The Best Vendor Risk Management Software

Vendor risk management, which is also known as supplier risk management and third-party risk management, is a relatively new discipline in the IT industry. It is a type of service that you need to be familiar with because it is likely that your system is currently exposed to risks that you don’t know about.

With risk management, you investigate your company’s working practices and IT security that could lead to data disclosure if they are not tight enough. Data loss events damage your company’s reputation and lead to ruinous losses through blackmail, litigation, and fines.

Here is our list of the best vendor risk management software:

1. Gatekeeper EDITOR’S CHOICE This cloud platform provides vendor and contract lifecycle management with an extensive vendor risk assessment module that connects to the contract creation and tracing system in the platform. Request a demo.
2. OneTrust Third-Party Risk Exchange A unique community-sourced database of existing risk evaluations on more than 70,000 vendors that is constantly updated.
3. TrustArc Vendor Risk Management A security assessment platform that combines automated processes data gathering frameworks, and human experts to provide a comprehensive risk management service.
4. Resolver Vendor Risk Management Software A vendor risk management system that is part of a GRC platform and enables you to assemble a document base for standards compliance proof.
5. ComplyScore Risk Scoring A vendor risk management platform that is based around an assessment method that operates through a questionnaire format.
6. SAI360 Vendor Risk Management Partnered with data protection and standards auditing systems, this is a cloud-based platform that is a good option for those that need to comply with GDPR.
7. SureCloud A cloud-hosted vendor risk assessor that is questionnaire-driven and forms part of a wider compliance management suite.

Unfortunately, being able to blame a software supplier for data loss events is rarely an option. Ultimately, your company is legally responsible for the security of the data it holds. Even if you get a Business Associate Agreement (BAA) from a data management service or storage provider you could still be on the hook. If that company has a better legal team than yours or if it goes bust, all of the cost of a data loss event would fall on your company.

Legal wrangling after the fact is less effective and more expensive than preventative measures to avert data disclosure. Checking your system for potential security weakness is very important but it isn’t enough. You also need to check the security of all of those service providers that you now use.

Cloud services and Software-as-a-Service packages are very popular. They reduce administration tasks, address the global shortage of skilled IT professionals, and cut costs. However, despite the extensive uptake of cloud systems throughout the advanced economies, some company executives are still reluctant to allow their IT systems to be managed outside the building by other companies. They worry about loss of control and they have a right to be nervous.

If your company is ultimately legally liable for the errors of service providers, it can be reasonably argued that outsourcing functions are too much of a risk. The only way to counter that exposure is through vendor risk management.

How does vendor risk management work?

The obvious way to check on the security systems of suppliers is to ask them or look through the sales information. However, like your company, those suppliers are going to present a good image of themselves wherever possible. They are not going to tell you the problems that they have faced.

Not only do you need to look into your suppliers before you sign up for their services, but you need to know about the security of their suppliers. Many cloud services don’t manage their servers; they rent space on cloud servers run by other companies. Those service providers also might use the software provided by other companies. That software might include APIs provided by other companies that access processes running on other servers, run by other providers.

To fully assess a vendor, you also need to disclose what other businesses are involved in delivering a service.

It just isn’t realistic to expect a busy IT manager to spend the time to investigate every single contributing supplier in the chain of provision for cloud services. A full investigation would require subscriptions to court reports, tracing systems to identify associated suppliers and access to specialist investigators. Buying in all of those services for every single IT service contract would be prohibitively expensive. Vendor risk management software and services bundle all of those elements together in an affordable package.

Vendor risk systems operate as a combination of services. One is a database of legal actions against companies and the other is a framework for assessing compliance measurements, such as standards accreditation. Vendor risk management systems are usually subscription services and once a list of software providers have been registered, the risk management service continues to track legal actions and data disclosure notifications and will alert if one arises for software or services that are on the list for one of the risk management service’s clients.

The best vendor risk management software

The best vendor risk management software is part of an ongoing service that will continue to search for legal issues related to the companies that supply the clients of that risk management service.

When seeking vendor risk management software for this list, we kept those selection criteria in mind but also looked for a range of price options. Although the very best vendor risk management system might be well worth paying for, not every business, especially startups and small businesses can afford the best legal representation in the world.

