Vendor risk management at 40 employees, without a GRC tool
A practical vendor-risk program for small and mid-market firms that cannot justify a GRC platform, built around a maintained spreadsheet, a tiered review cadence and a clear escalation path.
Atticus Rowan
Every growing firm hits the vendor risk management conversation at roughly the same size. A customer security questionnaire arrives asking about third-party risk. An auditor mentions vendor oversight during SOC 2 prep. A cyber insurance renewal form asks for a vendor inventory. The firm realizes it has 60 or 80 SaaS tools and no documented process for evaluating any of them.
The typical next step is a demo of a GRC platform (Vanta, Drata, Secureframe, OneTrust, LogicGate). The platform is capable but expensive, and at 40 employees it is usually overbuilt for the real need. The firm signs up, uses 20 percent of the features, pays the full license and still does not have a working program.
What most firms this size actually need is a well-maintained spreadsheet, a tiered review cadence and a documented escalation path. The spreadsheet is not the point. The discipline around it is. Here is the working model.
The starting question
Before building a program, answer the question that drives the effort: what is the vendor risk management (VRM) program actually for?
Three common drivers:
- Compliance requirement. A regulator, a framework (SOC 2, NIST CSF, HIPAA) or a customer contract requires documented vendor oversight.
- Incident prevention. Reducing the probability that a vendor compromise propagates to the firm.
- Insurance requirement. Cyber insurance carriers increasingly ask for vendor inventory and tiered review evidence.
The driver shapes the program depth. A compliance-driven program needs more documentation. An incident-prevention program focuses on critical vendors. An insurance-driven program needs specific evidence artifacts at renewal time.
Most firms have overlapping drivers. A working program serves all three.
The inventory, the first 30 days
The foundation. Before any review process, the firm needs to know which vendors exist and which handle material data.
What goes in the spreadsheet (or the GRC tool if the firm already has one):
- Vendor name
- Primary contact (account manager or billing)
- Service description (one sentence)
- Data sensitivity (public, internal, confidential, regulated)
- Business function (finance, HR, sales, IT, etc.)
- Contract owner internally
- Renewal date
- Annual spend
- Tier (see next section)
- Last review date
- Next review date
- Notes (open items, known gaps)
Populating the inventory is usually the longest part of the initial effort. Expense reports, corporate credit card statements, IT provisioning records and the SSO application directory all hold pieces of the puzzle. The first pass usually surfaces 2x to 3x the vendors the firm thought it had.
Estimated effort for initial inventory: 20 to 40 hours of focused work for a 40 to 100-employee firm, usually spread across IT and finance.
The tiering model
Not every vendor deserves the same level of oversight. Tiering matches review effort to risk.
A practical three-tier model:
Tier 1, critical
Vendors that access, process or store material nonpublic information, or whose outage would materially disrupt operations.
Examples: payroll processor, primary CRM, email/collaboration platform, cloud infrastructure provider, managed services provider.
Review cadence: annually, with SOC 2 report collection and review.
Review artifacts expected:
- Current SOC 2 Type II report (or equivalent)
- Data processing agreement signed
- Breach notification obligations documented
- Insurance certificate showing cyber coverage
- Contract with data protection provisions
Tier 2, material
Vendors that handle some nonpublic data or are integrated with other systems, but whose outage would not cause material disruption.
Examples: marketing automation, analytics tools, document management, specialized line-of-business applications.
Review cadence: every 24 months, with a lighter questionnaire.
Review artifacts expected:
- Security overview or SOC 2 report if available (accept vendor’s standard documentation)
- Contract with reasonable data protection provisions
- Risk acceptance for any known gaps
Tier 3, incidental
Vendors that handle no material data and have minimal integration.
Examples: design tools used for public marketing, utility SaaS, expense reporting for non-financial staff.
Review cadence: at contract renewal, minimal review.
Review artifacts expected:
- None formal, just a sanity check that the vendor still exists and the business function is still needed
Most mid-market firms find their vendor population breaks down roughly: 10-15% Tier 1, 30-40% Tier 2, 45-60% Tier 3. The tiering itself forces useful conversations about which vendors really matter.
The review process
What actually happens when a vendor is reviewed.
Tier 1 annual review
A 30 to 90-minute exercise per vendor:
- Pull the current SOC 2 report from the vendor’s trust center
- Read the opinion letter, the system description and any exceptions noted
- Verify the report is Type II and that its audit period covers the window relevant to the firm
- Confirm insurance coverage is current
- Review any breach notifications received in the past year
- Document the review outcome: renew, flag for renegotiation, replace
For the 8 to 12 Tier 1 vendors typical at a 100-employee firm, this adds up to 1 to 2 weeks of focused VRM time per year, spread across the calendar.
Tier 2 review
A 15 to 30-minute exercise per vendor on the 24-month cycle:
- Request the vendor’s security overview (one-pager or questionnaire response)
- Quick read for material concerns
- Verify contract is current and includes data protection provisions
- Document any gaps as risk acceptances
Tier 3 review
At renewal, a 5-minute check:
- Is the business function still needed?
- Is the vendor still operating normally?
- Are there any known incidents?
New vendor intake
Every new vendor goes through a light intake before signing:
- What data will this vendor handle?
- What tier does that put them in?
- If Tier 1 or 2, what due diligence is required before signing?
- Who is the contract owner?
The intake process is where most small firms initially fall short. A tool or vendor gets signed without VRM review, and the first audit catches it. A 10-minute intake step prevents this.
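As an added example (not part of the original article or any Atticus Rowan tooling), a small Python checker over a CSV export of the inventory that applies the cadence and evidence expectations from the tiering section above: it derives each vendor's next review date from its tier, flags overdue or never-done reviews and missing artifacts, and warns when the Tier 1 share drifts far above the 10-15% the article expects. The column names, evidence labels, the sample rows and the 25% alarm threshold are this example's own assumptions.

```python
import calendar
import csv
import io
from datetime import date

CADENCE_MONTHS = {1: 12, 2: 24, 3: None}  # months between reviews; Tier 3 is reviewed at renewal instead
# Evidence artifacts each tier is expected to hold (the tokens are this example's own labels).
REQUIRED_EVIDENCE = {1: {"soc2_type2", "dpa", "breach_notification", "cyber_insurance", "dp_contract"},
                     2: {"dp_contract"}, 3: set()}
# Constructed sample inventory; the columns are a subset of the spreadsheet fields listed above.
SAMPLE_INVENTORY = """vendor,tier,last_review,renewal_date,evidence
PayrollCo,1,2024-03-01,2025-03-01,soc2_type2;dpa;breach_notification;cyber_insurance;dp_contract
CRM Inc,1,2023-01-15,2025-06-30,soc2_type2;dp_contract
Analytics Ltd,2,2024-09-10,2025-09-10,dp_contract
Design Tool,3,,2025-02-01,
"""

def add_months(d, months):
    """Shift a date by whole months, clamping to the last valid day of the target month."""
    month = d.month - 1 + months
    year, month = d.year + month // 12, month % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def next_review(row):
    """Next review date implied by the tier cadence, or None if the vendor was never reviewed."""
    cadence = CADENCE_MONTHS[int(row["tier"])]
    if cadence is None:
        return date.fromisoformat(row["renewal_date"])
    if not row["last_review"]:
        return None
    return add_months(date.fromisoformat(row["last_review"]), cadence)

def check_inventory(csv_text, today_iso):
    """Return (vendor, finding) pairs: overdue or missing reviews, missing evidence, over-tiering."""
    today = date.fromisoformat(today_iso)
    rows, findings = list(csv.DictReader(io.StringIO(csv_text))), []
    for row in rows:
        due = next_review(row)
        if due is None:
            findings.append((row["vendor"], "never reviewed"))
        elif due < today:
            findings.append((row["vendor"], f"review overdue since {due}"))
        held = {e for e in row["evidence"].split(";") if e}
        for missing in sorted(REQUIRED_EVIDENCE[int(row["tier"])] - held):
            findings.append((row["vendor"], f"missing {missing}"))
    # 'Everything is Tier 1' check: the article expects roughly 10-15% Tier 1; 25% is this example's alarm line.
    tier1_share = sum(int(r["tier"]) == 1 for r in rows) / len(rows)
    if tier1_share > 0.25:
        findings.append(("*", f"{tier1_share:.0%} of vendors are Tier 1, expected roughly 10-15%"))
    return findings
```

Running `check_inventory(SAMPLE_INVENTORY, "2025-01-10")` on the sample flags CRM Inc as overdue with three missing artifacts and warns that half the sample is Tier 1.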
Where a spreadsheet is enough and where it isn’t
A maintained spreadsheet works well up to roughly 100 to 200 vendors, assuming:
- One person owns it (usually IT or a fractional compliance role)
- Reviews happen on schedule
- Evidence artifacts are filed in a known location (shared drive, document management system)
- New-vendor intake is enforced
A spreadsheet stops working when:
- Vendor count exceeds 200
- Multiple people are adding vendors without coordination
- Customer questionnaires or auditors want machine-readable evidence
- The SOC 2 audit cycle requires fresh evidence collection each year and the manual gathering becomes the bottleneck
At that point, moving to a GRC platform (Vanta, Drata, Secureframe) is justified. Until then, the discipline matters more than the tooling.
Common failure modes
- The inventory exists but isn’t maintained. Built once during a compliance push, never refreshed. Becomes stale within 12 months.
- Everything is Tier 1. The firm doesn’t want to be caught under-tiering so everything gets the critical label. Review effort balloons, nothing gets done well.
- Reviews are calendar-driven without substance. The annual review consists of a note saying “still using them.” The next audit catches the absence of real review.
- Nobody owns it. Responsibility sits between IT, finance, legal and operations without a named owner. Reviews don’t happen.
- Vendor evidence is scattered. SOC 2 reports in one person’s email, DPAs in legal’s filing cabinet, questionnaire responses in sales’ CRM. Assembly for audit is weeks of work.
Each failure mode is addressable with operational discipline. None of them requires a GRC platform to solve.
Where we fit
Atticus Rowan helps mid-market firms stand up vendor risk management programs at the appropriate scale. For firms under 200 employees, the engagement usually includes an initial inventory pass, tiering design, review cadence setup, evidence library structure and a quarterly check-in to keep the discipline intact.
The goal is a program that passes a customer audit in under a week, feeds the cyber insurance renewal cleanly and gives the executive team a credible answer to “what do we do about vendor risk?”
If your firm needs vendor risk management evidence for an upcoming SOC 2 audit, customer questionnaire or cyber insurance renewal, schedule a discovery call. We can scope what the program needs to look like at your scale and get the initial inventory built quickly.