As supply chains grow more complex, managed service providers and channel partners must prepare for a future where vendor risk management (VRM) is as automated as possible.
From food and healthcare to software development, vendor risks can have severe consequences for industry supply chains. Because digital systems are inherently vulnerable, a growing reliance on IT capabilities means MSPs, the IT vendors who supply them, and organizations at large must add due diligence, continued risk evaluations, and adequate termination of vendor relationships to their process stack.
Also known as third-party risk management (TPRM), VRM extends general risk management (RM) and governance, risk, and compliance (GRC) solutions with risk management specific to organizations that work with third parties.
Cyberattacks like the Kaseya breach in July underscore the importance of addressing supply chain vulnerabilities, and organizations can no longer ignore vendor risks. Vendor risk management can help fill the gap, so this article looks at some of the top VRM solutions and what buyers should consider before purchasing.
Top Vendor Risk Management (VRM) Tools
Here are our top picks for VRM tools based on product capabilities, vendor reputation, standards designations, user reviews and ratings, growth, and more.
Aravo Third-Party Management
A couple of decades ago, Aravo Solutions started to meet the need for enterprise supplier management. Today, the reputable SaaS-based supplier management vendor offers three product tiers for its Third-Party Management solution and additional compliance, performance management, and data privacy solutions. Vendor risk management features include intake of new vendors, automated risk assessments, due diligence for inherent risk, and off-boarding of clients.
| Evaluation | Result |
|---|---|
| Gartner Peer Insights | 4.6 / 5 stars – 21 ratings |
| Review Positives | Pricing/contract flexibility; configurability; expert consultation |
| Gartner Magic Quadrant | Challenger (IT VRM Tools, 2020) |
| Forrester Wave | Leader (TPRM, 2020); Leader (Supplier Risk Platforms, 2020) |
BitSight Security Ratings Platform and TPRM
Since its start in 2010, BitSight has become a dominant force in the budding security rating space. Ten years later, BitSight has 32 patents and 40 million companies rated. To show just how successful BitSight has been, BitSight customers write more than 50% of global cybersecurity insurance premiums. Using a proprietary algorithm to calculate daily security ratings, BitSight can help organizations reduce cyber risk, onboard vendors faster, and facilitate security discussions. BitSight also integrates with ServiceNow and ProcessUnity.
| Evaluation | Result |
|---|---|
| Gartner Peer Insights | 4.5 / 5 stars – 183 ratings |
| Review Positives | Timeliness of vendor response to product questions; patching cadence |
| Forrester Wave | Leader (Cybersecurity Risk Rating Platforms, 2021) |
Black Kite Cyber Risk Rating System
Black Kite is on a mission to build a cybersecurity risk rating platform for managing third-party relationships. Using frameworks like MITRE to calculate ratings, assign scores, and communicate implications, Black Kite uses the same open-source intelligence tools and tactics hackers use to inform remediation and defense posturing. Black Kite uses non-intrusive scans (OSINT) to identify risks without touching the target supplier and offers cyber ratings for an organization’s susceptibility to ransomware.
| Evaluation | Result |
|---|---|
| Gartner Peer Insights | 4.7 / 5 stars – 37 ratings |
| Review Positives | Ease of deployment; controls for assessing, validating, and monitoring |
| Gartner Magic Quadrant | Challenger (IT VRM Tools, 2020) |
| Forrester Wave | Contender (Cybersecurity Risk Rating Platforms, 2021) |
Coupa TPRM
Headquartered in San Mateo, California, Coupa Software is a cloud platform with applications specializing in procurement, finance, and spending management. While our other picks lean more toward cybersecurity or GRC, Coupa has an impressive fleet of business spend management products, including supplier and TPRM. Coupa’s VRM solution features include a comprehensive portal for onboarding suppliers, AI-enabled continuous monitoring, and insights into more than 5 million suppliers engaging with the Coupa client network.
| Evaluation | Result |
|---|---|
| Review Positives | Product capabilities; history; remediation/exception management |
| Forrester Wave | Leader (Supplier Risk Platforms, 2020); Strong Performer (TPRM, 2020) |
Galvanize ThirdPartyBond
One of the oldest vendors on our list, Galvanize started in Vancouver in 1998. More than 20 years later, Diligent acquired the audit, risk, and compliance solutions vendor for $1 billion. Galvanize ThirdPartyBond is the firm’s end-to-end, automated tool for continuously monitoring and reporting supplier relationship data to manage vendor risk. With ThirdPartyBond, organizations can access a library of assessment surveys and questionnaires, optimize contract management, and compare suppliers in a matrix for risk-based project planning.
