a vendor’s SOC report is effective

Regardless of your industry, the third-party risk management lifecycle is a practical, risk-based framework to identify and mitigate issues that come from third-party relationships while also explaining ongoing and offboarding activities. Use this lifecycle to optimize your third-party risk management program resources, achieve regulatory compliance, and protect your organization and its customers from vendor risk. 

Download the full lifecycle toolkit that includes:

• eBook: A comprehensive guide covering the third-party risk management lifecycle stages

• Infographic: A more concise version of the stages of the third-party risk management lifecycle

• PowerPoint Template: A customizable template to help train your team about key aspects of third-party risk

• Printable 1-Page PDF: An easy-to-print overview of the third-party risk management lifecycle

Third-party risk management reports should be consistent, accurate, and easily accessible. Stakeholders, such as risk committees, senior leadership, and the board of directors, need high-quality reports that will support their decision-making. Use this infographic as a guideline for important data to collect and continuously update. 

Download the infographic to learn:

• 6 types of third-party risk management reports to develop and maintain

• Data to include in the reports

• The purpose of each report and how to get started

• Pro tips to be aware of

What are the vendor due diligence items you need to consider when reviewing your third parties? There are many due diligence related documents and information to gather. Use this handy checklist when thinking through the vendor due diligence you should be collecting and assessing. 

Download this checklist for: 

• What items you should consider gathering

• Keep track and check off each item as you complete your process

• Have confidence thorough vendor due diligence is being performed