How can AI Agents help with third party risk review?
Reviewing risks from third parties (vendors) that you depend on involves going through information that is often not amenable to traditional automation.
AI Agents can analyze vendors’ answers to your questionnaires, their compliance certifications, their security policies, whitepapers, product documentation and news, along with structured data available about your vendors, to surface what matters in your context and to provide a holistic risk summary.
AI Agents can provide automated risk scoring and assessments.
Vendors’ security status, security incidents and news evolve continuously. Compliance certifications expire, and new certifications are added. With AI Agents it is now possible to evaluate your vendors on an ongoing basis rather than just once a year.
Can AI Agents review security questionnaires?
Yes, this is another great use case for AI Agents. Each vendor uses its own style when responding to your questionnaires. Some write detailed answers, some write compact answers referencing other answers, and some use their own terminology. Even for humans who review these questionnaires regularly, it can take hours to review the answers and extract the risks in the context of your business. AI Agents can reduce this to minutes.
How can I follow up on a discrepancy found by AI Agents in a questionnaire?
This depends on the nature of the discrepancy.
The vendor may not have answered your question fully. In this case you need to send follow-up questions to the vendor and review their follow-up answers. This is another thing that AI Agents can automate, in addition to the initial review.
The discrepancy may surface an underlying misunderstanding about the vendor’s capabilities. In this case, as the GRC analyst, you will typically follow up with your own business team that depends on the vendor.
Can AI Agents automatically request vendors to resubmit questionnaires?
Yes, AI Agents can send and receive emails. They can send new questions or ask the vendor to respond again to the original questionnaire with clarifications. They can then review the new responses and factor them into the holistic risk assessment for the vendor.
