Vendor Risk Management
Assess and manage third-party risk throughout the vendor lifecycle — from onboarding through continuous monitoring to offboarding.
Vendor lifecycle
- Intake — Register new vendors with company information, contacts, and business justification
- Tiering — Classify vendors by inherent risk based on data access, criticality, and integration depth
- Assessment — Send risk questionnaires appropriate to the vendor’s tier
- Review — Evaluate questionnaire responses with analyst review and applicability scoring
- Approval — Route through multi-stage approval workflows based on risk findings
- Monitoring — Continuous posture monitoring with automated re-assessment triggers
- Offboarding — Structured vendor exit with access revocation checklist
Vendor profiles
Each vendor has a centralized profile that serves as the hub for all vendor-related activities.
Creating a vendor
Open vendor management
Navigate to Vendor Risk in the sidebar and click Add Vendor.
Enter company information
| Field | Required | Description |
|---|---|---|
| Company Name | Yes | Official company name |
| Industry | No | Industry sector (e.g., Software, Healthcare) |
| Website | No | Company website URL |
| Contact Name | No | Primary contact person |
| Contact Title | No | Job title |
| Contact Email | No | Email address |
| Description | No | Additional notes or context |
Save the vendor
Click Create Vendor. Only the company name is required — all other fields can be filled in later.
Vendor dashboard
The vendor dashboard displays four key metrics: Total Vendors, High Risk (critical or high risk level), Pending Assessments, and Completed assessments. Each vendor entry shows company name, industry, current risk level (color-coded), inherent risk, status, and available actions.
Vendor detail page
The vendor detail page has six tabs:
- Overview: risk overview cards, company info, contact details
- Inherent Risk: assess vendor tier, service criticality, data access, integration depth, geographic risk
- Questionnaires: view all sent questionnaires and their status
- Assessments: view risk assessments with risk reduction metrics
- Documents: upload and manage certifications, audit reports, compliance docs
- Team: assign members with specific roles, overriding tenant-level defaults
Deleting a vendor also deletes all associated assessments, questionnaires, and documents. This cannot be undone.
Inherent risk assessment
Inherent risk represents the baseline risk level before any security controls are considered. It is calculated from five risk factors:
| Factor | Options |
|---|---|
| Vendor Tier | Tier 1 (Critical), Tier 2 (High), Tier 3 (Medium), Tier 4 (Low) |
| Service Criticality | Critical, High, Medium, Low |
| Data Access Level | Full, Partial, Minimal, None |
| Integration Depth | Deep, Moderate, Surface, None |
| Geographic Risk | High, Medium, Low |
Navigate to a vendor’s Inherent Risk tab, fill in the risk factors, and click Assess Inherent Risk. The system calculates a score and maps it to a risk level (Low, Medium, High, or Critical).
Risk assessments
Risk assessments combine inherent risk with questionnaire responses to calculate residual risk — the risk remaining after security controls are considered.
Creating an assessment
From the vendor detail page’s Assessments tab, click Create Assessment. Optionally link a completed questionnaire response and select a scoring method. The assessment is created with status Draft.
Calculating residual risk
Click Calculate Residual Risk on the assessment detail page. The system reads all reviewed questionnaire responses, applies the configured scoring formula, and produces a residual risk score (0–100) with a corresponding risk level. The dashboard also shows risk reduction metrics (absolute reduction and percentage).
Questions marked “Not Applicable” are excluded from scoring. Only “Applicable” and “Partially Applicable” responses contribute to the residual risk calculation.
Overriding risk scores
If automated scoring does not reflect the true risk, click Override Score to manually set the residual risk score (0–100), risk level, and a required rationale. Overrides are flagged in the audit trail.
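The inherent-to-residual flow described above (five inherent factors, applicability-filtered questionnaire responses, risk reduction metrics, and a rationale-gated override that is recorded in the audit trail), worked through as an added example. This is illustrative code, not SecureHive's own implementation: the factor weights, the 0–100 scaling, the level thresholds and the rule that partially applicable controls earn half credit are all assumptions, since the page does not state the product's formula.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed ordinal weights (0.0-1.0) for the five inherent risk factors on the page.
FACTOR_WEIGHTS = {
    "vendor_tier":         {"Tier 1": 1.0, "Tier 2": 0.75, "Tier 3": 0.5, "Tier 4": 0.25},
    "service_criticality": {"Critical": 1.0, "High": 0.75, "Medium": 0.5, "Low": 0.25},
    "data_access":         {"Full": 1.0, "Partial": 0.7, "Minimal": 0.3, "None": 0.0},
    "integration_depth":   {"Deep": 1.0, "Moderate": 0.7, "Surface": 0.3, "None": 0.0},
    "geographic_risk":     {"High": 1.0, "Medium": 0.5, "Low": 0.0},
}
APPLICABILITY = ("Applicable", "Partially Applicable", "Not Applicable")


def risk_level(score: float) -> str:
    """Map a 0-100 score to the page's four levels (thresholds are assumed)."""
    if score >= 75:
        return "Critical"
    if score >= 50:
        return "High"
    if score >= 25:
        return "Medium"
    return "Low"


def inherent_risk(factors: dict) -> float:
    """Baseline risk before controls: mean factor weight scaled to 0-100."""
    total = 0.0
    for name, table in FACTOR_WEIGHTS.items():
        if factors.get(name) not in table:
            raise ValueError(f"{name}: expected one of {list(table)}")
        total += table[factors[name]]
    return round(100.0 * total / len(FACTOR_WEIGHTS), 1)


@dataclass
class Response:
    question: str
    applicability: str          # one of APPLICABILITY
    control_score: float        # analyst rating of the control, 0.0-1.0
    reviewed: bool = True       # only reviewed responses are read during calculation


def residual_risk(inherent: float, responses: List[Response]) -> float:
    """Risk remaining after controls. Not Applicable and unreviewed responses are
    excluded; Partially Applicable controls earn half credit (assumed rule)."""
    credits = []
    for r in responses:
        if r.applicability not in APPLICABILITY:
            raise ValueError(f"bad applicability {r.applicability!r}")
        if not r.reviewed or r.applicability == "Not Applicable":
            continue
        factor = 1.0 if r.applicability == "Applicable" else 0.5
        credits.append(factor * r.control_score)
    if not credits:
        return inherent                      # nothing scored: no reduction
    effectiveness = sum(credits) / len(credits)
    return round(inherent * (1.0 - effectiveness), 1)


@dataclass
class Assessment:
    inherent: float
    residual: Optional[float] = None
    level: Optional[str] = None
    status: str = "Draft"
    audit_trail: list = field(default_factory=list)

    def calculate(self, responses: List[Response]) -> float:
        self.residual = residual_risk(self.inherent, responses)
        self.level = risk_level(self.residual)
        self.status = "In Progress"          # calculated, pending review
        self.audit_trail.append({"event": "calculated", "score": self.residual})
        return self.residual

    def override(self, score: float, level: str, rationale: str, actor: str) -> None:
        """Manual override: rationale is mandatory and the change is flagged."""
        if not rationale or not rationale.strip():
            raise ValueError("override requires a rationale")
        if not 0 <= score <= 100:
            raise ValueError("score must be within 0-100")
        self.audit_trail.append({"event": "override", "actor": actor, "from": self.residual,
                                 "to": score, "rationale": rationale.strip()})
        self.residual, self.level = score, level

    def reduction(self):
        """Risk reduction metrics: absolute points and percentage of inherent."""
        absolute = round(self.inherent - self.residual, 1)
        pct = round(100.0 * absolute / self.inherent, 1) if self.inherent else 0.0
        return absolute, pct


# Constructed sample vendor and questionnaire data (not from the page).
SAMPLE_FACTORS = {"vendor_tier": "Tier 2", "service_criticality": "High",
                  "data_access": "Partial", "integration_depth": "Moderate",
                  "geographic_risk": "Medium"}
SAMPLE_RESPONSES = [
    Response("MFA enforced for all admin access?", "Applicable", 0.8),
    Response("Encryption at rest for customer data?", "Partially Applicable", 0.6),
    Response("PCI DSS scope?", "Not Applicable", 0.0),           # excluded
    Response("Annual pen test performed?", "Applicable", 0.4, reviewed=False),  # excluded
]


def run_example() -> Assessment:
    a = Assessment(inherent=inherent_risk(SAMPLE_FACTORS))
    a.calculate(SAMPLE_RESPONSES)
    return a


if __name__ == "__main__":
    a = run_example()
    print(a.inherent, a.residual, a.level, a.reduction())
```

With the constructed data the inherent score is 68.0 (High); only two of the four responses are scored, giving an average effectiveness of 0.55 and a residual of 30.6 (Medium), a reduction of 37.4 points or 55%. The override path refuses an empty rationale and always leaves an audit entry.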
Assessment statuses
Assessments progress through four statuses:
- Draft: created, risk not yet calculated
- In Progress: risk calculated, pending review
- Completed: approved and finalized
- Rejected: rejected during approval
Remediation actions
When assessments reveal risks or gaps, create remediation actions to track follow-up work.
Each action has a title, description, priority (Critical, High, Medium, or Low), optional due date, and assignee. Actions move through four statuses: Open → In Progress → Completed (or Cancelled). Optionally link actions to specific questionnaire responses for traceability.
Common use cases include documentation requests (e.g., “Request SOC 2 Type II Report” with a 30-day due date), security control implementations (e.g., “Implement MFA” with a 60-day timeline), and policy updates.
Approval workflows
Multi-stage approval workflows ensure proper review and sign-off on vendor risk assessments. See Questionnaires & Scoring for scoring method configuration.
Workflow structure
Each workflow contains sequential stages. Each stage requires approval from users with a specific role (e.g., GRC Team, Security Ops, Executive Approver). Once the minimum number of approvers at a stage approve, the workflow advances.
Example three-stage workflow: GRC Review → Security Review → Executive Approval.
Team assignment hierarchy
Role assignments follow a three-level priority: Assessment-level (highest priority, applies to one assessment) overrides Vendor-level (applies to one vendor) overrides Tenant-level (default for all vendors). This lets you set organization-wide defaults while overriding for specific vendors or high-risk assessments.
My Workspace integration
When an approval stage activates, assigned users see the assessment in My Workspace → Vendor Risk. They can review questionnaire responses, approve or reject (with required reason for rejections), and add comments.
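The workflow structure, team assignment hierarchy and approve/reject behaviour from the three sections above, combined into one added example. It is illustrative code rather than SecureHive's implementation: the stage names, roles, user names and the rule that the highest-priority level defining a role replaces (rather than merges with) the levels below it are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Stage:
    name: str
    role: str                      # role whose members may approve this stage
    min_approvals: int = 1         # stage advances once this many have approved
    approvals: Set[str] = field(default_factory=set)


@dataclass
class RoleAssignments:
    """role -> users, held at the three levels described on the page."""
    tenant: Dict[str, Set[str]] = field(default_factory=dict)
    vendor: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)      # vendor id -> roles
    assessment: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)  # assessment id -> roles

    def resolve(self, role: str, vendor_id: str, assessment_id: str) -> Set[str]:
        # Assessment-level beats vendor-level beats tenant-level; the first level
        # that defines the role wins outright (assumed: no merging across levels).
        for level in (self.assessment.get(assessment_id, {}),
                      self.vendor.get(vendor_id, {}),
                      self.tenant):
            if role in level:
                return set(level[role])
        return set()


class Workflow:
    def __init__(self, stages: List[Stage], assignments: RoleAssignments,
                 vendor_id: str, assessment_id: str):
        self.stages, self.assignments = stages, assignments
        self.vendor_id, self.assessment_id = vendor_id, assessment_id
        self.current = 0                 # index of the active stage
        self.status = "In Progress"
        self.log: list = []              # (action, stage, user, comment)

    def active_stage(self) -> Stage:
        return self.stages[self.current]

    def pending_approvers(self) -> Set[str]:
        """Users who see this assessment in their workspace for the active stage."""
        if self.status != "In Progress":
            return set()
        st = self.active_stage()
        eligible = self.assignments.resolve(st.role, self.vendor_id, self.assessment_id)
        return eligible - st.approvals

    def _authorised_stage(self, user: str) -> Stage:
        if self.status != "In Progress":
            raise PermissionError(f"workflow is already {self.status}")
        st = self.active_stage()
        if user not in self.assignments.resolve(st.role, self.vendor_id, self.assessment_id):
            raise PermissionError(f"{user} is not an approver for stage {st.name!r}")
        return st

    def approve(self, user: str, comment: str = "") -> str:
        st = self._authorised_stage(user)
        st.approvals.add(user)
        self.log.append(("approve", st.name, user, comment))
        if len(st.approvals) >= st.min_approvals:
            self.current += 1
            if self.current == len(self.stages):
                self.status = "Completed"
        return self.status

    def reject(self, user: str, reason: str) -> str:
        if not reason or not reason.strip():
            raise ValueError("rejection requires a reason")
        st = self._authorised_stage(user)
        self.log.append(("reject", st.name, user, reason.strip()))
        self.status = "Rejected"
        return self.status


def example_workflow() -> Workflow:
    """Constructed three-stage workflow with a vendor-level and an assessment-level override."""
    assignments = RoleAssignments(
        tenant={"GRC Team": {"alice"}, "Security Ops": {"bob", "carol"},
                "Executive Approver": {"dana"}},
        vendor={"vendor-1": {"Security Ops": {"erin"}}},            # overrides bob/carol
        assessment={"assessment-1": {"Executive Approver": {"frank"}}},  # overrides dana
    )
    stages = [Stage("GRC Review", "GRC Team"),
              Stage("Security Review", "Security Ops"),
              Stage("Executive Approval", "Executive Approver")]
    return Workflow(stages, assignments, "vendor-1", "assessment-1")


if __name__ == "__main__":
    wf = example_workflow()
    for user in ("alice", "erin", "frank"):
        print(wf.pending_approvers(), "->", wf.approve(user, "reviewed"))
```

Running the sample, the Security Review stage is routed to erin (the vendor-level override) rather than the tenant default of bob and carol, and Executive Approval goes to frank (the assessment-level override) rather than dana; a user who is not an eligible approver for the active stage is refused, and a rejection without a reason is refused.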
Analytics and reporting
The analytics dashboard provides five views for monitoring your vendor risk program:
- Overview Dashboard: key metrics (total vendors, active assessments, high-risk count, open remediations) updated in real time
- Risk Heatmap: risk distribution with color coding and hover details
- Score Distribution: risk score patterns, comparing inherent vs. residual risk over time
- Remediation Tracking: action status, priority breakdown, overdue items, and completion trends
- Vendor Aging Report: assessment lifecycles, expiration dates, and reassessment scheduling
AI questionnaire responses
When you receive inbound security questionnaires from customers, SecureHive’s AI drafts responses based on your existing controls, policies, and certifications — reducing response time from days to minutes.
Best practices
Assess inherent risk before sending questionnaires so the right questionnaire goes to the right tier. Configure scoring methods before running assessments. Use the three-level team assignment hierarchy to balance default assignments with vendor-specific overrides. Review the analytics dashboard weekly to catch aging assessments and overdue remediation actions. Create specific, actionable remediation items rather than vague goals.