| Evaluation | Result |
|---|---|
| Gartner Peer Insights | 4.4 / 5 stars – 63 ratings |
| Review Positives | Product questions; integration and deployment; increased efficiency |
| Gartner Magic Quadrant | Leader (IT VRM Tools, 2020) |
| Forrester Wave | Leader (TPRM, 2020) |
Ivalua
Like Coupa, Ivalua specializes in comprehensive spend management solutions through their SaaS platform. The French vendor earned unicorn status in 2019 with a private equity valuation of over $1 billion. Ivalua boasts over 500,000 users and millions of suppliers from 70+ countries contributing to the Ivalua platform’s intelligence. For vendor risk management, Ivalua’s platform offers interactive risk analytics, configurable scorecards and KPIs, campaign management, and supplier risk scores from the Ivalua network.
| Evaluation | Result |
|---|---|
| Gartner Peer Insights | 4.5 / 5 stars – 44 reviews |
| Review Positives | Product capabilities; technical support; meeting organizational needs |
| Forrester Wave | Leader (Supplier Risk Platforms, 2020) |
LogicManager TPRM
LogicManager is a global vendor of enterprise risk management SaaS solutions. Launched in 2006, the Boston-based company focuses on risk and business process management with their patented technologies for GRC taxonomy and the Risk Maturity Model (RMM). For third-party risk management software, LogicManager’s VRM solution offers vendor due diligence, annual risk assessments, vendor SLA monitoring, contract management, and SOC report tracking.
| Evaluation | Result |
|---|---|
| Gartner Peer Insights | 4.5 / 5 stars – 64 reviews |
| Review Positives | Ease of deployment; flexible pricing; improved performance |
| Gartner Magic Quadrant | Challenger (IT VRM Tools, 2020) |
| Forrester Wave | Strong Performer (TPRM, 2020) |
MetricStream TPRM
MetricStream is an enterprise solutions provider for quality management, compliance, risk management, and governance out of Silicon Valley. Available on the MetricStream platform or as a standalone product, its vendor risk management solution offers an integrated view of the extended enterprise. MetricStream Third-Party Risk Management includes a user-friendly dashboard, due diligence for onboarding, continuous monitoring, and periodic assessments. Clients report an 80% reduction in third-party onboarding time using the solution.
| Evaluation | Result |
|---|---|
| Review Positives | Contract flexibility; end-user training; integrated view |
| Gartner Magic Quadrant | Leader (IT VRM Tools, 2020) |
| Forrester Wave | Strong Performer (TPRM, 2020) |
NAVEX Global Lockpath
NAVEX Global is a global leader in integrated risk and compliance management software and services. Hailing from Lake Oswego, Oregon, NAVEX Global has a suite of risk management solutions, including third-party risk monitoring and screening and vendor risk management. Its TPRM, RiskRate, is an automated risk management component of its platform to assess each third party, facilitate onboarding, and track changes in supplier risk profiles. Acquired in 2019, Lockpath offers a 90-day implementation plan guarantee, thorough training, and custom client solutions.
| Evaluation | Result |
|---|---|
| Review Positives | Product capabilities; investigative case management; workflow processes |
| Gartner Magic Quadrant | Leader (IT VRM Tools, 2020) |
| Forrester Wave | Contender (TPRM, 2020) |
OneTrust Vendorpedia
Privacy management and marketing compliance vendor OneTrust launched five years ago and is already valued at over a billion dollars today. OneTrust’s Vendorpedia is a globally recognized tool for third-party risk exchange and management and automating questionnaire communications. Clients can leverage Vendorpedia’s pre-completed assessments and profiles for over 70,000 suppliers to inform their risk exposure and defensive posture. Fit for various company sizes, Vendorpedia comes with features like simplified due diligence, issue tracking, and AI-powered answer-matching technology.
