🔧 MVP Operations

Third-Party Risk (Simplest Version)

Email Questionnaire Flow

  1. Create: Admin enters vendor email
  2. Send: System emails unique link
  3. Fill: Vendor completes web form
  4. Review: Shows in vendor list
  5. Decide: Approve/Deny/Request more
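
Steps 1 to 3 hinge on the emailed link being the vendor's only credential for the form. The sketch below is an added example, not code from this project: it issues an unguessable link and stores only a digest of the token. The base URL, the 14-day expiry, the single-use rule and the in-memory store are all assumptions for illustration.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

BASE_URL = "https://app.example.test/vendor-form"  # placeholder, not from the page
LINK_TTL = timedelta(days=14)                       # assumed expiry; the page sets none


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_link(store: dict, vendor_email: str, now: datetime) -> str:
    """Steps 1-2: admin enters the vendor email, system builds the unique link."""
    token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    # Keep only the digest, so reading the table does not yield working links.
    store[_digest(token)] = {
        "vendor_email": vendor_email,
        "expires_at": now + LINK_TTL,
        "submitted": False,
    }
    return f"{BASE_URL}/{token}"


def redeem(store: dict, token: str, now: datetime):
    """Step 3: vendor submits the form. Returns the vendor email, or None if refused."""
    record = store.get(_digest(token))
    # Unknown, already used and expired links all get the same answer.
    if record is None or record["submitted"] or now >= record["expires_at"]:
        return None
    record["submitted"] = True  # single use (assumption)
    return record["vendor_email"]


if __name__ == "__main__":
    db = {}  # constructed stand-in for the questionnaire table
    start = datetime.now(timezone.utc)
    link = issue_link(db, "vendor@example.test", start)
    print(link)
    print(redeem(db, link.rsplit("/", 1)[1], start))  # vendor@example.test
    print(redeem(db, link.rsplit("/", 1)[1], start))  # None, link already used
```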

Web Form Fields (5 questions max)

  • Company name and ABN
  • Do you have cyber insurance? (Y/N)
  • Last security audit date
  • Data access needed (None/Read/Write)
  • Contact for security issues

No automation in MVP - Manual review only

Approval Flow

Simple Binary States

Pending → Approved ✓
      ↘→ Denied ✗

UI Actions

  • Approve: Changes status, adds date
  • Deny: Changes status, requires reason
  • Delegate: Assign to another user

Not doing: Multi-step approvals, conditions

Evidence Collection

Basic Upload

  1. User clicks "Add Evidence"
  2. Selects file (PDF/image only)
  3. Adds description
  4. Links to control/task
  5. Shows as attached

Storage

  • Files in Supabase bucket
  • Metadata in database
  • No processing or validation
  • 100MB file size limit

Board Transcript Processing (Future)

Planned Approach

  1. Upload meeting transcript (TXT/DOCX)
  2. Extract decisions with keywords
  3. Show proposed status changes
  4. Human confirms each one
  5. Bulk update statuses

Keywords: "approved", "accepted", "rejected", "deferred"

What We're NOT Doing

  • Automated workflows
  • Email notifications (except vendor)
  • Complex approval chains
  • Document versioning
  • Integration with external systems

Operational Metrics

[To be measured]:

  • Time to vendor response
  • Evidence items per control
  • Approval turnaround time
  • Board decisions per meeting

Simple operations for simple startup.