
1

Project Report on

MARKET ANALYSIS OF VENDOR RISK MANAGEMENT TOOLS
2023
PROJECT REPORT BY: Lav Kumar Jha

UNDER THE GUIDANCE OF: Rosan Thomas

VENDOR RISK MANAGEMENT

Global Market Research


• The market is valued at USD 8.25 billion.
• It is expected to reach USD 19.19 billion in the next five years.
• The market is expected to register a CAGR of 17.60% over the forecast period of 2023-2035.
• The market is fairly consolidated, with a few large and medium-sized players accounting for most of the market revenue share.
• One of the key drivers of market revenue growth is the increasing number of third-party vendors in small and large organizations.
• 37.1% of the global market revenue was accounted for by North America as of 2022.
• This growth is due to high-level expertise in the cloud deployment of vendor risk management.
• Asia Pacific is also anticipated to be the fastest-growing region in the vendor.
• The market faces challenges such as the lack of standardization in VRM solutions and the excessive cost of implementing and maintaining VRM software.

____________________________________________________________________________________


Global Vendor Risk Management Market Regional Synopsis


❖ North America
➢ The VRM market share in North America is projected to be the largest, at about 32% by the end of 2035.
➢ The BFSI sector is expected to see higher demand for VRM solutions.
➢ Revenue growth in this region is expected to be supported by the increasing need to monitor and analyze the performance of suppliers.
❖ European Market
➢ The European vendor risk management market is estimated to be the second largest, registering a significant share by the end of 2035.
➢ The growth of the market can be attributed mainly to the growing trend of adopting risk management solutions within financial institutions, especially in countries such as the United Kingdom and Germany.
➢ The increasing reliance of organizations on third-party vendors and the adoption of advanced technologies in this region are also anticipated to boost the market.
❖ Asia Pacific Market
➢ Asia Pacific, among all the other regional markets, is projected to hold most of the share by the end of 2035.
➢ The growth of the market can be attributed mainly to the growing demand for third-party vendors within small and large organizations, increased emphasis on digitalization, and rapid industrial development.

_____________________________________________________________________________________

Market Description on VRM Tools

Vendors in this segment are providing more automation tools through:

• Machine learning and NLP
• A focus on environmental, social and governance (ESG) demands.
• Financial risk, particularly in an inflationary environment.

❑ Industry Standard Security Assessment Methodologies

➢ SANS (System Administration, Networking and Security Institute)
▪ A shortlist of controls developed by security experts, based on practices that are known to be effective in reducing cyber risk.
➢ NIST (National Institute of Standards and Technology)
▪ Its Framework for Improving Critical Infrastructure Cybersecurity combines a variety of cybersecurity standards and best practices in one document.
➢ SHARED ASSESSMENTS
▪ An organization that develops assessment questionnaires for use by its members. The members work together to create and share the third-party risk management guides the organization uses.


➢ ISO/IEC 2700
▪ The International Organization for Standardization is an international standard-setting body composed of representatives from various national standards organizations.

_____________________________________________________________________________________

Typical Challenges Faced by Companies in this Segment

❖ Adherence to Exit Strategy
➢ Consistent application of the exit process and strategy when a third party or service is terminated.
❖ Third-Party Inventory
➢ Maintaining a consolidated inventory of third parties across business units and functions.
❖ Due Diligence Process
➢ Conducting adequate due diligence on third parties with higher inherent risk.
➢ Conducting a due diligence process that is integrated with the overall third-party life cycle.

_____________________________________________________________________________________

Challenges with Evolving the Third-Party Relationship

S.no | Associated Risk | Description | Supplier Relationship Timeline
-----|-----------------|-------------|-------------------------------
1. | Strategic Risk | Risk of inappropriate outsourcing decisions | 0-3 years
2. | Reputation Risk | Risk of negative public opinion due to suppliers that do not meet the service expectations of the bank's customers. | 0-5 years
3. | Compliance/Legal Risk | Supplier's services are inconsistent with the law and the bank's policies. | Over the period
4. | Transaction/Operational Risk | Engagement with the key personnel | 0-3 years
 | | SLA/Metrics | 1-3 years
 | | 4th-party suppliers | 3-5 years
 | | Decreasing service level | 5 years and later
5. | Financial Stability Risk | Improper evaluation criteria | 0-1 year
 | | Supplier's inability to generate profit or to maintain necessary output. | 3-5 years
6. | Integrity of Data | Inaccuracy of automated information and the associated management information system. | Over the period
7. | Confidentiality of Information | Intentional or inadvertent disclosure of information to unauthorized individuals. | Over the period
8. | Business Continuity Risk | Risk associated with the ineffectiveness of suppliers' business continuity programs; risk of inadequate contingency planning by the bank. | From 1 year onwards
9. | Contractual Risk | Risk that the supplier's contract may be incomplete or inadequate. | Initial phase
_____________________________________________________________________________________


USA Market Research

❖ A recent study found that 61% of US companies said they had experienced a data breach caused by one of their third-party providers.
❖ According to an EY study, 72% of companies in the USA use industry-standard questionnaires or have built their own using a standard as a baseline. According to EY, these are the best practice to use as a starting point for the high-level items in the questionnaires.
❖ The Third-Party Risk Management market in the U.S. was valued at US$2 billion in 2022 and is expected to grow at a CAGR of 11.4% over the period 2023-2030.
❖ The analysis of US companies is present in this Excel file: VRM Market Analysis

Indian Market Research

❖ Regulators, governments and industry associations have issued new guidelines for suppliers/third parties/outsourcing to identify, monitor and report risks.
❖ Regulatory Evolution
➢ 2000 & 2001
▪ IT Act: initiation of the regulation of information technology, 2000
▪ IRDA: third-party administration of health services.
➢ 2008
▪ Information Technology Amendment Act, 2008
➢ 2011
▪ SEBI guidelines on outsourcing of activities by intermediaries
➢ 2013
▪ TRAI: issued new guidelines on outsourcing, especially in VAS.
▪ RBI: guidelines on managing risk and code of conduct in outsourcing of financial services by banks.
▪ ISO/BSI: ISO 27001:2013 released with a dedicated domain focusing on supplier risk management.
▪ Companies Act, 2013: refers to Board responsibilities for third-party management.
❖ RBI Guidelines on Third-Party Management
➢ https://rbi.org.in/Scripts/NotificationUser.aspx?Id=12486&Mode=0#APP2
➢ RBI also issued guidelines on managing risk and code of conduct in outsourcing of financial services by banks in 2006 and 2015.
❖ Nearly two-thirds of Indian companies aspire to adopt a more integrated and holistic TPRM approach.
❖ 73% of organizations have a moderate to high dependency on cloud service providers.

