Understanding Vendor Risk Management The Vendor Risk Management application provides a centralized process for managing your organization's vendor portfolio and completing the vendor assessment and remediation lifecycle. Also, integrating with other GRC applications, provides top-down traceability for compliance with controls and risks. Who uses Vendor Risk Management? Risk analysts Vendor risk manager Functional department heads responsible for vendor compliance. For example: Account Executive Senior Corporate Counsel Director, Information Security Director, HR Operations Director, Information Technology Vendor Risk Management workflow The vendor risk manager can add vendors and specify the primary contact and other contact information. If Vendor Risk Management is integrated with other GRC applications, the vendor risk manager maps controls to the assessment questions. The vendor risk manager creates assessment templates, questionnaire templates, and document request template, and prepares the assessments. The vendor risk assessor prepares and sends assessment to the vendor. The vendor primary contact receives the assessment in email and signs into the Vendor Portal. From the portal, the primary contact can invite other collaborators to complete portions of the assessments. The Vendor Portal provides a listing of all assessments and the status of each. Once complete, the primary contact submits the assessment through the portal back to the vendor risk analyst. The vendor risk analyst uses the Vendor Portal to see the progress of all assessments, see all the responses and see any generated observations. Activate Vendor Risk ManagementThe GRC: Vendor Risk Management (com.sn_vdr_risk_asmt) plugin is available as a separate subscription.Domain separation and Vendor Risk ManagementThis is an overview of domain separation as it pertains to Vendor Risk Management (VRM) and how it relates to VRM data separation. Domain separation allows you to separate data, processes, and administrative tasks into logical groupings called domains. You can then control several aspects of this separation, including which users can see and access data.Manage assessmentsAssessments are created from templates which define questionnaires, document requests, and frequency of the assessment. Manage vendor risk assessment issues and remediationIssues and tasks are created on-demand before the assessment is closed, usually during the Generating Observations state. The vendor risk analyst assigns vendors as needed and communicates using comment streams to achieve closure on non-compliance.