Vendors and third-party risk
The Vendors (TPRM) register lists the suppliers and third parties your organization depends on. Each vendor gets a criticality tier, a data classification, contract dates, and a review cadence. Periodic assessments score the vendor on four dimensions, and the assessment outcome sets the vendor's status. Use it to prove supplier control for ISO audits and to keep vendor reviews from being forgotten. The page is at /vendors, under Vendors (TPRM) in the side nav.
Before you start
- The Vendors (TPRM) module is off by default. An admin must enable it in Settings > Modules (Governance, risk and compliance group) before the page appears in the side nav.
- Any member of the organization can open the page, add vendors, and run assessments. No admin role is required by the UI.
- No other data is required, but assigning each vendor an Owner (an organization member) means review-due tasks land on a named person.
The page shows four counters (Total, Critical tier, Approved, Overdue reviews), a filter bar (Status and Tier), and the vendor list.
Add a vendor
- Open Vendors (TPRM) in the side nav.
- Click Add Vendor (top right).
- Fill Name (required).
- Optionally fill Category, for example "Cloud hosting" or "Logistics".
- Pick a Tier: Critical, High, Medium (default), or Low. The tier says how much you depend on the vendor.
- Pick a Status. New vendors usually stay Prospective (default). The full list: Prospective, Approved, Conditional, Suspended, Offboarded.
- Pick a Data classification: No data shared (default), Internal, Confidential, or Restricted. This is the highest classification of your data the vendor handles.
- Optionally fill Contact name, Contact email, Website, and Services provided.
- Optionally set Contract start and Contract end with the date buttons. When the contract end passes, the card shows a red "Contract ended" tag.
- Optionally set Next review date. This drives the review cadence and the overdue counters.
- Pick an Owner from the organization members (default Unassigned).
- Optionally add Notes.
- Click Add vendor.
To edit later, click the pencil icon and click Save. To remove a vendor, click the delete icon: it is deactivated (removed from the register) but its assessment history is kept.
Assess a vendor
Assessments are the heart of TPRM. Each one scores up to four dimensions from 1 (poor) to 5 (excellent), and its outcome moves the vendor's status.
- Click Assess on the vendor's row.
- Score any of the four axes, each 1 to 5 or Not scored:
- Security
- Quality
- Delivery
- Financial
- Watch the live Overall score: the average of the axes you scored, out of 5. It shows in red when below 3. Unscored axes are ignored; score at least one axis to get an overall.
- Pick the Outcome: Approved, Conditional, or Rejected. The dialog tells you what happens: saving sets the vendor status to approved, conditional, or suspended respectively.
- Optionally write a Findings summary with the key findings and conditions.
- Optionally set the Next review date. The picker suggests one year out. Saving copies this date onto the vendor, resetting its review cadence.
- Click Save assessment.
You get a confirmation like "Acme Cloud assessed, Approved", and the vendor's status tag updates.
To see past assessments, click History on the vendor's row. Each entry shows the date, the assessor, the outcome, the overall and per-axis scores, the next review date, and the findings summary.
Keep reviews on schedule
Every vendor with a Next review date is tracked:
- When the date is in the future, the card shows a teal "Review
" tag. - When the date passes, the tag turns red ("Review overdue
") and the Overdue reviews counter goes up.
The Refresh button in the page header derives review tasks before reloading: every active vendor whose next review is within the next 30 days, or already overdue, raises a task titled "Vendor review due:
To clear an overdue review, run a new assessment and set a fresh Next review date in the assess dialog.
Filter the register
Use the Status and Tier selects above the list to narrow the view, for example Status "Approved" plus Tier "Critical" for your most sensitive approved suppliers. The four counters at the top always cover the whole register, not the filtered view.
Try it
- Enable Vendors (TPRM) in Settings > Modules. Expected: "Vendors (TPRM)" appears in the side nav.
- Click Add Vendor and save "Acme Cloud" with Tier Critical, Data classification Confidential, and an Owner. Expected: the row appears with red Critical, gray Prospective, and magenta Confidential tags, and the Critical tier counter reads 1.
- Try to save a vendor with an empty Name. Expected: nothing happens; Name is required.
- Click Assess on Acme Cloud and score only Security 4 and Quality 5. Expected: the dialog shows "Overall score: 4.50 / 5".
- Set Outcome to Approved, set Next review date one year out, click Save assessment. Expected: confirmation message, the vendor's status tag turns to a green Approved, a teal "Review
" tag appears, and the Approved counter goes up. - Click History on the vendor. Expected: the assessment is listed with its overall score, per-axis scores, outcome, and next review date.
- Run another assessment with Outcome Rejected. Expected: the vendor's status flips to a red Suspended.
- Edit a vendor and set Next review date to yesterday. Expected: the tag turns red "Review overdue" and the Overdue reviews counter goes up.
- Click Refresh. Expected: a message like "1 vendor review task raised", and a task "Vendor review due: Acme Cloud" appears in Task Center assigned to the owner.
- Set the Status filter to Approved. Expected: only approved vendors are listed; the counters at the top do not change.
If something goes wrong
- Vendors (TPRM) is missing from the side nav. The module is off by default. An admin must enable it in Settings > Modules.
- "No vendors yet". The register is empty. Click Add Vendor.
- "No vendors match the filters". A Status or Tier filter is hiding rows. Set both back to "All statuses" and "All tiers".
- Overall score shows a dash. No axis was scored. Score at least one of Security, Quality, Delivery, or Financial.
- Vendor status changed unexpectedly after an assessment. That is by design: the outcome drives the status. Approved sets Approved, Conditional sets Conditional, Rejected sets Suspended. Edit the vendor to override the status manually if needed.
- No review task appeared after Refresh. Tasks are only raised for active vendors whose next review is within 30 days or overdue, and not while an earlier task for the same vendor is still open or in progress. Also check that a Next review date is set at all.
- The review task has no assignee. The vendor has no Owner. Edit the vendor and pick one.
- A deleted vendor's history is gone from the register. The vendor was deactivated, which removes it from the list view; its rows are kept in the database but the register does not currently show inactive vendors.
- A save fails with a permission error. Your session may have expired or your membership is inactive. Sign in again or ask an admin to check your membership in Settings.