_____________________________________________________________________________________
Market Research/Analysis of TPRM
❖ Addressing TPRM Risk


➢ Despite the increase in awareness of and focus on TPRM, many organizations don't have a formal mechanism to assess or prioritize TPRM risk in the extended enterprise and don't trust the available internal/external data.
➢ Growing awareness of TPRM is a consistent feature across industry segments. It is highest in Energy, Resources & Industries, followed by Financial Services, but comparatively lower in the Government & Public sector.
➢ ASSESSMENTS
▪ Most industries believe they have a low level of organizational capacity at present, resulting in an ad hoc approach to assessing and prioritizing TPRM dimensions.
▪ Few believe that the assessment and prioritization of TPRM risk dimensions is based on judgmental evaluation using expert input or other mechanisms rather than a straightforward quantitative process.
▪ Very few companies have established quantitative scoring methods to assess risk dimensions.
➢ TPRM-related data is constrained mainly by two factors: first, the unavailability of data, and second, the lack of awareness of what data should be relied on and how to translate it into actionable intelligence.
❖ Managing Third-Party Resilience
➢ Organizations recognize the need to improve supply chain resilience; this need is particularly strong in relation to their critical third parties and the lower-tier third-party ecosystem (i.e., beyond those with direct contractual relationships).
➢ Organizations from the EMEA region claim that resilience and business continuity management is a strength in their organization compared to the Americas & APAC.
➢ In periodic reviews of third-party business continuity plans, they addressed the need to "scenario stress test" existing third-party relationships and their business continuity plans. This helps to ascertain the points at which the tolerance threshold is broken.
➢ To better understand the ecosystem of material third-party relationships, 34% apply technology solutions and 35% use tools to monitor resilience and trends in real time.
➢ 73% have a moderate/high level of dependence on CSPs. That is expected to increase to 88%, requiring them to consider third-party provider resilience even more seriously.
❖ Despite the projection for more comprehensive end-to-end managed service solutions in the future, most organizations usually outsource only specific aspects of their TPRM models.

_____________________________________________________________________________________

MARKET RESEARCH ANALYTICS

❖ THIRD PARTY RISK MANAGEMENT TODAY

➢ Third-party risk management is becoming more and more important, and many businesses around the world are starting departments to improve it. It is increasingly regarded as a crucial investment that businesses must make to safeguard themselves from financial, regulatory, and reputational risk.
➢ Supplier risk management is growing and becoming increasingly structured, especially considering regulations that stem from three major and active countries: the US (FCPA), France (Sapin II) and the UK (UKBA).


❖ TPRM Challenges and Approaches

➢ Company Profile
▪ Can we verify and enhance the supplier's information, including ownership information?
➢ Financial and Operating Performance
▪ What does a supplier's financial health predict about their near-term performance?
➢ Resilience
▪ Which critical suppliers are at risk of deteriorating performance in quality, cost, and delivery times?
➢ Regulatory and Compliance
▪ What is a supplier's risk level for key compliance areas?
➢ Reputational
▪ What significant risks are created for the company by supplier scandals or misdeeds?
➢ ESG and Sustainability
▪ How do a company's important suppliers score on ESG?
➢ Cybersecurity
▪ What is the cybersecurity risk of my key suppliers?
❖ There is fragmentation of TPRM subcategories across firms, making it hard to collaborate and focus efforts to tackle issues. As a result, companies are increasingly trying to centralize operations.
❖ Staying ahead of risks and investing in TPRM pays off, helping companies to gain a competitive advantage.
❖ Across the world, major companies are in the process of developing departments to improve TPRM to meet financial, regulatory, and reputational risks.
❖ The market component segment for TPRM is divided into services & solutions.
❖ The solutions segment dominated the market with a revenue share of around 58% in 2022. The vertical segment is divided into BFSI, healthcare & life sciences, retail & consumer goods, energy & utilities, IT & telecom, government & defense, manufacturing, and others.
❖ Over the forecast period, the BFSI (banking, financial services, and insurance) segment is expected to grow at the fastest CAGR of 20.24%.
❖ The deployment mode segment is divided into cloud and on-premises. The cloud segment dominated the market with a market share of around 56% in 2022.
❖ Previous Year (2022) Analysis of the TPRM Industry
➢ 41 percent of companies experienced an impactful third-party breach in the last 12 months but rely on overlapping tools and manual processes, which slows incident response.
➢ The majority of companies (71 percent) report that the top concern regarding the use of third parties is a data breach or other security incident due to poor vendor security practices. However, manual methods still persist, with a large percentage of companies using spreadsheets and an increasing percentage using news feeds to learn about breaches. The good news is that the share of companies not monitoring for third-party breaches dropped from 12 percent to 4 percent.


➢ In the news report, most companies stated that third-party data breaches and security incidents were the top drivers behind increased involvement in third-party risk management.
➢ Nearly half of companies continue to use spreadsheets. According to the report, a 'disappointing trend' continues in 2023 as a growing number of organizations (48%) are using spreadsheets to assess third parties. This percentage is up from 2022 and 2021, when 45 percent and 42 percent of companies, respectively, said they were using spreadsheets.
➢ There is a huge gap between tracking and remediating risks across the lifecycle, and on average 20 percent of companies are doing nothing. Not surprisingly, the offboarding and termination stage of the third-party relationship lifecycle sees the lowest percentage of companies tracking (47 percent) and remediating (38 percent) risks, and the highest percentage of companies doing nothing at all (39 percent).

