# Third-Party Risk Management MVP
- Scope: MVP feature for customers to track their vendor compliance
- Status: Simplified vendor registry for board reporting
- Target Users: Companies with boards who need vendor oversight
- Not: Complex vendor assessment workflows
## Customer Need
- Boards ask: "What third parties have access to our data?"
- Compliance asks: "Do our critical vendors have appropriate security?"
- Auditors ask: "Show evidence of vendor due diligence"
MVP Answer: Simple vendor registry with key compliance indicators
## Core MVP Features
### 1. Vendor Registry
```typescript
interface Vendor {
  id: string
  name: string
  category: 'critical' | 'important' | 'standard'  // drives review cadence (see Review Reminders)
  services: string[]                                // ["Payment Processing", "Cloud Hosting"]
  dataAccess: 'full' | 'limited' | 'none'           // how much company data the vendor can reach
  compliance: {
    soc2: boolean
    iso27001: boolean
    pciDss: boolean
    customCompliance: string[]                      // other frameworks attested, by name
  }
  contracts: {
    startDate: Date
    renewalDate: Date
    dataProcessingAgreement: boolean
  }
  lastReviewDate: Date
  nextReviewDate: Date
  owner: string                                     // user who manages this relationship
}
```
### 2. Simple Assessment Workflow
Periodic Vendor Review (every 90/180/365 days depending on category, see Review Reminders):
1. System alerts owner 30 days before review due
2. Owner updates vendor information
3. Owner uploads latest certificates
4. Mark review complete
5. Auto-included in board report
No complex scoring - just track and report
### 3. Board-Ready View
```text
┌─────────────────────────────────────────────┐
│ Critical Vendor Summary                     │
├─────────────────────────────────────────────┤
│ Total Vendors: 23                           │
│ Critical: 5 (all reviewed ✓)                │
│ Compliance Coverage: 87%                    │
│                                             │
│ Key Risks:                                  │
│ • PaymentCo - SOC2 expires in 30 days       │
│ • CloudVendor - No DPA on file              │
│                                             │
│ [Download Full Registry]                    │
└─────────────────────────────────────────────┘
```
## Database Schema
```sql
CREATE TABLE vendors (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  name TEXT NOT NULL,
  category TEXT NOT NULL CHECK (category IN ('critical', 'important', 'standard')),
  services TEXT[],
  data_access TEXT NOT NULL CHECK (data_access IN ('full', 'limited', 'none')),
  -- Compliance flags
  has_soc2 BOOLEAN DEFAULT false,
  has_iso27001 BOOLEAN DEFAULT false,
  has_pci_dss BOOLEAN DEFAULT false,
  other_compliance TEXT[],
  -- Contract info
  contract_start DATE,
  contract_renewal DATE,
  has_dpa BOOLEAN DEFAULT false,
  -- Review tracking
  last_review DATE,
  next_review DATE,
  review_owner_id UUID REFERENCES users(id),
  -- Metadata
  tenant_id UUID NOT NULL,
  created_at TIMESTAMPTZ DEFAULT NOW(),
  updated_at TIMESTAMPTZ DEFAULT NOW()
);
-- Every read and write is scoped by tenant_id; index it so the scoping stays cheap.
CREATE INDEX vendors_tenant_idx ON vendors (tenant_id);

CREATE TABLE vendor_documents (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  vendor_id UUID NOT NULL REFERENCES vendors(id),
  document_type TEXT, -- 'soc2', 'contract', 'dpa', 'insurance'
  document_name TEXT,
  file_url TEXT,      -- storage object key; serve via short-lived signed URLs, never a public link
  valid_from DATE,
  valid_until DATE,
  uploaded_by UUID REFERENCES users(id),
  tenant_id UUID NOT NULL, -- must equal vendors.tenant_id; enforce in the application or with RLS
  uploaded_at TIMESTAMPTZ DEFAULT NOW()
);

-- Simple review log
CREATE TABLE vendor_reviews (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  vendor_id UUID NOT NULL REFERENCES vendors(id),
  reviewed_by UUID REFERENCES users(id),
  review_notes TEXT,
  compliance_confirmed BOOLEAN NOT NULL, -- no default: this is audit evidence, the reviewer must state it
  issues_found TEXT[],
  tenant_id UUID NOT NULL,
  reviewed_at TIMESTAMPTZ DEFAULT NOW()
);
```
## UI Components
### Vendor List View
```svelte
<script>
  import { createEventDispatcher } from 'svelte';
  // Component paths are assumed; the page only names the components
  import StatCard from './StatCard.svelte';
  import VendorTable from './VendorTable.svelte';

  export let vendors = [];   // Vendor[] for the current tenant, loaded by the page
  let filter = 'all';        // all | critical | overdue

  const dispatch = createEventDispatcher();
  const isOverdue = (nextReviewDate) => new Date(nextReviewDate) < new Date();

  function filterVendors(list, f) {
    if (f === 'critical') return list.filter(v => v.category === 'critical');
    if (f === 'overdue') return list.filter(v => isOverdue(v.nextReviewDate));
    return list;
  }

  // Forward table actions to the page, which owns the API calls
  const handleReview = (e) => dispatch('review', e.detail);
  const handleDocumentUpload = (e) => dispatch('upload', e.detail);

  $: filteredVendors = filterVendors(vendors, filter);
  $: criticalCount = vendors.filter(v => v.category === 'critical').length;
  $: overdueCount = vendors.filter(v => isOverdue(v.nextReviewDate)).length;
</script>

<div class="vendor-dashboard">
  <div class="stats-row">
    <StatCard
      title="Critical Vendors"
      value={criticalCount}
      status={overdueCount > 0 ? 'warning' : 'good'}
    />
  </div>
  <VendorTable
    {filteredVendors}
    on:review={handleReview}
    on:upload={handleDocumentUpload}
  />
</div>
```
### Quick Add Vendor
```javascript
// Minimal fields to get started
const quickAddVendor = {
  name: 'Required',
  category: 'Required - determines review frequency',
  services: 'Required - what do they do',
  dataAccess: 'Required - for risk assessment',
  // Everything else can be added later
  compliance: 'Add during first review',
  documents: 'Upload when available',
  contracts: 'Track if needed',
}
```
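Validating a quick-add submission before it reaches the vendors table, as an added TypeScript example (not GetCimple code). It assumes the request body is untrusted JSON and that the tenant and the relationship owner come from the authenticated session, never from the body; the length limits (200 characters for the name, 100 per service) are illustrative choices, not values from the spec.

```typescript
// Added example: parse an untrusted quick-add body into a row ready for INSERT.
// Assumptions: body is arbitrary JSON; tenantId/userId come from the session.

type Category = 'critical' | 'important' | 'standard';
type DataAccess = 'full' | 'limited' | 'none';

const CATEGORIES: readonly Category[] = ['critical', 'important', 'standard'];
const DATA_ACCESS: readonly DataAccess[] = ['full', 'limited', 'none'];

interface QuickAddVendor {
  name: string;
  category: Category;
  services: string[];
  dataAccess: DataAccess;
}

interface NewVendorRow extends QuickAddVendor {
  tenantId: string; // from the session, never from the client
  ownerId: string;  // the creator owns the relationship until reassigned
}

interface Session { tenantId: string; userId: string }

type ParseResult =
  | { ok: true; row: NewVendorRow }
  | { ok: false; errors: string[] };

function isRecord(x: unknown): x is Record<string, unknown> {
  return typeof x === 'object' && x !== null && !Array.isArray(x);
}

// Trim and bound free text so a hostile client cannot store megabytes that
// later land verbatim in a board report. Limits are illustrative.
function cleanText(v: unknown, field: string, max: number, errors: string[]): string | undefined {
  if (typeof v !== 'string' || v.trim() === '') { errors.push(`${field} is required`); return undefined; }
  const t = v.trim();
  if (t.length > max) { errors.push(`${field} exceeds ${max} characters`); return undefined; }
  return t;
}

function parseQuickAddVendor(body: unknown, session: Session): ParseResult {
  if (!isRecord(body)) return { ok: false, errors: ['body must be a JSON object'] };
  const errors: string[] = [];

  const name = cleanText(body.name, 'name', 200, errors);

  // Enumerations are whitelisted; anything else is rejected rather than coerced
  const category = CATEGORIES.includes(body.category as Category) ? (body.category as Category) : undefined;
  if (!category) errors.push(`category must be one of ${CATEGORIES.join(', ')}`);

  const dataAccess = DATA_ACCESS.includes(body.dataAccess as DataAccess) ? (body.dataAccess as DataAccess) : undefined;
  if (!dataAccess) errors.push(`dataAccess must be one of ${DATA_ACCESS.join(', ')}`);

  let services: string[] | undefined;
  if (Array.isArray(body.services) && body.services.length > 0) {
    services = [];
    for (const s of body.services) {
      const c = cleanText(s, 'services[]', 100, errors);
      if (c !== undefined) services.push(c);
    }
  } else {
    errors.push('services must be a non-empty array');
  }

  // Mass-assignment guard: a client must not be able to file a vendor under
  // another tenant. Rejecting (rather than silently ignoring) makes attempts visible.
  if ('tenantId' in body || 'tenant_id' in body) errors.push('tenantId is not a client-settable field');

  if (errors.length > 0 || !name || !category || !dataAccess || !services) {
    return { ok: false, errors };
  }
  return {
    ok: true,
    row: { name, category, services, dataAccess, tenantId: session.tenantId, ownerId: session.userId },
  };
}
```

The handler that calls this would write `row` with a parameterised INSERT and nothing else from the request; every later query on the registry filters by the session's `tenantId` the same way.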
## Automation & Alerts
### Review Reminders
Review cadence by category:
- Critical Vendors: every 90 days
- Important Vendors: every 180 days
- Standard Vendors: annually
Alerts:
- 30 days before review due → Email owner
- 7 days before → Email + WhatsApp
- Overdue → Daily alerts + escalate to manager
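The review cadence and alert ladder above, together with the "mark review complete" step of the assessment workflow, as an added TypeScript example (not GetCimple code). It assumes a daily job that knows which reminder stages have already been sent for each vendor, so a skipped run still produces the 30-day and 7-day reminders once instead of never; the channel for overdue alerts is assumed to be email, which the page does not specify.

```typescript
// Added example: next-review scheduling and reminder selection.
// Cadence and ladder follow the Review Reminders section; overdue channel is assumed.

type Category = 'critical' | 'important' | 'standard';

const REVIEW_INTERVAL_DAYS: Record<Category, number> = {
  critical: 90,
  important: 180,
  standard: 365,
};

const MS_PER_DAY = 24 * 60 * 60 * 1000;

function addDays(date: Date, days: number): Date {
  return new Date(date.getTime() + days * MS_PER_DAY);
}

// Whole days from `today` to `target`; negative once `target` is in the past.
function daysUntil(target: Date, today: Date): number {
  return Math.floor((target.getTime() - today.getTime()) / MS_PER_DAY);
}

function nextReviewDate(category: Category, lastReview: Date): Date {
  return addDays(lastReview, REVIEW_INTERVAL_DAYS[category]);
}

interface ReviewState { category: Category; lastReview: Date; nextReview: Date }

// Step 4 of the workflow: completing a review resets the clock for the category.
function completeReview(v: ReviewState, today: Date): ReviewState {
  return { ...v, lastReview: today, nextReview: nextReviewDate(v.category, today) };
}

type Stage = '30d' | '7d' | 'overdue';
type Channel = 'email' | 'whatsapp';

interface Reminder {
  stage: Stage;
  daysUntilDue: number;
  channels: Channel[];
  recipients: ('owner' | 'manager')[];
}

// `sent` holds the stages already delivered for this vendor's current review
// cycle (from a notifications log). Windows use <= rather than === so a day the
// job did not run does not swallow a reminder; overdue fires every day.
function reminderDueToday(nextReview: Date, today: Date, sent: ReadonlySet<Stage>): Reminder | null {
  const days = daysUntil(nextReview, today);
  if (days < 0) {
    // Overdue: daily, owner plus manager. Channel assumed (not given on the page).
    return { stage: 'overdue', daysUntilDue: days, channels: ['email'], recipients: ['owner', 'manager'] };
  }
  if (days <= 7 && !sent.has('7d')) {
    return { stage: '7d', daysUntilDue: days, channels: ['email', 'whatsapp'], recipients: ['owner'] };
  }
  if (days <= 30 && !sent.has('30d')) {
    return { stage: '30d', daysUntilDue: days, channels: ['email'], recipients: ['owner'] };
  }
  return null;
}
```

Run `reminderDueToday` once per vendor per day and record the returned stage in the notifications log; the log is also the evidence an auditor asks for when checking that overdue reviews were chased.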
### Certificate Expiry Tracking
```javascript
// Daily cron job: warn the relationship owner about documents that lapse within
// 30 days. Already-expired documents are included (negative day count) so they
// keep surfacing until a replacement is uploaded.
const MS_PER_DAY = 24 * 60 * 60 * 1000;
const daysUntil = (date, now = new Date()) =>
  Math.floor((new Date(date).getTime() - now.getTime()) / MS_PER_DAY);

async function checkExpiringDocuments() {
  // loadCurrentVendorDocuments() and notify() are the app's data-access and
  // notification helpers (assumed names); only the newest document per type counts.
  const docs = await loadCurrentVendorDocuments();
  for (const doc of docs) {
    const days = daysUntil(doc.validUntil);
    if (days <= 30) {
      await notify(doc.vendor.owner, {
        title: `${doc.vendor.name} ${doc.type} ${days < 0 ? 'expired' : 'expiring'}`,
        daysUntil: days,
        action: 'Request updated certificate'
      });
    }
  }
}
```
## Board Reporting Integration
### Auto-Generated Sections
```markdown
## Third-Party Risk Summary
### Overview
- Total Vendors: {{total}}
- Critical Vendors: {{critical}} ({{criticalReviewed}} reviewed this quarter)
- Compliance Coverage: {{percentWithCompliance}}%
### Key Vendor Risks
{{#each risks}}
- **{{vendor}}**: {{issue}} (Due: {{dueDate}})
{{/each}}
### Vendor Additions This Quarter
{{#each newVendors}}
- {{name}} ({{category}}): {{services}}
{{/each}}
```
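How the figures in this template and in the Board-Ready View would be computed from registry rows, as an added TypeScript example that is not part of the original spec. The vendors and documents below are constructed for the example; "compliance coverage" is taken as the share of vendors with at least one attestation on file (the template's `percentWithCompliance`), the risk rules are the ones the board view shows (certificate expiring within 30 days, vendor with data access but no DPA, review overdue), and the due date for a missing DPA is assumed to be the vendor's next review date.

```typescript
// Added example: aggregate registry rows into the board section's fields.
// Sample data is constructed; DPA due-date rule is an assumption.

type Category = 'critical' | 'important' | 'standard';
type DataAccess = 'full' | 'limited' | 'none';

interface VendorRow {
  name: string;
  category: Category;
  dataAccess: DataAccess;
  services: string[];
  compliance: { soc2: boolean; iso27001: boolean; pciDss: boolean; customCompliance: string[] };
  hasDpa: boolean;
  lastReview: Date;
  nextReview: Date;
  createdAt: Date;
}

interface DocumentRow { vendorName: string; type: string; validUntil: Date }
interface Risk { vendor: string; issue: string; dueDate: string }

interface BoardSummary {
  total: number;
  critical: number;
  criticalReviewed: number;       // critical vendors reviewed since quarterStart
  percentWithCompliance: number;  // vendors with at least one attestation on file
  risks: Risk[];                  // most urgent first
  newVendors: { name: string; category: Category; services: string }[];
}

const MS_PER_DAY = 24 * 60 * 60 * 1000;
const iso = (x: Date) => x.toISOString().slice(0, 10);

function hasAnyAttestation(v: VendorRow): boolean {
  const c = v.compliance;
  return c.soc2 || c.iso27001 || c.pciDss || c.customCompliance.length > 0;
}

function boardSummary(vendors: VendorRow[], docs: DocumentRow[], today: Date, quarterStart: Date): BoardSummary {
  const critical = vendors.filter(v => v.category === 'critical');
  const withCompliance = vendors.filter(hasAnyAttestation).length;
  const risks: Risk[] = [];

  // Rule 1: a certificate lapsing within 30 days (or already lapsed) is a board-level risk.
  for (const doc of docs) {
    const days = Math.floor((doc.validUntil.getTime() - today.getTime()) / MS_PER_DAY);
    if (days <= 30) {
      const issue = days < 0 ? `${doc.type} expired` : `${doc.type} expires in ${days} days`;
      risks.push({ vendor: doc.vendorName, issue, dueDate: iso(doc.validUntil) });
    }
  }
  for (const v of vendors) {
    // Rule 2: a vendor that touches company data must have a DPA (due by next review: assumed).
    if (v.dataAccess !== 'none' && !v.hasDpa) {
      risks.push({ vendor: v.name, issue: 'No DPA on file', dueDate: iso(v.nextReview) });
    }
    // Rule 3: an overdue review is a gap in the due-diligence evidence trail.
    if (v.nextReview.getTime() < today.getTime()) {
      risks.push({ vendor: v.name, issue: 'Review overdue', dueDate: iso(v.nextReview) });
    }
  }
  risks.sort((a, b) => a.dueDate.localeCompare(b.dueDate));

  return {
    total: vendors.length,
    critical: critical.length,
    criticalReviewed: critical.filter(v => v.lastReview.getTime() >= quarterStart.getTime()).length,
    percentWithCompliance: vendors.length === 0 ? 0 : Math.round((100 * withCompliance) / vendors.length),
    risks,
    newVendors: vendors
      .filter(v => v.createdAt.getTime() >= quarterStart.getTime())
      .map(v => ({ name: v.name, category: v.category, services: v.services.join(', ') })),
  };
}

// Constructed sample registry (not real vendors or real data).
const d = (s: string) => new Date(`${s}T00:00:00Z`);
const NONE = { soc2: false, iso27001: false, pciDss: false, customCompliance: [] as string[] };

const SAMPLE_VENDORS: VendorRow[] = [
  { name: 'PaymentCo', category: 'critical', dataAccess: 'full', services: ['Payment Processing'],
    compliance: { ...NONE, soc2: true, pciDss: true }, hasDpa: true,
    lastReview: d('2025-05-15'), nextReview: d('2025-08-13'), createdAt: d('2024-01-10') },
  { name: 'CloudVendor', category: 'critical', dataAccess: 'full', services: ['Cloud Hosting'],
    compliance: { ...NONE, soc2: true, iso27001: true }, hasDpa: false,
    lastReview: d('2025-04-20'), nextReview: d('2025-07-19'), createdAt: d('2024-03-01') },
  { name: 'MailCo', category: 'important', dataAccess: 'limited', services: ['Transactional Email'],
    compliance: { ...NONE, soc2: true }, hasDpa: true,
    lastReview: d('2025-01-10'), nextReview: d('2025-07-09'), createdAt: d('2023-09-01') },
  { name: 'SwagShop', category: 'standard', dataAccess: 'none', services: ['Branded Merchandise'],
    compliance: NONE, hasDpa: false,
    lastReview: d('2024-05-01'), nextReview: d('2025-05-01'), createdAt: d('2023-02-14') },
  { name: 'NewAnalytics', category: 'important', dataAccess: 'limited', services: ['Product Analytics'],
    compliance: { ...NONE, customCompliance: ['ISO 27701'] }, hasDpa: true,
    lastReview: d('2025-06-01'), nextReview: d('2025-11-28'), createdAt: d('2025-05-20') },
];

const SAMPLE_DOCS: DocumentRow[] = [
  { vendorName: 'PaymentCo', type: 'SOC2', validUntil: d('2025-07-30') },
  { vendorName: 'CloudVendor', type: 'ISO 27001', validUntil: d('2026-01-01') },
];

const SAMPLE_SUMMARY = boardSummary(SAMPLE_VENDORS, SAMPLE_DOCS, d('2025-06-30'), d('2025-04-01'));
```

`SAMPLE_SUMMARY` feeds the template directly: SwagShop (vendor with no data access) produces no DPA risk but does surface for its overdue review, CloudVendor surfaces for the missing DPA, and PaymentCo's SOC 2 report appears on the 30-day boundary.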
## What We're NOT Building (MVP)
- Risk scoring algorithms
- Automated vendor assessments
- Integration with vendor APIs
- Complex approval workflows
- Vendor performance tracking
- Spend analysis
- Contract lifecycle management
- Multi-tier vendor relationships
## Success Metrics
### For Customers
- Time to add vendor: < 2 minutes
- Time to complete review: < 5 minutes
- Board report includes vendor section: Yes
- Critical vendors reviewed on time: > 90%
### For GetCimple
- Feature used by: > 80% of customers
- Vendors tracked per customer: 10-50
- Support tickets about vendors: < 5/month
## Implementation Priority
- Week 1: Basic vendor CRUD + categories
- Week 2: Document upload + expiry tracking
- Week 3: Review workflow + reminders
- Week 4: Board report integration
- Week 5: Dashboard + analytics
## Future Enhancements (Post-MVP)
- Vendor risk scoring
- Automated certificate validation
- Integration with vendor portals
- Benchmarking against industry
- Vendor incident tracking
- Fourth-party visibility
Related Documents: