Vendor Risk Management at Scale: The Real Process
Compliance
Vendor risk questionnaires are theatre. Real vendor risk management is a continuous process tied to the change events that actually create exposure. The four-stage program we install.
By Arjun Raghavan, Security & Systems Lead, BIPI · January 12, 2026 · 7 min read
Most vendor risk programs we audit are paper exercises. A new vendor is onboarded; someone in security sends a 200-question SIG Lite questionnaire; the vendor returns it with mostly green answers; it gets filed; nobody looks at it again. Every breach in the news that involved a third-party vendor was preceded by exactly this paper exercise.
Real vendor risk management treats the questionnaire as the starting point, not the end state. The continuous program — the part that actually catches issues — is what most organisations skip.
Why questionnaires do not catch real risk
A questionnaire captures the vendor's posture at the moment it was filled out. By the time you review their answers, the moment is six weeks gone. Their staff has rotated. Their architecture has changed. Their CISO took another job. A questionnaire from January is a fossil by July.
Worse, vendors learn what answers pass. The same firm that genuinely had MFA enabled answers 'yes' the same way as the firm whose MFA covers the admin console but not the support team. The questionnaire cannot distinguish.
Continuous monitoring signals
Real signal comes from continuous data, not point-in-time attestation.
- Public security posture services (BitSight, SecurityScorecard, Black Kite) score vendors on observable signals — open ports, expired certificates, leaked credentials, DNS hygiene. The scores are imperfect but the trend over time is meaningful.
- Breach notification feeds. When a vendor in your portfolio appears in a breach notification, you want to know within hours, not when you read the news.
- Public CVE feeds. If your CDN provider has a critical vulnerability disclosed, you want it routed to the team that depends on them.
- Geopolitical signals. Country-level changes (sanctions, export controls, sudden regulatory change) affect vendor risk for vendors based in those jurisdictions.
- Their own SBOM, when they will share it. Lets you check whether their software inherits a vulnerability you already track.
Tiering — not all vendors deserve the same scrutiny
A T-shirt printer who fulfils swag orders does not need an annual SOC 2 review. Your payment processor does. Tiering aligns scrutiny to actual exposure.
Tier 0: critical. Vendors that, if breached or unavailable, materially impact your service. Cloud providers, payment processors, identity providers, your DDoS provider. Annual deep review, continuous monitoring, contractual breach-notification clauses, exit plan.
Tier 1: significant. Vendors that handle customer data or critical internal data. Most SaaS tools your team uses. Biennial review, automated monitoring, standard DPA in place.
Tier 2: routine. Operational tools without sensitive access. Project management, communication tools, marketing platforms. Onboarding review only, monitoring optional.
Tier 3: incidental. Office supplies, swag, food delivery. Standard procurement, no security review.
Contract clauses that matter
Three clauses do most of the protective work in vendor contracts.
Notification clause. The vendor must notify you of a security breach within a defined window — 24 to 72 hours is standard. Many template MSAs do not include this; add it.
Audit right. You retain the right to audit the vendor's controls relevant to your data, either directly or via a recognised attestation (SOC 2, ISO 27001). Most vendors prefer attestation; that is fine. The clause means you can require it on schedule.
Subcontractor disclosure and consent. The vendor cannot quietly subcontract processing of your data. Material subcontractors are listed, and material additions require notice. This matters under GDPR and the DPDPA, not only as a contractual term.
The annual reassessment lie
Many programs commit to 'annual reassessment' and then never do it. Rolling reassessment works better: each tier has a reassessment cadence, vendors are sorted by their reassessment date, the team works through 4 to 8 per quarter. No big-bang October crunch where 200 vendors need to be re-reviewed at once.
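To make the rolling cadence concrete, here is an added illustration (not tooling from the original article, nor BIPI's own): a small Python scheduler that applies the tier cadences above to a constructed vendor list and produces one quarter's reassessment queue, carrying overflow into the next quarter rather than dropping it. The 91-day quarter, the per-quarter capacity and the ordering (overdue first, then higher tier, then due date) are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Reassessment cadence per tier, from the tiering model above:
# Tier 0 annual, Tier 1 biennial. Tier 2 gets an onboarding review only
# and Tier 3 none, so neither has a scheduled reassessment.
CADENCE_DAYS = {0: 365, 1: 730}


@dataclass
class Vendor:
    name: str
    tier: int
    last_reviewed: date


def next_due(v: Vendor) -> Optional[date]:
    """Next reassessment date, or None when the tier has no cadence."""
    days = CADENCE_DAYS.get(v.tier)
    return None if days is None else v.last_reviewed + timedelta(days=days)


def quarter_queue(vendors: List[Vendor], quarter_start: date,
                  capacity: int = 8) -> Tuple[List[str], List[str]]:
    """Return (queue, deferred) for the quarter beginning at quarter_start.

    Overdue vendors sort first, then lower tier number (higher exposure),
    then due date. Anything beyond capacity is deferred, not dropped.
    Quarter length of 91 days is an assumption."""
    quarter_end = quarter_start + timedelta(days=91)
    due = []
    for v in vendors:
        d = next_due(v)
        if d is not None and d < quarter_end:
            due.append((d >= quarter_start, v.tier, d, v.name))
    due.sort()
    names = [name for _, _, _, name in due]
    return names[:capacity], names[capacity:]


# Constructed sample portfolio (names and dates are made up).
SAMPLE_VENDORS = [
    Vendor("cloud-a", 0, date(2025, 3, 15)),    # due 2026-03-15, overdue in Q2
    Vendor("payments", 0, date(2025, 5, 10)),   # due 2026-05-10
    Vendor("idp", 0, date(2025, 9, 1)),         # due 2026-09-01, not yet
    Vendor("crm-saas", 1, date(2024, 5, 20)),   # due 2026-05-20
    Vendor("hr-saas", 1, date(2024, 3, 1)),     # due 2026-03-01, overdue
    Vendor("pm-tool", 2, date(2025, 1, 1)),     # no cadence
    Vendor("swag", 3, date(2025, 1, 1)),        # no cadence
]

if __name__ == "__main__":
    queue, deferred = quarter_queue(SAMPLE_VENDORS, date(2026, 4, 1), capacity=3)
    print("this quarter:", queue)
    print("deferred:", deferred)
```

Running it with a capacity of 3 shows the overdue Tier 0 vendor leading the queue and the lowest-priority due vendor rolling into the next quarter instead of being lost.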
Closing
Vendor risk programs that catch issues are continuous, tiered, and tied to real signals. Programs that do not catch issues are annual paper exercises. The work to convert from one to the other is mostly process and tooling, not regulation. The breaches that happen through vendors will keep happening. The question is whether your program lets you see them at hour one or at week three.