_____________________________________________________________________________________

MARKET DYNAMICS

Organization Priorities for TPRM according to different Functional Areas



Key barriers to alignment of third-party risk management

Region wise CAGR for the period of 2023-2035


RISK ANALYSIS

Risk related parameters


GLOBAL ECONOMIC IMPACT

• Despite inflation and fears of recession, businesses across the globe are expected to do better in 2023.
• In 2023, market players might incur losses due to a huge gap in currency translation, followed by contracting revenues, shrinking profit margins & cost pressure on logistics and supply chains.
• Interest rates in the U.S. may be less sensitive in 2023 compared to 2022, a sigh of relief for businesses.
• Increased spending in the European and major Asian economies, including India, China & Japan, is expected to show less impact on global demand.

_____________________________________________________________________________________

CURRENT NEWS RELATED TO TPRM

• IBM recently signed an agreement with Siam Commercial Bank, a Thailand-based service provider, to improve the security of countless digital transactions on its platform and to provide better services to its customers.
• The Third-Party Risk Management process has emerged as an ideally suited platform to enhance due diligence throughout the M&A process.
o https://www.corporatecomplianceinsights.com/wp-content/uploads/2020/04/SA_BP_UsingTPRMInMA.pdf

_____________________________________________________________________________________

COMPETITOR ANALYSIS

Probable competitors of Crossbow Labs that operate extensively in the field of vendor risk management software


1. Process Unity Vendor Risk Management
2. OneTrust Vendor Risk Management
3. ServiceNow
4. Archer Vendor Risk Management
5. Diligent
6. Aravo
7. MetricStream
8. NAVEX
9. LogicGate
10. Prevalent
11. LogicManager
12. Coupa
13. UpGuard
14. RiskRecon
15. SureCloud
16. ServiceNow

____________________________________________________________________________________

PROCESS UNITY
• Automates vendor onboarding, due diligence and ongoing monitoring.
• The price of the software starts from $15,000.
• Questions are asked or framed based on the vendor's previous responses.
• They target specific risk domain expertise, such as cyber security ratings and Financial Hub score, in the final dashboard.
• Clients can customize and build their own dashboards as required.

❖ Software Features Include

➢ Complete Data Model: Key elements of the data model include third parties, third-party requests, third-party services, service reviews, agreements, questionnaires, and third-party issues.
➢ Prescriptive Workflows: Capture new service requests, automatically calculate inherent risk, perform due diligence, and manage issues and agreements.
➢ Industry Standard Questionnaires: Automated questionnaires featuring SIG Core and SIG Lite from Shared Assessments.
➢ Built-in Calculations and Scoring: Built-in calculations, ratings, scoring and other logic critical to inherent risk, automated scoping, assessment review ratings and residual risk save time and remove subjectivity.
➢ Comprehensive Vendor Portal: Provides a secure online environment to complete questionnaires, provide responses and comments, and attach supporting documentation.
➢ Interactive Dashboard & Response: Gives visibility into the ongoing risk assessment program, the status of remediation activity and vendor ratings.
❖ Market Research
➢ It has a strong current offering and is one of the leaders in the vendor risk management market, also when compared on the basis of third-party risk management platforms.
➢ With a strong market strategy, Process Unity has a significant market presence, slightly lower compared to OneTrust; Archer has the highest market presence in this segment.
➢ This is their primary product and most of the revenue is based on this software; apart from this, they provide cybersecurity risk management software.


➢ They have 130 employees and have received total funding of $24.88 million.
❖ Market Strategy
➢ Process Unity's market strategy includes key partnerships with managed service providers for assessment-as-a-service and assurance services on third parties.
➢ The vendor hopes to target the midmarket with a bundled pricing model with built-in services and cyber security ratings.
❖ Some Important Notes and Observations
➢ Process Unity has strong native capability, appealing mostly to FinServ and healthcare.
➢ The 2021 acquisition by Marlin Equity Partners brought some changes and enabled "hands-free automation" that puts it in a position to make major inroads.
➢ It helps to overcome the people and data fatigue associated with TPRM with a nine-module SaaS platform.
➢ The above-average cost of implementation services has historically limited ProcessUnity's appeal to financial services, healthcare, and big tech firms.
➢ ProcessUnity demonstrates product maturity with scoring that allows decimals, controls-based scoping, and support for multiple risk domains such as financial, geographic concentration, and physical security.
➢ The vendor portal supports dialogue between customers and third-party vendors, and vendors can delegate to internal resources at the assessment, section, or question level.
➢ Reference customers appreciate the ability to automate existing processes without compromising to fit system limitations, but hope for better report visualization and a multiselect drop-down option for questionnaires for prioritization on the product roadmap.

Webpage Link: https://www.processunity.com/

YouTube video link for the product: ProcessUnity VRM: Vendor Risk Management Software Overview

Process Unity Third-Party Risk Management Dashboard


_____________________________________________________________________________________

SERVICE NOW VENDOR RISK MANAGEMENT

• Pricing is custom; the range can vary between $30,000 and $60,000.
• Two licensing options exist, based on the number of vendors assessed over a year.
• ServiceNow intends to increase investments in automation through expanded enterprise use cases and AI/ML capabilities.
❖ Software Features
➢ A single database and self-service portal for third-party product information eliminates the need for spreadsheets.
➢ The software automates issue generation, designs remediation plans and supports real-time chat to resolve issues fast.
➢ It frames a parent-child relationship chart to appropriately represent and assess subsidiaries.
➢ It calculates risk scores throughout the hierarchy for an up-to-date, top-down, and bottom-up view of risk.
➢ The software provides an assessment of each engagement based on the areas of bankruptcy, delivery & security.
➢ It improves security for third-party contacts while seamlessly authenticating into the supplier portal.
➢ It integrates with other applications in the GRC portfolio for an extended enterprise view of risk.
➢ It manages third-party performance and risk in one destination with the vendor manager workspace integration.

