Vendor Risk Assessment & Monitoring Survey

How do new vendors complete your initial risk questionnaire?*

Secure portal with a standardized, dynamic questionnaireWeb form without conditional logicSpreadsheet template sent by emailAd hoc questions by email or meetings

How do you support vendors that do not have a continuity or IT recovery plan?

Provide guidance and a basic templateProvide a structured questionnaire that generates a plan from answersAsk the vendor to create their own plan and resubmit laterNot currently addressed

Average time to complete an initial vendor risk assessment from intake to decision:

Which best describes your use of external cyber exposure scans for vendors?

Continuous scanning for all in-scope vendorsScans at onboarding and then quarterlyScans for critical or high-risk vendors onlyPerformed on request or as neededNot currently used

Do your contracts require an annual vendor attestation that you treat as part of monitoring?

How do you use the annual attestation outcomes? Select all that apply.

Update risk tier or segmentationReset evidence expiration and next review dateCreate remediation tasks with owners and due datesFeed a dashboard and KPI roll-upsStore for compliance records onlyNot consistently used today

Which statement best matches your monitoring program today?

Central dashboard with alerts and SLAs for all in-scope vendorsScheduled reviews with some external signals and basic trackingEvent-driven monitoring only when incidents occurLimited or no formal monitoring

Do you combine operational and cyber inputs into a vendor resilience score with linked evidence?

Yes, portfolio-wide with evidence and refresh datesFor critical vendors onlyWe use separate indicators without a combined scoreNot in place today

Who receives vendor risk reporting/insights today?

How do they receive those insights?

Centralized live dashboard with drill-downsAudit/board-ready PDF or slide packScheduled email summaries (weekly/monthly/quarterly)Export/API to GRC/ITSM tools (e.g., Archer, ServiceNow, Jira)Ad hoc spreadsheets or one-off reportsIn-meeting verbal readouts only

Select the top items that would speed assessment and monitoring.

Standardized digital intake with conditional logicStructured questionnaire that generates a vendor BCP from answersIntegrated cyber scans with clear, actionable findingsExplainable resilience scoring with evidence linksUnified dashboard with board-ready KPIsAutomated reminders and status trackingVendor self-service portal for updates and attestationsIntegration with GRC or ITSM toolsClear playbooks for business owners and SMEs

What is one practical change that improved/would improve your assessment or monitoring throughput?*

Email for results (optional)

If you would like the one-page snapshot emailed to you, enter your work email.

Risk & Compliance Survey

Vendor Risk Assessment and Monitoring