Process automation and sharing out the cost of legal experts across many clients allows vendor risk management services to bring costs down. So, we looked for the best value possible.

1. Gatekeeper (GET DEMO)

Gatekeeper sets itself apart by integrating contract management with vendor relationships and full risk management service, adopting a Vendor and Contract Lifecycle Management (VCLM) approach. The full platform is designed to automate purchasing through contract definition and enforcement. No company can afford to be let down by a supplier and the Gatekeeper system ensures that will not happen.

Key Features:

• Integrates vendor risk management with contracts lifecycle management
• Continuous monitoring
• Alerts for new risk data
• Workflow engine for automatic risk mitigation
• Collaboration management
• Unified view of financial, cybersecurity, PEPs, sanctions, and other risks

Why do we recommend it?

The vendor risk management service in the Gatekeeper platform is integrated with a credit assessment system and contracts management. This means that the vendor approval process is integrated into the contract creation and management lifecycle. Vendor risk can change over time and the platform accounts for such eventualities.

The Risk module in the Gatekeeper console enables companies to load up vendor details and perform a risk assessment of each. The risk scores of all suppliers are listed in one screen, showing a traffic light color scheme that shows clearly which vendors are high, medium, or low risk. The Risk Dashboard also lets you see overviews of your current risk position, showing overall risk per vendor sector or per business function. Another summary shows what created a high-risk score for the vendors in your list.

Risk Dashboard also shows a Risk Heat Map, which groups the vendors on your list by risk level, letting you see how much your company is exposed to high-risk suppliers. From there it is up to you how you act on that information.

Clearly, high-risk vendors won’t make it to your supplier list. However, those that pass approval can be selected within the contract creation module to set up an agreement. This section extends to the creation of service level agreements (SLAs) and non-disclosure agreements (NDAs). The system also has an integrated eSign service, so all contact can be agreed digitally.

Who is it recommended for?

Gatekeeper is particularly recommended for organizations operating in regulated industries, such as financial services and healthcare, where meticulous monitoring and auditability of third-party relationships are imperative. Their pricing details are available on their website, starting from $1,125 per month for unlimited users.

The Gatekeeper system is delivered as a cloud platform. There isn’t a free trial for the platform but you can request a demo to assess the package.

2. OneTrust Third-Party Risk Exchange

OneTrust Third-Party Risk Exchange is a database of “SIGs” filled out by other businesses and made available to other OneTrust Third-Party Risk Exchange subscribers. A SIG is a Standardized Information Gathering questionnaire, a standard intelligence recording format in corporate risk assessment.

Key Features:

• A crowd-sourced data pool
• Commercial intel
• Records security failures
• Breaches categorized by data protection standard
• Moderated by legal experts

Why do we recommend it?

The OneTrust Third-Party Risk Exchange is a common sense approach to vendor investigations because it shares the findings of companies, so enquires don’t have to be constantly repeated. The exchange data can be accessed repeatedly for updates, providing an alert if a previously cleared vendor experiences a data breach or other weakness.

By entering the names of suppliers, the database brings up any intel on data breaches that occurred involving that business or any failed standards audits. The reporting in this database assesses risk according to a long list of data protection standards that include NIST, HIPAA, PCI DSS, GDPR, EBA, CCPA.

Third-Party Risk Exchange is a division of OneTrust, which is a very well-respected provider of legal services for IT systems. As a top-of-the-line provider, OneTrust is expensive. So, the Risk Exchange is a very clever way to cut the costs of the high-priced service of risk management. Community-provided data reduces the number of highly-paid OneTrust legal experts that need to be involved in providing the service.

Assessments are added to the system all of the time, so subscribers get up-to-the-minute data on vendors and the suppliers of your potential service providers. The system isn’t totally unsupervised. OneTrust legal experts moderate the data entered into the assessment database and add in the risk assessments that they perform themselves on behalf of clients. Assessments are filed on a per-service basis. This is useful because if one product of a company encounters problems that doesn’t mean that the whole business is compromised.

Who is it recommended for?

This tool is undeniably an essential input for any business that needs to lock down risk. The service cuts down time and costs for third-party risk assessment and it can crawl through supply chains. You will need to get an automated risk management tool that can ingest this feed without manual intervention.