| Evaluation | Result |
|---|---|
| Gartner Peer Insights | 4.5 / 5 stars – 139 ratings |
| Review Positives | Usability and access; technical support; vendor management automation |
| Gartner Magic Quadrant | Leader (IT VRM Tools, 2020) |
| Forrester Wave | Leader (TPRM, 2020) |
Panorays
Celebrating its fifth anniversary, Panorays is a Tel Aviv-based vendor with an automated, third-party security platform for managing risk and remediation. In a dual approach, Panorays combines dynamic security questionnaires for existing suppliers with non-intrusive attack surface assessments to give clients visibility into vendor risk postures. Through the Panorays platform, organizations have the tools to meet compliance standards like GDPR and HIPAA and scale business with reduced onboarding and risk exposure.
| Evaluation | Result |
|---|---|
| Gartner Peer Insights | 4.5 / 5 stars – 45 reviews |
| Review Positives | Ease of deployment; integration using APIs; technical support |
| Forrester Wave | Strong Performer (Cybersecurity Risk Rating Platforms, 2021) |
ProcessUnity VRM
ProcessUnity is a SaaS vendor for managing governance, risk, and compliance (GRC) through TPRM, cybersecurity, enterprise risk management, and policy and procedure management. For managing third-party risks, its Vendor Risk Management software enables organizations to evaluate, monitor, and conduct due diligence for potential suppliers. Features include inherent risk scoring, vendor classification, vendor issue management, and on-site vendor control assessments.
| Evaluation | Result |
|---|---|
| Gartner Peer Insights | 4.5 / 5 stars – 91 ratings |
| Review Positives | Timely support responses; product configurability; added features |
| Gartner Magic Quadrant | Leader (IT VRM Tools, 2020) |
| Forrester Wave | Strong Performer (TPRM, 2020) |
Quantivate
Offering web-based continuity, risk management, and compliance solutions since 2005, Quantivate has a comprehensive suite of GRC products. For a VRM solution, the company provides Quantivate Vendor and Third-Party Management Software. Quantivate’s complete reporting features include audit-ready, predefined templates, SOC reports, and custom reports. Quantivate also offers compliance guarantees for eight standards, including CFPB, FDIC, FTC, and PCI.
| Evaluation | Result |
|---|---|
| Review Positives | Contract flexibility; end-user training; timeliness of vendor response |
| Gartner Magic Quadrant | Challenger (IT VRM Tools, 2020) |
SecurityScorecard Platform
Founded by two risk experts, SecurityScorecard launched in 2013 in New York City as a cyber risk rating platform. The platform offers four products and services, including Security Ratings, Atlas, Security Data, and Professional Services that help minimize cyber risk. With instant insights into a vendor’s security posture, an accelerated questionnaire exchange, and a validation process, SecurityScorecard is more than just a rating provider. SecurityScorecard’s Professional Service plan offers advisory and managed services for implementing TPRM.
| Evaluation | Result |
|---|---|
| Gartner Peer Insights | 4.5 / 5 stars – 190 ratings |
| Review Positives | Ease of deployment; customer support; public-facing infrastructure risk |
| Gartner Magic Quadrant | Challenger (IT VRM Tools, 2020) |
| Forrester Wave | Leader (Cybersecurity Risk Rating Platforms, 2021) |
ServiceNow VRM
Enterprise software provider ServiceNow is one of the more comprehensive vendors on our list, offering solutions for IT, employee, customer, and creator workflows. Available as a part of ServiceNow’s GRC bundle or as a standalone product, ServiceNow Vendor Risk Management includes vendor tiering, assessment management, and issue generation. The VRM comes equipped with single sign-on (SSO) for the vendor portal, integration with other GRC services like security scores, and vendor hierarchies showing parent-child and fourth-party relationships.
| Evaluation | Result |
|---|---|
| Gartner Peer Insights | 4.3 / 5 stars – 84 ratings |
| Review Positives | Remediation/exception management; API integration; contract efficiency |
| Gartner Magic Quadrant | Leader (IT VRM Tools, 2020) |
| Forrester Wave | Strong Performer (TPRM, 2020) |
UpGuard Vendor Risk
California-based UpGuard uses proprietary technology to test an organization’s risk posture for future intrusions and outages. The company offers its third-party risk management solution, UpGuard Vendor Risk, to provide ongoing evaluations of every server and network device involved through its cyber resilience platform. Through a metric dubbed the CSTAR score, organizations can identify and evaluate risk positions of potential suppliers before engaging in a business relationship. CSTAR scores are also usable for cybersecurity insurance underwriting.
