Vendors and third-party risk

The Vendors (TPRM) register lists the suppliers and third parties your organization depends on. Each vendor gets a criticality tier, a data classification, contract dates, and a review cadence. Periodic assessments score the vendor on four dimensions, and the assessment outcome sets the vendor's status. Use it to prove supplier control for ISO audits and to keep vendor reviews from being forgotten. The page is at /vendors, under Vendors (TPRM) in the side nav.

Before you start

The page shows four counters (Total, Critical tier, Approved, Overdue reviews), a filter bar (Status and Tier), and the vendor list.

Add a vendor

  1. Open Vendors (TPRM) in the side nav.
  2. Click Add Vendor (top right).
  3. Fill Name (required).
  4. Optionally fill Category, for example "Cloud hosting" or "Logistics".
  5. Pick a Tier: Critical, High, Medium (default), or Low. The tier says how much you depend on the vendor.
  6. Pick a Status. New vendors usually stay Prospective (default). The full list: Prospective, Approved, Conditional, Suspended, Offboarded.
  7. Pick a Data classification: No data shared (default), Internal, Confidential, or Restricted. This is the highest classification of your data the vendor handles.
  8. Optionally fill Contact name, Contact email, Website, and Services provided.
  9. Optionally set Contract start and Contract end with the date buttons. When the contract end passes, the card shows a red "Contract ended" tag.
  10. Optionally set Next review date. This drives the review cadence and the overdue counters.
  11. Pick an Owner from the organization members (default Unassigned).
  12. Optionally add Notes.
  13. Click Add vendor.

To edit later, click the pencil icon and click Save. To remove a vendor, click the delete icon: it is deactivated (removed from the register) but its assessment history is kept.

Assess a vendor

Assessments are the heart of TPRM. Each one scores up to four dimensions from 1 (poor) to 5 (excellent), and its outcome moves the vendor's status.

  1. Click Assess on the vendor's row.
  2. Score any of the four axes, each 1 to 5 or Not scored:
    • Security
    • Quality
    • Delivery
    • Financial
  3. Watch the live Overall score: the average of the axes you scored, out of 5. It shows in red when below 3. Unscored axes are ignored; score at least one axis to get an overall.
  4. Pick the Outcome: Approved, Conditional, or Rejected. The dialog tells you what happens: saving sets the vendor status to approved, conditional, or suspended respectively.
  5. Optionally write a Findings summary with the key findings and conditions.
  6. Optionally set the Next review date. The picker suggests one year out. Saving copies this date onto the vendor, resetting its review cadence.
  7. Click Save assessment.

You get a confirmation like "Acme Cloud assessed, Approved", and the vendor's status tag updates.

To see past assessments, click History on the vendor's row. Each entry shows the date, the assessor, the outcome, the overall and per-axis scores, the next review date, and the findings summary.

Keep reviews on schedule

Every vendor with a Next review date is tracked:

The Refresh button in the page header derives review tasks before reloading: every active vendor whose next review is within the next 30 days, or already overdue, raises a task titled "Vendor review due: " in the Task Center. The task is assigned to the vendor's Owner, carries the review date as its due date, and is high severity when the review is already overdue (medium otherwise). Duplicates are not created while an earlier task for the same vendor is still open.

To clear an overdue review, run a new assessment and set a fresh Next review date in the assess dialog.

Filter the register

Use the Status and Tier selects above the list to narrow the view, for example Status "Approved" plus Tier "Critical" for your most sensitive approved suppliers. The four counters at the top always cover the whole register, not the filtered view.

Try it

If something goes wrong

← Back to CompStack