Vendor risk reviews have a reputation problem.
Business teams experience them as slow, unpredictable and vaguely punitive. Security teams experience them as high-stakes, under-scoped and thankless. Vendors experience them as repetitive paperwork with unclear relevance.
Everyone is right.
The pain isn’t because vendor risk is unimportant. It’s painful because most programs are built on two bad assumptions:
-
Every vendor deserves the same rigor
-
More documentation equals more security
Neither is true. Vendor risk is a decision-making problem disguised as a questionnaire.
In the last article (You Don’t Need a Project. You Need an Answer.), the theme was: don’t turn an answerable question into a project. Vendor risk reviews are a perfect example. The business is usually asking a simple question:
“Can we use this vendor, with acceptable risk, by the date we need?”
If your process can’t answer that quickly and consistently, it will be experienced as theater.
This piece is a practical reset: why it hurts, what to fix and what “good” looks like without making it a bureaucracy.
Why vendor risk reviews feel terrible
- You’re trying to reduce uncertainty with paperwork
Most programs start with a big spreadsheet of “things we should ask vendors.”
Then that spreadsheet becomes a form, a ticket, an approval workflow, a 60-question survey, a requirement for a SOC 2 Type II report (even when the vendor is low risk).
This feels like diligence. But it’s often just document collection.
Paper can’t prove security. Paper can only provide signals. If you don’t have a model for interpreting those signals, you’ll keep asking for more paper.
- The intake is vague, so security has to guess
The business submits: “Need vendor approval. It’s urgent.” (feels familiar?).
Missing:
-
What data is involved (PII? PHI? payment? internal only?)
-
Whether the vendor is a processor/sub-processor
-
Whether the vendor has production access
-
Which systems it integrates with
-
Whether it’s mission-critical
When intake is vague, security is forced to assume worst case. Worst case triggers maximum diligence. Maximum diligence triggers delays. Delays trigger escalation. Escalation triggers shortcuts. Everyone loses.
- It’s one-size-fits-none
A $2,000/year scheduling tool gets treated like a core payment processor.
A vendor touching production customer data gets the same review as a marketing analytics plugin.
That’s not “risk-based”. That’s “process-based”.
- There’s no stopping rule
Even when vendors provide what you asked for, new questions appear:
-
“Can we see your pen test?”
-
“Can you answer these 12 follow-ups?”
-
“Can we get your IR policy?”
-
“Can we schedule a call with your security team?”
Sometimes that’s necessary. Often it’s uncontrolled scope creep.
A good program has a stopping rule: “If X is true, we decide”.
- Ownership is unclear
Security is asked to “approve,” but:
-
Legal owns contract terms
-
Procurement owns purchasing
-
The business owns the outcome
-
Privacy owns certain regulatory constraints
-
Security owns technical risk signals
When accountability is fuzzy, security becomes the default blocker. That’s when the process becomes political instead of practical.
The reality: vendor risk has only three inputs
Vendor risk can be made sane if you force yourself to evaluate three things consistently:
-
Inherent risk: what could go wrong given what the vendor will do
-
Control strength: how capable the vendor is at preventing/detecting/responding
-
Your exposure: how badly it hurts you if things go wrong
Everything else is detail.
If you can’t answer those three, you don’t have vendor risk management, you have vendor documentation management.
Fix #1: Start with a risk-based intake (the “30-second triage”)
Before any questionnaire, require a short intake that determines tier.
Vendor intake (must be filled by requester):
-
What is the vendor used for? (one sentence)
-
What data types? (none / internal / customer PII / sensitive PII / regulated)
-
Does the vendor store/process data or just access it?
-
Does it integrate with production systems?
-
Any admin access? Any direct network access? Any code execution?
-
Criticality: can we operate without it for 7 days?
This is the most important part of the program. It prevents security from guessing.
Outcome: assign a tier
-
Tier 1 (High): customer data + processing or production access
-
Tier 2 (Medium): limited customer data or limited access
-
Tier 3 (Low): no sensitive data, no production access
A tiering model doesn’t need to be perfect. It needs to be consistent.
Fix #2: Create “review lanes” with explicit SLAs
Pain comes from unpredictability. You fix that by defining lanes and timelines.
