Vendor inventory and risk

Modern teams depend on dozens of third parties — payment processors, identity providers, cloud platforms, support tools. Vigilo's vendor inventory treats each of them as a first-class CMDB entity: who they are, what data you trust them with, when the contract renews, how risky they are, and what evidence you hold to back that judgement up.

Overview

A Vendor row tracks one external supplier: identity (name, website, description), commercial posture (status, contract_starts, contract_renews, annual_cost, owner), risk posture (criticality, data_sensitivity, risk_tier), and compliance attestations (has_dpa, has_soc2, has_iso27001). Each Vendor can host any number of VendorAssessment rows — point-in-time questionnaires with attached evidence — and VendorSLA rows that track contractual commitments.

Why it exists

Procurement, security, and operations each keep their own vendor list. The procurement list has costs and renewal dates; the security list has SOC 2 reports and DPIA links; the ops list has Slack channels and on-call escalation paths. None is complete, and nobody can answer "what is our exposure if Vendor X has an outage on Friday?" Vigilo collapses the three lists into one entity that all teams can edit and read, with role-based field visibility where needed.

Key concepts

  • Vendor fields — key (VEN-NNN workspace-sequential), name, website, description, status (prospective, active, offboarding, retired), criticality (low, medium, high, critical), data_sensitivity (none, public, internal, confidential, regulated), has_dpa, has_soc2, has_iso27001, contract_starts, contract_renews, annual_cost, owner (FK to UserProfile).
  • Risk tier — risk_tier is computed from criticality and data_sensitivity. A vendor that holds regulated data and is operationally critical becomes critical; one that holds only public data and is operationally low-impact becomes low. The tier drives questionnaire frequency, escalation, and dashboard placement.
  • VendorAssessment — a point-in-time questionnaire with status (draft, sent, returned, reviewed, expired), responses, attached evidence files, and a reviewer signature. Assessments expire after a workspace-configurable window (default 12 months for critical tier, 24 months for high, 36 months for medium).
  • VendorQuestionnaireTemplate library (WB.17) — Vigilo ships templates for SIG Lite, CAIQ, SOC 2 carve-out questions, and a generic supplier intake. Workspaces can clone and customise templates, or build their own from scratch.
  • VendorSLA — captures contracted availability or response time targets. Breaches can auto-open incidents in the operations side of Vigilo so vendor performance becomes part of the ops review, not just a procurement footnote.
  • Renewal calendar — combines contract_renews across all active vendors into a single calendar view, with configurable notify-ahead windows (default 90/30/7 days).
  • Risk heat map — dashboard widget that plots vendors on a criticality × data-sensitivity grid. Each cell shows count + drill-in link.
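The tier derivation, assessment expiry windows and renewal notify-ahead windows described above, as an added example (not Vigilo's own code). The page fixes only two corners of the tier matrix, so the combining rule (higher of the two ranks) and the 36-month window for the low tier are assumptions.

```python
import calendar
from datetime import date
from typing import Optional

# Ordinal scales exactly as the page lists them.
CRITICALITY = ["low", "medium", "high", "critical"]
DATA_SENSITIVITY = ["none", "public", "internal", "confidential", "regulated"]
RISK_TIERS = ["low", "medium", "high", "critical"]

# Default assessment validity per tier: 12/24/36 months from the page; the 36
# for "low" is an assumption (the page gives no figure for that tier).
ASSESSMENT_WINDOW_MONTHS = {"critical": 12, "high": 24, "medium": 36, "low": 36}
NOTIFY_AHEAD_DAYS = (90, 30, 7)  # page default notify-ahead windows


def risk_tier(criticality: str, data_sensitivity: str) -> str:
    """Derive risk_tier. The page fixes only two corners (critical+regulated ->
    critical, low+public -> low); taking the higher of the two ranks, with
    none/public -> 0 and regulated -> 3, is an assumed combining rule."""
    c = CRITICALITY.index(criticality)
    s = max(0, DATA_SENSITIVITY.index(data_sensitivity) - 1)
    return RISK_TIERS[max(c, s)]


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last day of the month."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def assessment_expiry(reviewed_on: str, tier: str) -> str:
    """ISO date on which a reviewed assessment for this tier expires."""
    start = date.fromisoformat(reviewed_on)
    return add_months(start, ASSESSMENT_WINDOW_MONTHS[tier]).isoformat()


def assessment_expired(reviewed_on: str, tier: str, today: str) -> bool:
    """True once today is past the expiry date for the vendor's tier."""
    return date.fromisoformat(today) > date.fromisoformat(assessment_expiry(reviewed_on, tier))


def renewal_reminder_due(contract_renews: str, today: str) -> Optional[int]:
    """Return which notify-ahead window (90/30/7) fires today, or None."""
    days_left = (date.fromisoformat(contract_renews) - date.fromisoformat(today)).days
    return days_left if days_left in NOTIFY_AHEAD_DAYS else None
```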

Common workflows

1. Onboard a new vendor

  1. Open Inventory → Vendors → + Add vendor.
  2. Name (required), Website, Status: prospective while in evaluation, active once contracted.
  3. Criticality and Data sensitivity — these two combined determine risk_tier and how often assessments must be refreshed.
  4. Contract starts / renews, Annual cost (optional, used by the procurement dashboard).
  5. Owner — the workspace member accountable for the relationship. Renewal reminders go to this person.
  6. Save. The vendor appears in the list with risk_tier filled in by the computation.

2. Send a SIG Lite questionnaire

  1. Open the vendor detail page → Assessments tab → + New assessment.
  2. Pick the SIG Lite template from the library.
  3. Optionally edit the question list to add company-specific questions before sending.
  4. Enter the vendor contact's email and click Send. Vigilo emails a tokenised link; the vendor responds without needing a Vigilo account.
  5. As responses arrive, the assessment status moves from sent → returned. A reviewer in your workspace marks it reviewed with a comment and an outcome (pass / pass with conditions / fail). Evidence files attached by the vendor are stored against the assessment.

3. Track an SLA breach

  1. Open the vendor → SLAs tab. Each row shows the commitment (e.g. "99.9% API availability per month"), the period, and current performance.
  2. Vigilo computes performance from your monitoring data when the vendor's service is represented as an Asset with an SLO; manual entry is also supported for vendors you cannot probe directly.
  3. When a period closes with performance below commitment, a VendorSLABreach row is opened. The vendor's risk_tier may auto-bump and a notification fires to the owner.
  4. Use the breach record to drive the credit conversation with the vendor.
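The period-close decision from steps 2 and 3, as an added example (not Vigilo's own code): observed availability is computed from probe results, a VendorSLABreach is recorded when the commitment is missed, and an incident is opened only under the Settings rule given in Troubleshooting (setting enabled and threshold severity at or below the vendor's criticality). The VEN-042 key and the probe data are constructed; the risk_tier auto-bump is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional

# Severity uses the same four-step scale as vendor criticality.
SEVERITY = ["low", "medium", "high", "critical"]


@dataclass
class VendorSLA:
    vendor_key: str       # e.g. VEN-042 (constructed)
    commitment: str       # human-readable, as shown in the SLAs tab
    target_pct: float     # numeric form of the commitment
    period: str           # e.g. "2024-05"


@dataclass
class VendorSLABreach:
    vendor_key: str
    period: str
    target_pct: float
    observed_pct: float
    incident_opened: bool


def availability_pct(probes: List[int]) -> float:
    """Observed availability from per-interval probe results (1 = up, 0 = down)."""
    return 100.0 * sum(probes) / len(probes)


def close_period(sla: VendorSLA, observed_pct: float, vendor_criticality: str,
                 open_incident_enabled: bool, threshold_severity: str) -> Optional[VendorSLABreach]:
    """No breach if the commitment was met. Otherwise record a breach and open
    an incident only when the setting is enabled and the threshold severity is
    at or below the vendor's criticality (the rule in Troubleshooting)."""
    if observed_pct >= sla.target_pct:
        return None
    opens = open_incident_enabled and (
        SEVERITY.index(threshold_severity) <= SEVERITY.index(vendor_criticality))
    return VendorSLABreach(sla.vendor_key, sla.period, sla.target_pct, observed_pct, opens)


# Constructed sample: a 30-day month probed hourly (720 probes) with one hour down.
SAMPLE_PROBES = [1] * 720
SAMPLE_PROBES[100] = 0
SAMPLE_SLA = VendorSLA("VEN-042", "99.9% API availability per month", 99.9, "2024-05")


def demo() -> Optional[VendorSLABreach]:
    """One hour down in the month is 99.861%, below 99.9%, so a breach opens."""
    return close_period(SAMPLE_SLA, availability_pct(SAMPLE_PROBES), vendor_criticality="high",
                        open_incident_enabled=True, threshold_severity="high")
```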

4. Use the renewal calendar

  1. Open Vendors → Renewal calendar.
  2. The month view shows every contract_renews as a coloured pill (colour = risk_tier).
  3. Click a pill to open the vendor with the renewal context panel pre-expanded — last assessment date, breaches in the current term, cost trend.
  4. Enable Auto-notify owner in Settings → Vendors to send a reminder email 90 / 30 / 7 days before each renewal.

5. Read the risk heat map

  1. The Vendors dashboard widget plots criticality (X) against data sensitivity (Y).
  2. The top-right cell (critical × regulated) is the hot zone. Click it to drill into the vendor list filtered to that segment.
  3. Use the heat map in steering committee reviews to argue for additional controls on the hot-zone vendors.

Permissions

Action                              Roles
View vendors and SLAs               All workspace members
Add / edit vendor                   Operator, Admin, Owner
Delete vendor                       Admin, Owner
Create / send assessment            Operator, Admin, Owner
Review assessment                   Auditor, Admin, Owner
Edit questionnaire templates        Admin, Owner
Configure auto-notify thresholds    Admin, Owner

Sensitive fields (annual_cost, contract-PDF attachments, assessment evidence) are role-gated separately so Operators can read operational SLA data without seeing commercial details.

Troubleshooting

Risk tier did not update after I changed data sensitivity. The tier is recomputed on save. If the chip in the list view still shows the old value, refresh the page — the table caches for 30 seconds.

Vendor cannot open the assessment link. Tokens expire 30 days after issuance. Re-send from the assessment detail page; the original link is invalidated.

Renewal calendar shows a vendor twice. Check whether two Vendor rows exist for the same supplier (often happens when both procurement and security create one). Merge via Vendor → … → Merge into…, which moves all assessments and SLAs to the surviving row and soft-deletes the duplicate.

SLA breach did not auto-open an incident. Verify that Settings → Vendors → SLA breach → Open incident is enabled and the threshold severity is at or below the vendor's criticality. Vendors whose criticality is at or above the threshold auto-open an incident; below the threshold the breach is logged but no incident is created.

Heat map widget shows zero vendors. A filter is hiding the data. The widget respects the dashboard's global filter — clear it or use Vendors → All to see the full picture.

Related articles

  • Asset CMDB — link vendor-supplied assets to the vendor record for end-to-end traceability.
  • Asset discovery — auto-discovered cloud accounts can be tagged with the corresponding vendor.
  • Governance → vendor risk programme — for the broader risk register and treatment plan workflows.