Vendor Risk Management

Workflow

Complete Workflow (Step-by-Step)

1. Vendor Onboarding

You first add vendors into the system:

  • Company details
  • Contact person
  • Email & communication info
  • Vendor tier (critical, medium, low)

This creates a vendor profile.


2. Creating & Sending Assessments

You send a questionnaire (assessment) to vendors.

These include questions like:

  • Do you use Multi-Factor Authentication (MFA)?
  • Do you follow ISO/SOC2 standards?
  • How do you store sensitive data?

You can:

  • Send to one vendor
  • Send to multiple vendors at once (campaign)

3. Invitations & Access

When you send an assessment:

  • Vendor receives an email invitation
  • It includes:
    • Assessment link
    • Deadline
    • Instructions

The vendor clicks the link and starts filling in the assessment.


4. Reminder System (IMPORTANT)

This is something you asked for, and it is very important in real-world use.

If a vendor does NOT respond:

  • Automatic reminders are sent:
    • Before due date
    • On due date
    • After due date (overdue reminder)
  • Reminders include:
    • Pending assessment link
    • Updated deadline (if extended)
    • Warning or urgency message

Benefits:

  • Improves completion rate
  • Reduces manual follow-ups
  • Keeps process automated

You can also:

  • Manually resend reminders
  • Set custom reminder schedules

5. Vendor Completes Assessment

Vendor:

  • Answers all questions
  • Uploads supporting documents (proof)
  • Submits the assessment

Example:

  • Upload security policy PDF
  • Provide numbers (e.g., % of employees trained)

6. Scoring & Evaluation

The system automatically evaluates responses:

  • Each answer has a score
  • Some questions carry more importance (a higher weight)

Formula:

Score = (Achieved Value / Expected Value) × 100

Example:

  • Vendor trained 80 out of 100 employees
    → Score = 80%

7. Compliance Check

The system checks the vendor against frameworks like:

  • ISO 27001
  • SOC 2
  • NIST

It shows:

  • Which controls are met
  • Which are missing

8. Risk Identification

If a vendor fails certain criteria:

The system automatically creates risks.

Example:

  Issue                         Risk
  No MFA                        High Risk
  No employee training          Medium Risk
  Weak vulnerability handling   Critical Risk

Each risk includes:

  • Severity (High / Medium / Low)
  • Impact
  • Probability
  • Suggested mitigation
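The scoring rule from step 6 and the risk table from step 8, combined into one small engine. This is an added example, not code from the product described on this page; the question IDs, weights, pass thresholds, impact wording and mitigation text are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed question bank (hypothetical IDs, weights and expected values).
# "yesno" answers score 100 or 0; "numeric" answers score achieved/expected x 100.
QUESTIONS = {
    "mfa":           {"kind": "yesno",   "weight": 3.0},
    "training_pct":  {"kind": "numeric", "weight": 2.0, "expected": 100},
    "vuln_handling": {"kind": "yesno",   "weight": 4.0},
}

# Risk rules mirroring the page's table: (issue, severity, pass_score, impact, mitigation).
# pass_score is an assumed threshold; an answer scoring below it is a failed criterion.
RISK_RULES = {
    "mfa":           ("No MFA", "High", 100, "Account takeover via stolen passwords",
                      "Enforce MFA on all vendor accounts"),
    "training_pct":  ("No employee training", "Medium", 70, "Staff fall for phishing",
                      "Run yearly security awareness training"),
    "vuln_handling": ("Weak vulnerability handling", "Critical", 100, "Known flaws stay unpatched",
                      "Adopt a vulnerability and patch management process"),
}

@dataclass(frozen=True)
class Risk:
    issue: str
    severity: str
    impact: str
    probability: str
    mitigation: str

def score_answer(qid, answer):
    """Score one answer on a 0-100 scale; an unanswered question scores 0."""
    q = QUESTIONS[qid]
    if answer is None:
        return 0.0
    if q["kind"] == "yesno":
        return 100.0 if answer else 0.0
    return min(float(answer) / q["expected"], 1.0) * 100.0

def weighted_score(answers):
    """Overall assessment score: weighted mean of the per-question scores."""
    total_weight = sum(q["weight"] for q in QUESTIONS.values())
    return sum(QUESTIONS[qid]["weight"] * score_answer(qid, answers.get(qid))
               for qid in QUESTIONS) / total_weight

def identify_risks(answers):
    """Create one Risk record per failed criterion, as step 8 describes."""
    risks = []
    for qid, (issue, severity, pass_score, impact, mitigation) in RISK_RULES.items():
        s = score_answer(qid, answers.get(qid))
        if s < pass_score:
            # Assumed mapping: a zero score (or no answer) is "Likely", partial credit "Possible".
            probability = "Likely" if s == 0 else "Possible"
            risks.append(Risk(issue, severity, impact, probability, mitigation))
    return risks
```

A missing answer is treated as a failed criterion, so an incomplete submission surfaces as risks rather than silently inflating the score.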

9. Document Verification

Vendor uploads documents like:

  • Policies
  • Certificates
  • Reports

System:

  • Stores them securely
  • Allows search (AI-powered)
  • Links them to answers

This helps in audits and verification.


10. Certificate Generation

If the vendor performs well:

  • System generates a certificate
  • Includes:
    • Vendor name
    • Score
    • Completion date
    • Expiry date

Useful for:

  • Trust building
  • Compliance proof

11. Dashboard & Reporting

You get a centralized dashboard showing:

  • Total vendors
  • High-risk vendors
  • Compliance score
  • Pending assessments
  • Completed assessments
  • Risk trends