❖ Market Research
➢ They have 65% of their client base in North America, 25% in Central Europe and 10% in Asia Pacific.
➢ It targets existing ServiceNow cloud platform customers as well as midmarket commercial to very large businesses.
➢ It currently serves the following primary markets: retail, manufacturing, banking and investment services, communications and media, and healthcare providers.
➢ The current offering's strengths are flexible risk scoring and correlation capability, and robust workflow.
❖ Some Important Notes and Observations
➢ ServiceNow continues to make headway due to its ability to connect the third-party risk process with other business functions while garnering executive support and C-suite visibility.
➢ The platform has a FedRAMP high-impact-level designation and a common data model, and supports on-prem deployment for federal customers.
➢ The vendor has made some big strategic moves, including a robust app store featuring 600-plus integrations and an aggressive product release schedule.
➢ The commercial model, which has an annual minimum with additional fees for content, analytics, and partner-led implementation, makes ServiceNow cost-prohibitive for many.
➢ According to reference customers, the highly customizable vendor portal needs to be more intuitive, upgrading to new versions invariably creates permissions issues, and admins with developer skills are required for some of the complex configuration.
➢ ServiceNow remains a good fit for firms not bound by budget and those where TPRM is part of a broader strategy with ServiceNow's other products.

Website Link: https://www.servicenow.com/products/vendor-risk-management.html

Product Demo Video: Vendor Risk Overview Demo


_____________________________________________________________________________________

ONETRUST VENDOR MANAGEMENT TOOL

• This tool is pre-populated with the CSA CAIQ framework, self-assessment attestation capabilities using the CSA GDPR Code of Conduct, and the built-in CSA Common Controls Matrix (CCM).
• Provides vendor assessment for up to 50 vendors.
• They also have their own vendor database.
• They provide other service tools as well, such as Third-Party Due Diligence, Third-Party Risk Exchange, Enterprise Policy Management, and Supplier Sustainability and Responsibility Software.
• It also offers a 'Trust Profile' which enables vendors to centralize security, privacy, and compliance documentation in a shareable, customer-ready format.
• Flexible pricing; the range is between $6,000 and $18,000.

❖ Software Features
➢ Fourth-party supply chain management to auto-detect and auto-assess sub-processors that are used by the vendors.
➢ Built-in standardized assessment frameworks in multiple languages from Cloud Security Alliance (CSA CAIQ), VSA, Shared Assessments SIG and SIG-Lite, and Google VSAQ, as well as the ability to tailor and create custom assessments.
➢ Contract and Data Processor Agreement (DPA) management to track and report on key contractual clauses such as data breach notification terms.
➢ It monitors third-party risk over time and triggers reassessments when changes occur in that period.


➢ The frameworks used by this software are mainly CSA CCM, CAIQ & GDPR CoC.
❖ Market Research
➢ It is also placed as a Leader in the field of Third-Party Risk Management by the Gartner report, along with ServiceNow and Process Unity.
➢ OneTrust holds 35.5% of the market share of data privacy management software.
➢ The goal of OneTrust is to bring siloed third-party risk management together to make it easier to share data in areas like ethics, ESG, privacy, security, and resilience.
➢ OneTrust has three pricing models for different-sized clients, with specific pricing for clients with fewer than 1,000 staff, and it has different support tiers.
❖ Some Important Notes and Observations
➢ The company differentiates itself with broad jump-start features and an infosec vendor exchange.
➢ Since expanding from privacy to third-party risk in 2018, this vendor has built the largest third-party risk exchange, raised $920 million in funding, and boasts 2,000-plus customers.
➢ The company managed to do this with an ambitious growth strategy, a freemium offer for third-party vendors to claim and build their profile, and a clear vision to "make trust a competitive advantage"; it even rebranded its platform as "Trust Management Cloud."
➢ OneTrust decided to support the SIG questionnaire only natively within the vendor exchange, which leaves the door open for competitors offering a variety of content.
➢ Recent innovations such as autocomplete and advanced cell detection using natural language processing (NLP) pull data from third parties' completed questionnaires to respond to new ones, and a confidence score shows the sufficiency of the response.
➢ OneTrust focuses the vast majority of its features on compliance and lags behind others in risk mitigation and corrective action, and in risk scoring and analytics.
➢ Reference customers stated the desire to see more native integrations with commonly used systems and continuous monitoring of third parties.
➢ OneTrust is best for customers replacing spreadsheets and those seeking to leverage the third-party risk exchange.

Website Link: https://www.onetrust.com/forms/csa-vrm/

Product Demo Video: Using OneTrust for Vendor Risk Management


_____________________________________________________________________________________

ARCHER VENDOR RISK MANAGEMENT TOOL

• Questionnaires are factored into a determination of the residual risk of each third-party engagement across several risk categories (compliance/litigation, financial, information security, reputation, resiliency, strategic, sustainability, and fourth-party risk).
• Archer provides a few other tools as well, but the majority of its market share depends on the vendor risk management tool; the other tools are ESG Management, Resilience Management, Risk Quantification, and Enterprise & Operational Risk Management.

❖ Software Features
➢ Capture and store supplemental documents such as SSAE-16s, financial statements, and PCI assessments, and monitor when refreshed documents are due.
➢ Capture declared critical fourth-party relationships and understand the quality of governance the third party applies to its own third-party relationships.
➢ The software views assessments from all vendors in a single dashboard using the vendor portal.
➢ Self-service provisioning of third-party accounts, and reporting on overall third-party risk profiles, individual problems and remediations.
➢ It can evaluate the resilience of third parties across the five resilience pillars, which are Cyber, IT, Facilities, People and Suppliers.
❖ Market Research
➢ Archer has the biggest market presence among all the competitors listed above.


