Overview
The vendor risk register (WB.17) is Vigilo's catalog of third-party suppliers, their risk tier, the assessments performed against them, and the contractual artifacts that govern the relationship. The model triplet is Vendor (the supplier), VendorAssessment (a point-in-time evaluation), and VendorQuestionnaireTemplate (the reusable question set the assessment uses). A seed migration populates five industry-standard questionnaire templates so new workspaces don't start from a blank page.
The pages live at /ws/{slug}/governance/vendors. The default view is the heat map — every vendor as a tile sized by tier and colored by current risk score. Filter by tier, contract renewal window, or assessment freshness; drill into any vendor for the full risk dossier.
Why it exists
Most modern security breaches involve a third party — a contractor laptop, a sub-processor's exposed bucket, a SaaS vendor whose own SaaS vendor got compromised. Auditors increasingly look not at "what do you do?" but at "what do your vendors do, and how do you know?". A vendor risk program answers this with a register (who do we use?), tiered assessment (how thoroughly do we evaluate each?), evidence (we asked, here's what they said), and ongoing watch (is anything about them changing?).
Vigilo gives you all four in one place, with the bonus of feeding vendor assessment results back into the compliance framework as evidence for vendor-management controls.
Vendor model
Fields:
- workspace — scope.
- name — vendor company.
- category — enum: saas, infrastructure, professional_services, data_processor, payment_processor, other.
- data_sensitivity — enum: none, low, medium, high, critical. Drives automatic tier classification.
- tier — auto-classified 1/2/3/4 based on data_sensitivity and category. Tier 1 is the most critical (e.g. payment processor handling cardholder data); tier 4 is a SaaS with no PII.
- status — prospective, active, suspended, terminated.
- owner — internal UserProfile responsible for the relationship.
- sla_url — link to the SLA document (typically Confluence or a contract repo).
- contract_renews — DateField; powers the renewal calendar.
- notes — markdown free-text.
Tier auto-classification
The classifier runs on save:
- data_sensitivity == 'critical' OR category in ['payment_processor', 'data_processor'] → Tier 1.
- data_sensitivity == 'high' → Tier 2.
- data_sensitivity == 'medium' → Tier 3.
- Everything else → Tier 4.
Override is possible (admin-only) by ticking Manual tier override on the vendor edit page; the override is captured in the audit log so an auditor can see "this vendor was bumped down from tier 1 to tier 2 by admin X on date Y, reason Z".
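The classification rules above, restated as a small pure-Python function so they can be unit-tested outside the application. This is an added example, not Vigilo's own code; the field names and enum values come from this page, while the `Vendor` class, its `save()` method and the way a manual override suppresses re-classification are assumptions about how the product behaves.

```python
"""Tier auto-classification (added example; not Vigilo's implementation)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Enum values as documented on the page.
SENSITIVITY = ("none", "low", "medium", "high", "critical")
CATEGORIES = ("saas", "infrastructure", "professional_services",
              "data_processor", "payment_processor", "other")
TIER1_CATEGORIES = {"payment_processor", "data_processor"}


def classify_tier(data_sensitivity: str, category: str) -> int:
    """Return 1..4 following the documented rules, 1 being most critical.

    Unknown enum values raise rather than silently landing in tier 4, so a
    typo in an import can never downgrade a vendor.
    """
    if data_sensitivity not in SENSITIVITY:
        raise ValueError(f"unknown data_sensitivity: {data_sensitivity!r}")
    if category not in CATEGORIES:
        raise ValueError(f"unknown category: {category!r}")
    if data_sensitivity == "critical" or category in TIER1_CATEGORIES:
        return 1
    if data_sensitivity == "high":
        return 2
    if data_sensitivity == "medium":
        return 3
    return 4


@dataclass
class Vendor:
    """Minimal stand-in for the Vendor model (assumption: not the real ORM class)."""
    name: str
    category: str
    data_sensitivity: str
    tier: Optional[int] = None
    manual_tier_override: bool = False      # assumption: mirrors the admin checkbox
    audit_log: List[str] = field(default_factory=list)

    def save(self) -> "Vendor":
        """Run the classifier on save unless an admin pinned the tier."""
        computed = classify_tier(self.data_sensitivity, self.category)
        if self.manual_tier_override and self.tier is not None:
            # Override wins, but the disagreement is recorded for auditors.
            if self.tier != computed:
                self.audit_log.append(
                    f"{self.name}: tier kept at {self.tier} by manual override "
                    f"(classifier says {computed})")
            return self
        if self.tier is not None and self.tier != computed:
            self.audit_log.append(
                f"{self.name}: tier changed {self.tier} -> {computed} by auto-classification")
        self.tier = computed
        return self


if __name__ == "__main__":
    v = Vendor("Example Payments Inc", "payment_processor", "low").save()
    print(v.tier)   # 1: category alone is enough for tier 1
```

Note that a change of category re-runs the classifier, which is exactly the "tier flipped after I changed category" case in the troubleshooting section; the override flag is what stops that.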
VendorAssessment model
A point-in-time evaluation. Fields:
- vendor — FK.
- template — FK to VendorQuestionnaireTemplate (or null for a free-form assessment).
- responses — JSONField storing question_id → response pairs.
- risk_score — auto-computed from responses (0-100, higher = more risk).
- assessor — internal user who ran it.
- assessed_at.
- valid_until — DateField; assessments expire (default validity 365 days). Expired assessments show a red badge.
- attached_documents — many-to-many to file uploads (SOC2 report, ISO certificate, pentest summary).
- decision — approved, approved_with_conditions, rejected, pending.
VendorQuestionnaireTemplate library
Five built-in templates (seeded by WB.17 migration):
- General SaaS — 30 questions on auth, data handling, encryption, sub-processors, incident response. Suitable for tier 3/4.
- High-risk data processor — 60 questions covering everything in the general template plus DPIA, cross-border transfer, sub-processor flow-down, breach notification SLAs. Suitable for tier 1/2 with PII.
- Payment processor — 45 questions focused on PCI DSS attestation, cardholder data flow, tokenization, audit reports. Suitable for tier 1 payments.
- Infrastructure / cloud provider — 40 questions on physical security, network isolation, key management, customer audit rights, SOC2 / ISO scope.
- Professional services / contractor — 25 questions on background checks, NDA terms, device security, code/asset handover.
Custom templates can be created from Settings → Vendor questionnaires → New template. Each question has a type (single-select, multi-select, free-text, file-attach), a weight contributing to the risk score, and optional answer-to-risk mapping (e.g. "No SOC2" answer adds 20 points to risk score).
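A worked illustration of how question weights and answer-to-risk mappings can combine into the 0-100 risk_score. This is an added example, not Vigilo's scoring code: the page documents weights, the four question types and the "No SOC2 adds 20 points" mapping, but not the exact formula, so the formula here (each answer option maps to a risk fraction, contribution = weight × fraction, unanswered questions count at full weight, total clamped to 100) and the six-question sample template are assumptions.

```python
"""Questionnaire risk scoring (added example; formula is an assumption)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

Answer = Union[None, str, List[str]]


@dataclass
class Question:
    id: str
    type: str                       # single-select | multi-select | free-text | file-attach
    weight: float = 0.0             # points at stake; defaults to 0, as the page notes
    # option -> risk fraction in [0, 1]; only meaningful for select questions
    answer_risk: Dict[str, float] = field(default_factory=dict)


def question_risk_points(q: Question, answer: Answer) -> float:
    """Points this question adds to the score for the given answer."""
    if q.weight <= 0:
        return 0.0                  # unweighted question: never moves the score
    if answer is None or answer == "" or answer == []:
        return q.weight             # assumption: silence is scored as worst case
    if q.type == "single-select":
        return q.weight * q.answer_risk.get(answer, 0.0)
    if q.type == "multi-select":
        # assumption: the riskiest selected option decides the contribution
        return q.weight * max((q.answer_risk.get(a, 0.0) for a in answer), default=0.0)
    # free-text / file-attach: the assessor reviews content by hand, so the
    # weight only penalises a missing answer or attachment.
    return 0.0


def risk_score(questions: List[Question], responses: Dict[str, Answer]) -> int:
    """0-100, higher = more risk; mirrors the documented range."""
    total = sum(question_risk_points(q, responses.get(q.id)) for q in questions)
    return int(min(100, max(0, round(total))))


def sample_template() -> List[Question]:
    """Constructed six-question subset in the spirit of the General SaaS template."""
    return [
        Question("soc2", "single-select", 20, {"no": 1.0, "in_progress": 0.5, "yes": 0.0}),
        Question("mfa", "single-select", 15, {"none": 1.0, "optional": 0.6, "enforced": 0.0}),
        Question("encryption_at_rest", "single-select", 15, {"no": 1.0, "yes": 0.0}),
        Question("subprocessors", "multi-select", 10,
                 {"undisclosed": 1.0, "outside_eu": 0.5, "disclosed": 0.0}),
        Question("incident_contact", "free-text", 10),
        Question("pentest_report", "file-attach", 10),
    ]


# Constructed responses: SOC2 missing (+20), MFA optional (+9), one sub-processor
# outside the EU (+5), pentest report never attached (+10).
SAMPLE_RESPONSES: Dict[str, Answer] = {
    "soc2": "no",
    "mfa": "optional",
    "encryption_at_rest": "yes",
    "subprocessors": ["disclosed", "outside_eu"],
    "incident_contact": "security@vendor.example",
}


if __name__ == "__main__":
    print(risk_score(sample_template(), SAMPLE_RESPONSES))   # 44
```

The all-weights-zero case in the troubleshooting section falls out directly: with every `weight` at 0 the loop contributes nothing and the score is 0 regardless of answers.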
SLA + contract renewal
Vendor.sla_url and contract_renews drive the renewal calendar. The calendar page (/governance/vendors/calendar) shows every contract renewal date as a calendar tile, color-coded by tier — tier 1 renewals are red, tier 4 are gray. A reminder Celery task vigilo.vendors.renewal_reminder runs daily and emails the vendor owner 90 / 60 / 30 / 7 days before renewal. The 30-day reminder also creates a Task in the workspace's task system with the vendor owner as assignee.
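The reminder schedule above, as an added example of what a daily sweep has to decide: which vendors get a 90/60/30/7-day email today, which of those also get a Task, and which are silently skipped. This is not the vigilo.vendors.renewal_reminder task itself; the dict-based vendor records, the `owner_email` field and the choice to skip terminated vendors are assumptions, and the sample data is constructed.

```python
"""Daily renewal-reminder selection (added example; not the Celery task)."""
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

REMINDER_DAYS = (90, 60, 30, 7)     # documented schedule
TASK_CREATING_DAY = 30              # the 30-day reminder also opens a Task

Reminder = Tuple[str, int, bool]    # (vendor name, days before renewal, creates task)
Skipped = Tuple[str, str]           # (vendor name, reason)


def reminders_due(vendors: List[Dict], today: date) -> Tuple[List[Reminder], List[Skipped]]:
    """Decide today's reminders for a list of vendor records.

    Returns both the reminders to send and the vendors deliberately skipped,
    so an operator can answer "why did no reminder arrive?" from the log.
    """
    due: List[Reminder] = []
    skipped: List[Skipped] = []
    for v in vendors:
        renews: Optional[date] = v.get("contract_renews")
        if renews is None:
            continue                                    # nothing to remind about
        if v.get("status") == "terminated":             # assumption
            continue
        days_left = (renews - today).days
        if days_left not in REMINDER_DAYS:
            continue
        if not v.get("owner_email"):
            # Matches the troubleshooting case "vendor owner has no email on file".
            skipped.append((v["name"], "owner has no email on file"))
            continue
        due.append((v["name"], days_left, days_left == TASK_CREATING_DAY))
    return due, skipped


def sample_vendors(today: date) -> List[Dict]:
    """Constructed records relative to `today` so the example is date-independent."""
    return [
        {"name": "Alpha SaaS", "owner_email": "alice@example.com", "status": "active",
         "contract_renews": today + timedelta(days=90)},
        {"name": "Beta Cloud", "owner_email": "bob@example.com", "status": "active",
         "contract_renews": today + timedelta(days=30)},
        {"name": "Gamma Pay", "owner_email": "carol@example.com", "status": "active",
         "contract_renews": today + timedelta(days=7)},
        {"name": "Delta Consulting", "owner_email": "dan@example.com", "status": "active",
         "contract_renews": today + timedelta(days=45)},       # not a reminder day
        {"name": "Epsilon Data", "owner_email": None, "status": "active",
         "contract_renews": today + timedelta(days=60)},       # no owner email
        {"name": "Zeta Legacy", "owner_email": "zed@example.com", "status": "terminated",
         "contract_renews": today + timedelta(days=90)},       # skipped silently
    ]


if __name__ == "__main__":
    sent, missed = reminders_due(sample_vendors(date.today()), date.today())
    for name, days, task in sent:
        print(f"{name}: T-{days}{' (+task)' if task else ''}")
    for name, why in missed:
        print(f"{name}: skipped, {why}")
```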
Portfolio heat map
The heat map (default landing view) is a treemap. Each vendor is a tile; tile area is proportional to inverse tier (tier 1 vendors are biggest), color is the most-recent assessment's risk_score (green low, red high). Hover for vendor name + score + assessment date. Click to drill in.
The heat map immediately surfaces:
- Tier 1 vendors with red scores → priority remediation
- Tier 1 vendors with no recent assessment (gray tiles) → priority assessment
- Tier 4 vendors with red scores → either re-tier upward or replace
Wiring vendor assessment results into compliance evidence
A VendorAssessment row is a valid WorkspaceControlEvidence source. Two ways to wire it:
Manual: open the control, Attach evidence → From vendor assessment, pick the assessment.
Automated: create a ComplianceEvidenceQuery with query_kind=vendor_assessment, filters {"decision": "approved", "assessed_within_days": 30}, target the vendor-management control (SOC2 CC9.2 commonly). New approved assessments auto-attach as evidence on the next collect sweep.
This is the common pattern: "we assessed all critical vendors in the last 90 days, here's the proof from the live system".
Common workflows
1. Add a new vendor and run an assessment
- Governance → Vendors → New vendor. Fill in name, category, data sensitivity, owner.
- Save. Tier is auto-classified; the heat map adds a gray tile (no assessment).
- On the vendor page, click New assessment → General SaaS (or the appropriate template).
- Fill in responses. The risk score updates live as you answer.
- Set decision (approved, approved_with_conditions, etc.). Attach the vendor's SOC2 report.
- Save. The tile turns green/yellow/red based on score.
2. Manage contract renewals
- Vendors → Calendar. See every renewal in the next 12 months.
- Click a tile to jump to the vendor.
- Update contract_renews after the renewal closes; the next reminder cycle starts.
3. Identify your weakest critical vendors
- Vendors → Heat map.
- Filter to Tier 1.
- Sort tiles by risk score descending. Red tiles at top are the priority list.
4. Spot vendors with stale assessments
- Vendors → All vendors → Filter: assessment age >180 days.
- Bulk-select → Trigger reassessment task. Creates a task per vendor in the owner's queue.
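Two of the filters described on this page, the automated ComplianceEvidenceQuery with query_kind=vendor_assessment (filters {"decision": "approved", "assessed_within_days": 30}) and workflow 4's "assessment age > 180 days", both reduce to the same question: how old is each vendor's newest assessment? This added example implements both selections over a constructed set of assessments. It is not Vigilo's collect sweep or query engine; the filter semantics (decision must match exactly, age measured from assessed_at, expired assessments never count as evidence, only the newest assessment per vendor is considered) are assumptions.

```python
"""Evidence-query matching and stale-assessment detection (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

from typing import Any


@dataclass
class Assessment:
    id: int
    vendor: str
    decision: str          # approved | approved_with_conditions | rejected | pending
    assessed_at: date
    valid_until: date
    risk_score: int


def assessment_age_days(a: Assessment, today: date) -> int:
    return (today - a.assessed_at).days


def newest_per_vendor(assessments: List[Assessment]) -> Dict[str, Assessment]:
    """Assumption: only the most recent assessment represents a vendor."""
    latest: Dict[str, Assessment] = {}
    for a in assessments:
        if a.vendor not in latest or a.assessed_at > latest[a.vendor].assessed_at:
            latest[a.vendor] = a
    return latest


def matches_evidence_query(a: Assessment, filters: Dict[str, Any], today: date) -> bool:
    """Assumed semantics of the two documented filter keys."""
    if "decision" in filters and a.decision != filters["decision"]:
        return False
    if "assessed_within_days" in filters and \
            assessment_age_days(a, today) > filters["assessed_within_days"]:
        return False
    if a.valid_until < today:       # assumption: an expired assessment is not evidence
        return False
    return True


def collect_evidence(assessments: List[Assessment], filters: Dict[str, Any], today: date) -> List[int]:
    """Ids of assessments the collect sweep would attach to the control."""
    latest = newest_per_vendor(assessments)
    return sorted(a.id for a in latest.values() if matches_evidence_query(a, filters, today))


def stale_vendors(vendors: List[str], assessments: List[Assessment],
                  today: date, max_age_days: int = 180) -> List[str]:
    """Vendors whose newest assessment is older than max_age_days, or who have none."""
    latest = newest_per_vendor(assessments)
    stale = [v for v in vendors
             if v not in latest or assessment_age_days(latest[v], today) > max_age_days]
    return sorted(stale)


# Constructed sample data, relative to a fixed "today" of 2024-06-01.
SAMPLE_VENDORS = ["Acme", "Beta", "Gamma", "Delta", "Epsilon"]   # Epsilon: never assessed
SAMPLE_ASSESSMENTS = [
    Assessment(1, "Acme", "approved", date(2024, 5, 20), date(2025, 5, 20), 22),
    Assessment(2, "Beta", "approved", date(2024, 4, 1), date(2025, 4, 1), 48),
    Assessment(3, "Gamma", "rejected", date(2024, 5, 25), date(2025, 5, 25), 81),
    Assessment(4, "Delta", "approved", date(2023, 5, 15), date(2024, 5, 15), 30),  # expired
    Assessment(5, "Acme", "approved", date(2024, 1, 10), date(2025, 1, 10), 35),   # superseded
]


if __name__ == "__main__":
    today = date(2024, 6, 1)
    print(collect_evidence(SAMPLE_ASSESSMENTS, {"decision": "approved", "assessed_within_days": 30}, today))
    print(stale_vendors(SAMPLE_VENDORS, SAMPLE_ASSESSMENTS, today))
```

Widening assessed_within_days to 90 pulls in Beta as well, which is how the "we assessed all critical vendors in the last 90 days" pattern would be expressed; Delta stays excluded either way because its assessment has passed valid_until.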
Permissions
| Action | Role |
|---|---|
| View vendor register | Viewer or higher |
| Create / edit vendors | Admin / Owner |
| Run assessment | Engineer or higher (must be designated assessor) |
| Override tier | Admin / Owner |
| Manage questionnaire templates | Owner |
Troubleshooting
Risk score doesn't update when I answer questions. The template's question-to-score mapping is incomplete. Open the template editor and assign weights to each question / answer.
A vendor's tier flipped after I changed category. Auto-classification ran. If you want the previous tier, use Manual tier override.
Renewal reminder didn't arrive. Either the vendor owner has no email on file, or the Celery task isn't running. Check vigilo.vendors.renewal_reminder in Celery Beat.
Heat map is empty. Either no vendors exist, or every vendor lacks an assessment (assessments drive the color). Run at least one assessment per vendor for it to render.
Custom template's risk score is always 0. Question weights default to 0; you must set them when creating the template.
Related articles
- Compliance frameworks — vendor-management controls evidence flows here.
- Evidence collection — query_kind=vendor_assessment automates the wiring.
- Risk register — vendor escalations can auto-create risk entries.