Vendor risk management, which is also known as supplier risk management and third-party risk management, is a relatively new discipline in the IT industry. It is a type of service that you need to be familiar with because it is likely that your system is currently exposed to risks that you don’t know about.
Here is our list of the six best vendor risk management software:
- OneTrust Vendorpedia Third-Party Risk Exchange EDITOR’S CHOICE A unique community-sourced database of existing risk evaluations on more than 70,000 vendors that is constantly updated.
- TrustArc Vendor Risk Management A security assessment platform that combines automated processes, data gathering frameworks, and human experts to provide a comprehensive risk management service.
- Resolver Vendor Risk Management Software A vendor risk management system that is part of a GRC platform and enables you to assemble a document base for standards compliance proof.
- CyberScore A vendor risk management platform that is based around an assessment method that operates through a questionnaire format.
- BWise Vendor Risk Management Partnered with data protection and standards auditing systems, this is a cloud-based platform that is a good option for those that need to comply with GDPR.
- SureCloud A cloud-hosted vendor risk assessor that is questionnaire-driven and forms part of a wider compliance management suite.
You can read more about each of these options in the following sections.
With risk management, you investigate the working practices and IT security controls of your company that could lead to data disclosure if they are not tight enough. Data loss events damage your company’s reputation and lead to ruinous losses through blackmail, litigation, and fines.
Unfortunately, being able to blame a software supplier for data loss events is rarely an option. Ultimately, your company is legally responsible for the security of the data it holds. Even if you get a Business Associate Agreement (BAA) from a data management service or storage provider you could still be on the hook. If that company has a better legal team than yours or if it goes bust, all of the cost of a data loss event would fall on your company.
Legal wrangling after the fact is less effective and more expensive than preventative measures to avert data disclosure. Checking your system for potential security weakness is very important but it isn’t enough. You also need to check the security of all of those service providers that you now use.
Cloud services and Software-as-a-Service packages are very popular. They reduce administration tasks, address the global shortage of skilled IT professionals, and cut costs. However, despite the extensive uptake of cloud systems throughout the advanced economies, some company executives are still reluctant to allow their IT systems to be managed outside the building by other companies. They worry about loss of control and they have a right to be nervous.
If your company is ultimately legally liable for the errors of service providers, it can be reasonably argued that outsourcing functions is too much of a risk. The only way to counter that exposure is through vendor risk management.
How does vendor risk management work?
The obvious way to check on the security systems of suppliers is to ask them or look through the sales information. However, like your company, those suppliers are going to present a good image of themselves wherever possible. They are not going to tell you the problems that they have faced.
Not only do you need to look into your suppliers before you sign up for their services, but you need to know about the security of their suppliers. Many cloud services don’t manage their own servers; they rent space on cloud servers run by other companies. Those service providers also might use software provided by other companies. That software might include APIs provided by other companies that access processes running on other servers, run by other providers.
To fully assess a vendor, you also need to uncover what other businesses are involved in delivering its service.
It just isn’t realistic to expect a busy IT manager to spend the time to investigate every single contributing supplier in the chain of provision for cloud services. A full investigation would require subscriptions to court reports, tracing systems to identify associated suppliers and access to specialist investigators. Buying in all of those services for every single IT service contract would be prohibitively expensive. Vendor risk management software and services bundle all of those elements together in an affordable package.
Vendor risk systems operate as a combination of services. One is a database of legal actions against companies and the other is a framework for assessing compliance measurements, such as standards accreditation. Vendor risk management systems are usually subscription services. Once a list of software providers has been registered, the risk management service continues to track legal actions and data disclosure notifications and will raise an alert if one arises for software or services that are on the list for one of the risk management service’s clients.
The best vendor risk management software
The best vendor risk management software is part of an ongoing service that will continue to search for legal issues related to the companies that supply the clients of that risk management service.
What should you look for in a vendor risk management system?
We reviewed the market for vendor risk management software and analyzed the options based on the following criteria:
- A system that can impose a standard framework on vendor assessment
- A strong legal research team to back the software service
- A subscription service with ongoing supplier status updates
- Options for legal advice
- A service that has a worldwide visibility
- The option of a no-risk assessment period either through a free trial or a money-back guarantee
- A valuable service that is worth the price
When seeking vendor risk management software for this list, we kept those selection criteria in mind but also looked for a range of price options. Although the very best vendor risk management system might be well worth paying for, not every business, especially startups and small businesses, can afford the best legal representation in the world.
Process automation and sharing out the cost of legal experts across many clients allows vendor risk management services to bring costs down. So, we looked for the best value possible.
OneTrust Vendorpedia Third-Party Risk Exchange is a database of “SIGs” filled out by other businesses and made available to other Vendorpedia subscribers. A SIG is a Standardized Information Gathering questionnaire, a standard intelligence recording format in corporate risk assessment.
- A crowd-sourced data pool
- Commercial intel
- Records security failures
- Breaches categorized by data protection standard
- Moderated by legal experts
By entering the names of suppliers, the database brings up any intel on data breaches that occurred involving that business or any failed standards audits. The reporting in this database assesses risk according to a long list of data protection standards that include NIST, HIPAA, PCI DSS, GDPR, EBA, and CCPA.
Vendorpedia is a division of OneTrust, which is a very well-respected provider of legal services for IT systems. As a top-of-the-line provider, OneTrust is expensive. So, the Risk Exchange is a very clever way to cut the costs of the high-priced service of risk management. Community-provided data reduces the number of highly-paid OneTrust legal experts that need to be involved in providing the service.
Assessments are added to the system all of the time, so subscribers get up-to-the-minute data on vendors and on the suppliers of their potential service providers. The system isn’t totally unsupervised. OneTrust legal experts moderate the data entered into the assessment database and add in the risk assessments that they perform themselves on behalf of clients. Assessments are filed on a per-service basis. This is useful because if one product of a company encounters problems, that doesn’t mean that the whole business is compromised.
- A definitive source of data breach information, called SIGs
- Lists companies that failed data protection standards audits
- Identifies companies that present a risk according to a list of standards
- Relates to NIST, HIPAA, PCI DSS, GDPR, EBA, CCPA
- Database entries are verified by legal experts
- Not a free service
The system is enhanced by OneTrust DataGuidance. This is a risk assessment tool developed by OneTrust based on the techniques used by its in-house risk assessors. You can request a demo to get a full understanding of the Risk Exchange system.
OneTrust Third-Party Risk Exchange is an expert-moderated database of community-provided risk assessment SIGs. The system is a great way to get access to up-to-date information on the suppliers that you are thinking of getting services or software from. The assessments go down to product level so you can get precise product evaluations to ensure that your suppliers will be able to support you in your obligations over data protection.
Request a demo: www.vendorpedia.com/request-demo
Operating system: Cloud-based
The TrustArc Vendor Risk Management software is a framework for noting vendor assessments. This tool is operated as a cloud-based platform. It includes a mix of assessment forms (SIGs), a legal notification feed and matching service, and consultation with the vendors themselves.
- A cloud-based system
- Investigation forms
- Legal research service
- Vendor interviews
The TrustArc system isn’t all automated; it isn’t totally reliant on software. Legal experts working for TrustArc perform assessments of vendors and even interview suppliers entered into the system for risk assessment by clients.
Vendors participate in the system because they want to make sales. Each data service and software vendor makes claims to data protection standard accreditation. So, the first step in the assessment is to verify that certification. The vendor should be able to provide data audit results and compliance verification.
- Mediates with vendors to gain compliance information
- Includes the services of consultants
- Verifies the compliance of software packages
- Checks certification and stores proof
- A lot of manual processes
Consultants of TrustArc validate all of the compliance proof supplied by vendors, which does a lot of the legwork for you. The combination of software and reliable human expertise is a very reassuring package. It is like hiring a private detective to investigate suppliers. TrustArc consultants also advise on exactly what type of privacy performance you need to expect from suppliers depending on which standards you are working to. Supplier issues, such as location, viability, and insurance are also taken into account.
Resolver Vendor Risk Management Software is part of a suite of Governance, Risk management, and Compliance (GRC) tools. This is a cloud platform that can be accessed through any standard browser. The system will check on the suppliers of hardware, software, services, and applications.
- Supplier assessment package
- Continuous monitoring
- Alerts for new risk data
Once vendors and their suppliers are identified, Resolver continues to monitor the risk status of those businesses so you can be sure that you won’t be caught out further down the line. The Resolver system can be used to assess the suppliers of new purchases and also to audit your existing system.
The Resolver system provides an assessment framework that standardizes a checklist of expectations the suppliers need to match to contribute towards standards and legislation compliance. The assessment forms in the service should be sent out to vendors for completion. The assessment requests also list requirements for copies of certificates, which can then be stored within the Vendor Risk Management system to document confirmation of accreditation as part of the standards compliance audit requirements.
- Research into a given list of businesses
- Check for evidence of data breaches or audit fails
- Acquires and stores accreditation certificates
- No free trial
You can request a demo of the Resolver GRC platform, which includes the Vendor Risk Management software.
CyberScore is an online platform for vendor risk assessment that is provided by ComplyScore. The system is based on a questionnaire format, which creates a standard assessment framework for each vendor.
- Assessment framework
- A library of questionnaires
- Ripples through the supply chain
The assessment questionnaires should be sent out to vendors for completion. The completed responses then go into an online database where analytical tools grade them to provide a ranking of each vendor’s suitability. A response can also reveal the suppliers of those first-tier vendors, who can then be approached to fill out more questionnaires and possibly reveal deeper-layer suppliers.
The result of an investigation will be a hierarchy of suppliers behind each product, whether that be hardware, software, applications, or services. The risk scoring of each collection of suppliers can be adapted according to the standards that you need to comply with.
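To make the mechanics described above concrete, both the register-then-monitor loop from the "How does vendor risk management work?" section and the questionnaire scoring and supply-chain ripple just described for CyberScore, here is an added, self-contained Python model. It is illustrative code written for this article, not code from ComplyScore, OneTrust or any other product named here; the control names, the per-standard weights, the vendor names and the breach notifications are all constructed, and the scoring rule (a vendor's effective score is capped by the weakest supplier behind it, and an unassessed supplier scores zero) is an assumption chosen to show how risk propagates up a supply chain.

```python
from dataclasses import dataclass, field

# Questionnaire controls weighted per standard. Constructed weights for illustration,
# not any product's published scoring scheme.
STANDARD_WEIGHTS = {
    "GDPR":    {"encryption_at_rest": 2, "breach_notification_72h": 3, "dpa_signed": 3, "pentest_last_12m": 1},
    "PCI DSS": {"encryption_at_rest": 3, "breach_notification_72h": 1, "dpa_signed": 0, "pentest_last_12m": 3},
}


@dataclass
class Vendor:
    name: str
    answers: dict                                   # control -> True/False from the returned questionnaire
    suppliers: list = field(default_factory=list)   # sub-suppliers the vendor disclosed in its answers


def _norm(name):
    """Normalise company names so 'CloudHost Ltd' and 'cloudhost ltd' match."""
    return " ".join(name.casefold().replace(",", " ").split())


def build_registry(vendors):
    return {_norm(v.name): v for v in vendors}


def own_score(vendor, standard):
    """0..100: share of the standard's weighted controls the vendor answered 'yes' to."""
    weights = STANDARD_WEIGHTS[standard]
    got = sum(w for ctrl, w in weights.items() if vendor.answers.get(ctrl, False))
    return round(100 * got / sum(weights.values()))


def supply_chain_score(registry, name, standard, _seen=None):
    """Effective score = min(own score, score of every disclosed supplier, recursively).
    A supplier with no questionnaire on file scores 0 (unassessed means unknown risk).
    Returns (score, findings) where findings lists the gaps that drove the score."""
    if _seen is None:
        _seen = set()
    key = _norm(name)
    if key in _seen:            # cycle guard: A supplies B which supplies A
        return 100, []
    _seen.add(key)
    vendor = registry.get(key)
    if vendor is None:
        return 0, [f"{name}: no questionnaire on file"]
    weights = STANDARD_WEIGHTS[standard]
    score = own_score(vendor, standard)
    findings = [f"{vendor.name}: missing {c}" for c, w in weights.items()
                if w and not vendor.answers.get(c, False)]
    for sub in vendor.suppliers:
        sub_score, sub_findings = supply_chain_score(registry, sub, standard, _seen)
        score = min(score, sub_score)
        findings += sub_findings
    return score, findings


def chain_names(registry, name, _seen=None):
    """Every company behind a product: the vendor plus its transitive suppliers,
    including ones that never returned a questionnaire."""
    if _seen is None:
        _seen = set()
    key = _norm(name)
    if key in _seen:
        return _seen
    _seen.add(key)
    vendor = registry.get(key)
    if vendor is not None:
        for sub in vendor.suppliers:
            chain_names(registry, sub, _seen)
    return _seen


def match_notifications(registry, watched, notifications):
    """Continuous-monitoring step: alert when a breach or audit-failure notification
    names any company in the supply chain of a vendor on the client's watch list."""
    alerts = []
    for top in watched:
        chain = chain_names(registry, top)
        for n in notifications:
            if _norm(n["company"]) in chain:
                alerts.append((top, n["company"], n["event"]))
    return alerts


# Constructed sample data: three returned questionnaires; "ObscureAPI Co" is disclosed
# as a supplier but never assessed, which is the gap the scoring is meant to surface.
REGISTRY = build_registry([
    Vendor("Acme SaaS", {"encryption_at_rest": True, "breach_notification_72h": True,
                         "dpa_signed": True, "pentest_last_12m": False}, ["CloudHost Ltd"]),
    Vendor("CloudHost Ltd", {"encryption_at_rest": True, "breach_notification_72h": False,
                             "dpa_signed": True, "pentest_last_12m": True}, ["ObscureAPI Co"]),
    Vendor("SoloTools", {"encryption_at_rest": True, "breach_notification_72h": True,
                         "dpa_signed": True, "pentest_last_12m": True}),
])

# Constructed notification feed entries (the kind of "data disclosure notification" a
# subscription service would track on the client's behalf).
NOTIFICATIONS = [
    {"company": "cloudhost ltd", "event": "breach notification filed with regulator"},
    {"company": "Other Corp", "event": "failed PCI DSS audit"},
]

if __name__ == "__main__":
    for top in ("Acme SaaS", "SoloTools"):
        score, findings = supply_chain_score(REGISTRY, top, "GDPR")
        print(f"{top}: GDPR chain score {score}; findings: {findings}")
    print("alerts:", match_notifications(REGISTRY, ["Acme SaaS", "SoloTools"], NOTIFICATIONS))
```

Running the script shows the two behaviours the article describes: Acme's own GDPR score is high, but its effective score drops to zero because a second-tier supplier was never assessed, and a breach notice naming a supplier two tiers down still raises an alert against the first-tier vendor the client actually contracts with.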
The risk management platform also includes a contract risk assessor. You can store all risk assessments and business documentation in a collated store to identify the risk assessment status of each vendor. The platform also offers a Residual Risk service, which continues to check on the statuses of all logged suppliers.
- Provides a set of forms to send to suppliers as part of the acquisition process
- Contract risk assessor package
- Supply chain examination
- Very expensive
The ComplyScore service is offered in three editions. The packages are pricey, with the cheapest edition, called Standard, starting at a subscription price of $50,000 per year plus an Implementation Fee of $15,000. You can request a demo to assess the ComplyScore system.
The BWise Vendor Risk Management software system is part of a wider GRC system. BWise is a subdivision of SAI Global. Other modules in the platform include governance and compliance features for companies that need to handle PII.
- Corporate Research
- Vendor investigation
- Frequent rechecks
This service allows you to put all of your vendor management tasks in one place. Assess initial options for purchases by checking on their providers and then continue with ongoing monitoring of vendor reputation and compliance.
The system includes a risk identification service, so you don’t waste time verifying suppliers of products that don’t impact data protection standards requirements. The vendor management system also ranks suppliers by the level of criticality. The overview of vendor management lets you see exactly how many different suppliers you currently deal with.
The system provides a framework for vendor risk assessment through forms and checklists. There is also a section for contract conformance that tracks the delivery of SLAs. In each case, workflows in the assessment framework provide points for interaction with the provider and checklists of points to confirm. Some measures can be undertaken to address risks that are identified by the process.
- Part of a GRC platform of modules
- Offers contract service level agreement tracking
- An acquisition framework
- A manual research service
The discovery of a problem with a supplier might lead you to drop its products. The Vendor Risk Management software lays down procedures to follow for finding replacement services, hardware, or software in that event.
SureCloud is a package of governance and compliance services that includes a risk management module. The Third-Party Risk Management software system gives you a central repository for your vendor assessments and verification. The system is offered in three plans, with greater automation in the higher editions. The lowest edition, called Standard, provides a space for you to log your assessments. The higher plans, called Business and Premium, are form- and workflow-driven, automating much of the vendor risk assessment process.
- Form-based assessments
- Risk assessment feed
- Vendor verification service
The process of vendor risk management has two strands. You can set up a form-based assessment that requires the participation of the vendor. This workflow also indicates the documentation, such as standards accreditation and audit certificates, that you need to ask for and store. These questionnaires are tailored to the standards that you are following and the category of product that each vendor supplies.
The second powerful element in the Third-Party Risk Management system is a feed from BitSight, which is a security rating agency. This provides an instant assessment of the risk attached to each of the vendors that you enter into the system. That service is an add-on and isn’t included in the plan subscription price.
- A data set of corporate issues that could block compliance certification
- A framework for manual investigation
- A questionnaire library to promote communication with vendors
- No free trial
You can request a demo to see the cloud-hosted Third-Party Risk Management system for yourself.