➢ It is categorized as a Strong Performer with an average current offering and a good market strategy by many of the reports.
➢ Archer's current offering strengths include a superior fourth-party risk capability that includes discovery of fourth parties through integration with RiskRecon and support for continuous controls monitoring through integration with Panaseer.
➢ Archer is a good fit for large teams with dedicated and certified admins, firms open to using services to manage the platform, or those already using other Archer products.
➢ It focuses on medium-sized to large businesses, particularly those in sectors with greater maturity in risk management and/or significant regulatory compliance requirements.
➢ It currently serves the following primary markets: pharmaceuticals, biotechnology and life sciences, healthcare providers, government, information technology, and manufacturing.
❖ Some Important Notes and Observations
➢ Archer offers TPRM "workflow with purpose" if you have its other GRC modules, which may be categorized as a weak point; we can build a strategy/model that has an advantage over this.
➢ With Symphony Technology Group's acquisition of RSA Security in 2020, Archer has emerged as an independent brand with a new CEO and a renewed focus on its GRC roots.
➢ Archer has a differentiated vision to help customers make "decisions, not dashboards" and views TPRM as the connective tissue between business and risk stakeholders. But execution relies heavily on existing customers that leverage other GRC modules and on the large community of Archer-certified administrators to land and expand its TPRM product.
➢ To make headway in the TPRM market, Archer will need to overcome being late to SaaS (which the vendor launched in late 2019 and which currently serves only 30% of customers) and the lack of supporting products or services that don't come with an additional cost.
➢ Archer will also need to attract third-party risk buyers who don't want to invest in a full GRC suite, already have GRC platforms, or had a bad Archer experience previously.
➢ Despite an aggressive product roadmap, Archer still struggles with a not-so-good UI with limited out-of-the-box metrics and reporting.
➢ Reference customers describe the UI as "clicky" and the solution as overall difficult to implement, and say it takes a long time to fix an issue.

Website Link: https://www.archerirm.com/third-party-governance

Product demo video: Watch the demo to see how RSA Archer Suite can help you take command of third-party risk


Product Snapshot

_____________________________________________________________________________________

METRICSTREAM VENDOR RISK MANAGEMENT TOOL

• They claim an 80% reduction in third-party onboarding time.
• They also claim a 50% reduction in the time and cost required to complete assessments and identify risk.


• Enhance third-party consolidation, rationalization, and visibility across businesses, spend, and
risk exposure.
• Control third-party risk exposure and accelerate responses to risk events with risk alerts from
multiple data feeds.

❖ Software Features
➢ Leverage the intuitive portal to search for third-party profile information, including
products or services provided, financial details, ongoing assessments, contracts, location
issues, certifications, due diligence status, risk rating, and associated business units.
➢ AI-powered risk score recommendations, real time visibility into exceptions in SOC2 and
SOC3 reports by third parties.
➢ Pre-defined questionnaires to assess third-party risks around finance, sustainability,
compliance, legal, IT, anti-bribery, corruption, and business continuity areas.
➢ Conduct ad-hoc assessments based on risk intelligence from external sources, incidents,
performance failures, or business insights.
➢ Automatically validate third-party information and identify “red flags” based on globally
sourced content around cybersecurity, finance, sustainability, regulations, disaster and
hazard, corruption, reputation, sanction lists, Politically Exposed Persons (PEPs), Special
Interest Persons (SIPs), state-owned enterprises, and adverse media listings.
➢ Leverage the NLP-based chatbot to view status updates and follow-up actions. Leverage
AI/ML to quickly identify issues based on their relationships and recommend issue classification.
➢ Manage risk incidents and losses across multiple organizations in compliance with
regulations such as the Basel Accords.
❖ Market Research
➢ According to 6sense reports, MetricStream has a 0.25% market share in the governance,
risk, and compliance category.
➢ MetricStream has the most customers in the United Kingdom, the USA and India.
➢ MetricStream is a good fit for firms looking to leverage the product's native capabilities or
those with the budget and resources to support customization.
❖ Some Important Notes and Observations
➢ MetricStream wants customers to embrace and thrive on risk and approaches TPRM as
a building block for enterprise risk management. But the vendor’s product strategy
focuses on innovation and building “cool” features that are out of sync for 60% to 70%
of TPRM customers who are at a low stage of maturity by MetricStream’s own model.
➢ The vendor goes to market with industry-specific, role-based messaging and notable
partnerships but will need to ramp up native content and integration with threat
intelligence tools to successfully execute on expansion into Asia Pacific.
➢ MetricStream’s scores are better than average with high marks for advanced analytics
such as an AI-powered recommendation engine that classifies issues by category and
recommends remediation and a built-in collaboration capability including a chat feature.
However, the product is not easily configurable and requires customers to license
external content.


➢ Reference customers reveal that they use only the out-of-the-box reporting and
artifacts history to avoid the extra cost and want to see more and better integration
options.

Website Link: https://www.metricstream.com/products/third-party-management.htm

Product Demo Video: Third Party Risk Product Overview

Product Snapshot


_____________________________________________________________________________________

DILIGENT STREAMLINES TPRM


• It maintains a centralized data library for all vendors for holistic risk management.
• This tool quickly imports or integrates with security, financial and firmographic intelligence
providers to reduce manual administration.
• The company provides other software as well, such as its Modern Governance platforms.
• The markets served include the United Kingdom, USA, Canada, India (office in Bangalore), UAE,
Germany, Brazil, France and a few other countries.

❖ Software features
➢ It tracks essential third-party data in a central location, including audit findings from
site visits, real-time financial data feeds and service level agreements.
➢ Automates collaboration across all departments, connecting data from existing tools to
develop insights.
➢ Compares the risk presented by all vendors in an easy-to-use matrix.
➢ It also prioritizes remediation of areas of concern and reduces the potential for costly
security breaches or non-compliance penalties.
➢ This tool provides customizable reporting to give leadership teams the insights they
need to make critical business decisions.
❖ Market Research
➢ 64% of Diligent's customers are from the United States.

➢ 53% of Diligent's clients are mid-sized companies in terms of employees and
39% are small in terms of revenue.
➢ Of all the companies Diligent serves, 9% are in financial services and 15% are in
mining and metal services. (Source: Data Bridge Market Research)
➢ Financial services, manufacturing, government, healthcare, and technology are
among its primary industries of interest for midsize and enterprise customers.
➢ It currently serves the following primary markets: insurance, manufacturing, banking
and investment services, government (including education), healthcare providers
(including pharmaceuticals, biotechnology, and the life sciences), and high technology.
❖ Some Important Notes and Observations
➢ This tool was formerly known by the company name Galvanize.
➢ This vendor, based in Vancouver, Canada, was acquired in April 2021 by Diligent.
➢ HighBond remains the vendor’s primary platform, but the product’s capability for TPRM
has undergone changes.
➢ Diligent HighBond is an enterprise governance software platform developed by
Diligent. The platform can be used for audit management, compliance management,
enterprise risk management, continuous monitoring, third-party risk management and
ESG programs.
➢ Diligent has made the decision to discontinue the highly configurable and complex
TPRM solution it purchased from Rsam in 2019 and instead launch a simpler, pre-
installed version with improved reporting and visualization but no support for even the
most fundamental configuration modifications.
➢ Diligent has included some Rsam capabilities in future HighBond releases as part of its
roadmap, but the overall impact on TPRM has been minimal. This is beneficial for
startups, but it is discouraging for established users and more seasoned buyers.
➢ HighBond has powerful risk analytics, and the native Storyboards feature is one of the best
visualizations in the market.
➢ HighBond does not support custom questionnaires or the ability to easily edit the
preconfigured workflow. The standard scoring model can only be modified at the
scripting level by professional users with a licensed access level.
➢ Reference clients reveal that capabilities and modules are not completely integrated
inside the platform.

