The Third-Party Risk Management (TPRM) module in Venvera enables your organisation to assess and monitor the cybersecurity posture of your ICT service providers through structured questionnaire campaigns. This article covers the regulatory background, walks through the full TPRM workflow, documents every form field, and explains the scoring and review process.
Regulatory Context
DORA Chapter V — ICT Third-Party Risk
The Digital Operational Resilience Act (DORA) dedicates an entire chapter to managing ICT third-party risk. Key obligations include:
- Maintaining a Register of Information (RoI) for all ICT service arrangements.
- Conducting due diligence before engaging ICT third-party service providers.
- Including specific contractual provisions in ICT outsourcing agreements.
- Monitoring provider performance and risk on an ongoing basis.
- Reporting critical providers to supervisory authorities.
NIS2 Art. 21(2)(d) — Supply Chain Security
NIS2 requires essential and important entities to implement supply chain security measures, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers. This extends to:
- Assessing the overall security level of each supplier.
- Considering vulnerabilities specific to each supplier.
- Evaluating the quality of products and cybersecurity practices of suppliers.
TPRM Dashboard
Navigate to TPRM in the sidebar. The dashboard shows four summary stat cards and a table of all campaigns:
| Stat Card | Description |
|---|---|
| Total Campaigns | All questionnaire campaigns created to date |
| Pending | Campaigns in draft, pending, or sent status (waiting for vendor) |
| In Progress | Campaigns where the vendor has opened or started the questionnaire |
| Completed | Campaigns where the vendor has submitted all responses |
The campaigns table displays columns for Provider, Contact (name and email), Template, Status, Score, Sent Date, and Actions (view / delete).
Full TPRM Workflow
Click Send Questionnaire on the TPRM dashboard. This opens the send form where you select the provider, template, and vendor contact details.
After submission, Venvera generates a unique vendor portal link and a 6-digit access code. Copy the link and code and send them to the vendor contact (e.g., via email). The link is time-limited and requires the access code for authentication.
The vendor opens the link, enters the access code, and answers each question in the template. Questions may be yes/no or free-text, grouped by category. Once all questions are answered, the vendor submits the questionnaire.
Navigate to the campaign detail page to view the vendor's answers grouped by category. Yes/no answers are displayed with green checkmarks or red X icons. Free-text answers are shown in full.
Venvera auto-calculates a percentage score based on the vendor's responses. Review the calculated score and, if needed, override the risk rating in the Internal Review section.
Add reviewer notes documenting your assessment, optionally override the risk rating, and click Save Review. The review is saved as part of the campaign record for audit purposes.
Send Questionnaire Form
The send form is divided into two sections: Questionnaire Details and Vendor Contact.
Questionnaire Details
| Field | Type | Badge | Description |
|---|---|---|---|
| ICT Provider | Select | Required | Dropdown of all registered ICT providers. If empty, you must first add a provider in the RoI → ICT Providers section. |
| Questionnaire Template | Select | Required | Dropdown of available templates. Each template shows the number of questions in parentheses (e.g., "DORA Due Diligence (42 questions)"). The template description appears below the dropdown when selected. |
Vendor Contact
| Field | Type | Badge | Description |
|---|---|---|---|
| Contact Name | Text | Required | The name of the person at the vendor who will complete the questionnaire. |
| Contact Email | Required | The email address of the vendor contact. Used for reference purposes. |
Vendor Portal
When a campaign is created, Venvera generates two credentials for the vendor:
| Credential | Description |
|---|---|
| Vendor Questionnaire Link | A unique, secure URL (e.g., https://app.venvera.com/vendor/q/[token]) that the vendor uses to access the questionnaire. The link is time-limited and does not require the vendor to create an account. |
| Access Code | A 6-digit alphanumeric code that the vendor must enter to open the questionnaire. This provides a second layer of verification. Send the code via a separate channel (e.g., email if the link was shared via a messaging platform). |
Campaign Detail Page
Click the eye icon or "View" button on any campaign to open its detail page. The page has a two-column layout:
Left Column
- Header — provider name, status badge, risk rating badge (if scored), and percentage score.