Example of lanes with associated SLA:
-
Fast lane (Tier 3): 2 business days (sanity checks + contract clauses + minimal evidence)
-
Standard lane (Tier 2): 5–10 business days (SOC 2 or equivalent, security posture questions, key compensating controls)
-
Deep lane (Tier 1): 2–4 weeks (tailored assessment, architecture review, incident history, pen test summary, DPA focus)
If everything is “urgent”, nothing is urgent. Lanes force prioritization and set expectation upfront.
Fix #3: Replace giant questionnaires with “evidence packs”
Questionnaires are painful because vendors answer vaguely, you get low-quality text, you still need evidence, everyone plays email ping-pong.
A better option is to ask for a small set of standardized evidence per tier.
Tier 2 evidence pack (example):
-
SOC 2 Type II (last 12 months) or ISO 27001 cert + SoA
-
Data flow overview (one diagram or a short description)
-
Subprocessor list (if they process customer data)
-
Breach notification commitment + incident contact
-
Basic access control + encryption confirmations
Tier 1 adds:
-
Pen test executive summary (last 12 months) or alternative assurance
-
Secure SDLC overview (short)
-
Logging/monitoring statement (short)
-
IR process overview (short)
-
Retention/deletion capabilities
Your goal is not to learn everything. Your goal is to get high-signal evidence quickly.
Fix #4: Decide with tradeoffs (not perfection)
This is the part most teams avoid: making a call when evidence is incomplete.
In real life, any of these scenarios can happen:
-
Vendor has no SOC 2 yet (startup)
-
Vendor’s SOC 2 is scoped narrowly
-
Vendor won’t share pen test details
-
Vendor is mid-maturity but strategically important
The answer isn’t “no”. The answer is: decide with compensating controls and explicit acceptance.
Example decision patterns (practical):
-
Approve with restrictions: “No customer PII until SOC 2 is available”
-
Approve with technical controls: “Use SSO, enforce MFA, least privilege, IP allowlist”
-
Approve with monitoring: “Log access, alert on admin activity, quarterly access review”
-
Approve with contract terms: “72-hour notification, audit rights, subprocessor notice”
-
Timeboxed risk acceptance: “Approved for 90 days pending evidence”
This is what mature vendor risk looks like: bounded risk, not zero risk.
Fix #5: Make the contract do its job (quietly)
A lot of vendor risk “review” is really legal protection. Good. Put it where it belongs!
Have a standard set of security/privacy clauses that scale by tier:
-
Breach notification timeline
-
Security controls representations
-
Subprocessor commitments
-
Data deletion/return
-
Audit/assurance rights
-
Liability and indemnification (as appropriate)
-
Restrictions on use of your data (especially for AI training)
Then security isn’t rewriting the same feedback in every ticket.
Fix #6: Run a monthly “vendor risk retro”
If vendor risk feels painful, you need feedback loops. Once a month, review:
-
Where did we stall?
-
Which questions created the most back-and-forth?
-
Which vendors were mis-tiered?
-
Which evidence was low-signal?
-
What would have produced a decision faster?
Vendor risk becomes calm when it becomes a product: measured, improved and predictable.
What “good” feels like
When vendor risk is working, the business says:
-
“I know what to provide”
-
“I know how long it will take”
-
“I know what the decision will be based on”
-
“If there’s risk, we’ll manage it without drama”
Security says:
-
“We’re not guessing”
-
“We’re not doing deep dives on low-risk tools”
-
“We can escalate rigor only when it’s justified”
-
“We’re deciding, not collecting”
And vendors say:
“This is reasonable. We can comply.”
That’s the goal: fewer surprises, fewer escalations, more clarity.
Closing thought: make vendor risk boring
Vendor risk doesn’t need to be heroic. It needs to be boring.
Boring means: clear intake, clear tiers, clear evidence packs, clear SLAs, clear decisions with tradeoffs and steady improvements over time.
Security becomes chaotic when decision-making becomes chaotic. Vendor risk is one of the easiest places to bring calm back, if you build it for reality instead of perfection.
Let’s talk!
If you want help redesigning your vendor risk process (tiering model, evidence packs, SLAs, templates and a lightweight operating cadence), we do scoped advisory work and implementations via Fiverr/Upwork and through our website.