Website Link: https://www.diligent.com/en-gb/third-party-risk-management/

Product Demo Video: Did not find the exact product video, but found a video explaining one of
the company's software products similar to VRM tools: Galvanize Demo ControlsBond - part 1


Product Snapshots


_____________________________________________________________________________________

ARAVO THIRD PARTY MANAGEMENT TOOL


• Aravo uses workflow-driven management and is built on a SaaS platform.
• Aravo is the only provider to complement due diligence with a procurement-oriented process that
includes out-of-the-box applications to streamline onboarding and contracting.
• It centralizes all vendor information into an environment that allows for real-time reporting of
data in clear, digestible formats.
• Configuration of the Aravo platform is done via point-and-click rather than coding, even for
very complex problems.
• The architecture of the platform supports a high degree of extensibility, allowing organizations to
easily move from one product tier to the next or add additional use cases.
• Their service markets include the USA and UK. They have a development center in Ahmedabad,
India.

❖ Software Features
➢ Every action in Aravo is time- and role-stamped with visualized audit trails across all
workflows and full reporting capabilities.
➢ Scopeable assessments, conditional logic and support for multiple respondents.
➢ Business impact assessments, performance management, request for
proposal/information (RFP/RFI)/sourcing activity, and for third-party feedback.
➢ Authorized users can change and create new workflows with simple, visual, drag-and-
drop configuration.
➢ Aravo’s Evaluate scoring engine calculates and aggregates risk scores for a
comprehensive view of the third-party relationship and can drill down to the individual
questions that comprise the scores.


➢ Aravo includes dozens of pre-configured role-based dashboards and reports, with
content ranging from third-party compliance to operational metrics to third-party status.
➢ Aravo offers a flexible integration framework to support integration with any number of
business systems.
❖ Market Research
➢ Aravo received a high score for its data capabilities, which allow users to review data in
a centralized location.
➢ The workflow and automation category is particularly strong for Aravo.

- Aravo has also demonstrated its capabilities for addressing a broad range of 3PRM-relevant
tasks, typically through dedicated, specialized modules, further contributing to its high scores
for market penetration and business model.
- Aravo has also demonstrated a lot of thought leadership in the 3PRM field by providing research
and discussion on a consistent basis through white papers, events, and webinars.

Some Important Notes and Observations

- Aravo's efforts in TPRM are being diluted by its category expansion journey, which shifts its
strategic focus and roadmap to business resilience and other adjacent areas.
- Aravo, also known as TPRM specialist, targets buyers from procurement, security, GRC, and
operations with a multitenant SaaS platform and solutions packaged in three tiers (express,
standard, and advanced) aligned to customer maturity.


- Aravo has a strong customer community, supports self-paced e-learning, and provides an
innovation exchange where customers can vote in support of or against new product features.
- It struggles to deliver additional value-add that doesn't require additional cost or rely on
partnerships with consulting firms. Separately, the five-tier pricing model is based on revenue
or assets under management for an annual subscription.
- Its vendor portal replicates the branding of its customers, allows users to submit ideas for
improvement and innovation, and integrates with ticketing systems to automatically generate
tickets whenever vendors report an issue or incident.
- Clients identified convenience for business users, lack of adaptability, and difficulties with
new product rollout as areas needing improvement.

Website Link: https://aravo.com/

Documents/Reports: Chartis-GRC-VA-report-2021_g_ARAVO.pdf

Product Demo Video with Webinar: The product demo is within this webinar and starts at 33:36:

Aravo: Cybersecurity & Vendor Risk: From Predictive Insight to Action

_____________________________________________________________________________________

LOGIC GATE THIRD PARTY RISK MANAGEMENT SOFTWARE


- Platform name: Risk Cloud
- No code app builder and prebuilt templates.

Software Features


- Its features include adding users with specific roles and access levels, modifying data structures,
modifying workflows, changing screen layout formats, and adding notifications.
- It automates repetitive vendor onboarding and reassessments by leveraging tools the
company already uses, such as Jira, Slack, and Microsoft 365.
- It helps the company to add even more context by aggregating third-party risk intelligence from
Black Kite or Security Scorecard and due diligence data from providers like Vital4 alongside the
assessment findings.
- Automatically send assessments and questionnaires to any third party based on custom logic,
then invite vendors to access and complete questionnaires inside Risk Cloud with secure, one-
time passcodes.

Market Research

- According to g2.com, 50% of LogicGate's market is in the Enterprise segment and 41% in the
Mid-Market segment.
- The features most valued by users of this platform are the API, reporting analytics, third-party
integration, activity dashboard, and reporting & statistics.
- It is a GRC platform that is good at most things but lacks differentiation.
- The pricing model is transparent, with five packages ranging from basic to professional, and
bundles the number of modules, users, success plan, and core integrations for a set price.