- Vendor Questionnaire Link — shown for campaigns that are not yet completed or expired. Includes a "Copy Link" button.
- Questionnaire Responses — displayed once the vendor completes the questionnaire. Responses are grouped by category. Each question shows the question text and the vendor's answer (yes/no with icons, or free-text).
- Internal Review — a section for your team to document the assessment. Includes Reviewer Notes (textarea), Risk Rating Override (select: Low, Medium, High, Critical, or "Use calculated rating"), and a Save Review button.
Right Column
- Campaign Details — template name, contact name and email, sent date, opened date, completed date, token expiry date, and access code.
- Risk Score — large percentage display with the colour-coded risk rating badge (green for low, amber for medium, orange for high, red for critical).
- Metadata — created date, last updated date, and campaign ID.
Risk Scoring
Venvera automatically calculates a risk score based on the vendor's questionnaire responses:
- Yes/No questions: "Yes" typically scores positively, "No" scores negatively (depending on the question context as defined in the template).
- The percentage score represents how well the vendor's responses align with expected security practices.
The percentage maps to a risk rating:
| Score Range | Rating | Colour |
|---|---|---|
| 75–100% | Low Risk | Green |
| 50–74% | Medium Risk | Blue/Amber |
| 25–49% | High Risk | Amber |
| 0–24% | Critical Risk | Red |
If the auto-calculated rating does not reflect the true risk (e.g., a vendor scores high but you know they had a recent breach), use the Risk Rating Override in the Internal Review section to manually set the rating.
Campaign Statuses
| Status | Badge | Meaning |
|---|---|---|
| Draft | Grey | Campaign created but not yet finalised |
| Sent | Purple | Questionnaire link generated and shared with the vendor |
| In Progress | Amber | Vendor has opened the link and started answering |
| Completed | Green | Vendor has submitted all responses; ready for review |
| Expired | Red | The token expired before the vendor completed the questionnaire |
| Cancelled | Grey | Campaign was manually cancelled or deleted |
Pending Assessments
On the Send Questionnaire page, a Pending Assessments section lists all campaigns with "Sent" or "In Progress" status. Each entry shows:
- Provider name and status badge (Sent or In Progress)
- Template name used for the questionnaire
- Contact name and email of the vendor respondent
- Sent date with timestamp
- Access code displayed for quick reference
- Action buttons: View (navigates to campaign detail) and Delete
Use this section as a follow-up dashboard to check which vendors have not yet completed their questionnaire and to quickly re-share access codes if needed.
Internal Review Process
Once a vendor completes their questionnaire, the Internal Review section on the campaign detail page allows your team to document their assessment:
| Field | Type | Description |
|---|---|---|
| Reviewer Notes | Textarea | Free-text field for documenting your internal assessment of the vendor's responses. Include observations about gaps, strengths, required follow-up actions, or conditions for continued engagement. |
| Risk Rating Override | Select | Options: "Use calculated rating" (default), Low, Medium, High, Critical. Use this to manually override the auto-calculated rating when you have additional context (e.g., known breaches, industry intelligence, or compensating controls). |
Click Save Review to persist the notes and rating override. The campaign detail page reloads to reflect the updated information.
Best Practices for TPRM
- Assess all critical providers: Start with providers flagged as critical or important in your Register of Information. These carry the highest risk exposure.
- Use framework-aligned templates: Select questionnaire templates that align with your regulatory obligations (DORA, NIS2) for audit-ready evidence.
- Follow up promptly: Vendors who do not respond within 2 weeks should receive a reminder. Use the Pending Assessments section to track outstanding questionnaires.
- Document reviewer rationale: Always add Reviewer Notes explaining your risk assessment, especially when overriding the calculated rating. Auditors will want to see the reasoning.
- Reassess periodically: DORA requires ongoing monitoring of ICT third-party risk. Plan to re-assess critical providers at least annually.
- Separate link and code delivery: For security, send the questionnaire link and the access code through different communication channels.