RiskWatch
Vendor Risk Platform · TPRM

Vendor risk management, tier by tier.

Onboard, tier, score, monitor. Auto-tiering on intake, SIG / CAIQ / NIST 800-161 questionnaires, SOC 2 auto-parsing, and continuous monitoring across 8 risk categories.

  • Risk-based tiering · right-sized due diligence
  • Pre-built SIG · CAIQ · NIST 800-161 questionnaires
  • SOC 2 auto-parsing · gaps flagged · evidence stored
  • Continuous monitoring + breach alerts on Tier 1 vendors
No credit card · SIG + CAIQ ship day 1
Dashboard preview (app.riskwatch.com/vendor-risk · live · 247 vendors): aggregate vendor risk index for the portfolio with inherent 82 / residual 64 / target 42 and 3 SLA breaches; tiles for active vendors tracked, Tier 1 critical high-risk count, reassessments due in 30 days, and SOC 2 collected; top 5 vendors by composite risk score (cloud infra Tier 1, payment processor, marketing SaaS, identity provider, logistics partner).
Trusted by TPRM teams across regulated industries
Aon
Marsh & McLennan
Kroll
Stryker
Trane
First Citizens Bank
Catholic Health
NTT DATA
What it is

What is vendor risk management software?

Stop sending the 200-question intake to the logo vendor. Tier vendors at intake, run the right questionnaire for each tier (SIG, CAIQ, NIST 800-161), and let the SOC 2 auto-parser extract findings without a human reading 80 pages. Aligned to NIST SP 800-161 and OCC third-party risk guidance. Also called TPRM software, vendor risk assessment software, or vendor management software.

Why teams move to RiskWatch

You can't treat the cloud-infra Tier 1 the same as the logo vendor. And right now you're trying.

TPRM teams we talk to manage 200–2,000 vendors. Most are still running the same 200-question intake on every vendor and reading SOC 2 reports nobody asked for. Here's what that costs.

Pain #1

Every vendor gets the same 200-question intake. Nobody finishes it.

Tier 3 logo vendors and Tier 1 cloud-infra vendors don't need the same depth. Auto-tiering on intake routes each vendor to the right questionnaire — full SIG, lite CAIQ, or self-attest.

Pain #2

SOC 2 reports pile up unread.

You collect them at renewal. They sit in SharePoint. The auditor asks if you reviewed them. The SOC 2 auto-parser extracts findings, exceptions, and complementary user-entity controls (CUECs), and flags gaps against your control library.

Pain #3

Annual reassessment is annual surprise.

Vendor X had a breach in March. You found out at the November renewal questionnaire. Continuous monitoring fires alerts on breaches, financial distress, and SLA breaches the moment they hit the news.

8
Risk categories scored
cyber · compliance · physical · financial · operational · reputational · strategic · 4th-party
3
Questionnaire libraries built in
SIG · CAIQ · NIST 800-161
80%
Time saved per vendor cycle
vs spreadsheet-based TPRM
The platform

Every module a modern TPRM team needs — in one platform.

Sixteen flagship modules sharing the vendor inventory, audit trail, and control library. Built around tiering so each vendor gets right-sized due diligence.

Vendor Dashboard

Portfolio risk on one screen

Aggregate risk index, top-N vendors by score, due-diligence cadence, SLA breaches — readable in 10 seconds.

Vendor Inventory

Every vendor, every contract

Import vendors from your contract repository or invite them individually. Capture spend, contract end-date, scope, and data-access types.

Risk-Based Tiering

Auto-tier on intake

Tier 1 critical · Tier 2 significant · Tier 3 standard. Tier drives the questionnaire depth and reassessment cadence.

Questionnaire Library

SIG · CAIQ · NIST 800-161

Pre-built questionnaire libraries you can send as-is or extend. No questionnaire authoring required.

Vendor Portal

Vendors respond directly

Send a link, vendor logs in, completes the questionnaire, attaches SOC 2. No email chains, no PDF round-trips.

SOC 2 Auto-Parser

Type 1/2 reports extracted

Auto-extract trust services criteria, exceptions, complementary user-entity controls (CUECs), and gap findings.

8-Category Scoring

Cyber · compliance · physical · reputational · financial · operational · strategic · 4th-party

Each vendor scored across all eight categories. Composite risk plus per-category drill-down.

Risk Categories

Beyond cybersecurity

Financial distress, geopolitical exposure, sanctions screening, ESG. Vendor risk is more than just cyber.

Continuous Monitoring

Breach alerts in real time

External feeds (BitSight, SecurityScorecard, sanctions watchlists) hit your dashboard the moment they trigger.

Reassessment Workflows

Cadence by tier

Tier 1 quarterly, Tier 2 annually, Tier 3 on contract renewal. Reminders + escalations automatic.

Control Mapping

Vendor controls → your controls

Map each vendor's SOC 2 / ISO 27001 controls to your internal control library. Spot coverage gaps.

Due Diligence

Documented and timestamped

Site visits, video walks, financial review, sanctions checks — every artifact in one audit-ready folder per vendor.

Fourth-Party Tracking

Vendor's vendors, mapped

Capture each Tier 1 vendor's critical sub-processors. Cascade alerts when their suppliers have an incident.

Vendor Risk Reports

Board-ready exports

Per-vendor scorecard, portfolio rollup, regulatory exam pack (FFIEC, OCC, EBA). PDF + Excel.

Bulk Tools

Onboard 500 vendors in an Excel paste

Bulk import inventory, contracts, contacts. Customize fields without IT involvement.

Audit Trail

"Who reviewed this vendor?" answered instantly

Timestamped log of every questionnaire response, approval, and gap closure. Admissible in regulator review.

Risk-based tiering

Not every vendor needs the SIG. Tier on intake.

Auto-classify each vendor on intake as Tier 1 critical, Tier 2 significant, or Tier 3 standard. Tier drives the questionnaire depth, due-diligence cadence, and monitoring intensity. Auto-tier-up triggers when a vendor's scope or data access expands during the year.

  • Tier on intake · Tier 1 / 2 / 3 drives questionnaire + cadence
  • Right-size diligence · 200-Q for Tier 1, 60-Q for Tier 2, 15-Q for Tier 3
  • Score with libraries · SIG, CAIQ, NIST 800-161, pre-built and extensible
  • Monitor continuously · External feeds + breach alerts for Tier 1 vendors
See tiering in action
Risk-based vendor tiering
Tier 1 · Critical
38 vendors
  • Annual on-site or video due diligence
  • Continuous monitoring + breach alerts
  • Quarterly SLA + financial review
Tier 2 · Significant
84 vendors
  • Annual questionnaire (CAIQ-lite, 60 Q)
  • SOC 2 Type 2 collected + parsed
  • Annual reassessment
Tier 3 · Standard
125 vendors
  • Lite questionnaire (15 Q) on onboarding
  • Annual self-attestation
  • Auto-tier-up if scope changes
Auto-tier on intake → Right-sized due diligence per vendor
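The tiering rule the page describes (tier assigned from data access, spend and replaceability; tier drives questionnaire depth and cadence; automatic tier-up when scope expands) is straightforward to write down. The following is an added example, not RiskWatch's own code: the sensitivity ranking, the spend thresholds, the policy table and the sample vendors are assumptions built from the page's own figures (200/60/15-question questionnaires, quarterly / annual / on-renewal cadence). Note that a single critical signal is enough for Tier 1, so a low-spend vendor holding credentials or PHI is still critical, and that only tier-up is automatic.

```python
"""Risk-based vendor tiering with right-sized diligence and auto-tier-up.

Added example, not RiskWatch's own code. Thresholds, the policy table and
the sample portfolio are assumptions drawn from the page's figures.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

# Assumed sensitivity ranking of the data-access types captured at intake.
DATA_SENSITIVITY = {"none": 0, "internal": 1, "pii": 2,
                    "pci": 3, "phi": 3, "credentials": 3}


@dataclass(frozen=True)
class Vendor:
    name: str
    annual_spend: float        # USD
    data_access: frozenset     # subset of DATA_SENSITIVITY keys
    hard_to_replace: bool      # cloud infra, identity provider, core systems


@dataclass(frozen=True)
class TierPolicy:
    questionnaire: str
    questions: int
    reassess_days: Optional[int]   # None = reassess on contract renewal
    continuous_monitoring: bool
    onsite_due_diligence: bool


# Tier 1 critical, Tier 2 significant, Tier 3 standard (assumed policy table).
POLICY = {
    1: TierPolicy("SIG (full)", 200, 90, True, True),
    2: TierPolicy("CAIQ-lite", 60, 365, False, False),
    3: TierPolicy("Lite self-attestation", 15, None, False, False),
}


def tier_vendor(v: Vendor) -> int:
    """Classify on intake. Any one critical signal is enough for Tier 1."""
    sensitivity = max((DATA_SENSITIVITY[d] for d in v.data_access), default=0)
    if v.hard_to_replace or sensitivity >= 3 or v.annual_spend >= 1_000_000:
        return 1
    if sensitivity >= 2 or v.annual_spend >= 100_000:
        return 2
    return 3


def diligence_plan(v: Vendor, tier: int, last_assessed: date,
                   contract_end: date) -> dict:
    """What the tier obliges you to do, and when the next cycle is due."""
    p = POLICY[tier]
    due = (contract_end if p.reassess_days is None
           else last_assessed + timedelta(days=p.reassess_days))
    return {
        "vendor": v.name, "tier": tier,
        "questionnaire": p.questionnaire, "questions": p.questions,
        "continuous_monitoring": p.continuous_monitoring,
        "onsite_due_diligence": p.onsite_due_diligence,
        "next_reassessment": due,
    }


def retier_on_change(v: Vendor, current_tier: int, **changes):
    """Scope or data access changed mid-year: recompute the tier, but only
    tier *up* automatically (lower number = more critical). A tier-down
    should be a reviewed decision, not an intake rule."""
    updated = replace(v, **changes)
    new_tier = min(current_tier, tier_vendor(updated))
    return updated, new_tier, new_tier < current_tier


def run_intake(vendors) -> dict:
    """Bulk intake: vendor name -> assigned tier."""
    return {v.name: tier_vendor(v) for v in vendors}


# Constructed sample portfolio, named after the page's top-5 list.
SAMPLE_VENDORS = [
    Vendor("Vendor X", 2_400_000, frozenset({"internal", "credentials"}), True),
    Vendor("Vendor Y", 300_000, frozenset({"pci"}), False),
    Vendor("Vendor Z", 40_000, frozenset({"internal"}), False),
    Vendor("Vendor W", 150_000, frozenset({"credentials"}), True),
    Vendor("Vendor V", 120_000, frozenset({"pii"}), False),
]
SAMPLE_LAST_ASSESSED = date(2026, 1, 15)
SAMPLE_CONTRACT_END = date(2027, 6, 30)

if __name__ == "__main__":
    tiers = run_intake(SAMPLE_VENDORS)
    for v in SAMPLE_VENDORS:
        print(diligence_plan(v, tiers[v.name], SAMPLE_LAST_ASSESSED, SAMPLE_CONTRACT_END))
    # The marketing SaaS starts ingesting customer PII: auto-tier-up 3 -> 2.
    print(retier_on_change(SAMPLE_VENDORS[2], 3, data_access=frozenset({"internal", "pii"})))
```

Two design points worth keeping when adapting this: the Tier 1 test is an OR over critical signals rather than a weighted sum, so a cheap vendor with production credentials cannot average its way into Tier 3; and the change handler never lowers a tier on its own, because a vendor that quietly drops data-access claims is exactly the one that deserves a human look.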
Questionnaire library → Vendor score
Industry-standard questionnaires
SIG
Standardized Info Gathering
Shared Assessments · 1,500+ controls
CAIQ
Cloud Security Alliance CAIQ
Cloud-vendor controls (CCM v4)
NIST 800-161
Supply chain risk
Federal supply-chain controls
RiskWatch outputs
Output
Composite vendor score
Inherent · Residual · Target
Output
Auto-flagged gaps
Mapped to your control library
Output
SOC 2 evidence parsed
Type 1/2 reports auto-extracted
Pre-built libraries → No questionnaire authoring required
Questionnaire library

SIG, CAIQ, NIST 800-161. No authoring required.

Send pre-built industry-standard questionnaires from day one. SIG is widely used in banking and healthcare TPRM; CAIQ is the de facto standard for cloud vendors; NIST 800-161 covers federal supply chain. Or upload your own custom set. Vendor responses populate composite scoring automatically, and SOC 2 reports auto-parse to extract findings, exceptions, and CUECs.

  • 8-category scorecard · cyber · compliance · physical · financial · operational · reputational · strategic · 4th-party
  • Per-vendor drill-down · questionnaire results, SOC 2 findings, due-diligence artifacts, control coverage
  • Portfolio rollup · aggregate risk index, top-N risks, tier distribution, reassessments due
  • Regulatory exam pack · FFIEC IT, OCC TPRM, EBA Outsourcing, NYDFS 500, pre-formatted exports
  • Fourth-party heat map · Tier 1 vendors' critical sub-processors and their risk levels
Eight risk categories

Vendor risk is more than cyber. We score all eight.

Category 1
Cybersecurity

data breach, ransomware, credential compromise, insecure APIs

Category 2
Compliance

regulatory fit, framework certifications (SOC 2, ISO 27001), data-residency

Category 3
Physical

facility security, access control, BCP/DR sites, hardware supply chain

Category 4
Financial

credit health, going-concern risk, late-payment history, M&A exposure

Category 5
Operational

SLA breaches, capacity, key-person risk, incident response maturity

Category 6
Reputational

ESG, news monitoring, social-media incidents, regulatory enforcement

Category 7
Strategic

vendor lock-in, alignment, roadmap risk, geographic concentration

Category 8
Fourth-Party

vendor's critical sub-processors and their risk profile

How it works

From vendor onboarding to audit-ready in five stages.

Most teams onboard their first 50 vendors within their first week. Stage 4 runs continuously. Stage 5 is on-demand the moment your auditor asks.

Stage 01·Day 1

Onboard the vendor

Bulk-import from your contract repo or invite individually. Auto-classify by data-access scope and contract value.

Stage 02·Day 2–7

Tier and questionnaire

Tier 1 / 2 / 3 assigned automatically. Right-sized SIG / CAIQ / lite questionnaire sent to vendor portal.

Stage 03·Week 2

Score and gap-flag

SOC 2 auto-parsed. Responses scored. Gaps mapped to your control library. Composite risk index per vendor.

Stage 04·Continuous

Monitor and reassess

Breach alerts + external monitoring fire continuously. Reassessment cadence per tier kicks in automatically.

Stage 05·On-demand

Report and brief

Per-vendor scorecard, portfolio rollup, regulatory exam pack — board-ready in two clicks.

Customer stories

The 412-vendor program that stopped feeling impossible.

Real TPRM teams. Real onboarding cycles. Real breach-detection wins.

Vendors managed
412
across 3 tiers
Tier-3 onboarding
↓ 90%
6 weeks → 4 days
Time-to-deploy
5 weeks
first audit-ready cycle

We had 412 vendors, no tiering, and a 200-question intake everyone hated. Auto-tiering cut Tier 3 onboarding from six weeks to four days. Tier 1 stays rigorous because it has to.

TG
Tom G.
Head of TPRM · Banking · 8,500 employees

SOC 2 auto-parser changed our review cadence. We used to read maybe one report in five. Now every report is parsed, gaps flagged, and our analyst reviews the flags — not the boilerplate.

LS
Lina S.
Director of Vendor Risk · Insurance · 3,200 employees

Continuous monitoring caught a Tier 1 vendor's breach 11 days before they emailed us. Our IR team had a head start. That alone justified two years of license cost.

RK
Reza K.
CISO · SaaS · 2,400 employees
Standards & regulations supported

If your regulator names it, we map to it.

SIG, CAIQ, NIST 800-161, OCC third-party guidance, EBA Outsourcing, NYDFS 500, DORA: each regulator's third-party expectations ship with pre-built mappings into the questionnaire library, so one vendor response can be reported against several regimes.

SIG
Shared Assessments
CAIQ
Cloud Security Alliance
NIST 800-161
Supply chain risk
ISO 27036
Supplier security
FFIEC IT
Banking 3rd-party
OCC 2013-29
OCC TPRM (superseded in 2023 by the Interagency Guidance on Third-Party Relationships, OCC Bulletin 2023-17)
EBA Outsourcing
EU banking
NYDFS Part 500
NY cybersecurity regulation (23 NYCRR 500)
DORA
EU ICT 3rd-party
HIPAA BAA
Healthcare BA mgmt
PCI DSS Req. 12.8
Service-provider mgmt
SOC 2 CC9.2
Vendor mgmt
ISO 27001 A.5.19
Supplier relationships
ISO 28000
Supply chain security
+20 more
Custom on request
Free resources

Take RiskWatch home before you sign anything.

Three downloads. Use them to evaluate, share with your team, or build the business case for replacing your spreadsheet TPRM.

Most popular · PDF · 32 pages · Print-ready

Vendor Risk Assessment Checklist

Thirty-two pages covering cyber, compliance, financial, operational, and reputational risk per vendor. Use it as your tier-classification worksheet or as a SIG-lite alternative.

  • 8-category scoring framework
  • Tier-classification worksheet
  • Executive summary template
Get the checklist
Free template · 2026 · Excel · 6-tab workbook

3-Tier Vendor Risk Workbook

Pre-built tiering scorecard, lite questionnaire (15 Q), CAIQ-lite (60 Q), full SIG-lite (200 Q), reassessment cadence sheet, and an 8-category scoring formula.

  • Tier-classification scorecard
  • 3 right-sized questionnaires
  • Reassessment cadence sheet
Get the workbook
Buyer's guide · 2026 vendor comparison · 24-page PDF

Vendor Risk Platform Buyer's Guide

Vendor scorecard, continuous-monitoring feature comparison, SOC 2 auto-parser benchmarks, pricing by vendor count, and implementation timelines. The shortlist tool for TPRM RFPs.

  • Feature matrix · 6 vendors
  • Continuous-monitoring comparison
  • Pricing benchmarks
Get the guide
FAQ

Common questions, answered up front.

About VRM, TPRM, vendor tiering, SIG/CAIQ, SOC 2 parsing, and continuous monitoring — and how RiskWatch covers all of them.

What is vendor risk management software?
Vendor risk management (VRM) software — also called third-party risk management (TPRM) software — is a platform that helps organizations identify, assess, monitor, and report on risks introduced by their vendors and other third parties. It centralizes vendor inventory, risk-based tiering, due-diligence questionnaires (SIG, CAIQ, NIST 800-161), SOC 2 evidence collection and parsing, control mapping, continuous monitoring, and reassessment cadences. RiskWatch's VRM ships with auto-tiering on intake, pre-built questionnaire libraries, a SOC 2 auto-parser, and 8-category vendor risk scoring covering cyber, compliance, physical, financial, operational, reputational, strategic, and fourth-party risk.
What's the difference between vendor risk management and third-party risk management?
Functionally, the terms are interchangeable in 2026. Some buyers use 'vendor risk management' (VRM) when scoping is limited to direct paid-vendor relationships, and 'third-party risk management' (TPRM) when scoping expands to contractors, partners, joint ventures, and other non-vendor relationships. RiskWatch supports both — the same platform can be configured to track vendors only, or any non-employee party that creates risk for your organization. Regulators like the OCC use 'third-party' broadly; ISO 27036 uses 'supplier'.
How does risk-based vendor tiering work?
On intake, the platform automatically classifies each vendor into Tier 1 (critical — high spend, high data-access, hard to replace), Tier 2 (significant — moderate spend or scope), or Tier 3 (standard — logo vendors and low-spend services). The tier drives everything downstream: Tier 1 gets the full SIG questionnaire, annual on-site or video due diligence, continuous monitoring, and quarterly SLA review; Tier 2 gets the CAIQ-lite, annual reassessment, and SOC 2 collection; Tier 3 gets a 15-question lite intake plus annual self-attestation. Auto-tier-up triggers if a vendor's scope or data access changes during the year.
Which questionnaire libraries are included?
RiskWatch ships with three industry-standard questionnaires out of the box: SIG (Standardized Information Gathering, from Shared Assessments; 1,500+ controls, used widely in banking and healthcare), CAIQ (Consensus Assessment Initiative Questionnaire, from the Cloud Security Alliance; 261 questions mapped to the 197 controls of CCM v4, the de facto standard for cloud-vendor diligence), and NIST 800-161 (federal supply-chain controls). You can use them as-is, extend them with custom questions, or upload your own questionnaires. Vendor responses populate composite scoring automatically.
How does the SOC 2 auto-parser work?
When a vendor uploads a SOC 2 Type 1 or Type 2 report (PDF), the platform extracts the trust services criteria covered, the auditor's opinion, exceptions, complementary user-entity controls (CUECs), and gap findings. Each finding is mapped automatically to your internal control library so you see whether the vendor's gaps create risk to your environment. CUECs deserve separate attention: they are controls the vendor's auditor assumes you operate, so an unassigned CUEC is a gap on your side, not the vendor's. The parsed evidence is stored as structured data, and auditors can drill into any control and see the source SOC 2 page where the finding originated.
What is fourth-party risk?
Fourth-party risk is the risk introduced by your vendors' critical sub-processors and suppliers. If your payroll vendor uses a cloud provider that has a breach, your data may be exposed even though you have no direct relationship with the cloud provider. RiskWatch captures each Tier 1 vendor's declared sub-processors (the subservice organizations carved out of the vendor's SOC 2 report are one source of that list) and tracks them as fourth parties, including their breach history and risk profile. Alerts cascade: when a fourth party has an incident, every Tier 1 vendor that depends on it is flagged automatically.
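The cascade described above is a reverse walk over a dependency graph: from the party that had the incident, follow "is used by" edges back until you reach parties in your own vendor inventory. The following is an added example, not RiskWatch's own code; the vendor-to-sub-processor edges, tiers, party names and the hop limit are constructed assumptions. It goes one step beyond the FAQ by walking more than one hop (a fifth party behind a fourth party) and by surfacing concentration, where one upstream provider sits under several Tier 1 vendors at once.

```python
"""Fourth-party cascade alerting over a vendor dependency graph.

Added example, not RiskWatch's own code. The graph, tiers and names are
constructed sample data; in practice the edges come from each Tier 1
vendor's declared sub-processor list and the subservice organizations
carved out of its SOC 2 report.
"""
from collections import defaultdict, deque

# Constructed: who relies on whom. Keys are upstream parties (your direct
# vendors or their providers); values are the parties they rely on.
DEPENDS_ON = {
    "PayrollCo": {"CloudHost-A", "EmailRelay"},
    "IdP-Inc": {"CloudHost-A", "SMS-Gateway"},
    "LogisticsCo": {"CloudHost-B"},
    "CloudHost-A": {"DNS-Provider"},   # a fifth party, two hops from you
}
# Constructed: your direct vendor inventory and tiers (1 = critical).
TIERS = {"PayrollCo": 1, "IdP-Inc": 1, "LogisticsCo": 2}


def dependents_index(depends_on):
    """Reverse the graph: party -> set of parties that depend on it."""
    idx = defaultdict(set)
    for upstream, providers in depends_on.items():
        for p in providers:
            idx[p].add(upstream)
    return idx


def cascade(incident_at, depends_on=DEPENDS_ON, tiers=TIERS, max_hops=3):
    """Breadth-first walk from the party that had the incident back toward
    your direct vendors. Returns {direct vendor: hops from the incident}.
    The seen-set keeps cyclic declarations (A uses B, B uses A) finite."""
    idx = dependents_index(depends_on)
    flagged = {}
    seen = {incident_at}
    queue = deque([(incident_at, 0)])
    while queue:
        node, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for dep in idx.get(node, ()):
            if dep in seen:
                continue
            seen.add(dep)
            if dep in tiers:
                flagged[dep] = hops + 1
            queue.append((dep, hops + 1))
    return flagged


def alert_order(flagged, tiers=TIERS):
    """Work the alert queue Tier 1 first, nearest dependency first."""
    return sorted(flagged, key=lambda v: (tiers[v], flagged[v], v))


def concentration(depends_on=DEPENDS_ON, tiers=TIERS, tier=1, min_shared=2):
    """Providers shared by >= min_shared vendors of the given tier: one
    upstream incident there hits several critical vendors at once."""
    idx = dependents_index(depends_on)
    shared = {p: sum(1 for v in deps if tiers.get(v) == tier)
              for p, deps in idx.items()}
    return {p: n for p, n in shared.items() if n >= min_shared}


if __name__ == "__main__":
    hit = cascade("DNS-Provider")
    print("flagged:", hit, "work order:", alert_order(hit))
    print("concentration:", concentration())
```

The hop limit matters in practice: declared sub-processor lists are incomplete and noisy beyond a couple of levels, so an unbounded walk produces alerts nobody can act on. Concentration is the quieter finding; a provider under two or more Tier 1 vendors is a single point of failure the per-vendor scorecards will not show.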
Does it integrate with continuous-monitoring services?
Yes. RiskWatch integrates with BitSight, SecurityScorecard, and similar external rating services for cyber posture monitoring, plus sanctions watchlists (OFAC, EU consolidated, UN), news-monitoring feeds, and breach databases. External signals fire alerts to your dashboard and the relevant vendor's record in real time, so a Tier 1 vendor's breach hits your queue the same day it hits the news — not 11 months later at the renewal questionnaire.
Is there a free trial?
Yes. The 30-day free trial requires no credit card and includes full access — every questionnaire library, the SOC 2 auto-parser, auto-tiering, continuous-monitoring previews, and 8-category scoring. You can run a real vendor risk program against your own portfolio and decide before purchasing.
Ready to retire spreadsheet TPRM?

Tier your first 50 vendors this week.

Start a 30-day free trial — every questionnaire library, the SOC 2 auto-parser, auto-tiering, and continuous-monitoring previews. No credit card required.

No credit card required · 30-day free trial · Cancel anytime