Some Important Notes and Observations

- This vendor's vision to elevate risk and compliance to a strategic advantage is supported by
its graph database and Risk Cloud Exchange.
- Continuous monitoring, risk contextualization, and prioritization features are prioritized in the
robust roadmap; additionally, the vendor's pricing strategy is one of the clearest and most
straightforward.
- The vision of LogicGate is largely predicated on finding solutions to problems and offers little
insight into the market's future.
- The in-house content development team, the capacity to consume financial impact scores
through its integration with Black Kite, and the adaptability of questionnaire customization are
LogicGate's strengths.
- LogicGate lags in more sophisticated functionality such as performance analysis, multilevel
assessment, and its predominant focus on infosec.
- Reference customers echo the need for maturity — especially in reports and analytics — and
want to see better version control of workflows and audit trails. They also request more
integration options, Active Directory integration, and autofill functionality among enhancements
to prioritize.
- Lean teams with few FTEs who don't mind sacrificing platform configurability and control will
find LogicGate to be a good fit.

Website Link: https://www.logicgate.com/solutions/third-party-risk-management/

Product Demo Video: Third-Party Risk Management with LogicGate Risk Cloud®️


_____________________________________________________________________________________

PREVALENT THIRD-PARTY RISK MANAGEMENT SOFTWARE


- It eliminates silos between internal teams and streamlines vendor collaboration with unified
assessment and monitoring.
- It speeds remediation with built-in playbooks and guidance backed by expert managed services
and customer success teams.
- A 12-month subscription for the tool is priced at $349 on AWS Marketplace.

Software Features

- It adds automation and intelligence to the RFx process.
- This tool also builds a single source of risk profiles, intake process, contracting & onboarding
workflows.
- It validates results with continuous cyber, operational, reputational & financial intelligence.
- Measures the supplier effectiveness with KPI, KRI & SLA analysis.
- This tool has a library of 10,000+ completed vendor risk reports.
- It automates assessment with 200+ standards-based templates for infosec, ESG, ABAC, supply
chain resilience, data privacy and more.
- This tool has 500k+ sources for external cyber, operational, and financial monitoring.
- Uses Machine learning and AI for reporting and analytics.

Market Research


- Prevalent anticipates that organizations will look to outsource more, use more data sources, and
gain better insight into the life of third-party relationships as the complexity and scope of third-
party risk programs grow.
- It focuses on large SMBs and global businesses that fall under North American and EMEA
regulatory programs.
- Organizations that are reducing supply chain security threats, do not have a program, or are
replacing manual efforts are additional targets for this company.
- It currently serves the following primary markets: insurance, manufacturing, pharmaceuticals,
biotechnology and life sciences, banking and investment services, and healthcare providers.
- Prevalent’s pricing model is structured by tiers based on the number of vendors and on three
service options: self-service (risk workflow management), managed service (outsourcing) and
network (risk exchange).

Some Important Notes and Observations

- Prevalent recognizes that TPRM requires more time and resources than most firms have
available and so goes to market with a software-plus-managed-services model.
- While Prevalent targets similar buyers as its competitors, its services-forward message
resonates best when prospects have had bad experiences using other TPRM solutions or failed
to get the other vendor products off the ground during implementation.
- There are three licensing options for the multitenant SaaS platform: self-service of just the
software solution; managed services, where the vendor manages the TPRM lifecycle with its
resources; or network services, which includes the solution plus Prevalent’s exchange network
of completed questionnaires.
- Prevalent has an intuitive vendor portal with date and time localization that supports
communication and collaboration between customers and third-party vendors and upload of
previous survey responses from Excel or a preconfigured response library.
- The connector marketplace streamlines integration, and Prevalent supports a rich content
library integration that can be cross mapped against multiple regulations/frameworks.
- However, the scoring is basic, and questionnaire customizations or changes to reporting or
visualization are limited at best.
- Reference customers (taken from customer’s reviews) describe the UI as clunky and workflow as
rigid.

Website Link: https://www.prevalent.net/use-cases/third-party-risk-management/

Product Demo Video: https://vimeo.com/438339775 or Go to this webpage to view the product demo
video: https://www.prevalent.net/content-library/prevalent-third-party-marketplace-overview/

PREVALENT Dashboard for third party risk management


_____________________________________________________________________________________

IMPORTANT OBSERVATION ABOUT OTHER COMPETITORS


❖ NAVEX TPRM
➢ It wants to bring confidence to risk management by bridging organizational and data
silos.
➢ The NAVEX IRM platform, formerly known as Lockpath, is a multitenant SaaS GRC
platform with a TPRM module that shares a common UI with, but has a separate codebase from,
the vendor's ethics and compliance and ESG platforms.


➢ NAVEX targets first-time TPRM buyers at highly regulated industries with its highly
configurable platform but offers limited out-of-the-box capabilities and little
prescriptive guidance for beginners.
➢ Reference customers appreciate the ability to scale and the agility to modify areas to meet
changing requirements; they also highlighted limitations such as questionnaires only being
assignable to one email address and the lack of an offline questionnaire completion
capability.
❖ COUPA TPRM
➢ Market Research
▪ Coupa’s vision is to have all critical information about IT suppliers in the context
of spend-related transactions providing the ability to onboard or update
supplier information from various sources and trigger additional activities for
visibility and control.
▪ The main markets it currently serves are: banking and investment services,
including insurance, pharmaceuticals (including biotechnology and life sciences),
retail, manufacturing, and high tech.
▪ AI-based recommendations on how to shift spend to a recommended alternate
provider.
▪ Coupa is a subscription model with a range of packages based on the number of
users and suppliers.
▪ Coupa has an implementation model that is partner-led and supported by
Coupa.
➢ Notes and Observations
▪ Coupa has not fully integrated the Hiperos platform with its Business Spend
Management (BSM) platform in the three years since the acquisition that brought it into
the third-party risk market.
▪ Coupa also offers procurement, payment, and contracting products, which are
ideal for integrating spend and contract-related risks with third-party risk.
▪ This vision is attractive in theory, but it offers a homogeneous partner
ecosystem and has fewer nonfinancial risk management capabilities than others
in this evaluation.
▪ The combination of platform rigidity, a hefty price tag, and recent changes in the
product team, as customers have noted in their reviews, has adversely affected
the product roadmap.
▪ Additionally, its limited success in attracting TPRM buyers in security and risk
versus procurement is explained by a value proposition based on synergies
among its entire product line.
▪ As a differentiator, Coupa offers publicly supported benchmark data and
insights on supplier risk, performance, and spend.
▪ An engaged community, FedRAMP "moderate-impact" authorization, and the
capacity to integrate with its own products, such as CLM, as well as payment
systems that can support third-party risk processes, are some of the company's
strengths.


