The Vendor Risk Management Process: 6 Steps for 2026
Published Apr 13, 2026
By Orbiq Team

A practical guide to the vendor risk management process — from vendor identification and risk tiering through due diligence, continuous monitoring, and offboarding. With NIS2 and DORA alignment.

Managing vendor risk is not a once-a-year activity. With the average organisation managing 286 third-party vendors in 2026 — up from 237 in 2024 — and NIS2, DORA, and ISO 27001 all requiring demonstrable supply chain controls, a documented, repeatable vendor risk management process is a baseline operational requirement, not optional best practice.

This guide walks through the six stages of the vendor risk management process, with practical guidance on what to do at each stage, how depth varies by vendor tier, and how EU regulatory requirements (NIS2 Article 21, DORA Articles 28–30) shape what a defensible process looks like.

Key Takeaways

  • The VRM process has six stages: vendor identification → risk tiering → due diligence → contract governance → continuous monitoring → offboarding.
  • Process depth varies by risk tier: critical vendors require annual full assessments and continuous monitoring; low-risk vendors require a lightweight checklist every 3 years.
  • NIS2 Article 21(2)(d) and DORA Articles 28–30 both require documented, systematic VRM processes — not ad hoc point-in-time assessments.
  • 49% of organisations report their current VRM method cannot assess risk at every lifecycle stage — a gap that creates regulatory and operational exposure.
  • For the organisational infrastructure that governs these processes, see our Vendor Risk Management Program Guide.

Process vs. Program: A Critical Distinction

Before walking through the steps, it is worth clarifying the distinction between a VRM process and a VRM program:

  • A VRM program is the organisational infrastructure: policy, ownership, risk appetite, cross-functional governance, and reporting structure. It is the management system.
  • A VRM process is the operational workflow: the specific sequence of steps executed for each vendor relationship across its lifecycle. It is what you do.

The process requires the program to exist to be effective — without governance, ownership, and documented standards, process steps produce inconsistent outputs and no audit trail. But the process is where risk is actually identified and managed.


The 6-Stage Vendor Risk Management Process

Stage 1: Vendor Identification and Inventory

You cannot manage what you have not mapped. The first stage is building and maintaining a complete, accurate register of all vendor relationships.

Inputs: Accounts payable records, IT asset management systems, legal contract repositories, SaaS discovery tools.

Key activities:

  • Consolidate vendor data from at least three sources: finance/procurement, IT, and legal
  • For each vendor, capture: vendor name and legal entity, services provided, data access level, system integration, business owner, and contract expiry
  • Flag shadow IT: SaaS tools purchased on credit cards without IT registration

Common failure: Building the inventory from a single source. Procurement records miss SaaS tools paid by credit card. IT records miss consulting firms with access to sensitive data. Legal records miss informal arrangements.

Process output: A complete vendor register with sufficient metadata to tier each relationship.

Regulatory note: NIS2 competent authorities and DORA supervisors expect a documented, maintained vendor register — not a list assembled during audit preparation.


Stage 2: Risk Tiering and Categorisation

Not all vendors require the same level of scrutiny. Risk tiering applies a consistent methodology to classify each vendor by inherent risk, ensuring that assessment depth matches risk level — and that your team's capacity is directed to the relationships where it matters most.

Tiering criteria (score each factor 1–4):

| Factor              | Low (1)       | Medium (2)           | High (3)                     | Critical (4)                       |
|---------------------|---------------|----------------------|------------------------------|------------------------------------|
| Data sensitivity    | Public only   | Internal data        | Confidential / personal data | Special category / regulated data  |
| Data volume         | None          | Limited              | Moderate                     | Large-scale processing             |
| System access       | No access     | Read-only            | Write access                 | Admin / privileged access          |
| Service criticality | Nice-to-have  | Operational support  | Business-important           | Mission-critical                   |

Tier assignment:

| Total score | Tier                     | Assessment depth                                                          |
|-------------|--------------------------|---------------------------------------------------------------------------|
| 4–7         | Tier 3 — Low risk        | Lightweight checklist (~20 items)                                         |
| 8–11        | Tier 2 — Standard        | Standard questionnaire (40–60 questions + document review)                |
| 12–16       | Tier 1 — High / Critical | Full assessment (80+ questions + document review + evidence verification) |

Re-tier triggers: Whenever a vendor's scope changes materially — a vendor moving from read-only access to admin access is a re-tier event, not a routine reassessment.
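The scoring rubric and tier bands above, implemented as an added example (not Orbiq's code): the four factor levels and the 4–16 score bands are taken from the tables, the VendorScope record and the retier() helper are hypothetical, and any change to a scored factor is treated as a re-tier event even when the tier band does not move.

```python
from dataclasses import dataclass

# Scoring rubric from the tiering table: a factor's score is the 1-4 position
# of the vendor's level in its list. Level names are matched case-insensitively.
RUBRIC = {
    "data_sensitivity": ["public only", "internal data",
                         "confidential / personal data", "special category / regulated data"],
    "data_volume": ["none", "limited", "moderate", "large-scale processing"],
    "system_access": ["no access", "read-only", "write access", "admin / privileged access"],
    "service_criticality": ["nice-to-have", "operational support",
                            "business-important", "mission-critical"],
}

# Total score bands from the tier assignment table: (low, high, tier).
TIER_BANDS = [(4, 7, 3), (8, 11, 2), (12, 16, 1)]


@dataclass(frozen=True)
class VendorScope:  # hypothetical record of one vendor's inherent-risk factors
    name: str
    data_sensitivity: str
    data_volume: str
    system_access: str
    service_criticality: str


def score_factor(factor: str, level: str) -> int:
    """Map a factor level to its 1-4 score; an unknown level is an error, not a default."""
    levels = RUBRIC[factor]
    key = level.strip().lower()
    if key not in levels:
        raise ValueError(f"{factor}: unknown level {level!r}; expected one of {levels}")
    return levels.index(key) + 1


def inherent_score(scope: VendorScope) -> int:
    return sum(score_factor(f, getattr(scope, f)) for f in RUBRIC)


def assign_tier(total: int) -> int:
    for low, high, tier in TIER_BANDS:
        if low <= total <= high:
            return tier
    raise ValueError(f"score {total} is outside the 4-16 rubric range")


def retier(before: VendorScope, after: VendorScope) -> dict:
    """Re-score a vendor whose scope changed and report whether its tier moved.
    Any changed factor is a re-tier event, even if the tier band stays the same."""
    changed = [f for f in RUBRIC if getattr(before, f) != getattr(after, f)]
    old, new = inherent_score(before), inherent_score(after)
    return {"changed_factors": changed, "old_score": old, "new_score": new,
            "old_tier": assign_tier(old), "new_tier": assign_tier(new),
            "retier_event": bool(changed)}
```

In the constructed case a payroll vendor scored 11 (Tier 2) on confidential data, moderate volume, read-only access and business-important service moves to 13 (Tier 1) once it is granted admin access, which is exactly the read-only-to-admin re-tier event the text describes.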


Stage 3: Pre-Engagement Due Diligence and Assessment

Before onboarding any new vendor, execute a structured assessment calibrated to the vendor's tier. This is the highest-leverage point in the VRM process: it is far cheaper to identify a critical risk before signing a contract than to manage it after the relationship is embedded.

Due diligence components by tier:

Tier 3 (Low): Lightweight checklist covering basic security certifications, data handling, and incident notification obligations.

Tier 2 (Standard): Questionnaire (40–60 questions) covering access management, encryption, patch management, GDPR sub-processor list, ISO 27001 or SOC 2 status. Document review: recent audit report or self-attestation.

Tier 1 (Critical): Full questionnaire (80+ questions) covering all security domains — access management, encryption, business continuity, disaster recovery, incident response, sub-contractor management, financial stability, and regulatory compliance status. Document review: current ISO 27001 certificate, SOC 2 Type II report, penetration test summary (last 12 months), BCP/DRP test results.

Assessment domains for Tier 1:

  • Information security controls (access management, encryption, vulnerability management, incident response)
  • Compliance certifications and status (ISO 27001, SOC 2 Type II, GDPR, NIS2, DORA)
  • Data handling (data location, sub-processors, retention and deletion)
  • Business continuity (DR/BCP, RTO/RPO, geographic redundancy)
  • Financial stability (insurance, solvency, key-person dependencies)
  • Fourth-party risk (sub-contractor management chain)

DORA-specific note: DORA Article 28 requires a pre-contract risk assessment for all ICT providers. For critical ICT third parties (as designated by EBA/EIOPA/ESMA), enhanced due diligence is mandatory and may trigger notification obligations to the relevant European Supervisory Authority.

For a complete assessment questionnaire template, see our Vendor Risk Assessment Template.


Stage 4: Contract Governance and Risk Obligations

Due diligence identifies risk; contracts create enforceable obligations to manage it. A finding from an assessment with no corresponding contract requirement is a finding with no remedy — the vendor has no obligation to act.

Minimum contract requirements for all vendors:

  • Data Processing Agreement (DPA): Required under GDPR Article 28 for any vendor processing personal data
  • Security obligations: Minimum security standards the vendor must maintain throughout the relationship
  • Incident notification: Vendor must notify you within a defined timeframe (typically 24–72 hours) of any security incident affecting your systems or data
  • Audit rights: Your right to audit vendor security controls, or receive third-party audit reports on request

Enhanced clauses for Tier 1 vendors:

  • Sub-processor approval rights: you must approve any changes to the vendor's sub-processor list
  • Concentration risk disclosure: vendor must notify you if they become over-reliant on a single infrastructure provider
  • Exit provisions: detailed data return, deletion, and transition support obligations on contract termination
  • Remediation timelines: specific deadlines for addressing security findings

DORA-specific contract requirements (Articles 28–30):

  • Service level requirements and performance reporting
  • Business continuity and disaster recovery provisions
  • Full data access and auditability clauses
  • Exit strategy provisions that preserve operational resilience during transition
  • Sub-contractor disclosure requirements (ultimate parent company identification)

Stage 5: Continuous Monitoring

Point-in-time assessments expire the day they are completed. A vendor who passed your assessment 18 months ago may have been breached 3 months ago, lost their ISO 27001 certificate 6 months ago, or been acquired by a higher-risk entity last month. Continuous monitoring fills the gap between formal assessments.

Monitoring activities by tier:

| Activity                          | Tier 1 (Critical) | Tier 2 (Standard)   | Tier 3 (Low)               |
|-----------------------------------|-------------------|---------------------|----------------------------|
| Full reassessment                 | Annual            | Every 18–24 months  | Every 3 years / at renewal |
| Certificate expiry monitoring     | Continuous        | On renewal          | On renewal                 |
| Security news / breach monitoring | Continuous        | Quarterly           | As needed                  |
| Sub-processor change review       | All changes       | Material changes    | Not required               |
| Financial health check            | Annual            | At renewal          | Not required               |

What to monitor continuously:

Certificate status: ISO 27001 and SOC 2 certificates expire annually or biannually. An expired certificate means the vendor's controls have not been independently verified in the current period — a material compliance gap under NIS2 and DORA.

Security incidents and advisories: Monitor vendor security bulletins, public breach disclosures, CVE announcements in vendor-supplied software, and regulatory actions against the vendor.

Fourth-party changes: Your critical vendors have their own vendors. A material change in your Tier 1 vendor's sub-processors is a risk event for your organisation.

Regulatory compliance status: NIS2 and DORA compliance obligations continue to evolve. Track whether your critical vendors remain compliant with their applicable regulations.

Event-driven reassessment triggers (regardless of scheduled cycle):

  • Vendor reports a security incident affecting your data
  • Vendor is acquired or merges with another entity
  • Significant change in services, data access scope, or infrastructure
  • Vendor loses a key certification
  • Public reports of breach, financial distress, or regulatory action

Under NIS2 and DORA, ongoing monitoring is not optional — regulators expect continuous oversight, not periodic snapshots. Only 14% of procurement teams currently use continuous monitoring tools for vendor oversight, representing a significant compliance gap for most organisations.
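The reassessment cadence from the monitoring table, the event-driven triggers listed above, and the certificate-expiry check, combined in one added example (not Orbiq's code). It assumes the 18-month lower bound for Tier 2's "every 18–24 months" cadence, treats Tier 3 as 36 months, and the reassessment_required() helper and its event names are hypothetical.

```python
import calendar
from datetime import date

# Scheduled reassessment cadence in months, from the monitoring table.
# Tier 2 is "every 18-24 months"; the 18-month lower bound is an assumption here.
CADENCE_MONTHS = {1: 12, 2: 18, 3: 36}

# Event-driven triggers from the article's list; any one overrides the calendar.
EVENT_TRIGGERS = {
    "security_incident": "vendor reported a security incident affecting your data",
    "acquisition": "vendor was acquired by or merged with another entity",
    "scope_change": "significant change in services, data access scope or infrastructure",
    "certification_lost": "vendor lost a key certification",
    "public_report": "public report of breach, financial distress or regulatory action",
}


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic clamped to the last valid day (31 Jan + 1 -> 28/29 Feb)."""
    year, month0 = divmod(d.month - 1 + months, 12)
    year += d.year
    month = month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def scheduled_due(tier: int, last_assessed: date) -> date:
    return add_months(last_assessed, CADENCE_MONTHS[tier])


def lapsed_certificates(certs: dict, today: date) -> list:
    """certs maps certificate name -> expiry date; returns the names past expiry, sorted."""
    return sorted(name for name, expiry in certs.items() if expiry < today)


def reassessment_required(tier, last_assessed, today, events=(), certs=None):
    """Combine calendar cadence, event-driven triggers and certificate lapses.
    Returns (required, reasons); an unknown event name is rejected rather than ignored."""
    reasons = []
    due = scheduled_due(tier, last_assessed)
    if today >= due:
        reasons.append(f"scheduled tier {tier} reassessment due {due.isoformat()}")
    for event in events:
        if event not in EVENT_TRIGGERS:
            raise ValueError(f"unknown trigger {event!r}; expected one of {sorted(EVENT_TRIGGERS)}")
        reasons.append("event trigger: " + EVENT_TRIGGERS[event])
    for name in lapsed_certificates(certs or {}, today):
        reasons.append(f"certificate lapsed: {name}")
    return bool(reasons), reasons
```

The sample dates in the checks are constructed; a Tier 3 vendor inside its 3-year window still comes up for reassessment the moment an acquisition event is recorded, which is the point of the event-driven triggers.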


Stage 6: Renewal or Structured Offboarding

Every vendor relationship either continues or ends. Both transitions require active management.

At renewal:

  • Reassess the vendor's risk tier (scope may have changed)
  • Review assessment currency: if last assessment is more than 12 months old for Tier 1, reassess before signing renewal
  • Review contract terms: EU regulatory requirements evolve — contracts signed in 2022 may not include NIS2 or DORA-required clauses
  • Renegotiate: pricing, SLAs, security obligations, and exit terms are all renegotiable at renewal

At offboarding:

Structured offboarding should begin 90–180 days before termination for Tier 1 vendors. Key activities:

  1. Access revocation: comprehensive removal of all vendor access — accounts, API keys, SSO, physical access, network certificates
  2. Data return: vendor returns your data in a usable format within 30 days of termination
  3. Data deletion confirmation: written confirmation from vendor that your data has been deleted from all systems, including backups
  4. Sub-processor unwinding: ensure any fourth-party access to your data via the vendor's sub-processors is also revoked
  5. Transition documentation: operational documentation, runbooks, and configurations transferred before exit

DORA offboarding requirement: DORA Article 28 requires exit strategies for critical ICT providers that preserve operational resilience during transition. This must be documented before onboarding, not assembled at the point of termination.

A vendor relationship that cannot be exited cleanly represents a concentration risk — one of the key risks DORA was designed to address.


EU Regulatory Requirements for the VRM Process

NIS2 Article 21(2)(d)

NIS2 requires organisations in scope to implement risk management measures addressing security in supply chain relationships. The VRM process must:

  • Maintain a documented vendor inventory with criticality classification
  • Conduct pre-engagement assessment before onboarding vendors with access to critical systems
  • Write minimum security requirements into vendor contracts
  • Implement ongoing monitoring of critical suppliers
  • Establish an incident notification chain (vendors must notify you of relevant security incidents)

NIS2 competent authorities expect documented evidence of a systematic, repeatable process — not ad hoc assessments produced during an incident or audit.

DORA Articles 28–30

DORA imposes the most prescriptive third-party risk process requirements in the EU. Financial entities must:

  • Maintain a register of all ICT third-party contracts
  • Conduct pre-contract risk assessments for all ICT providers
  • Identify and manage concentration risk (over-reliance on single providers)
  • Apply enhanced due diligence to critical ICT providers designated by EBA/EIOPA/ESMA
  • Maintain documented exit strategies for critical ICT relationships

The DORA register must be available for inspection by the relevant European Supervisory Authority at any time.

UK and Norwegian Equivalents

UK FCA PS21/3: UK financial institutions must have documented, systematic processes for managing operational risks from third parties — including documented exit testing and scenario analysis. While pre-dating DORA, the requirements substantially overlap.

Norway: Norwegian organisations must comply with NIS2 via its national implementation under the EEA Agreement. The Nasjonal sikkerhetsmyndighet (NSM) provides sector-specific guidance on supply chain security requirements that complement NIS2 Article 21.

ISO 27001:2022 (Annex A 5.19–5.22)

ISO 27001-certified organisations must demonstrate:

  • A.5.19: Policies governing supplier security relationships
  • A.5.20: Security requirements in supplier agreements
  • A.5.21: Managing information security in the ICT supply chain
  • A.5.22: Monitoring, reviewing, and managing supplier service changes

Common Process Failures and How to Avoid Them

Starting assessment before establishing governance. Without a risk appetite policy and clear ownership, assessment outputs have no decision authority. Who approves onboarding a Tier 1 vendor with a high residual risk finding?

Single-source vendor inventory. Finance systems miss shadow IT. IT systems miss consulting contracts with data access. Build from three sources minimum.

Treating all vendors as Tier 1. If everything is critical, nothing gets the deep scrutiny it requires. Tiering exists to focus capacity on the relationships that warrant it.

Assessment without contract requirements. A finding in an assessment with no corresponding contract obligation has no remedy. Contracts are the enforcement mechanism.

No event-driven monitoring triggers. Calendar-based assessment schedules miss material changes between cycles. Make sure your monitoring includes event-driven triggers for acquisitions, incidents, and scope changes.

Poor offboarding process. Vendors with residual access to your systems after contract termination are a data protection and security risk. Offboarding is a compliance obligation, not an IT housekeeping task.


Automating the VRM Process

At 286 vendors, manually tracking each stage of the VRM lifecycle across your portfolio is operationally unsustainable. Only 13% of TPRM teams have fully matured automation capabilities — but the gap between them and manual teams widens each year as portfolio complexity grows.

Orbiq's Vendor Assurance Platform automates each stage of the process:

  • Vendor inventory and tiering — centralised register with automatic risk classification
  • Automated questionnaire distribution — send, chase, and track responses without manual follow-up
  • Certificate monitoring — real-time alerts on expiry and lapses
  • Continuous monitoring — security event feeds and sub-processor change tracking
  • Audit-ready reporting — NIS2 and DORA-aligned documentation generated automatically



Sources & References

  1. Secureframe — 100+ Essential Third-Party Risk Statistics 2026 — Average organisation manages 286 vendors; 49% say their method cannot assess risk at every lifecycle stage; 13% have fully matured automation
  2. UpGuard — Vendor Risk Management Workflow 2026 — 6-stage VRM workflow guidance
  3. Panorays — What is Vendor Risk Management VRM 2026 — VRM lifecycle and best practices
  4. Mitratech — Vendor Risk Management Workflows: 7 Critical Steps — VRM workflow process guidance
  5. Atlas Systems — Continuous Vendor Risk Monitoring 2026 — Continuous monitoring best practices; only 14% of procurement teams use continuous monitoring tools
  6. SITS — NIS2, DORA & Supply Chain Entities — EU regulatory supply chain requirements
  7. OneTrust — DORA and NIS2 Operational Resilience — DORA and NIS2 third-party requirements
  8. ApexAnalytix — VRM Process: 7 Best Practices — VRM process best practices
