Brangus ITBrangus IT
Compliance

Third-Party Risk Management Without the Spreadsheet Graveyard

Most vendor risk programs collapse under their own questionnaire volume. Here's a tiered approach that actually gets maintained past the first audit cycle.

Brangus IT GRC Advisory March 3, 2026 6 min read
Back to all articles

Vendor risk management programs almost universally start the same way: a security questionnaire sent to every vendor, regardless of the data they touch or access they have, tracked in a spreadsheet that's accurate for exactly one audit cycle before falling hopelessly out of date.

The fix is tiering vendors by actual risk exposure before any questionnaire goes out. Tier 1 vendors — those with access to sensitive data, production systems, or your customers' data — warrant a full security review including SOC 2 report analysis, questionnaire, and for critical vendors, contractual security requirements. Tier 2 vendors with limited data access get a lighter-weight questionnaire. Tier 3 — vendors with no data access at all, like a facilities contractor — need only basic business verification, not a security review.

This tiering alone typically cuts questionnaire volume by 60-70% for a mid-sized organization, which is what makes the program sustainable rather than something that gets attempted once before an audit and abandoned. We also recommend building vendor risk review into procurement workflow directly — security review as a required step before contract signature, not an afterthought discovered during the next audit cycle.

Finally, treat the vendor risk register as a living artifact with scheduled reassessment dates tied to risk tier — annually for Tier 1, every two years for Tier 2 — rather than a one-time exercise. The organizations we see maintain compliance most efficiently are the ones where vendor risk review is a standing calendar item, not a fire drill.

Do not wait for an attacker to show you where your weaknesses are.

Talk to a Brangus IT security engineer about a tailored assessment for your environment — no obligation, no generic sales pitch.