The system is enhanced by OneTrust DataGuidance. This is a risk assessment tool developed by OneTrust based on the techniques used by its in-house risk assessors. You can request a demo to get a full understanding of the Risk Exchange system.

3. TrustArc Vendor Risk Management

The TrustArc Vendor Risk Management software is a framework for noting vendor assessments. This tool is operated as a cloud-based platform. It includes a mix of assessment forms (SIGs), a legal notification feed and matching service, and consultation with the vendors themselves.

Key Features:

• A cloud-based system
• Investigation forms
• Legal research service
• Vendor interviews

Why do we recommend it?

TrustArc Vendor Risk Management is implemented in the platform’s Risk Profile module. This provides a study of internal risk as well as third-party risk. A nice feature of this tool is that it provides reports that show you how far you have progressed towards a risk-free system. This enables compliance teams to accurately display their value.

The TrustArc system isn’t all automated; it isn’t totally reliant on software. Legal experts working for TrustArc perform assessments of vendors and even interview suppliers entered into the system for risk assessment by clients.

Vendors participate in the system because they want to make sales. Each data service and software vendor makes claims to data protection standard accreditation. So, the first step in the assessment is to verify that certification. The vendor should be able to provide data audit results and compliance verification.

Who is it recommended for?

The TrustArc system is a wider package than the vendor risk assessment system. The full package requires a lot of input and effort during onboarding to get the company compliant and there there is a low-level constant background process needed to ensure that the business remains compliant.

Consultants of TrustArc validate all of the compliance proof supplied by vendors, which does a lot of the legwork for you. The combination of software and reliable human expertise is a very reassuring package. It is like hiring a private detective to investigate suppliers. TrustArc consultants also guide exactly what type of privacy performance you need to expect from suppliers depending on which standards you are working to. Supplier issues, such as location, viability, and insurance are also taken into account.

4. Resolver Vendor Risk Management Software

Resolver Vendor Risk Management Software is part of a suite of Governance, Risk management, and Compliance (GRC) tools. This is a cloud platform that can be accessed through any standard browser. The system will check on the suppliers of hardware, software, services, and applications.

Key Features:

• Supplier assessment package
• Continuous monitoring
• Alerts for new risk data

Why do we recommend it?

Resolver Vendor Risk Management Software is a component of a cloud-resident GRC suite. The full platform also provides a security monitoring service for ongoing risk assessment once the business is fully compliant. This tool also examines the brand value and reputation of vendors in addition to tracking recent security breaches.

Once vendors and their suppliers are identified, Resolver continues to monitor the risk status of those businesses so you can be sure that you won’t be caught further down the line. The Resolver system can be used to assess the suppliers of new purchases and also to audit your existing system.

The Resolver system provides an assessment framework that standardizes a checklist of expectations the suppliers need to match to contribute towards standards and legislation compliance. The assessment forms in the service should be sent out to vendors for completion. The assessment requests also list requirements for copies of certificates, which can then be stored within the Vendor Risk Management system to document confirmation of accreditation as part of the standards compliance audit requirements.

Who is it recommended for?

The Resolver system is a package for large companies. The company doesn’t publish its price list. In terms of market sector, the platform has customers across industries, including the health sector and financial institutions. The tool provides a benchmark that is a useful judgment on progress for businesses that are new to system risk management.

You can request a demo of the Resolver GRC platform, which includes the Vendor Risk Management software.

5. ComplyScore Risk Scoring

ComplyScore Risk Scoring is an online platform for vendor risk assessment that is provided by ComplyScore. The system is based on a questionnaire format, which creates a standard assessment framework for each vendor.

Key Features:

• Assessment framework
• A library of questionnaires
• Ripples through the supply chain

Why do we recommend it?

ComplyScore Risk Scoring focuses on third-party risk management. The entire ComplyScore platform is a third-party risk management system. The software also implements ongoing GRC. The central value of the service is that it gives you a benchmark of acceptable risk. That’s useful for businesses that have no experience in risk assessing.

The assessment questionnaires should be sent out to vendors for information. The completed responses then go into an online database where analytical tools grade them to provide a ranking of each vendor’s suitability. A response can also reveal suppliers to those first-tier vendors, who then can be approached to fill out more questionnaires and possibly reveal deeper layer suppliers.

