Critical Capabilities for IT Vendor Risk Management Tools

ARCHIVED
31 August 2021 - ID G00734656 - 42 min read
By Edward Weinstein, Joanne Spencer, and 1 more
The market for IT vendor risk management tools includes products and services that automate processes in the vendor risk management life cycle. Sourcing, procurement and vendor management leaders should use this research to help inform buying decisions in this market.

Overview


Key Findings

  • As enterprises become more dependent on an ever-growing number of vendors, sourcing, procurement and vendor management leaders are seeking to improve their risk management maturity, response to increasing regulations and controls, and risk mitigation.
  • IT vendor risk management (VRM) solutions have evolved beyond process and workflow automation, with some offering vendor risk assessments as a service, and some providing access to verified vendor risk assessment data through marketplaces or shared exchanges.
  • Enterprises continue to be increasingly interested in offerings beyond regulatory compliance, security and privacy. More varied vendor threats and risks (financial, operational, reputational, etc.) can also harm business, and IT VRM solution providers are adding capabilities to meet this demand.

Recommendations

Sourcing, procurement and vendor management (SPVM) leaders looking to improve the ways they manage vendor performance and risks should:
  • Assess VRM maturity in terms of process, workflows, program goals, risk appetites, etc., and identify use cases that are suitable to both the current and anticipated future maturity of the discipline.
  • Prioritize VRM requirements and align them with the critical capabilities of a VRM solution, ensuring that any solution selected is adaptable and scalable to both their immediate and future VRM program needs.
  • Plan to operate VRM as an integrated discipline, ensuring a flow of vendor risk information across multiple domains, and work to establish a cross-organizational governance model that defines responsibilities and accountabilities for vendor risks across teams.

What You Need to Know


VRM solutions enable SPVM leaders to manage the assessment process for third parties and vendors over the life cycle of their relationships. These solutions can be used to collect and aggregate a range of risk data from vendors, third parties and external content sources in order to support regulatory vendor risk requirements, as well as internal policies governing the engagement of vendors. Vendor risks fall into several categories with varying likelihoods of occurrence, and can have a wide range of business impacts (e.g., fines or brand and reputational impacts). These potential impacts, along with regulatory requirements, fuel the market for VRM solutions. However, VRM solutions alone do not make VRM programs effective. Without defining vendor risk appetite, governance, agreed-to processes and organizational alignment, any VRM solution’s potential is limited.
VRM solutions supply the tools to automate processes, provide risk and performance reporting, and enable better risk-based decision-making over the life cycle of a vendor relationship. This research examines the ability of VRM software to address three use cases based on vendor risk requirements often expressed by Gartner clients:
  • Vendor Risk Management Solution: The VRM solution is either deployed on-premises, hosted externally or provided via a SaaS-based delivery model. The client uses the solution to perform the following vendor risk management activities:
    • Identify vendor risks
    • Manage vendor risk assessments
    • Analyze vendor risk data
    • Manage vendor risk remediation and mitigation
    • Monitor these vendor risks
The solution provides the ability to customize the risk management workflows for the organization. The key differentiator within this use case is that the customer of the VRM solution manages the inputs and outputs of their VRM program.
  • Vendor Risk Management Solution and Managed Support Services: Along with the VRM solution, the vendor directly provides managed services or support for some or all of the customer’s VRM activities described in the Vendor Risk Management Solution use case. The key differentiator within this use case is that some or all of the vendor risk management inputs and outputs are performed by the solution vendor or white-labelled partners.
  • Vendor Risk Management Solution and Vendor Risk Assessment Data: Along with the VRM solution, the vendor provides assessment data and/or other vendor-risk-supporting content in support of one or more of the customer’s VRM activities described in the Vendor Risk Management Solution use case. This use case relies heavily on the establishment or use of a vendor risk exchange or marketplace model, whereby vendor risk data is collected, assessed, validated, reported and monitored. This data can be shared among multiple customers of the solution. The key differentiator within this use case is that vendor risk data is provided by the VRM solution vendor.
All three use cases include support across the VRM life cycle, which consists of the following activities:
  • Identification
  • Assessment
  • Analysis
  • Remediation or mitigation
  • Monitoring
The most common use case among the vendors in this study is that of a VRM Solution. Most customers looking for VRM solutions are searching for software or a SaaS-based offering that enables them to collect and manage vendor risk data. The VRM Solution and Managed Support Services use case sees increasing interest among enterprises that are looking for a fully managed service, or for support to supplement their own assessment processes. A shortage of internal resources is typically cited as the reason for seeking the VRM Solution and Managed Support Services use case.
The VRM Solution and Vendor Risk Assessment Data use case continues to be an emerging model in the market. Enterprises and vendors see an opportunity to improve the efficiency of assessment processes, which can be lengthy and labor-intensive. Enterprises that only use a VRM solution are not necessarily limited in their access to services or risk data: managed service offerings, industry consortia and vendors offering their own assessment exchange models exist independently of any particular assessment platform.

Analysis


Critical Capabilities Use-Case Graphics

Vendors’ Product Scores for VRM Solution Use Case
Source: Gartner (August 2021)
Vendors’ Product Scores for VRM Solution and Managed Support Services Use Case
Source: Gartner (August 2021)
Vendors’ Product Scores for VRM Solution and Vendor Risk Assessment Data Use Case
Source: Gartner (August 2021)

Vendors

Allgress

Allgress offers an IT VRM solution as part of its broader integrated risk management (IRM) platform. The Allgress offering includes the ability to triage and tier vendors based on an initial set of questions that are configured during the assessment process. Allgress’ product also supports the ability to tie specific vendor risks by contract back to a business unit and to a project or an initiative. Allgress allows for flexibility in the development of surveys and provides access to a survey library. Dynamic questioning is also available.
Allgress continues to develop integration with other solutions, such as BitSight, Microsoft Power BI, SAP BusinessObjects and service desk ticketing systems. The user interface has been modernized in recent versions, and improvements to the intuitiveness of the screens and workflows have been made. Most Allgress customers are larger enterprises, primarily in financial services, healthcare, technology and government.
Allgress has a complete risk assessment and risk analysis solution, but does not offer its own risk assessment data. Allgress also has a managed services offering that was not widely available at the time of this analysis.
Aravo

Aravo offers cloud-based risk and workflow management tools for IT VRM, including tools for intake, assessment, due diligence, issue management and remediation, and ongoing monitoring. Assessments and workflows are designed to be highly configurable by users, with the solution offering flexibility around both content and activity. For example, it offers customizable fields and scoping for Standardized Information Gathering (SIG) questionnaires, business-rule-based workflow automation and internal or external completion of assessments. AI/ML-based decision support is available out-of-the-box for Aravo applications and utilizes actual decisions made by users to train the ML engine. The dashboarding/reporting functionality is also designed to be customizable, with the overall goal of “code-free” configurability throughout the application via visual drag-and-drop interfaces.
While based primarily in the U.S., Aravo deals with several multinational companies and has a London office to support its presence in EMEA. Aravo works with large organizations, focusing on the financial services, life sciences, IT/cloud services, consumer goods and industrial sectors, but it is also actively courting the midmarket.
Managed services are not offered directly by Aravo, but rather through partners (Deloitte) that contract directly with clients and use the Aravo platform for functions such as assessment and ongoing monitoring. The Aravo offering contains questionnaires, surveys, assessments and integration with external data sources (SecurityScorecard and BitSight) to generate total risk scores. Aravo offers risk assessment and analysis, but does not offer managed services or its own risk assessment data.
Archer

Archer provides VRM solutions as part of its Third Party Governance offering. These solutions are packaged as separately licensed (and separately priced) use cases. They include Archer Third-Party Catalog, Archer Third Party Engagement, Archer Third Party Risk Management, Archer Third Party Governance (performance management), Archer Third Party Security Risk Monitoring and Archer Engage for Vendors. Archer also offers optional professional services globally in support of its solutions. Deployment options include on-premises, hosted (by Archer or a third party) and a SaaS offering, with the majority of current deployments being on-premises.
Archer offers a prebuilt recommended questionnaire based on the services a vendor is rendering, which addresses a range of risks. APIs to create integrations with products such as SAP Ariba, and other sources of risk data and analytics are available. Prebuilt integrations for BitSight, SecurityScorecard and SupplyWisdom are available, as well as content from a variety of regulatory standards, including the industry standard SIG questionnaire.
In addition to risk assessment capabilities, Archer provides workflow and assessment capabilities through Archer Engage for Vendors around new and expanded vendor engagements, vendor financials and third-party insurance and certificate tracking. Clients can maintain IT VRM, contract and vendor profile data, as well as performance management, remediation and assessment data. The product is targeted at large and midsize enterprises, often with more mature VRM programs. Smaller and/or less mature organizations can also start small and add use cases to enhance functionality as their programs progress. Customers for these products and services exist across industries such as financial services, healthcare and public sector/government.
Archer provides a VRM solution, but does not directly offer managed services or its own risk assessment data.
CyberGRX

CyberGRX is a third-party cyber-risk management provider that offers a vendor risk exchange platform and service that collects and validates third-party cybersecurity risk data. It serves as an alternative or supplement to traditional IRM or VRM platforms. Cycle times to collect and analyze assessment data, and to conduct ongoing monitoring of vendors, can be reduced and scaled to support small to large volumes of vendor assessments.
The CyberGRX service provides access to a standardized vendor assessment survey, analysis and reporting based on the National Institute of Standards and Technology (NIST) SP 800-53 and International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 frameworks. It offers three tiers of pricing based on the level of assessment. CyberGRX provides visibility into a vendor’s cybersecurity controls through its own proprietary rating service and through an integration with BitSight. The solution’s assessment results can be mapped back against other standards and frameworks. Some users have needed to integrate this data into a separate VRM/workflow tool that allows for full life cycle management.
CyberGRX has been evaluated exclusively as an exchange for vendor risk data and appears under this use case. While CyberGRX does not offer a customizable assessment questionnaire or customer-controlled VRM tool, it has launched service offerings that became generally available after the commencement of this analysis.
Diligent

Diligent’s VRM offering, ThirdPartyBond, is part of its broader HighBond IRM suite of products. Diligent Corporation acquired Galvanize in April 2021. Galvanize was the renamed entity that emerged from ACL’s acquisition of Rsam in 2019. ThirdPartyBond targets short implementations through a baseline VRM module that clients can then configure. Its offering provides access to a library of assessment surveys that address more than 30 domains and include Cloud Security Alliance, General Data Protection Regulation (GDPR), NIST and Shared Assessments SIG. Clients can use its templates to enter and track remediations, and the templates also provide historical exception data by vendors tracked.
ThirdPartyBond includes dynamic questioning, provides vendor self-service capabilities and integrates with BitSight, SecurityScorecard, Dun & Bradstreet and RapidRatings. ThirdPartyBond supports the collection and tracking of fourth-party relationships and can link vendor risks to specific assets in an organization. Assessments are driven by vendor criticality or tiering. Users of the system can enter and track vendor performance SLAs, with SLA data fed either manually or through automated integrations.
The ThirdPartyBond offering is currently provided exclusively via SaaS on Amazon Web Services (AWS). Legacy customers with on-premises instances are still fully supported and have the option to convert from on-premises to cloud. Through prebuilt integrations and APIs, customers can get access to other bolt-on HighBond applications, analytics and enterprise or external data sources. Galvanize targets midsize and large companies in highly regulated industries. Historically, it has focused primarily on North America, but has been expanding into EMEA and Asia/Pacific (APAC). Galvanize has a global 24/7 support team, with support in eight languages across North America, EMEA and APAC.
Diligent has a vendor risk assessment and analysis solution in ThirdPartyBond, but does not offer managed services or its own risk assessment data.
Fusion Risk Management

Fusion Risk Management’s Fusion Framework System is a SaaS-based IRM suite built on the Salesforce Lightning platform. Fusion Risk Management offers VRM functionality in addition to other elements (enterprise risk, business continuity, disaster recovery, operational and incident management). This functionality is a recent addition to the overall Fusion Framework System. The VRM component’s ability to integrate with the rest of the IRM applications in the Fusion Framework makes the system an attractive and scalable option for those who are looking for a broader risk management toolset.
The Fusion Framework System’s VRM offering is an assessment tool that enables risk management across the vendor life cycle. Risk management spans from performing precontract due diligence and establishing vendor profiles through to continuously monitoring risks and controls via the application’s configurable workflows. These capabilities are built into the broader IRM application as part of a larger operational resilience management strategy. While a series of connectors and APIs are available to allow for integration with exchanges such as OneTrust and CyberGRX, the Fusion Framework System does not include a built-in mechanism for provisioning externally sourced vendor risk data. Fusion Risk Management is currently most active in North America and EMEA, and is looking to increase its global presence.
Fusion Risk Management offers a VRM solution and services supporting the ongoing administration of that solution. It does not offer its own risk assessment data.
IBM

IBM OpenPages is available as a SaaS-based or on-premises IRM tool that includes VRM capabilities. IBM OpenPages provides VRM functionality through surveys and assessments, with standard questionnaires such as SIG available out-of-the-box.
Customizable user workflows enable individual questionnaires or more tailored, complex assessments to be conducted with granular control over responses, mitigation, exceptions and approvals. In addition, compliance tracking is available through integration with additional providers, such as Thomson Reuters, Unified Compliance and Wolters Kluwer.
OpenPages contains integration and configuration options for IT VRM workflows. It includes an API that allows for the bidirectional exchange of data with existing customer systems (such as procurement tools). Continuous monitoring capabilities are enhanced through integrations with SecurityScorecard and Supply Wisdom. Dashboards and user interfaces are configurable through graphical interfaces, and the solution embeds IBM Cognos Analytics as part of the base product for extensive reporting capabilities. IBM has OpenPages customers across all global regions. Although around 50% of OpenPages customers are in financial services, the product is also represented in the energy/utility, telecom, manufacturing, retail and healthcare sectors.
IBM offers VRM as part of its OpenPages suite, but does not directly offer managed services (handled through other IBM groups, such as IBM Global Business Services and Promontory Financial Group) or risk assessment/exchange data.
LogicManager

The LogicManager VRM product is offered exclusively as an out-of-the-box SaaS tool. LogicManager’s Integration Hub includes out-of-the-box integrations with third parties, such as SecurityScorecard and Argos Risk, to provide ongoing monitoring services for information security and vendor onboarding approval. It can also integrate external risk data into workflows and vendor management processes.
LogicManager’s Horizon user interface, workflows and processes are designed to support high ease of use. Users can create reports and dashboards by using built-in templates based on best practices, or they can build custom reports and dashboards by dragging and dropping fields. Vendor assessments are integrated into the product and can be created as a one-off activity or as part of an ongoing program. LogicManager’s core market has been midsize organizations, though it does have some very large enterprises among its customers. Financial services makes up some 50% of LogicManager’s customer base, with multiple industries accounting for the remainder.
LogicManager offers a VRM solution, but does not offer managed services or vendor risk assessment data directly.
MetricStream

MetricStream’s VRM offering is built on its IRM platform, and can be acquired either with other IRM modules or as a stand-alone product. MetricStream links to a wide range of external content providers, and the vendor profile function tracks risk, relationship and contract information. Access to the SIG library is provided out-of-the-box, and clients can customize surveys according to their own preferences. Additionally, the VRM tool supports the collection of vendor resilience plans and integration with internal business continuity management policies and controls. The tool also supports risk assessment of a project or initiative prior to assessment of vendors and impacts related to that project.
The MetricStream application offers chatbots and conversational interfaces that use AI and machine learning, enabling users to interact with first-line and vendor resources to collect and validate risk information, automatically identify issues related to vendor risk assessments and recommend remediation actions. The product is primarily a SaaS offering targeted to highly regulated industries. MetricStream’s main geographic market is North America, but it also has sales staff in EMEA and APAC.
MetricStream provides a vendor risk management solution, but does not directly provide managed services (available through partnerships with system integrators) or vendor risk assessment data.
NAVEX Global

Available in Standard and Enterprise editions, NAVEX Global’s Lockpath product provides users with vendor management, compliance management, risk management, business continuity, audit management and reporting capabilities. Lockpath provides purpose-built integrations across these risk management offerings to enable due diligence and continuous monitoring throughout the vendor life cycle. Stand-alone editions (Business Continuity, Privacy Risk and Compliance, and Third-Party Risk) are also available based on the Standard Edition product, for users who seek only specific functionality or who want to scale up iteratively. NAVEX Global offers Lockpath as a SaaS offering in AWS or the NAVEX Global cloud. NAVEX Global offers access to the Shared Assessments SIG library and the Cloud Security Alliance Security Trust Assurance and Risk (STAR) registry. It also allows for customization/modifications. In addition, specific policy, contract or regulatory questionnaires can be autogenerated by the platform. The tool can map controls to survey questions in order to generate findings based on how the questions are answered. The tool offers dynamic questioning and can develop a risk register to track risks and exceptions.
The tool is designed to be configurable by administrators, and includes connectors and some prebuilt integrations with external content sources, including financial data and security rating services. The tool offers embedded access to top-level rating scores from SecurityScorecard and to RSS feeds for vendor information. A configurable connector called Lockpath Ambassador enables integration with other systems not available out-of-the-box. NAVEX Global targets clients based in North America and EMEA, and serves several industries, including business and financial services, healthcare, manufacturing and the public sector. It serves organizations ranging from small and midsize to large enterprises.
NAVEX Global offers Lockpath Third-Party Risk Management and other editions. Managed support services are offered through partners. NAVEX Global does not provide vendor risk assessment data.
Ncontracts

Ncontracts provides a vendor risk assessment product and managed support services for the collection and analysis of vendor risk assessment data, with a specific focus on the needs of the financial services industry. It enables vendor self-service and dynamic questioning that ties questions to regulatory control requirements. Vendor risk ratings and rankings can be customized. Ncontracts provides vendor monitoring, which allows for comprehensive and detailed views of the security footprint of vendors, as well as active monitoring for Office of Foreign Assets Control (OFAC)/Bank Secrecy Act (BSA) screening and vendor financials. Managed support services are delivered via Ncontracts’ resources, and include development of vendor risk policies, collection and analysis of vendor risk assessment data, and reporting.
Ncontracts provides assessment gathering and analysis through its own library of over 500 questions, as well as through standardized questionnaires, such as NIST, COBIT and the ISO/IEC 27000 series. Detailed contract information can be collected through a contract management module that is available separately from the VRM application. Ncontracts also offers fourth-party vendor relationship and onboarding capabilities as part of its vendor management support. Although Ncontracts has a small number of customers in the healthcare and technology sectors, its customer base is nearly 100% made up of U.S.-based financial services companies. Consequently, the tool provides built-in risk reporting and dashboards that are aligned to regulatory requirements in financial services.
Ncontracts has a vendor risk assessment and analysis solution as well as a managed services offering, but does not provide its own risk assessment data.
OneTrust

OneTrust offers the Vendorpedia solution, which includes vendor risk management, managed support services and access to vendor risk assessment data through its proprietary exchange. The VRM solution is configurable by users via intuitive UI workflows and processes, and offers integrations with other systems and data sources. Vendorpedia is integrated with OneTrust’s privacy management, data governance, ethics and ESG offerings. As a vendor with a heritage in privacy management, OneTrust maintains a database within OneTrust DataGuidance that is continually updated as privacy, security and compliance regulations change, enabling scalability across dynamic industry and geographic requirements.
OneTrust offers assessment services that can be ordered directly through the product portal. OneTrust resources are available to assist with assessment completion. These services are included without cost when out-of-the-box assessments are used, but a fee will apply for customizations. More in-depth managed assessment services, which would include remote or on-site audits, are delivered via a partner network and can also be ordered through the OneTrust platform. The Vendorpedia exchange is populated with vendor profile and assessment data collected through service engagements or direct vendor participation. With a global set of customers across several industries (financial services, technology, industrial, etc.), the platform is translated into 18 languages, which are all supported within Vendorpedia.
OneTrust offers a VRM solution, managed services and risk data through Vendorpedia. It is one of four vendors in this analysis that satisfy all three use cases as a single provider.
Prevalent

Prevalent currently provides an IT VRM solution for identification, assessment, analysis, remediation, mitigation and monitoring of vendor risks. It provides managed support services for the collection, analysis and reporting of assessment data, as well as a proprietary vendor risk monitoring capability. In addition, connections to its Healthcare Vendor Network (HVN), Legal Vendor Network (LVN) and Prevalent Exchange provide access to its network of assessment exchanges across multiple industries. Prevalent’s SaaS VRM tool is designed to map the controls from SIG, NIST, ISO/IEC and other standards back to a client’s internal controls, and to create separate summary reports in terms and formats relevant to specific audiences. Through a drag-and-drop interface, clients have the flexibility to modify workflows, fields and drop-downs. Clients also have flexibility in designing assessment surveys, which use dynamic questioning through initial vendor triage.
Prevalent has three Risk Operations Centers (ROCs) in the U.S., the U.K. and Canada that employ risk professionals responsible for collecting and analyzing vendor assessments. It also operates several assessment exchanges providing validated vendor assessment data. In addition, Prevalent can perform remediation services or offer them through its list of certified partners.
Prevalent delivers its products and services primarily in North America and EMEA. Prevalent sells directly or through resellers, primarily to midsize and large enterprise clients with strong compliance-centric needs (e.g., financial services, insurance and healthcare).
Prevalent can bundle its assessment platform, access to the shared vendor assessment exchanges and threat monitoring services into one package (it will also sell those modules or services separately). This model allows for Prevalent’s inclusion in all three use cases.
ProcessUnity

ProcessUnity is an IRM platform provider offering a SaaS-based IT VRM solution. ProcessUnity VRM provides a library of assessment surveys and industry-relevant questionnaires. The tool enables users to map the assessment questions back to industry-standard controls, such as NIST. ProcessUnity VRM is fully configurable through drag-and-drop features that support changes to workflows, fields, buttons and drop-down menus. The offering also provides tracking of third-party risk considerations beyond security and compliance, such as contract and service-level reviews.
ProcessUnity VRM also offers vendor self-service. It enables the vendor to use and integrate an already-completed SIG questionnaire and align the responses to the customer’s questionnaire. This “connector” enables completed surveys to be linked to the ProcessUnity survey. The vendor then has to complete only what is missing. Targeting midsize and enterprise organizations with an emphasis on financial services and highly regulated industries, ProcessUnity primarily serves North America. However, it has some growing business in EMEA and a small percentage in APAC, where it is actively targeting Australia and New Zealand.
ProcessUnity has a risk assessment and risk analysis solution, but does not offer managed services or its own risk assessment data.
SAI360

SAI360 offers a broad set of tools for VRM. The product has been built out over the years through prior acquisitions of Compliance 360, Modulo International, Strategic BCP and BWise. SAI360 offers its VRM solution primarily via SaaS, but will also deliver the solution on-premises. SAI360 currently provides managed support services, but does not directly provide vendor risk assessment data. Workflows, reporting and dashboarding are designed to be intuitive, allowing for flexible data visualization and relationship mapping across multiple devices, including mobile (for on-site collection and audit). Integration with Microsoft Power BI recently became available. SAI360 can be configured to suit an organization’s risk framework and provides dynamic questioning. Vendor self-service is available through Microsoft Excel uploads. SAI360 has more recently added automated data collection through chatbots.
SAI360 provides access to a knowledge repository containing more than 1,000 controls and compliance set libraries, along with the ability to map controls in ISO/IEC 27001 back to the SIG. It integrates with SecurityScorecard for cyber ratings, Refinitiv World-Check for additional risk event screening and due diligence, Argos Risk for financial and credit risk information, and ZeroFOX for digital risk management. SAI360 maps vendors, contracts and risks back to departments or assets. SAI360 primarily focuses on the financial services, insurance, manufacturing, healthcare and energy industries. The majority of its business is in North America, followed by EMEA and APAC.
SAI360’s offerings satisfy the VRM Solution use case. SAI360 also offers managed services for onboarding vendors and for collecting and analyzing assessment data, in support of the VRM Solution and Managed Support Services use case.
ServiceNow

ServiceNow offers an IT VRM solution to complement the IRM capabilities provided through its SaaS model. ServiceNow’s dedicated vendor portal provides ready access to vendors, third parties and their response teams to upload or complete assessments. Assessments can be conducted through questionnaires such as SIG, and support exists for risk frameworks and considerations such as NIST Cybersecurity Framework (CSF), NIST Risk Management Framework (RMF) and GDPR. Reporting is user-friendly. Data can be pulled from multiple sources and integrated with other vendor reports, such as performance dashboards, providing a visual overview of the vendor relationship, risk and performance.
IT VRM natively integrates with other ServiceNow capabilities on the same platform; this is a key differentiator ServiceNow uses to promote the VRM solution. Integrations include IT and enterprise risk management capabilities, IT assets and incidents in ITSM and CMDB, and vendor and contract management. ServiceNow has a configurable, intuitive and user-friendly UI that enables users to configure assessments and manage the assessment process by using artificial intelligence/machine learning capabilities, such as intelligent search and chatbots. As a global provider, ServiceNow targets all geographies, with a strong focus on North America and EMEA. ServiceNow targets its existing customer base, with an emphasis on financial services, healthcare, life sciences, government, telecommunications and technology, promoting its ability to integrate vendor data with enterprise assets.
ServiceNow provides a VRM solution, but does not offer managed services directly or provide its own risk assessment data.
SureCloud

SureCloud offers a series of prebuilt IRM products, including a SaaS-based VRM offering, which facilitates the creation and distribution of questionnaires to vendors and aggregates the risk results for analysis against operational controls. The UI and configurability are user-friendly, with the ability to build customized assessment surveys, although reporting is limited out-of-the-box.
Assessments can be aligned with standard frameworks (e.g., ISO/IEC 27001, GDPR, Payment Card Industry Data Security Standard [PCI DSS] v3.2.1) and questions can be self-defined by clients, with the opportunity to create exceptions where needed.
Although out-of-the-box reporting is limited, custom reporting is available, and clients can also create their own reports using several graphical and tabular representations. SureCloud primarily targets the U.S. and U.K. technology, financial services and retail sectors, and is expanding its presence in other industries such as healthcare and the public sector.
SureCloud offers a VRM solution, but does not provide its own risk assessment data. It offers Third Party Supplier Assurance services that provide assessment and ongoing management of business-critical vendors, thus qualifying SureCloud for consideration in the VRM Solution and Managed Support Services use case.
Venminder

Venminder provides a SaaS-based IT VRM offering that is heavily focused on banking and financial services. Assessments and questionnaires can be created and customized for both vendors and internal staff, and all submissions can be carried out through the platform or via document uploads. Custom risk assessments can calculate inherent and residual risk based on existing methodologies or those recommended by Venminder. Additional key features include vendor profile management, contract management, vendor onboarding, SLA and issue management, and dashboarding and reporting. Venminder also provides vendor risk management services, ranging from contract compliance reviews to risk control assessments. An exchange made up of Venminder’s Control Assessments (gathered and assessed by Venminder) is also available for a fee.
Venminder partners with BitSight, SecurityScorecard and Argos Risk to provide additional monitoring services for information security and an early warning system that is displayed on the client’s vendor dashboard. Venminder integrates with other IRM/VRM platforms to provide risk assessment data, and will partner to provide additional managed services support. Venminder provides services and solutions primarily to midsize and large companies in the U.S. banking and financial services market, with some activity in EMEA and Australia.
Venminder provides a VRM solution, managed support services and a vendor risk assessment exchange model supplying vendor risk assessment data.

Context

Enterprises look to acquire VRM solutions to support the following activities:
  • Automate the vendor risk assessment process
  • Develop advanced analytics and reporting capabilities
  • Drive efficiency in an often labor-intensive and complex risk process
  • Integrate vendor risk data from various sources
  • Support the implementation of a VRM program
Vendor risk management has historically relied on a combination of homegrown, manual or quasi-automated systems (for example, spreadsheets and email) to identify, assess, monitor, remediate and mitigate vendor risks. In an environment of increased outsourcing, cloud computing adoption, regulatory requirements and risks, these methods are not scalable or sustainable. Vendor and third-party risks require a complex set of risk assessment approaches, processes and workflows that often cross organizational boundaries.
The challenge with this market is to develop products that can fit a wide range of client maturities, requirements, users and stakeholders. Furthermore, the market for these solutions continues to evolve, as many organizations are tired of highly customized applications that struggle to perform and deliver against their intended use cases. Data sources and data integrity also remain a problem, as organizations often lack easily found and easily integrated data on vendors, their contracts and their extended networks of subcontractors and fourth-party relationships. Solutions continue to unfold to support this dynamic market and its evolving needs.
This research for VRM solutions is intended to provide insight into the available options in the VRM market, so that prospective buyers are better informed in their product selection. VRM buyers should consider the following recommendations:
  • Start early — Typically, VRM solution identification should begin at least six months before the anticipated contract award date. Internal buy-in, agreement on requirement specifications and business case approval can take one to two months. Vendors may take several weeks to respond to proposal requirements, depending on the complexity of the RFx process. Proof of concept (POC) efforts and detailed briefings can add several weeks. Final vendor evaluation, selection and contract negotiation can take weeks to months.
  • Develop the use case for VRM — These solutions can support a range of vendor risks across several domains of business. Understand how your risk sensitivities and requirements will map to the specific risk capabilities in these solutions. Will you be looking for a platform that provides support for collecting and analyzing vendor risk data, or one that includes collected and prevalidated vendor risk controls? Will you be looking to assess just vendor cyber and data security, or do you require a broader approach to other operational risks, such as vendor financial health, business continuity management (BCM) or reputational concerns?
  • Define VRM risk processes and workflows before contacting vendors — Develop workflows and processes designed specifically to address identified risk sensitivities and potential business impacts. Align risk workflows with critical business processes. Although you can expect refinements to these workflows and processes when adopting a VRM solution, you should arrive at clear definitions — and agreement on these definitions — before contacting VRM solution vendors. Sponsors of IT-related risk management, governance and security initiatives must gauge the need to involve consultants early on. Such a decision is based on the inherent complexity of an initiative in each enterprise.
  • Obtain stakeholder buy-in — Collaborate with key stakeholders and leaders in procurement, vendor management, IT, business continuity, security, digital and risk initiatives in the organization before developing a SOW and/or RFP. These sponsors should have representation from the business.
  • Focus on must-have risk outcomes — Create a list of both your top five must-have outcomes and your top five desired outcomes. Drive consensus among stakeholders around must-have versus desired functionality.
  • Ask references about their VRM journey — Don’t just ask references prospective vendors provide you about VRM software and support experience. Request information about these references’ VRM journeys, implementation and integration challenges, team resources and sizes, and what their expectations were of the VRM solutions being looked at.
  • Align VRM goals with broader IRM solutions — IRM goals can be roughly categorized under simplification, automation and integration. VRM buyers should identify whether their requirements align with a point solution that is focused on VRM capabilities or with a broader platform-based solution that may address more IRM capabilities. The key factor in determining whether to go down the broader integration path is to understand whether all the needed applications have the same or a similar level of maturity to leverage the benefits of an integrated platform.

Product/Service Class Definition

Vendor risk management is the discipline of ensuring that the use of external providers, IT vendors and other third parties does not create unacceptable potential for business disruption or a negative impact on business performance. VRM solutions support enterprises that want to assess, monitor and manage their exposure to risks arising from their use of IT products and services from third parties or vendors across multiple risk domains (security/data, financial health, reputational risk, etc.). VRM solution capabilities continue to improve and expand, with most solutions now supporting the increased demands around due diligence of a vendor’s suppliers and subcontractors (or fourth-party relationships). Other solutions are extending capabilities into the aggregation and dissemination of risk and assessment data.

Critical Capabilities Definition

Assess/Validate/Monitor Controls

This includes evaluation of control validity and effectiveness; process management that, at a minimum, supports the workflow for the application; and functions such as exception management and reporting.
Advanced abilities include modeling and simulation, creation of executable processes for data collection, and development of rules for risk monitoring and control enforcement. This category also includes the ability to assess the effectiveness of security and risk controls within a vendor (or reported by a vendor) and carry out ongoing monitoring of vendor risks.
Features of this capability include:
  • Processes that support workflows for other functions, including exception management and reporting.
  • Vendor risk modeling, as well as risk scenarios and simulations.
  • Predictive analytics, AI and other advanced risk evaluation mechanisms.
  • Direct risk monitoring functions or the ability to integrate with risk monitoring and/or control validation capabilities from third parties.
  • Development and implementation of testing procedures required to inspect the results of vendor self-assessments.
  • Monitoring vendor risks with threat and risk monitoring services.
  • Regularly updated assessments and automatically generated annual (or more frequent) reassessments and validation.
Assessment

This involves the ability to categorize vendors and/or their services and contracts into different tiers of risk. It includes customizable capabilities to support methodologies for the detailed assessment of risks associated with services and contracts.
Also included is the ability to assess the impact of vendor risks against compliance obligations, as well as qualitative and quantitative analytical tools to assess and prioritize risk. Templates and frameworks are designed to support specific mandates and regulatory requirements. Shared content includes a database of vendor risk assessments or scores that can be used by multiple customers. In addition, this area embraces the ability to create a risk register, which includes a description of risks and their metrics from a business perspective. The assessment process maps risk to controls, owners, remediation actions, vendors, business entities and performance metrics, for example. This area also includes the ability to complete an assessment of vendor risks through the collection, categorization and rating of risk information from vendors.
Features of this capability include:
  • A library of assessment surveys and required artifacts, attestations, certifications and audits.
  • Due diligence and internal and external precontract screening of vendors.
  • Triage of vendors based on their relative risk.
  • Vendor self-service capabilities that complete assessment information through controlled access to the assessment platform.
  • Configuration of surveys and questionnaires based on the relative risk of vendors, as well as specific compliance or regulatory requirements.
  • User-friendly assessment tools and comprehensive assessment libraries.
  • Tracking of risk elements through a risk register, mapping risks to controls and remediation of those risks.
  • Templates and/or frameworks designed to support specific regulatory mandates.
Connectors and Integration

Many vendor risk managers need to access, connect to and populate critical risk data from third parties. This data can include financial information, security ratings and risk analytics. Support for connecting to and aggregating external information and content feeds is increasing in importance.
This area also covers application integration methods (such as API or built-in/native integration), specific applications and content sources supported, data association mapping on import, and data validation on import.
Features of this capability include:
  • Connection to common and newly emerging news feeds, ownership structures, liens, safety violations and financial performance data, risk-related alerts and risk ratings.
  • Aggregation of externally sourced risk information.
  • Advanced functionality, including a means to control record updates and alert individuals of important information relevant to vendor risks.
History and Reporting

This area includes the ability to track vendor risk status over time (such as the previous quarter or year) and provide reporting on vendor risk posture. This includes analytics, extent of visualization, custom dashboard and report creation, extensiveness of object inclusion, drag-and-drop functionality, customer branding, extent of drill-down functionality and VRM program management extent/coordination throughout the VRM life cycle.
Features of this capability include:
  • Logging of risk status.
  • Tracking of risk status and risk changes.
  • Collection of vendor risk data and assessment of that data against expected service levels and deliverables.
  • Reporting of vendor risk data as part of a VRM program through scorecards and dashboards.
Profile Management

This involves the ability to import, organize and present vendor contracts, performance and related intelligence from various sources; to manage vendor documentation and other content; and to provide self-service capabilities that enable vendors to maintain and update information.
This also includes the ability to import, or manually input, vendor and related contract (engagement) data from other systems, as well as collect and organize intelligence about vendors.
Features of this capability include:
  • Collection of information at the engagement or contract level of a vendor relationship.
  • Onboarding process support to allow for the entry of vendor information, as well as to support contract evaluation.
  • Collection and organization of intelligence about vendors.
  • Deduplication of vendor information, including the ability to identify duplicate vendors and duplicate contracts or services from vendors.
Remediation & Exception Management

This involves recording action plans to identify control failures and other vendor risk deficiencies; tracking those plans to fulfillment; and tailoring guidance on remediation or mitigation of vendor risks.
The capability also applies to instances where exceptions to control requirements are determined to be necessary; approaches for management of exceptions, compensating controls to mitigate risks and periodic reviews of required exceptions are evaluated here.
Features of this capability include:
  • Action plan logging and tracking.
  • Remediation guidance and workflows.
  • Issue and exception logging.
  • Remediation actions for addressing approved and unapproved exceptions.
  • Follow-up processes for reevaluating exception conditions.
Usability and Access

This refers to the usability of the workflows and screens. It implies that the workflows are somewhat intuitive, do not require an extensive learning curve and are accessible and usable across multiple organizational roles, as well as through vendor self-service. This includes configuration and the ease with which it can be accomplished. It covers code-free changes, look-and-feel configuration, template configuration, label/term changes, database object creation and management, page/screen updating support and organizational hierarchy management support.
User needs in VRM solutions vary. Different levels of required access depend on a user’s role and workflows. Solutions should have the ability to provide roles for personalized access to an IT VRM application and to assign relationships among job roles and individuals, risks and controls.
In addition, vendors and third parties will require access to upload or complete assessments and attestations.
Features of this capability include:
  • Simple and intuitive UI.
  • Visualization support.
  • Browser support.
  • Drag-and-drop support.
  • Help functionality.
  • Navigation wizards.
  • Search capabilities.
  • Service delivery options.
  • User-/role-specific system access and controls.
Workflows and Collaboration

This area covers the ease of creating and editing workflows, workflow-level limitations, approval and escalation options, notification capability, rule engines for automated decision making and escalation, calendar population, to-do lists and project management schedules.
It also involves enabling users to work together, communicate and share information on vendor risks and remediation. Included are email integration, document sharing and engagement of multiple parties in a given workflow.
Features of this capability include:
  • Integration with email and other collaboration tools.
  • Document sharing within a team.
  • Multiuser capability for people working on a document or record.
  • Responsible, accountable, consulted and informed (RACI) documentation for VRM.

Use Cases

VRM Solution

The VRM Solution is either deployed on-premises, externally hosted or provided as SaaS. The client uses the solution to perform the following vendor risk management activities: identify vendor risks, manage vendor risk assessments, analyze vendor risk data, manage vendor risk remediation and mitigation, and monitor these vendor risks.
The solution provides the ability to customize risk management workflows for the organization. The key differentiator within this use case is that the customer of the vendor risk solution manages the inputs and outputs of their vendor risk management program themselves.
VRM Solution and Managed Support Services

Along with the VRM Solution, the vendor directly provides managed services or support for some or all of the customer’s vendor risk management activities described in the Vendor Risk Management Solution use case.
The key differentiator within this use case is that some or all of the vendor risk management inputs and outputs are performed by the solution vendor or white-labelled partners.
VRM Solution and Vendor Risk Assessment Data

Along with the VRM Solution, the vendor provides assessment data and/or other vendor-risk-supporting content in support of one or more of the customer’s vendor risk management activities described in the Vendor Risk Management Solution use case.
This use case relies heavily on the establishment or use of a vendor risk exchange or marketplace model, whereby vendor risk data is collected, assessed, validated, reported and monitored. This data can be shared among multiple customers of the solution. The key differentiator within this use case is that vendor risk data is provided by the VRM solution vendor.

Vendors Added and Dropped

Dropped

  • LogicGate
  • Quantivate
  • Riskonnect
  • ThirdPartyTrust
  • Whistic

Inclusion Criteria

To qualify for inclusion, vendors need:
  • A defined solution that automates a customer’s processes and workflows involved in identifying, assessing, analyzing, remediating and monitoring IT vendor risks.
  • A defined solution that the customer can implement within their infrastructure or that can be accessed via external hosting or delivered as software as a service (SaaS).
  • A solution that can be customized or configured to support a customer’s unique requirements, processes and workflows.
  • Annual revenue of $5 million or more, exclusively from IT VRM solutions, independent of consulting or implementation revenue.
  • A minimum of 50 IT VRM customer implementations.
  • A strong likelihood of customer growth over the next three years, as indicated by CAGR new customer growth for IT VRM solutions of 15% for the calendar years 2018, 2019 and 2020.
  • Overall market interest and vendor visibility, as determined by serious consideration for selection by enterprise clients.
We also review qualitative criteria to determine which vendors qualify for this Critical Capabilities research. We want to ensure that each vendor has:
  • A defined offering for VRM.
  • Existing and prospective customers that are considering this offering.
  • A defined product roadmap for VRM solutions that supports vendor risk identification, assessment, analysis, remediation, mitigation and monitoring.
To that end, each vendor should have:
  • Overall market interest and vendor visibility, as determined by serious consideration for selection by enterprise clients.
  • Breadth of capability and technical/solution-related expertise, combined with domain and process knowledge in the field of VRM.

Weighting for Critical Capabilities in Use Cases

Critical Capabilities              | VRM Solution | VRM Solution and Managed Support Services | VRM Solution and Vendor Risk Assessment Data
-----------------------------------|--------------|-------------------------------------------|---------------------------------------------
Assess/Validate/Monitor Controls   | 10%          | 20%                                       | 20%
Assessment                         | 25%          | 25%                                       | 50%
Connectors and Integration         | 5%           | 5%                                        | 5%
History and Reporting              | 15%          | 15%                                       | 15%
Profile Management                 | 5%           | 5%                                        | 0%
Remediation & Exception Management | 10%          | 10%                                       | 0%
Usability and Access               | 20%          | 15%                                       | 10%
Workflows and Collaboration        | 10%          | 5%                                        | 0%
As of 19 August 2021
Source: Gartner (August 2021)
This methodology requires analysts to identify the critical capabilities for a class of products/services. Each capability is then weighted in terms of its relative importance for specific product/service use cases.

Critical Capabilities Rating

Each of the products/services that meet our inclusion criteria has been evaluated on the critical capabilities on a scale from 1.0 to 5.0.

Product/Service Rating on Critical Capabilities

Products are listed as rows; each column is a critical capability, rated on a scale from 1.0 to 5.0.

Product/Service        | Assess/Validate/Monitor Controls | Assessment | Connectors and Integration | History and Reporting | Profile Management | Remediation & Exception Management | Usability and Access | Workflows and Collaboration
-----------------------|----------------------------------|------------|----------------------------|-----------------------|--------------------|------------------------------------|----------------------|----------------------------
Allgress               | 3.8                              | 3.6        | 3.2                        | 3.9                   | 3.6                | 3.7                                | 3.5                  | 3.6
Aravo                  | 3.2                              | 3.7        | 3.5                        | 3.5                   | 3.5                | 3.6                                | 4.0                  | 4.0
CyberGRX               | 4.3                              | 4.5        | 3.6                        | 3.1                   | 3.1                | 2.8                                | 3.7                  | 4.0
Fusion Risk Management | 3.6                              | 3.6        | 3.6                        | 3.0                   | 3.6                | 3.7                                | 3.2                  | 3.7
Diligent               | 4.1                              | 4.2        | 3.7                        | 3.9                   | 3.6                | 3.8                                | 4.0                  | 4.0
IBM                    | 3.3                              | 3.5        | 3.6                        | 3.5                   | 4.0                | 3.5                                | 3.8                  | 4.1
LogicManager           | 4.0                              | 3.8        | 4.0                        | 3.8                   | 4.0                | 3.9                                | 3.9                  | 4.0
MetricStream           | 4.2                              | 3.9        | 3.5                        | 3.7                   | 3.6                | 3.9                                | 4.0                  | 4.0
NAVEX Global           | 4.1                              | 4.0        | 3.7                        | 3.8                   | 3.8                | 3.6                                | 4.0                  | 3.9
Ncontracts             | 4.0                              | 3.8        | 3.5                        | 3.9                   | 4.0                | 3.8                                | 4.0                  | 3.8
OneTrust               | 3.9                              | 4.1        | 3.8                        | 4.2                   | 4.3                | 4.0                                | 4.1                  | 3.9
Prevalent              | 4.5                              | 4.2        | 3.3                        | 3.7                   | 3.8                | 3.7                                | 3.9                  | 3.9
ProcessUnity           | 4.3                              | 4.3        | 4.0                        | 4.0                   | 4.2                | 4.1                                | 4.3                  | 4.2
Archer                 | 4.1                              | 3.9        | 3.6                        | 4.0                   | 3.6                | 3.9                                | 4.1                  | 3.8
SAI360                 | 3.8                              | 3.8        | 3.3                        | 3.7                   | 3.3                | 3.7                                | 4.0                  | 3.9
ServiceNow             | 3.8                              | 4.0        | 4.2                        | 3.5                   | 3.7                | 3.6                                | 3.9                  | 4.2
SureCloud              | 3.7                              | 4.0        | 3.6                        | 4.0                   | 3.5                | 3.8                                | 3.9                  | 3.7
Venminder              | 4.0                              | 4.2        | 4.1                        | 4.1                   | 4.0                | 3.6                                | 4.1                  | 3.8
As of 19 August 2021
Source: Gartner (August 2021)
Table 3 shows the product/service scores for each use case. The scores, which are generated by multiplying the use-case weightings by the product/service ratings, summarize how well the critical capabilities are met for each use case.

Product Score in Use Cases

Products are listed as rows; each column is a use case. n/a marks a product that was not evaluated for that use case (see the use cases each vendor is described as serving in its profile).

Product/Service        | VRM Solution | VRM Solution and Managed Support Services | VRM Solution and Vendor Risk Assessment Data
-----------------------|--------------|-------------------------------------------|---------------------------------------------
Allgress               | 3.64         | n/a                                       | n/a
Aravo                  | 3.68         | n/a                                       | n/a
CyberGRX               | n/a          | n/a                                       | 4.13
Fusion Risk Management | 3.45         | 3.47                                      | n/a
Diligent               | 3.99         | n/a                                       | n/a
IBM                    | 3.63         | n/a                                       | n/a
LogicManager           | 3.89         | n/a                                       | n/a
MetricStream           | 3.90         | n/a                                       | n/a
NAVEX Global           | 3.91         | n/a                                       | n/a
Ncontracts             | 3.87         | 3.88                                      | n/a
OneTrust               | 4.06         | 4.05                                      | 4.06
Prevalent              | 3.95         | 4.01                                      | 4.11
ProcessUnity           | 4.21         | n/a                                       | n/a
Archer                 | 3.94         | n/a                                       | n/a
SAI360                 | 3.78         | 3.76                                      | n/a
ServiceNow             | 3.86         | n/a                                       | n/a
SureCloud              | 3.86         | 3.85                                      | n/a
Venminder              | 4.03         | 4.04                                      | 4.13
As of 19 August 2021
Source: Gartner (August 2021)
To determine an overall score for each product/service in the use cases, multiply the ratings in Table 2 by the weightings shown in Table 1.
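The scoring rule stated above, worked through in code so a buyer can reproduce or re-weight the use-case scores for their own priorities. This is an added example for this page, not part of the Gartner research or its tooling. The weights, ratings and the set of use cases each product was scored for are copied from the tables and vendor profiles on this page; the half-up rounding to two decimals is an assumption inferred from the published scores (for example, Fusion Risk Management's 3.465 appears as 3.47), and the product and use-case names are used only as dictionary keys.

```python
"""Reproduce the "Product Score in Use Cases" table from the weightings and
capability ratings tables on this page. Added example; not Gartner's code.
Rounding mode (half-up, two decimals) is an assumption inferred from the
published scores."""
from decimal import Decimal, ROUND_HALF_UP

# Critical capabilities in the order used by the weighting and rating tables.
CAPABILITIES = (
    "Assess/Validate/Monitor Controls",
    "Assessment",
    "Connectors and Integration",
    "History and Reporting",
    "Profile Management",
    "Remediation & Exception Management",
    "Usability and Access",
    "Workflows and Collaboration",
)

# Weighting table: percent weight of each capability, per use case.
WEIGHTS = {
    "VRM Solution": (10, 25, 5, 15, 5, 10, 20, 10),
    "VRM Solution and Managed Support Services": (20, 25, 5, 15, 5, 10, 15, 5),
    "VRM Solution and Vendor Risk Assessment Data": (20, 50, 5, 15, 0, 0, 10, 0),
}

# Rating table: 1.0-5.0 per product, kept as strings so Decimal stays exact.
RATINGS = {
    "Allgress":               ("3.8", "3.6", "3.2", "3.9", "3.6", "3.7", "3.5", "3.6"),
    "Aravo":                  ("3.2", "3.7", "3.5", "3.5", "3.5", "3.6", "4.0", "4.0"),
    "CyberGRX":               ("4.3", "4.5", "3.6", "3.1", "3.1", "2.8", "3.7", "4.0"),
    "Fusion Risk Management": ("3.6", "3.6", "3.6", "3.0", "3.6", "3.7", "3.2", "3.7"),
    "Diligent":               ("4.1", "4.2", "3.7", "3.9", "3.6", "3.8", "4.0", "4.0"),
    "IBM":                    ("3.3", "3.5", "3.6", "3.5", "4.0", "3.5", "3.8", "4.1"),
    "LogicManager":           ("4.0", "3.8", "4.0", "3.8", "4.0", "3.9", "3.9", "4.0"),
    "MetricStream":           ("4.2", "3.9", "3.5", "3.7", "3.6", "3.9", "4.0", "4.0"),
    "NAVEX Global":           ("4.1", "4.0", "3.7", "3.8", "3.8", "3.6", "4.0", "3.9"),
    "Ncontracts":             ("4.0", "3.8", "3.5", "3.9", "4.0", "3.8", "4.0", "3.8"),
    "OneTrust":               ("3.9", "4.1", "3.8", "4.2", "4.3", "4.0", "4.1", "3.9"),
    "Prevalent":              ("4.5", "4.2", "3.3", "3.7", "3.8", "3.7", "3.9", "3.9"),
    "ProcessUnity":           ("4.3", "4.3", "4.0", "4.0", "4.2", "4.1", "4.3", "4.2"),
    "Archer":                 ("4.1", "3.9", "3.6", "4.0", "3.6", "3.9", "4.1", "3.8"),
    "SAI360":                 ("3.8", "3.8", "3.3", "3.7", "3.3", "3.7", "4.0", "3.9"),
    "ServiceNow":             ("3.8", "4.0", "4.2", "3.5", "3.7", "3.6", "3.9", "4.2"),
    "SureCloud":              ("3.7", "4.0", "3.6", "4.0", "3.5", "3.8", "3.9", "3.7"),
    "Venminder":              ("4.0", "4.2", "4.1", "4.1", "4.0", "3.6", "4.1", "3.8"),
}

# Use cases each product was scored for, per the vendor profiles on this page.
ELIGIBLE = {
    "VRM Solution": set(RATINGS) - {"CyberGRX"},
    "VRM Solution and Managed Support Services": {
        "Fusion Risk Management", "Ncontracts", "OneTrust", "Prevalent",
        "SAI360", "SureCloud", "Venminder"},
    "VRM Solution and Vendor Risk Assessment Data": {
        "CyberGRX", "OneTrust", "Prevalent", "Venminder"},
}


def use_case_score(ratings, weights):
    """Weighted sum of capability ratings, rounded half-up to two decimals.

    Decimal is used on purpose: float arithmetic turns a tie such as 4.035
    into 4.03499..., which rounds the wrong way and no longer matches the
    published 4.04 for Venminder in the managed-services use case.
    """
    if len(ratings) != len(CAPABILITIES) or len(weights) != len(CAPABILITIES):
        raise ValueError("one rating and one weight per critical capability")
    if sum(weights) != 100:
        raise ValueError("use-case weights must total 100%")
    total = sum(Decimal(w) * Decimal(r) for w, r in zip(weights, ratings))
    return (total / Decimal(100)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def score_table():
    """Return {use_case: {product: Decimal score or None}} for every product.

    None marks a product not evaluated for that use case (n/a in the table).
    """
    return {
        use_case: {
            product: use_case_score(ratings, weights)
            if product in ELIGIBLE[use_case] else None
            for product, ratings in RATINGS.items()
        }
        for use_case, weights in WEIGHTS.items()
    }


def ranked(use_case):
    """Scored products for one use case as (product, score), highest first."""
    cells = score_table()[use_case]
    scored = [(p, s) for p, s in cells.items() if s is not None]
    return sorted(scored, key=lambda ps: ps[1], reverse=True)


if __name__ == "__main__":
    for use_case in WEIGHTS:
        print(use_case)
        for product, score in ranked(use_case):
            print(f"  {product:<24} {score}")
```

To weight the scores for your own program, replace the tuple in WEIGHTS for the relevant use case (it must still total 100) and re-run; the ranking that comes out is only as good as the eight ratings feeding it, which is the caveat the methodology section makes about using this analysis as one input among several.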

Critical Capabilities Methodology

This methodology requires analysts to identify the critical capabilities for a class of products or services. Each capability is then weighted in terms of its relative importance for specific product or service use cases. Next, products/services are rated in terms of how well they achieve each of the critical capabilities. A score that summarizes how well they meet the critical capabilities for each use case is then calculated for each product/service.
"Critical capabilities" are attributes that differentiate products/services in a class in terms of their quality and performance. Gartner recommends that users consider the set of critical capabilities as some of the most important criteria for acquisition decisions.
In defining the product/service category for evaluation, the analyst first identifies the leading uses for the products/services in this market. What needs are end-users looking to fulfill, when considering products/services in this market? Use cases should match common client deployment scenarios. These distinct client scenarios define the Use Cases.
The analyst then identifies the critical capabilities. These capabilities are generalized groups of features commonly required by this class of products/services. Each capability is assigned a level of importance in fulfilling that particular need; some sets of features are more important than others, depending on the use case being evaluated.
Each vendor’s product or service is evaluated in terms of how well it delivers each capability, on a five-point scale. These ratings are displayed side-by-side for all vendors, allowing easy comparisons between the different sets of features.
Ratings and summary scores range from 1.0 to 5.0:
1 = Poor or Absent: most or all defined requirements for a capability are not achieved
2 = Fair: some requirements are not achieved
3 = Good: meets requirements
4 = Excellent: meets or exceeds some requirements
5 = Outstanding: significantly exceeds requirements
To determine an overall score for each product in the use cases, the product ratings are multiplied by the weightings to come up with the product score in use cases.
The critical capabilities Gartner has selected do not represent all capabilities for any product; therefore, they may not represent those most important for a specific use situation or business objective. Clients should use a critical capabilities analysis as one of several sources of input about a product before making a product/service decision.