Third-Party Risk Management

Govern the full third-party risk lifecycle

Manage vendor assessments, lifecycle reviews, security findings, ownership, and risk decisions in one governed workflow — with a complete audit trail behind every record.

Vendor risk, on one governed workflow

Most teams spread vendor risk across questionnaires, spreadsheets, and disconnected tools, then rebuild context at audit time. VeriGRC manages the entire vendor lifecycle — from onboarding to offboarding — in one place, where assessments, security findings, ownership, evidence, and risk decisions stay connected and every action is recorded.

What you can do

A governed lifecycle for vendors — from first assessment to final risk decision and audit.

Governed vendor lifecycle

Onboard, review, re-assess, and offboard vendors through a controlled workflow, with a recurrence scheduler for ongoing due diligence.

AI-driven assessments

Run VeriSAQ — VeriGRC's own vendor security assessments, available as VeriSAQ Lite and VeriSAQ Full — scored with AI-generated findings and supporting rationale your team can review and act on.

Security findings and ratings

Pair assessment results with ongoing vendor security ratings and external attack surface signals for a fuller risk picture.

Ownership and risk decisions

Assign owners, record accept or treat decisions, and track remediation — so every risk has a clear owner and a clear outcome.

Evidence in one place

Vendors submit evidence directly through the portal, and it stays attached to the assessment and to the audit trail.

Complete audit trail

Invitations, submissions, scoring, and decisions are captured in an append-only audit log behind every vendor record.

How vendors are brought in

A controlled onboarding path that gives vendors access to exactly what they need — and nothing else.

  1. 1

    Your team invites the vendor

    An authorized user sends the vendor an invitation to the assessment or items they need to complete.

  2. 2

    The vendor accepts the invitation

    The vendor accepts the invitation and sets up their access to the vendor portal.

  3. 3

    They sign in securely

    Vendors sign in with a local login, or with configured single sign-on.

  4. 4

    They see only what is assigned

    A vendor only sees the assessments or items assigned to them — nothing else in your organization's workspace.

  5. 5

    Activity is tracked and auditable

    Every action a vendor takes is recorded, giving you a clear, reviewable history.

Secure access for auditors

When it is time for an audit, you can grant external auditors secure, time-limited access to only the evidence and records they need. Access is revocable at any time, and every auditor action is logged — so external review never means handing over broad access to your platform.

Connected to the rest of your program

Third-party risk does not live in isolation. Vendor findings flow into your vendor security ratings and external attack surface picture, link to the controls they affect, feed your risk register, and surface through the AI Assistant. Explore the full platform.

Third-party risk — frequently asked questions

What is third-party risk management?

Third-party risk management is the process of identifying, assessing, monitoring, and deciding how to handle the risks that vendors, suppliers, and other external partners introduce. VeriGRC supports it with a governed workflow for vendor assessments, security findings, ownership, evidence, and risk decisions, all backed by an audit trail.

What is VeriSAQ?

VeriSAQ is VeriGRC's own family of vendor security assessments. VeriSAQ Lite provides a faster baseline review, and VeriSAQ Full supports deeper due diligence. Assessments are scored with AI-generated findings, and a vendor only sees the items assigned to them.

How do vendors access VeriGRC?

Your team invites a vendor, the vendor accepts the invitation and sets up access, and then signs in to the vendor portal. Vendors only see the assessments or items assigned to them, and their activity is tracked and auditable.

Can vendors sign in with SSO?

Yes. Vendors can sign in with a local login or single sign-on. Where configured, VeriGRC supports single sign-on for customer organizations using SAML or OpenID Connect, and a vendor only ever sees the items assigned to them.

How does auditor access work?

You can grant external auditors secure, time-limited access to only the evidence and records they need. Access is revocable at any time, and every auditor action is logged for accountability.

How does VeriGRC connect vendor risk to the rest of my program?

Because the platform shares one data model, vendor findings connect to security ratings and external attack surface signals, link to the controls they affect, feed the risk register, and are available to the AI Assistant — without manual exports.

Does VeriGRC keep an audit trail of vendor activity?

Yes. Invitations, submissions, assessment scoring, and risk decisions are captured in an append-only audit log, so the history behind each vendor record stays reviewable over time.

Ready to consolidate your GRC stack?

Book a walkthrough and see third-party risk, compliance, and audit evidence on one platform.