▪ Reference customers claim that there is a lot of room for improvement,
including difficulties consuming real-time data from sources that the vendor
does not support, inadequate user training materials, and a lack of workflow
visualization.
▪ Coupa is ideal for organizations that have prior experience with the vendor or
those that prioritize publicly supported supplier benchmarking data over other
product functionality.

❖ LOGIC MANAGER TPRM SOFTWARE


➢ Market Research
▪ It targets midmarket organizations in a variety of industries in North America,
Western Europe, Australia/New Zealand, and parts of Asia.
▪ The main markets it currently serves are banking and investment services,
insurance, healthcare providers, high tech, and utilities.
▪ The zero-code Integration Hub enables customers to connect with the most
common third parties necessary for managing vendor risk.
▪ For uncapped users, vendors, and integrations, LogicManager offers a flat
pricing model based on the selected Solution Packages, such as vendor due
diligence or vendor risk assessment. There is also a fixed fee for ongoing
advisory services.
➢ Important Notes and Observations
▪ LogicManager is changing its business model from a GRC platform that covers it
all to TPRM that is based on what customers need.
▪ Its no-cost support model remains unique in the market. This approach makes it
more attractive for targeted TPRM use cases such as due diligence or vendor
onboarding, but the lack of product differentiation will be a challenge in the
overall TPRM market where buyers are placing a premium on product
innovation.
▪ Except for the new AI-driven contract analyzer, LogicManager's current offering
and planned enhancements for TPRM lag behind the market.
▪ The product does a good job of supporting the TPRM lifecycle and has on-par
workflow and risk scoring.
▪ Improved dashboard customization and improved end-user report
development are cited by reference customers as areas that require immediate
attention.

____________________________________________________________________________________

RISK MANAGEMENT WORKFLOW


OBSERVATION AND POINT OF VIEW


➢ Organizations are realizing that high-quality internal and external data is key to managing the
third-party risk related to their extended enterprise.
➢ An end-to-end view of all relevant third-party relationships is clearly a prerequisite for identifying these
data-related needs.
➢ Managing supply chains and other networks across business functions will get even more
complicated as organizations increase their dependence on a growing network of third parties to
fuel growth.
➢ The expansion of the scope of relevant relationships (particularly beyond those directly
contracted) is reducing confidence in the third-party inventory. This will continue to pose a
significant and growing challenge for businesses trying to generate objective assessments and
reporting across third-party relationships.
➢ The more progressive organizations will aim to graduate from ad hoc and subjective assessments
to a more insight-driven, formalized quantitative process. These could be supported by, for
example, risk scoring based on reliable data (i.e., from trusted sources).
➢ Complex and more severe events (such as the pandemic or the Russia-Ukraine war) are forcing
organizations to be more agile in their response to unfamiliar or challenging situations.
➢ This requires investment in technology solutions to better understand the ecosystem of material
third-party relationships. That includes the locations from where they operate, supported by
further tools to monitor resilience and trends in real time, such as risk intelligence and adverse
media monitoring.
➢ From the organizations' point of view, they need to invest further in coverage of the risk domains that
impact resilience, including cyber, geopolitical and concentration risk. That would include
developing, maintaining and stress-testing comprehensive continuity and exit strategies and
plans for material (critical) third-party arrangements.
➢ For the financial services sector, regulation with an explicit focus on operational resilience is
forcing organizations to identify third parties that underpin important business services (IBS) and to
establish plans that keep disruptions within agreed tolerance levels. The use of technology will be
a critical component in this regard to predict and address such what-if scenarios with a more
integrated and holistic approach, as reiterated in respondents' priorities.
➢ Identify systemically important third parties and drive consistent resilience standards through
sectoral or geographic communities, rather than doing so individually.
➢ Integrated & Holistic third-party management
o Expanding the focus, moving from the narrow spotlight on cost savings to thinking more
broadly about profitable growth delivered with a customer-centric approach.
o Becoming more proactive: passive demand forecasting is no longer enough, so seek to
actively improve the supply response.
o Making it easier for organizations to understand which segments, distribution channels,
price points, product differentiation, selling propositions and value chain configurations
(such as linkages between activities and processes that occur within and outside the
company) matter.
➢ Organizations are rapidly replacing traditional fixed-term, fixed-scope partnerships (often
associated with sunk cost) with the more flexible consumption and unit- or volume-based constructs
that managed services platforms provide.
➢ Organizations continue to focus strictly on cost reduction, while also looking for self-funding models
where savings are achieved via external expertise.

SUGGESTIONS

1. Payment Integration
a. Our software can integrate with the client's payments application, so
that clients can automatically stop vendor payments in the case of elevated risk.
2. Packages Identification
a. We can include a column in the software which identifies the packages that the
company is using and what risk is associated with them. For example, for logy, a supply
chain related package used mostly by vendors/companies, our software can
assess it and analyze any risk associated with it.
3. Pitching Point for Indian Market
a. Basically, for the Indian market we can explain to our clients that our tool is going
to assess whether your vendors comply with RBI, SEBI and Government rules. For this
we can especially target banks and financial services, because they need to
comply with all the guidelines of the country.
4. Target for Marketing
a. If we build our software this year, our target would be to sponsor or give a
presentation at the 7th Third Party Risk Management Survey, May 2024. With the
help of this we can increase our outreach, and could also promote ourselves as a
company with a diverse portfolio and strong client trust that is entering Third-
Party Risk Management.
5. Additional Assessments
a. In our tool we can feature more assessments, such as 4th-party risk assessment,
geographical security, analysis of ethical risk and geopolitical risk, and
peer-group distribution over ratings.
6. Machine Learning for Scoring
a. We can implement machine learning algorithms to analyze historical vendor
data and identify the patterns that correlate with high-risk vendors. The machine
learning tool can predict patterns based on the assessments we are doing
and show them in charts.
7. It would be a plus point for our tool if we integrate with cybersecurity ratings, financial
health scores and external expert content, because companies are shifting towards cloud-
based services and are therefore likely to be concerned about cybersecurity.
