Understanding Vendor Risk Management

The Vendor Risk Management application provides a centralized process for managing your organization's vendor portfolio and completing the vendor assessment and remediation lifecycle. When integrated with other GRC applications, it also provides top-down traceability for compliance with controls and risks.

Who uses Vendor Risk Management?

  • Risk analysts
  • Vendor risk manager
  • Functional department heads responsible for vendor compliance. For example:
    • Account Executive
    • Senior Corporate Counsel
    • Director, Information Security
    • Director, HR Operations
    • Director, Information Technology

Vendor Risk Management workflow

  1. The vendor risk manager can add vendors and specify the primary contact and other contact information.
  2. If Vendor Risk Management is integrated with other GRC applications, the vendor risk manager maps controls to the assessment questions.
  3. The vendor risk manager creates assessment templates, questionnaire templates, and document request templates, and prepares the assessments.
  4. The vendor risk assessor prepares and sends the assessment to the vendor.
  5. The vendor primary contact receives the assessment in email and signs into the Vendor Portal. From the portal, the primary contact can invite other collaborators to complete portions of the assessments.
  6. The Vendor Portal provides a listing of all assessments and the status of each. Once complete, the primary contact submits the assessment through the portal back to the vendor risk analyst.
  7. The vendor risk analyst uses the Vendor Portal to track the progress of all assessments, review all responses, and view any generated observations.