Vendors & vendor risks

Use Vendors to manage external entities providing AI-related products, services, or components to your organization. Track vendor information, compliance status, review progress, and associated risks for supply chain security and third-party risk oversight.

Prerequisites

Permissions

  • Admin or Editor role: Create, edit, and delete vendor records and risks

  • Viewer role: View vendor records and risks only

Access

  • Navigate to Sidebar → Discovery → Vendors

Overview

The Vendors feature manages external AI service providers and their associated risks throughout the vendor lifecycle. Each vendor record captures contact information, services provided, review status, and project assignments. Risk tracking documents potential issues, impacts, severity assessments, and mitigation plans.

The feature organizes information across two tabs:

  • Vendors: Vendor directory with review workflow

  • Risks: Risk assessment with auto-calculated risk levels

Key capabilities:

  • Register vendors with contact details, services, and website URLs

  • Link vendors to use cases and track project dependencies

  • Manage review workflows with four status states and enforced separation of duties

  • Document risks with severity and likelihood selections that auto-calculate risk levels

  • Filter vendors by use case; filter risks by use case, vendor, and deletion status

  • Track mitigation through detailed action plans and assigned risk owners

Accessing Vendors

To access the Vendors page:

  1. Open the sidebar navigation

  2. Navigate to the Discovery section

  3. Select Vendors

The page displays tab navigation at the top, followed by filter controls and either the vendor table or risk table depending on the active tab.

Creating a new vendor record

Prerequisites: At least one use case must exist in the system. Vendors require association with a use case.

To register a vendor:

  1. Ensure you're on the Vendors tab

  2. Click Add new vendor in the upper right corner

  3. Complete the required fields in the vendor form

  4. Click Save to create the record

The form includes required and optional fields.

Vendor name (required)

Enter the official name of the vendor or organization providing AI services.

Examples

  • "OpenAI"

  • "Anthropic"

  • "Google Cloud AI"

  • "AWS Machine Learning"

  • "DataRobot"

Website (required)

Enter the vendor's website URL. If you omit the protocol, the system automatically prepends "http://", so the stored link (which is rendered as a clickable link in the vendors table) points at a plaintext-HTTP address. Include "https://" explicitly so the link resolves to the vendor's TLS endpoint.

Examples

  • "https://www.openai.com"

  • "anthropic.com" (automatically becomes "http://anthropic.com")

  • "https://cloud.google.com/ai"

Use cases (required)

Select one or more AI use cases or projects where this vendor provides services. The multi-select dropdown populates from your organization's project registry. Select all relevant projects.

Linking vendors to use cases enables dependency tracking and impact assessment when vendor relationships change or vendors experience service disruptions.

Vendor provides (required)

Describe the products, services, or components this vendor supplies to your organization.

Examples

  • "Large language model API access and embeddings"

  • "Cloud infrastructure for ML model training and deployment"

  • "Pre-trained computer vision models for image classification"

  • "Data labeling and annotation services"

  • "MLOps platform and model monitoring tools"

Vendor contact person (required)

Enter the name of the primary contact at the vendor organization. Use full name format.

Examples

  • "John Smith"

  • "Jane Doe"

  • "Michael Johnson"

Assignee (required)

Select the internal team member responsible for managing this vendor relationship from the user dropdown. The list populates from your organization's user directory.

The assignee handles day-to-day vendor interactions, monitors service delivery, and escalates issues.

Review status

Track vendor review or assessment progress through four states:

Not started No review has been initiated. Use for newly registered vendors.

In review Assessment is currently underway. Active investigation or evaluation in progress.

Reviewed Review has been completed and documented.

Requires follow-up Additional information, clarification, or corrective action needed before finalizing the review.

Reviewer

Select the person responsible for conducting the vendor review or assessment. The list populates from your organization's user directory.

Validation: The reviewer and assignee cannot be the same person. The system prevents this conflict to maintain separation of duties.

Review date

Enter the date when the review was conducted or is scheduled. The field defaults to today's date. Use the date picker to select a different date.

Review result

Document the outcome of the vendor review or assessment. This field accepts detailed findings, recommendations, or decisions.

Examples

  • "Vendor approved for use in non-critical applications"

  • "Security assessment passed, requires annual re-review"

  • "Identified data residency concerns, mitigation plan required"

  • "Vendor meets all compliance requirements, approved"

After completing required fields, click Save. The system displays a success message and adds the new vendor to the table.
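The form rules above, expressed as a validator, as an added example (this is not code from the product or from this page). It enforces the required fields, the at-least-one-use-case rule, the four review status values, the reviewer/assignee separation-of-duties check, and the website normalization. Field names are assumptions; so is the choice to default a scheme-less website to "https://" (the product itself prepends "http://") and to accept only http(s) schemes, a hardening step that makes sense for a value later rendered as a clickable link but which the page does not say the product performs.

```python
"""Vendor form validation, written as an added example; not the product's own
code. Field names and the https default are assumptions (the product itself
prepends http://, per the page); the http(s) scheme allowlist is an assumed
hardening for a field that is later rendered as a clickable link."""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

REVIEW_STATUSES = ("Not started", "In review", "Reviewed", "Requires follow-up")
ALLOWED_SCHEMES = ("http", "https")  # assumption: only web links are acceptable


def normalise_website(raw: str) -> str:
    """Return an absolute http(s) URL for the Website field.

    A value without a scheme gets 'https://' prepended (assumption; the product
    uses 'http://'). Values that already carry a scheme are checked against the
    allowlist, so 'javascript:...' or 'data:...' never become a stored link.
    """
    value = raw.strip()
    if not value:
        raise ValueError("website is required")
    parts = urlsplit(value)
    if not parts.scheme:
        value = "https://" + value
        parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError(f"website must be an http(s) URL, got {raw!r}")
    try:
        parts.port  # raises ValueError on a malformed port component
    except ValueError as exc:
        raise ValueError(f"website has a malformed host/port: {raw!r}") from exc
    return value


@dataclass
class VendorForm:
    name: str
    website: str
    provides: str
    contact_person: str
    assignee_id: int
    use_case_ids: List[int] = field(default_factory=list)
    review_status: str = "Not started"
    reviewer_id: Optional[int] = None  # optional on the form; assumption


def validate_vendor(form: VendorForm) -> List[str]:
    """Return the list of validation errors; an empty list means the form can be saved."""
    errors: List[str] = []
    for name in ("name", "provides", "contact_person"):
        if not getattr(form, name).strip():
            errors.append(f"{name} is required")
    if not form.use_case_ids:
        errors.append("at least one use case must be selected")
    try:
        normalise_website(form.website)
    except ValueError as exc:
        errors.append(str(exc))
    if form.review_status not in REVIEW_STATUSES:
        errors.append(f"unknown review status {form.review_status!r}")
    # Separation of duties: the person reviewing the vendor must not be the
    # person who manages the relationship day to day.
    if form.reviewer_id is not None and form.reviewer_id == form.assignee_id:
        errors.append("reviewer and assignee must be different people")
    return errors
```

The reviewer check only fires when a reviewer is set, which matches the page's own troubleshooting advice that the reviewer field may be left empty; an empty reviewer should still be treated as "no independent review recorded" by whoever reads the review status.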

Viewing and editing vendor records

Two methods provide access to edit vendor records:

  • Quick edit: Click anywhere on a vendor row in the table

  • Action menu: Click the Edit icon (pencil) in the Actions column

The edit modal opens displaying all current vendor data in form fields. The modal header shows "Edit Vendor". Modify any field, then click Update vendor to save. The system confirms the update and refreshes the table with new information.

Permission requirement: Only Admin and Editor roles can edit vendor records. Viewers have read-only access. If you cannot see the edit icon or click table rows, verify your role permissions with your system administrator.

Deleting a vendor record

Deletion permanently removes vendor records from the system.

To delete a vendor:

  1. Locate the vendor in the table

  2. Click the Delete icon (trash) in the Actions column

  3. Confirm deletion in the dialog

The system immediately removes the vendor record.

Warning: Vendor deletion is permanent. Deleted vendor records cannot be recovered; if one is deleted by mistake, it must be recreated manually. Vendor risks, by contrast, are soft-deleted and remain viewable through the status filter on the Risks tab.

Permission requirement: The delete icon appears only for users with deletion permissions (Admin and Editor roles). If the icon is not visible, your role lacks deletion rights.

Filtering vendors

The use case filter narrows the vendor table to show only vendors associated with a specific project.

To filter by use case:

  1. Click the use case dropdown above the table

  2. Select an option:

    • All Use Cases: Shows all vendors (default)

    • Specific project name: Shows vendors associated with that project

The table updates immediately to display only matching vendors.

Understanding the vendors table

The table displays vendor records with one row per vendor and nine columns of information.

Table columns

Vendor Name The official name of the vendor organization.

Website The vendor's website URL, displayed as clickable links.

Vendor Provides Description of products or services the vendor supplies.

Vendor Contact Person Name of the primary contact at the vendor organization.

Review Status Current state of the vendor review process (Not started, In review, Reviewed, Requires follow-up).

Reviewer Full name of the person responsible for conducting the vendor review.

Review Date Date when the review was conducted or scheduled, shown in YYYY-MM-DD format.

Assignee Internal team member responsible for managing the vendor relationship.

Actions Edit and delete buttons (pencil and trash icons). Visible only if you have appropriate permissions for these operations.

Row interaction

Click anywhere on a table row to open that vendor record in edit mode. This provides quick access without clicking the edit icon.

Working with vendor risks

The Risks tab tracks potential issues, impacts, severity assessments, and mitigation plans for vendors in your directory.

Accessing vendor risks

Click the Risks tab at the top of the page. The tab badge shows the count of tracked risks.

Between the tabs and the table, risk summary cards display counts by risk level (Very high, High, Medium, Low, Very low).

Creating a vendor risk

Prerequisites: At least one vendor must exist in your directory. Risks require association with a vendor.

To create a risk:

  1. Click the Risks tab

  2. Click Add new Risk in the upper right corner

  3. Complete the risk form fields

  4. Click Save to create the risk record

The system auto-calculates risk level in real-time as you select severity and likelihood values.

Risk form fields

Vendor (required) Select which vendor this risk applies to from the dropdown. The list includes all vendors in your directory.

Risk description (required) Describe the potential issue or concern with this vendor. Include what could go wrong and why it matters.

Examples

  • "Vendor's data center located in country with weak data protection laws"

  • "Single-vendor dependency creates availability risk if service interrupted"

  • "Vendor lacks SOC 2 Type II certification required for compliance"

  • "Insufficient vendor security controls for handling sensitive training data"

Impact description (required) Detail the potential consequences if this risk materializes. Describe effects on operations, compliance, security, or business outcomes.

Examples

  • "Potential data breach exposing customer PII and violating GDPR requirements"

  • "Project delays of 2-4 weeks if vendor service becomes unavailable"

  • "Failed audit findings and regulatory fines up to $50,000"

  • "Model training compromised, requiring complete retraining cycle"

Action owner (required) Select the person responsible for managing and mitigating this risk. The list populates from your organization's user directory.

Risk severity (required) Assess impact magnitude if the risk materializes. Select from five levels:

  • Negligible: Minimal impact, no significant consequences

  • Minor: Limited impact, small scope or short duration

  • Moderate: Noticeable impact requiring attention and resources

  • Major: Significant impact affecting operations, compliance, or business continuity

  • Catastrophic: Severe impact with widespread, long-term consequences

Likelihood (required) Assess occurrence probability. Select from five levels:

  • Rare: Highly unlikely under normal circumstances

  • Unlikely: Could occur but not expected under typical conditions

  • Possible: May occur at some point

  • Likely: Probable in most circumstances

  • Almost Certain: Expected in most situations

Action plan (required) Document steps planned or taken to mitigate or eliminate this risk. Include specific actions, timelines, or responsible parties.

Examples

  • "Negotiate data processing addendum requiring EU data residency"

  • "Identify and qualify backup vendor by Q2, establish relationship by Q3"

  • "Require vendor to obtain SOC 2 Type II certification within 90 days"

  • "Implement additional encryption layer for data shared with vendor"

Risk level (auto-calculated) The system calculates overall risk level (Very high, High, Medium, Low, Very low) by combining your severity and likelihood selections. The field updates in real-time as you modify either value.

The calculation uses a standard 5x5 risk matrix where higher severity and likelihood combinations produce higher risk levels.
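The matrix as runnable code, added here as an example (not the product's own implementation). The page states only that severity and likelihood combine through a 5x5 matrix and that higher combinations give higher levels; the scoring (1..5 on each axis, multiplied, then banded into the five levels) is an assumption about the exact cell-to-level mapping. The same block also reproduces the Risks-tab filters and the summary-card counts, including the soft-deleted status handling described later on this page.

```python
"""Risk level calculation and summary counts, written as an added example; not
the product's own code. The page says a 5x5 matrix combines severity and
likelihood and that higher combinations yield higher levels; the exact banding
of the 25 cells into five levels below is an assumption."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEVERITY = ("Negligible", "Minor", "Moderate", "Major", "Catastrophic")
LIKELIHOOD = ("Rare", "Unlikely", "Possible", "Likely", "Almost Certain")
LEVELS = ("Very low", "Low", "Medium", "High", "Very high")


def risk_level(severity: str, likelihood: str) -> str:
    """Map a (severity, likelihood) pair to one of the five risk levels.

    Both axes are scored 1..5 in list order and multiplied (1..25); the score
    is then banded. Because the product of two non-decreasing values is
    non-decreasing, raising either input can never lower the level.
    Unknown values raise ValueError from tuple.index.
    """
    score = (SEVERITY.index(severity) + 1) * (LIKELIHOOD.index(likelihood) + 1)
    if score >= 20:
        return "Very high"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    if score >= 3:
        return "Low"
    return "Very low"


def risk_matrix() -> Dict[Tuple[str, str], str]:
    """The full 5x5 grid, keyed by (severity, likelihood)."""
    return {(s, l): risk_level(s, l) for s in SEVERITY for l in LIKELIHOOD}


@dataclass
class Risk:
    vendor: str
    use_cases: Tuple[str, ...]
    severity: str
    likelihood: str
    deleted: bool = False  # risks are soft-deleted, unlike vendor records

    @property
    def level(self) -> str:
        return risk_level(self.severity, self.likelihood)


# The Risks-tab status filter controls whether soft-deleted rows are shown.
STATUS_FILTERS = {
    "Active only": lambda r: not r.deleted,
    "Active + deleted": lambda r: True,
    "Deleted only": lambda r: r.deleted,
}


def filter_risks(risks: List[Risk], use_case: Optional[str] = None,
                 vendor: Optional[str] = None, status: str = "Active only") -> List[Risk]:
    """Apply the use case, vendor and status filters; they combine (AND)."""
    keep = STATUS_FILTERS[status]
    return [r for r in risks if keep(r)
            and (use_case is None or use_case in r.use_cases)
            and (vendor is None or r.vendor == vendor)]


def summary_counts(risks: List[Risk], **filters) -> Dict[str, int]:
    """Counts per level for the five summary cards, honouring the same filters as the table."""
    counts = Counter(r.level for r in filter_risks(risks, **filters))
    return {lvl: counts.get(lvl, 0) for lvl in LEVELS}


# Constructed sample data; vendor and use-case names are illustrative only.
SAMPLE_RISKS = [
    Risk("OpenAI", ("support-chatbot",), "Major", "Possible"),               # 4*3=12 -> High
    Risk("OpenAI", ("support-chatbot",), "Catastrophic", "Rare"),            # 5*1=5  -> Low
    Risk("DataRobot", ("churn-model",), "Moderate", "Likely"),               # 3*4=12 -> High
    Risk("DataRobot", ("churn-model",), "Minor", "Unlikely", deleted=True),  # 2*2=4  -> Low, hidden by default
    Risk("Anthropic", ("support-chatbot", "summariser"), "Catastrophic", "Almost Certain"),  # 25 -> Very high
]

if __name__ == "__main__":
    for lvl, n in summary_counts(SAMPLE_RISKS).items():
        print(f"{lvl:>9}: {n}")
```

The banding thresholds are the part organisations most often tune; whatever values are used, the matrix should stay monotonic in both axes, which the multiplicative score guarantees and which a test can check cell by cell.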

After completing required fields, click Save. The system confirms creation, adds the risk to the table, and updates the risk summary cards to reflect the new risk level distribution.

Filtering vendor risks

Three filters narrow the risk list:

Use case filter Show only risks for vendors linked to a specific project. Options: "All Use Cases" (default) or specific project names.

Vendor filter Show only risks for a specific vendor. Options: "All Vendors" (default) or specific vendor names. The vendor list updates automatically when you change the use case filter, showing only vendors associated with the selected project.

Status filter Control visibility of deleted risks:

  • Active only: Non-deleted risks only (default)

  • Active + deleted: All risks including deleted records

  • Deleted only: Only deleted risks

Filters combine. Apply multiple simultaneously to narrow results. Example: Select a project in use case filter and a vendor in vendor filter to view all risks for that vendor-project relationship.

Understanding risk summary cards

Five summary cards below the tabs on the Risks view show risk distribution by calculated risk level.

Very high risk (dark red card) Count of risks requiring immediate executive attention and urgent mitigation.

High risk (red card) Count of risks needing prompt action, dedicated resources, and escalation.

Medium risk (yellow card) Count of risks requiring active monitoring and planned mitigation within standard timelines.

Low risk (light green card) Count of risks needing basic tracking with periodic review.

Very low risk (green card) Count of risks requiring minimal oversight and routine monitoring.

The sum across all cards equals total vendor risk count (excluding deleted risks when "Active only" filter is selected).

Understanding the vendor risks table

The table displays risk records with one row per risk and ten columns of information.

Vendor Name The vendor to which this risk applies.

Use Case The project or use case where this vendor risk is relevant.

Risk Description Brief description of the potential issue or concern.

Impact Description Description of consequences if the risk materializes.

Risk Severity Magnitude of potential impact (Negligible, Minor, Moderate, Major, Catastrophic).

Likelihood Probability of the risk occurring (Rare, Unlikely, Possible, Likely, Almost Certain).

Risk Level Auto-calculated overall risk level shown as a color-coded badge:

  • Very high risk: Dark red badge

  • High risk: Red badge

  • Medium risk: Yellow badge

  • Low risk: Light green badge

  • Very low risk: Green badge

Action Owner Person responsible for managing this risk.

Action Plan Mitigation steps planned or taken to address the risk.

Actions Edit and delete buttons (pencil and trash icons). Visible only if you have appropriate permissions.

Editing and deleting risks

Click the edit icon (pencil) to modify risk details. Click the delete icon (trash) to remove risks. Deletion marks risks as deleted but preserves them in the database. View deleted risks by selecting "Active + deleted" or "Deleted only" in the status filter.

Best practices

Follow these practices to maintain accurate vendor records and effective risk management.

Vendor documentation

Use official names Record vendors with official legal or trade names. Avoid abbreviations or informal names that create confusion in contracts, communications, or audit documentation.

Complete contact information Include accurate contact details and current website URLs. Up-to-date information accelerates issue resolution, contract negotiations, and incident response.

Describe services specifically Document precisely what the vendor provides. Avoid vague descriptions like "AI services." Specific descriptions enable accurate criticality assessment and dependency mapping.

Review management

Set appropriate review status Start vendors with "Not started" status. Update to "In review" when assessment begins. Change to "Reviewed" only after completing documentation.

Separate reviewer and assignee The system enforces separation between reviewer and assignee. Choose different people to maintain objectivity in vendor assessments.

Document review outcomes Complete the review result field with specific findings and recommendations. Vague results like "approved" lack the detail needed for future reference.

Use case association

Link to active projects only Associate vendors only with projects currently using their services. Accurate associations enable dependency tracking and impact analysis.

Update associations promptly Remove vendor-project links immediately when projects end or switch vendors. Outdated associations mislead dependency analysis and cost allocation.

Troubleshooting

Common issues and their solutions.

Cannot create or edit vendor records

Cause: Insufficient permissions for the operation.

Solution: Verify your user role. Only Admin and Editor roles can create, edit, or delete vendor records and risks. Viewer role has read-only access. Contact your system administrator if you need elevated permissions.

Cannot create vendor without use case

Cause: No use cases exist in the system. Vendors require association with at least one use case.

Solution: Navigate to the Projects or Use Cases section and create at least one use case first. Then return to Vendors to create vendor records.

Cannot create risk without vendors

Cause: No vendors exist in the directory. Risks require association with a vendor.

Solution: Click the Vendors tab and create at least one vendor record first. Then return to the Risks tab to create risk records.

Reviewer and assignee validation error

Cause: Same person selected for both reviewer and assignee fields.

Solution: Select different people for reviewer and assignee roles. The system enforces separation of duties to maintain objectivity. If only one person is available, leave the reviewer field empty.

Vendor filter shows no options

Cause: No vendors exist for the selected use case, or use case filter is constraining vendor list.

Solution: The vendor dropdown only shows vendors linked to the selected use case. If a specific project is selected in the use case filter and shows no vendors, either no vendors are associated with that project or no vendors exist in the system. Select "All Use Cases" to see all vendors regardless of project association.
