| Security ratings software with questionnaire capabilities | Automated security & compliance software with questionnaire capabilities | Governance, Risk & Compliance (GRC) software | Third-Party Risk Management (TPRM) / Vendor risk management (VRM) software | Outsourced TPRM / VRM professional services firm |
| Purpose-built to be best-in-class at Third-Party Risk Management |
|
|
||||
| Dual-sided platform addressing the needs of both vendors and those assessing vendors |
|
|
||||
| On-demand access to security and compliance documentation on thousands of vendors through an Exchange |
|
|
||||
| Product / Service-level architecture to allow for multiple assessments across a suite of products at a single vendor company |
|
|
||||
| Integrated or built-in continuous cybersecurity risk monitoring |
|
|
|
|
||
| Proprietary scoring algorithm |
|
|
| AI-First Third-Party Risk Management (i.e. > 50% of vendor assessment lifecycle workflow powered by AI capabilities) |
|
|||||
| AI transparency includes generative AI answer explanations, confidence scores, direct access to sources, etc. |
|
|||||
| AI-powered SOC 2 Summarization |
|
|||||
| AI-powered assessments (i.e. determine vendor control compliance from PDF, Excel, Word, and other file types) |
|
|||||
| AI-powered search to deliver insights from a vendor's library of documentation or imported Trust Center |
|
|||||
| AI-powered risk insights to get answers to plain-text questions from vendor documentation across your entire vendor population or filtered groupings of vendors |
|
| Cross-mapping for 50+ standardized frameworks |
|
|||||
| Support for industry standard questionnaires |
|
|
|
|
|
|
| Support for custom questionnaires |
|
|
|
|
|
|
| Serves as system of record and TPRM workflow for all customers |
|
|
|
|||
| Robust, multi-layer questionnaire logic with support for 5+ question types |
|
|
| Inherent risk questionnaire / vendor intake to drive risk triage |
|
|
|
|
||
| Automated inherent risk scoring triggered upon vendor intake |
|
|
|
|||
| Issue management & remediation suite of capabilities, including in-platform communication with vendors |
|
|
|
|||
| Automated reassessment workflow that can be triggered based on inherent risk level |
|
|
|
|
||
| Document request workflow |
|
|
|
|
|
|
| Workflow to re-engage business sponsors in advance of reassessment to update scope and intake information |
|
| Usable out-of-the-box without requiring extensive resources, development or customization |
|
|
|
|||
| Robust customization and enterprise-grade TPRM capabilities |
|
|
|
|||
| Robust reporting suite, with the ability to report on custom fields and create custom report templates |
|
|
|
|
|
|
| Self-serve open API, self-serve webhook subscription & standard integrations |
|
|
||||
| Customizable, automated email notifications configurable to send from your own domain |
|
|
|
|||
| Audit trail and exportable audit log |
|
|
|
|||
| Data risk classification model support and customization |
|
|
|
|
| AI-powered questionnaire response leveraging uploaded documentation |
|
|||||
| Free, self-service access for vendors to respond to assessment requests, provide documentation, etc. |
|
|
|
|
|
|
| Option to publish vendor Trust Center to an Exchange to eliminate redundant assessment requests |
|
|||||
| Add collaborators to assessment requests, set due dates, receive automated notifications and reminders, and assign questions to teammates |
|
|
|