06.03 Third-Party and Vendor Risk Assessments
Send assessment questionnaires to vendors and external partners through the Assessments Extra — using Assessment Contacts as the de facto vendor record, the tokenized email send mechanism that needs no SimpleRisk login on the recipient side, and the response-review workflow that turns vendor answers into actionable findings.
Requires: Assessments Extra
External-recipient assessments are gated by the Assessments Extra. Core SimpleRisk has no way to send a questionnaire to someone outside the SimpleRisk install. The Extra activates the Assessments menu and the Assessment Contacts feature this article centers on.
Why this matters
A vendor assessment is the program's instrument for asking "tell us how you handle our data" of someone the program has no direct authority over. The vendor isn't a SimpleRisk user, isn't on the company's intranet, and won't appear in the office on a Tuesday. The assessment has to reach them through email, has to let them respond without a login they don't have, and has to produce an artifact the program can defend in front of an auditor who asks "show me your vendor due-diligence evidence."
The other reason this matters: vendor risk is the part of the program that lives outside your control. You can require strong access controls on your own systems; you can only ask the vendor about theirs. The questionnaire is the asking; the response is the evidence; the program's decision (continue working with the vendor, escalate to a contract review, terminate the engagement) is what closes the loop. Without the assessment, the vendor decision is made on intuition; with it, the decision is made on documented answers to specific questions.
The third thing worth knowing is the SimpleRisk-specific shape: there's no separate Vendor entity. The Extra uses Assessment Contacts as the de facto vendor record — a flat list of external email-and-name records, with optional company, phone, manager, and details fields. Programs needing vendor-tier classification, contract tracking, or recurring-engagement management need to layer that on (Customization Extra for tier fields, an external system for contracts). The Assessment Contacts feature is the questionnaire-recipient half of vendor management; the rest lives elsewhere.
Before you start
Have these in hand before sending an external assessment:
- The Assessments Extra activated with the Assessment Contacts sub-menu visible. (See Running a Self-Assessment for activation specifics.)
- The relevant permissions: Allow Access to "Assessments" Menu for base access, Able to Add Assessment Contacts to create new external recipients, Able to Edit Assessment Contacts to update them, Able to Send Questionnaires to send. The contact-management permissions are separate from the send permission so a junior team member can maintain the contact list without the authority to actually send vendors a questionnaire. (See Permission Reference.)
- A questionnaire template appropriate for vendor scope. The standard public templates (Vendor Security Assessment Questionnaire, Cloud Security Alliance CAIQ, Standardized Information Gathering questionnaire) are good starting points; build your own if you have specific vendor categories that need targeted questions.
- Confirmed vendor email addresses. A typo'd email means the questionnaire goes nowhere and you discover the silence three weeks later. Verify the address against the vendor's contract or against an existing email thread before adding.
- An internal owner for each vendor. The Assessment Contact's Manager field is a SimpleRisk user picker; the manager is the internal coordinator who chases the vendor when responses are late and reviews the responses when they arrive.
- A read on the vendor's security maturity. A small SaaS vendor without a security team will need a different questionnaire than a major cloud provider with their own GRC department. Long questionnaires sent to under-resourced vendors don't get answered; short questionnaires sent to mature vendors are insufficient. Right-size the questionnaire to the vendor.
Step-by-step
1. Add the vendor as an Assessment Contact
Sidebar: Assessments → Assessment Contacts opens /assessments/contacts.php. Click Add a New Assessment Contact to open the contact form. The fields:
- Name — the contact person's name. Required.
- Email — the contact's email address. Required, and unique across the contacts table — the same email can't be added twice. The token mechanism uses the email as the recipient identifier.
- Company — the vendor company name. Optional but recommended; surfaces on the questionnaire-results page so reviewers know who they're reading.
- Phone — optional. Useful for the chase-them-down step when responses are overdue.
- Manager — single-user picker. The internal SimpleRisk user responsible for this vendor relationship. Drives notifications when the contact's questionnaire status changes.
- Details — free-text field for any additional context (vendor scope, contract reference, notes).
Click save. The contact lands in assessment_contacts and becomes available as a recipient on any new questionnaire.
2. Build (or pick) the questionnaire template
Sidebar: Assessments → Questionnaire Templates opens the template manager. Either create a new template (questions you've authored or imported) or open an existing template you'll send to this vendor. The full template-build mechanics are documented in Running a Self-Assessment; the vendor-specific considerations:
- Open with framing. Vendors filling out questionnaires need context about why you're asking. The questionnaire's User Instructions field opens the questionnaire with whatever you put there; one paragraph explaining the audit driver, the deadline, and what happens with the responses sets a much better tone than a blank form does.
- Match the vendor's vocabulary. A vendor whose stack is AWS will read "compute instances" naturally; the same vendor will trip on "VMs in your data center" if that doesn't reflect their reality. Use vendor-shape language; the responses are higher-quality.
- Map the questions you care about to your controls. Use the per-question control-mapping feature (see Control Assessments and Evidence Collection) so the responses produce per-control evidence on your side. The mapping doesn't change anything the vendor sees; it's the bookkeeping that makes the responses useful for your compliance posture.
3. Create the questionnaire and pair it with the contacts
Sidebar: Assessments → Questionnaires opens the questionnaire list. Click Add to open the questionnaire form. Fill in the Settings card (Name, Team, Owner, User Instructions, Email Instructions) per Running a Self-Assessment. The vendor-specific notes:
- Name the questionnaire for the vendor and the cycle. "Q3 2026 Vendor Security Assessment — Acme Corp" is more navigable than "Vendor Assessment 23." The name appears in the email subject after the prefix Risk Assessment Questionnaire -, so the vendor sees it too.
- Email Instructions are the email body. Use them to explain the assessment's context, the deadline, and the consequence of not responding (contract review, alternate-vendor consideration). Generic emails get ignored; specific ones get answered.
- Set the reminder cadence. Notify assessment contacts every [N] days until completed drives the automated reminders. A 7-day cadence is reasonable for high-priority assessments; a 14-day cadence for routine ones. Without reminders, the vendor's response rate drops sharply.
- Decide on the schedule. Schedule and send this assessment every [N] days controls the recurring-send behavior. For annual vendor recertification, set this to 365; for higher-priority vendors with a tighter cadence, set it lower. Recurring assessments pre-populate from the prior round so the vendor only confirms or updates.
In the Templates card, pair the questionnaire template with the assessment contact(s). The pairing is many-to-many — one questionnaire can mix multiple template/contact pairings (the legal-vendor template to the legal contacts, the engineering-vendor template to the engineering contacts, all on the same send schedule).
4. Send the questionnaire
The questionnaire form has two save buttons at the top right: Save (saves as draft, doesn't send) and Save & Send (saves and immediately fires the email send). Save & Send is gated by Able to Send Questionnaires.
When Save & Send runs:
- The Extra generates a unique 40-character token per recipient.
- A row is written to questionnaire_tracking with contact_type='assessment' (distinguishing external contacts from internal users), the token, the questionnaire ID, the contact ID, and a sent_at timestamp.
- An email is sent to each contact's address with the subject Risk Assessment Questionnaire - plus the questionnaire name, and a body containing the Email Instructions plus the recipient's personalized link: /assessments/questionnaire.index.php?token= followed by that recipient's token.
- The token has a configurable lifespan controlled by ASSESSMENT_MINUTES_VALID (default 720 minutes / 12 hours, but typically configured much higher for vendor assessments where responses might take days).
The recipient clicks the link and lands on the questionnaire form. No SimpleRisk login is required; the token is what authenticates the response. They answer at their own pace; auto-save (controlled by ASSESSMENT_AUTOSAVE and ASSESSMENT_AUTOSAVE_INTERVAL) persists partial responses on a timer so a closed browser tab doesn't lose work.
5. Track responses and chase the laggards
Sidebar: Assessments → Questionnaire Results opens /assessments/questionnaire_results.php. Each questionnaire-recipient pairing shows up as a row with Questionnaire Name, Date Sent, Questionnaire Status (Pending / In Progress / Completed), Completion Date, Approval Status, Last Comment, plus the contact's company and name.
The status column is the chase signal. A vendor whose questionnaire has been Pending for two weeks past the reminder cadence isn't going to respond without an out-of-band nudge. The contact's Manager field tells you which internal owner should make the call.
For programs running many vendor assessments, the Risk Analysis sub-menu (Assessments → Risk Analysis) provides aggregate stats per questionnaire — useful for "show me overall vendor-assessment posture this quarter" reporting.
6. Review and approve responses
When a vendor submits, their response moves to the results page. Open the response to see every question, the vendor's answer, and any score the response carries. The reviewer's choices:
- Approve finalizes the response. If the questionnaire is configured to bypass pending risks, generated risks flow into the standard risk register at this point. Otherwise the responses sit in the Pending Risks queue for a separate review.
- Reject sends the response back, optionally with a comment explaining what to revisit. The reject comment is optional; sometimes the reason is captured in the audit trail later.
For vendor responses, the most common approval pattern is "review the response, approve it, then walk the resulting pending risks separately." The two-step approach lets the response review stay focused on whether the answers make sense, with the risk-management decisions handled in their own discipline.
7. Track the vendor across cycles
For ongoing vendor relationships, the recurring-send setting handles the cadence (annual recertification at 365 days, semi-annual at 180, etc.). Each new round pre-populates from the prior round so the vendor only confirms or updates the changed answers. Year-over-year comparison happens through the response history — open a contact's prior questionnaire results to see what changed.
For vendor offboarding (the vendor relationship is ending), there's no "delete this contact" cascade — the contact's questionnaire history stays in the database for audit purposes. Mark the contact's Details field with the offboarding date so future viewers know not to send new questionnaires; the historical responses stay intact.
Common pitfalls
A handful of patterns recur with vendor assessments specifically.
- One-size-fits-all questionnaire. A 100-question questionnaire designed to cover every conceivable vendor category produces a low response rate from small vendors and a "we already covered this in our SOC 2" deflection from major ones. Maintain at least two or three vendor templates: a short one for low-risk vendors, a longer one for high-risk ones, and possibly a critical-vendor variant with the deepest questions. Send the right template based on vendor tier.
- No vendor-tier system. SimpleRisk doesn't ship a vendor classification natively. Programs sometimes operate without one and end up sending the same questionnaire to a payments-processing vendor and a stationery supplier. Either build a tier classification via the Customization Extra (a per-contact field for Tier 1/2/3) or maintain the tiering in your contracts/procurement system and pick the right questionnaire template based on what's there.
- Sending without context. A blank email arriving from "SimpleRisk" with a link to a questionnaire and no human framing sets off the vendor's "phishing or legitimate?" filter. Send a personal email first (from a real human at your organization, to the real human at the vendor) explaining what's coming. The automated questionnaire email then arrives as expected rather than as suspicious.
- No reminder cadence. A questionnaire sent without Notify assessment contacts every [N] days until completed depends entirely on the vendor remembering to come back to it. Most vendors won't. Set the cadence on every external assessment that matters; 7 days is a reasonable starting point.
- Treating Assessment Contacts as the vendor management system. The contacts feature stores the basics needed to send a questionnaire. It doesn't track contracts, doesn't track financial relationships, doesn't auto-renew due dates beyond the questionnaire schedule. Treat it as the assessment side of vendor management; pair it with whatever your organization uses for the procurement and contract sides.
- Not setting the Manager field. Without an internal manager assigned to a vendor contact, no one is accountable for the vendor's response status. The questionnaire sits Pending and nobody notices. Always assign a manager; that's the human who will (eventually) make the call to the vendor.
- Token expiry catching vendors mid-response. The default ASSESSMENT_MINUTES_VALID of 720 minutes (12 hours) is too short for vendor responses, which routinely take days. Bump the setting to something more like 14400 (10 days) or 30240 (21 days) for vendor-facing programs; the token validation check otherwise locks vendors out of in-progress responses they were going to come back to.
- Acting on the response without confirming the vendor's identity. The questionnaire is tokenized but the token doesn't authenticate the human filling it out — only the email. A questionnaire sent to a generic vendor address (security@vendor.com) might be answered by anyone on that mailing list. For high-stakes assessments, the response is a first cut; confirm critical answers in a follow-up call with a named contact before treating the answers as authoritative.
- Ignoring the Risk Analysis sub-menu. Programs running many vendor assessments rarely look at the Risk Analysis page, treating each assessment as its own thing. The aggregate view is what shows the trends (vendor-assessment posture quarter-over-quarter, the pattern of which question categories drive the most pending risks) that drive program improvements; it's worth a monthly look.
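The tokenized send in Step 4 and the token-expiry pitfall above, modelled as an added Python example (not SimpleRisk's own code): it issues one 40-character token per Assessment Contact, records the questionnaire_tracking fields the article names, and validates a returning link against ASSESSMENT_MINUTES_VALID. The base URL, the contact record and the dates are constructed for the example, and the constant-time token comparison is my addition rather than something the article describes.

```python
# Added illustrative model of the Step 4 send/validate flow, not SimpleRisk's own code.
# Row fields follow the article; the base URL, expiry arithmetic and compare are my assumptions.
import hmac
import secrets
from datetime import datetime, timedelta

ASSESSMENT_MINUTES_VALID = 720  # default named in the article: 12 hours

def minutes_valid_for_window(days):
    """Setting value that keeps a vendor's link alive for a response window of `days` days."""
    return days * 24 * 60  # 10 days -> 14400, 21 days -> 30240 (the article's suggested values)

def send_questionnaire(tracking, questionnaire_id, contacts, sent_at, base_url="https://grc.example.com"):
    """Issue one unique 40-character token per external contact and append a tracking row."""
    links = {}
    for contact in contacts:
        token = secrets.token_hex(20)  # 20 random bytes -> 40 hex characters
        tracking.append({"contact_type": "assessment",  # external contact, not an internal user
                         "token": token, "questionnaire_id": questionnaire_id,
                         "contact_id": contact["id"], "sent_at": sent_at})
        links[contact["email"]] = f"{base_url}/assessments/questionnaire.index.php?token={token}"
    return links

def validate_token(tracking, token, now, minutes_valid=ASSESSMENT_MINUTES_VALID):
    """Return the tracking row for the token, or None if it is unknown or older than minutes_valid."""
    for row in tracking:
        if hmac.compare_digest(row["token"], token):  # constant-time compare (my addition)
            if now - row["sent_at"] <= timedelta(minutes=minutes_valid):
                return row
            return None  # known token, but the link has expired
    return None  # no such token

def demo():
    """Constructed scenario: the vendor returns three days after the send to finish an auto-saved response."""
    tracking, sent_at = [], datetime(2026, 7, 1, 9, 0)
    contacts = [{"id": 7, "email": "security@vendor.example"}]  # constructed contact
    links = send_questionnaire(tracking, 42, contacts, sent_at)
    token, later = tracking[0]["token"], sent_at + timedelta(days=3)
    return {
        "token_length": len(token),
        "link_carries_token": links["security@vendor.example"].endswith("?token=" + token),
        "contact_type": tracking[0]["contact_type"],
        "default_still_valid": validate_token(tracking, token, later) is not None,
        "ten_day_still_valid": validate_token(tracking, token, later, minutes_valid_for_window(10)) is not None,
        "unknown_token_valid": validate_token(tracking, "0" * 40, later, minutes_valid_for_window(10)) is not None,
    }
```

Calling demo() shows the default 720-minute window rejecting a vendor who comes back after three days, while the 10-day value (14400) still admits the same token and an unknown token is rejected either way.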