The result of an investigation will be a hierarchy of suppliers behind each product, whether that be hardware, software, applications, or services. The risk scoring of each collection of suppliers can be adapted according to the standards that you need to comply with.

The risk management platform also includes a contract risk assessor. You can store all risk assessments and business documentation in a collated store to identify the risk assessment status of each vendor. The platform also offers a Residual Risk service, which continues to check on the statuses of all logged suppliers.

Who is it recommended for?

The ComplyScore company offers its risk management system for use by businesses and it also has a managed vendor risk package, which gives you the consultants and technicians to run the system and perform vendor risk assessment for you. Unfortunately, ComplyScore doesn’t publish its price list.

The ComplyScore service is offered in three editions. The packages are pricey, with the cheapest edition, called Standard, starting at a subscription price of $50,000 per year plus an Implementation Fee of $15,000. You can request a demo to assess the ComplyScore system.

6. SAI360 Vendor Risk Management

The SAI360 Vendor Risk Management software system is part of a wider GRC system. BWise is a subdivision of SAI Global. Other modules in the platform include governance and compliance features for companies that need to handle PII.

Key Features:

• Corporate Research
• Vendor investigation
• Frequent rechecks

Why do we recommend it?

SAI360 Vendor Risk Management goes through third-party risk management to fourth-party risk as well. The tool prioritizes the risks that you need to deal with, which could mean adjusting your partnership programs or supply chain, or, if you also use the platform’s internal risk management and compliance management tools, your own working practices.

This service allows you to put all of your vendor management tasks in one place. Assess initial options for purchases by checking on their providers and then continuing ongoing monitoring of vendor reputation and compliance.

The system includes a risk identification service, so you don’t waste time verifying suppliers of products that don’t impact data protection standards requirements. The vendor management system also ranks suppliers by the level of criticality. The overview of vendor management lets you see exactly how many different suppliers you currently deal with.

The system provides a framework for vendor risk assessment through firms and checklists. There is also a section for contract conformance that tracks the delivery of SLAs. In each case, workflows in the assessment framework provide points for interaction with the provider and checklists of points to confirm. Some measures can be undertaken to address risks that are identified by the process.

Who is it recommended for?

Like most of the tools on this list, the SAI360 package is designed for use by large organizations. Big businesses are more likely to suffer a risk if their vendors have a security breach than if their customers are damaged. With small businesses the reverse is true.

The discovery of a problem with a supplier might lead you to drop its products. The Vendor Risk Management software lays down procedures to follow for finding replacement services, hardware, or software in that event.

7. SureCloud

SureCloud is a package of governance and compliance services that includes a risk management module. The Third-Party Risk Management software system gives you a central repository for your vendor assessments and verification. The system is offered in three plans with greater automation with higher editions. The lower edition, called Standard, provides a space for you to log your assessments. The higher plans, called Business and Premium are form and workflow-driven, automating much of the vendor risk assessment process.

Key Features:

• Form-based assessments
• Risk assessment feed
• Vendor verification service

Why do we recommend it?

SureCloud is a large GRC platform with many modules and the Third-Party Risk Management tool is one of them. This service works best in conjunction with all of the other services on the platform to get a company into compliance and then stay there and prove it.

The process of vendor risk management has two strands. You can set up a form-based assessment that requires the participation of the vendor. This workflow also indicates the documentation, such as standards accreditation and audit certificates, that you need to ask for and store. These questionnaires are tailored to the standards that you are following and the category of product that each vendor supplies.

The second powerful element in the Third-Party Risk Management system is a feed from BitSight, which is a security rating agency. This provides an instant assessment of the risk attached to each of the vendors that you enter into the system. That service is an add-on and isn’t included in the plan subscription price.

Who is it recommended for?

This service focuses on technology suppliers such as SaaS providers. It also looks at the software packages that companies run on site. Rather than scanning those tools, the system scans for reports of data breaches suffered by each provider or reported weaknesses in the software. SureCloud doesn’t publish a price list.

You can request a demo to see the cloud-hosted Third-Party Risk Management system for yourself.