| Evaluation | Result |
|---|---|
| Gartner Peer Insights | 4.5 / 5 stars – 66 ratings |
| Review Positives | Ease of deployment; access and user controls; flexible pricing |
| Forrester Wave | Contender (Cybersecurity Risk Ratings Platforms, 2021) |
Venminder
Venminder is a SaaS vendor specializing in third-party risk management. Headquartered in Elizabethtown, Kentucky, Venminder launched in 2003 with the mission to help clients with all things vendor-related. The company offers critical processes for vendor onboarding, oversight and contract management, questionnaires, SLA management, and more. The Venminder Exchange offers organizations a look at the security status for a network of suppliers and assessments for financials, disaster recovery, and SOC reports to name a few.
| Evaluation | Result |
|---|---|
| Gartner Peer Insights | 4.7 / 5 stars – 97 ratings |
| Review Positives | End-user training; profile management; evaluation/contracting |
| Gartner Magic Quadrant | Challenger (IT VRM Tools, 2020) |
What is Vendor Risk Management?
Vendor risks are the threats and vulnerabilities posed by an organization’s supply chain. As markets become more global and IT supply chains grow more complex, risks presented by vendors are on the rise.
An organization’s compliance team might be able to do the job – but what if a tool can do it better and faster? For many organizations, third-party risk management solutions could be the better choice.
Common Vendor Risks
- Financial and reputational risks affecting the organization’s brand or finances
- Operational and continuity risks impacting everyday functions for the organization
- Legal and regulatory risks like civil and criminal consequences owed to negligence
Trends in Vendor Risk Management
- Supply chain disruptions like SolarWinds and Kaseya infiltrating client networks
- Growth of public-private partnerships to develop standards for reducing supplier risk
- Affordability of solutions remains a determining factor in vendor solution choices
What are Vendor Risk Management (VRM) Solutions?
Vendor risk management (VRM) solutions are software tools that facilitate third-party risk management and relevant compliance standards.
VRM solutions utilize data from a league of network tools and supply chain management software to provide visibility into vendor data and compliance objectives.
Features of VRM
- Compliance policies for internal and external mandates related to supplier risk
- Supplier portals for third parties and vendors to provide adequate documentation
- Ongoing monitoring of suppliers and changes to supplier risk status
- Templates for supplier risk control, oversight, and assessments
- Data and analytics to show progress in reducing third-party risk exposure
- Reports on risk monitoring and risk exposure to inform action steps
- Action steps for working with suppliers from procurement to termination
What is the Importance of Vendor Risk Management?
The move from legacy to digital systems means breaches, data loss, and human error threaten potentially sensitive information or critical systems. Because supply chain compromises have upstream ripple effects, controlling these risks at their source – the vulnerable vendor – is imperative.
Without an adequate regulatory framework for industry supply chains like software development, organizations must practice ongoing due diligence or trust their suppliers. VRM tools aim to make this effort seamless by orchestrating onboarding, risk assessments, scoring suppliers, and more.
Buying Considerations for VRM Solutions
These questions from eSecurityPlanet can help in evaluating VRM solutions.
- What are your third-party risks?
- How will the solution improve your third-party risk exposure?
- How does the VRM solution enable compliance reporting and operational management?
- Does the vendor offer flexible pricing fit for scaling third-party exposure?
- What training, deployment, and implementation support comes with purchase?
- What integrations are compatible or are configurable for use?
- What advanced features make the VRM solution stand out?
VRM Market
The vendor risk management market divides into segments for managing audits, compliance, contracts, financial controls, managed VRM, and operational risks.
Reports from Adroit Market Research, Markets and Markets, and Data Bridge Market Research estimate the vendor risk management (VRM) and third-party risk management (TPRM) industry has a CAGR up to 16% and is expected to jump from $3 billion in 2019 to $8 billion by 2025, and more than $12 billion by 2028.
Channel Insider Methodology
Channel Insider gathers information from a range of IT industry sources, analyst firms, and product data sheets to inform our top product selections. This list includes some of the industry’s leading vendors and software tools based on product capabilities, user reviews and ratings, organization reputation, public disclosures, and more.