
Vendor Risk Management (VRM)

Vendor Risk Management (VRM) is the organizational process of identifying, assessing, monitoring, and mitigating the risks that third-party vendor relationships introduce. VRM covers financial, operational, legal, reputational, and cyber risk. As vendor relationships have become more deeply embedded in core business operations, VRM has shifted from a compliance checkbox to a continuous operational discipline. Cyber risk has emerged as the most dynamic and difficult-to-manage component of that discipline.

What does vendor risk management actually involve?

VRM is a lifecycle process, not a one-time activity. It begins before a vendor is contracted and continues until the relationship ends.

  1. Vendor identification and inventory. Understanding which vendors an organization actually uses is a prerequisite for managing their risk. Many organizations discover, during an incident, vendors that nobody formally onboarded: shadow procurement, departmental tool purchases, vendor relationships inherited through acquisitions. Vendor inventory management creates the authoritative list from which the rest of VRM operates.
  2. Risk assessment and tiering. Not every vendor carries equal risk. Vendor risk tiering assigns each vendor a criticality level based on the sensitivity of the data they access, the depth of their system integration, and the operational impact of a disruption or compromise. Tiering determines how much oversight each vendor receives.
  3. Due diligence and onboarding. Before a vendor is approved, due diligence establishes whether their risk profile is acceptable. This includes reviewing security certifications, conducting technical assessments of their external posture, and collecting documentation of controls. AI for TPRM: Accelerate Pre-Contract Due Diligence describes how this process is evolving with automation.
  4. Continuous monitoring. A vendor's risk posture at onboarding is not its risk posture six months later. Continuous monitoring tracks changes: new vulnerabilities, credential exposures, dark web signals, changes in the vendor's own vendor relationships. It surfaces them for action before they become incidents.
  5. Remediation and response. When a vendor shows elevated risk, the organization needs a documented process to respond. Engage the vendor, request remediation, accept the residual risk, or exit the relationship. Without this process, monitoring produces findings that go unaddressed.
  6. Offboarding. When a vendor relationship ends, vendor offboarding ensures that access is revoked, data is returned or destroyed, and no residual exposure persists.

How does VRM differ from TPRM and TPCRM?

The terms overlap, and different organizations use them interchangeably. In practice, they describe different scopes.

  • Third-Party Risk Management (TPRM) is the broadest term. It covers the full program across all risk types (financial, legal, operational, reputational, cyber) and across all external relationships, which may include vendors, partners, contractors, and suppliers.
  • Vendor Risk Management (VRM) is narrower in scope. It focuses specifically on the vendor subset of third-party relationships, though it still typically covers multiple risk types.
  • Third-Party Cyber Risk Management (TPCRM) focuses specifically on the cybersecurity dimension of third-party risk: the technical exposure, vulnerabilities, and threat activity that vendor relationships introduce. TPCRM is the category Black Kite operates in. The Gartner® Hype Cycle™ for Cyber Risk Management, 2025 identifies Black Kite as a representative vendor in this category.

In security-focused organizations, VRM and TPRM often serve as the container for the program, while TPCRM describes the cyber-specific practice within it. The distinction matters because the tools, data sources, and expertise required for cyber risk management differ from those required for financial or operational risk management.

Where does vendor cyber risk fit within VRM?

Cyber risk has become the fastest-growing and most difficult component of VRM. Financial risk is largely addressed through contracts and credit checks. Operational risk is managed through business continuity planning and SLA frameworks. Legal risk is managed through counsel and compliance teams. Cyber risk is different because it is continuous, technical, and opaque.

A vendor's security posture is not visible from its invoices or contract terms. It requires technical assessment: examination of external signals, vulnerability data, authentication practices, encryption standards, and the vendor's own vendor relationships. It also changes continuously. A patch is not applied, a credential is leaked, a new integration creates an exposure that did not exist last month.

This is why cyber risk requires dedicated tooling within a VRM program. The third-party risk management solution Black Kite provides is purpose-built for the technical realities of vendor cyber risk. It delivers continuous monitoring, outside-in assessment, Nth-party visibility, and automated risk response workflows, rather than adapting frameworks designed for financial or operational risk.

Why does VRM fail at scale?

The most common failure mode for VRM programs is scope. The program was built for 50 vendors and now covers 500. The processes that worked at the smaller scale (manual questionnaires, individual reviews, relationship-by-relationship assessment) do not scale. The result is a program that nominally covers a large vendor population but actually provides meaningful oversight for only a fraction of it.

A risk-based approach to vendor management addresses this by concentrating oversight on the vendors that matter most. Tier 1 vendors, those with deep system access, sensitive data, or operational criticality, receive the highest level of scrutiny. Lower-tier vendors receive proportionate attention. The goal is not equal treatment of all vendors. It is appropriate treatment based on actual risk.

See: A Risk-Based Approach to TPRM

The second common failure mode is point-in-time thinking. Annual assessments create a snapshot of a vendor's security posture as of the assessment date. That snapshot is out of date the next day. VRM programs that rely primarily on periodic reviews miss the dynamic reality of cyber risk. Regulators reviewing those programs increasingly know it.
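The two failure modes above, scope and point-in-time thinking, can be made measurable against a vendor inventory. The following is an added example, not Black Kite's code or scoring model: it assigns tiers from the three criteria the page names (data sensitivity, integration depth, operational impact) using assumed thresholds, then lists every vendor whose last assessment is older than its tier's review interval or that was never assessed. The tier thresholds, review intervals and sample inventory are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Maximum age of the last assessment per tier before the vendor counts as
# unmonitored. These intervals are an assumption for this example only.
REVIEW_INTERVAL_DAYS = {1: 30, 2: 90, 3: 365}

@dataclass
class Vendor:
    name: str
    data_sensitivity: int       # 0 none .. 3 regulated data (PHI, PCI, credentials)
    integration_depth: int      # 0 no access .. 3 privileged or system-level access
    operational_impact: int     # 0 negligible .. 3 business-critical dependency
    last_assessed: Optional[date]  # None = never formally onboarded or assessed

def tier_vendor(v: Vendor) -> int:
    """Map the three tiering criteria to a tier (1 = most oversight). Assumed rule:
    any factor at its maximum, or a combined score >= 6, is Tier 1; 3..5 is Tier 2."""
    factors = (v.data_sensitivity, v.integration_depth, v.operational_impact)
    score = sum(factors)
    if max(factors) == 3 or score >= 6:
        return 1
    if score >= 3:
        return 2
    return 3

def oversight_gaps(vendors: List[Vendor], today: date) -> List[Tuple[str, int]]:
    """Return (name, tier) for each vendor whose last assessment is older than its
    tier's interval, or that was never assessed. This is the point-in-time failure
    made visible: the vendor is in the inventory, but its only evidence of posture
    is an expired snapshot."""
    gaps = []
    for v in vendors:
        tier = tier_vendor(v)
        limit = timedelta(days=REVIEW_INTERVAL_DAYS[tier])
        if v.last_assessed is None or today - v.last_assessed > limit:
            gaps.append((v.name, tier))
    return gaps

# Constructed sample inventory (not real vendors) and a fixed "as of" date.
AS_OF = date(2025, 3, 1)
SAMPLE_INVENTORY = [
    Vendor("PayrollSaaS", 3, 2, 3, date(2025, 1, 1)),       # Tier 1, 59 days old
    Vendor("LogisticsAPI", 1, 2, 2, date(2025, 1, 15)),     # Tier 2, 45 days old
    Vendor("AnalyticsPlugin", 2, 2, 1, None),               # Tier 2, never assessed
    Vendor("OfficeCaterer", 0, 0, 1, date(2024, 6, 1)),     # Tier 3, 273 days old
]
```

Running `oversight_gaps(SAMPLE_INVENTORY, AS_OF)` flags PayrollSaaS and AnalyticsPlugin; the caterer is fine under its annual interval, which is the proportionate treatment the risk-based approach calls for.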

What do regulators expect from vendor risk management?

Regulatory expectations for VRM have tightened across industries and jurisdictions. Financial regulators, healthcare regulators, and data protection authorities now treat third-party risk management as a material component of organizational governance. It is not a best-practice addition. It is an expected baseline.

The Digital Operational Resilience Act (DORA) in the EU requires financial entities to maintain a complete register of third-party ICT service providers, assess their concentration risk, and conduct both contractual and ongoing oversight. The FTC Safeguards Rule requires financial institutions to oversee service provider security. HIPAA requires healthcare covered entities to execute Business Associate Agreements with every vendor that handles protected health information and to ensure those agreements are backed by actual security practices, not just signatures.

What regulators are looking for is evidence of a live, functioning VRM program. A policy document is not sufficient. Regulators expect documented processes, evidence of ongoing assessments, records of vendor risk findings and remediation, and demonstrable oversight of the highest-risk vendors. The vendor compliance management capability in Black Kite's platform helps organizations produce that evidence systematically rather than assembling it manually at audit time.