Vendor Profiles
Vendor profiles are the central records for every third party in your vendor risk program. Each profile captures the vendor’s basic information, risk classification, assessment history, questionnaire responses, documents, and team assignments.
Vendor dashboard
The vendor dashboard is the main view for managing all vendors. It displays four key metrics at the top: total vendors, active assessments, high-risk vendors, and pending questionnaires. Below the metrics, a searchable and filterable list shows all vendors with their name, tier, risk level, assessment status, and last assessment date.
Creating a vendor profile
Navigate to vendor management
Go to Third-Party Exposure from the sidebar and click Add Vendor.
Fill in vendor details
Provide the following information:
| Field | Description |
|---|---|
| Vendor Name | Legal name of the vendor |
| Description | Brief description of the vendor and their services |
| Website | Vendor’s website URL |
| Industry | Vendor’s industry classification |
| Vendor Tier | Risk tier: Tier 1 (Critical), Tier 2 (High), Tier 3 (Medium), or Tier 4 (Low) |
| Service Criticality | How critical the vendor’s service is to your operations |
| Data Access Level | What level of access the vendor has to your data: Full, Partial, Minimal, or None |
| Integration Depth | How deeply integrated the vendor is: Deep, Moderate, Surface, or None |
| Geographic Risk | Geographic risk factors: High, Medium, or Low |
| Contact Name | Primary contact at the vendor |
| Contact Email | Primary contact email |
Save the vendor
Click Create Vendor to save. The system creates the profile and calculates an initial inherent risk score based on the tier, criticality, data access, integration depth, and geographic risk.
Vendor detail page
Each vendor profile has six tabs:
Overview — Summary of vendor information, current risk levels (inherent and residual), assessment status, and key metrics. Displays the vendor’s tier, service criticality, and contact information.
Inherent Risk — The baseline risk assessment based on five risk factors: vendor tier, service criticality, data access level, integration depth, and geographic risk. You can update the inherent risk assessment at any time by clicking Assess Inherent Risk and adjusting the factor values.
Questionnaires — Lists all questionnaires sent to this vendor and their completion status. From here you can send a new questionnaire or review completed responses.
Assessments — All risk assessments for this vendor, showing assessment type, status (Draft, In Progress, Completed, Rejected), inherent and residual risk scores, and linked questionnaire responses. Create new assessments and calculate residual risk from this tab.
Documents — Upload and manage vendor-related documents such as certifications, audit reports, contracts, and security documentation. Documents are organized by type and include upload dates and descriptions.
Team — Manage team assignments for this vendor. Assign users to roles (GRC Team, Security Ops, Executive Approver) at the vendor level to override tenant-level defaults. See approval workflows for details on role-based approvals.
Editing and deleting vendors
To edit a vendor profile, open the vendor detail page and click Edit Vendor. Update any fields and click Save. To delete a vendor, select the delete option in the vendor’s actions menu. Deleting a vendor also removes all associated assessments, questionnaire responses, and remediation actions.
Deleting a vendor is permanent and cannot be undone. All associated data (assessments, questionnaire responses, remediation actions) will also be deleted.
Best practices
Use vendor tiers consistently to classify vendors by their risk impact. Tier 1 vendors are mission-critical and require the most rigorous assessment. Keep vendor contact information current to ensure questionnaires reach the right people. Complete the inherent risk assessment before sending questionnaires — it provides the baseline against which residual risk is measured.