• A (7 terms in total)
  • AI-Based Control Validation

    AI-Based Control Validation uses artificial intelligence to test, verify, and evaluate vendor security and compliance controls. This accelerates due diligence and enhances accuracy.

    ProcessUnity’s Evidence Evaluator utilizes AI to analyze documents, such as SOC 2 reports and policies, thereby significantly reducing manual review hours.

  • AI in Third-Party Risk Management (AI in TPRM)

    Third-Party Risk Management AI refers to the use of artificial intelligence and machine learning to automate, accelerate, and enhance key steps within the TPRM lifecycle. It is used to analyze vendor responses, validate controls, detect anomalies, summarize evidence, prioritize risks, and identify patterns that may be missed through manual review. AI in TPRM helps teams reduce assessment bottlenecks, improve accuracy, and focus on higher-risk vendors rather than repetitive administrative tasks.

  • APRA CPS 230

    APRA CPS 230 is an operational risk management standard issued by the Australian Prudential Regulation Authority (APRA) that strengthens requirements for operational resilience, business continuity, and third-party risk oversight. CPS 230 requires regulated entities to identify and manage operational risks, assess and monitor material service providers, maintain documented business continuity plans and resilience thresholds, and ensure outsourcing arrangements do not introduce unacceptable levels of risk. The standard places significant emphasis on understanding the full operational value chain and ensuring that disruptions can be prevented, detected, and managed effectively.

    ProcessUnity helps organizations meet CPS 230 requirements by centralizing operational risk, third-party risk, and business continuity data; enabling consistent assessments; and supporting monitoring and reporting across the operational value chain.

  • Assessment Autofill

    Assessment Autofill automatically populates vendor questionnaires using previously validated data, certifications, or responses.

    Assessment Autofill leverages existing third-party documentation and evidence to automatically populate questionnaire responses, significantly reducing the time and burden required for completion.

  • Assessment Exchange

    An Assessment Exchange is a shared ecosystem where organizations access validated third-party assessment data, curated vendor profiles and third-party risk ratings.

    ProcessUnity’s Global Risk Exchange enables customers to reuse high-quality, validated assessments, thereby eliminating redundancy and reducing review cycles.

  • Assessment Library

    An Assessment Library is a centralized collection of standardized questionnaires, templates, and assessment frameworks used to evaluate vendors during the third-party risk management (TPRM) process.

    ProcessUnity Global Risk Exchange is the world’s largest database of third-party risk assessments and curated risk profiles. It holds an Assessment Library of more than 18,000 attested assessments.

  • Automated Risk Scoring

    Automated Risk Scoring uses algorithms to calculate vendor risk levels based on inherent risk, questionnaire responses, and monitoring data.

    ProcessUnity automatically updates scores as new evidence or intelligence becomes available, ensuring real-time insights.

  • C (3 terms in total)
  • Continuous Monitoring

    Continuous Monitoring provides real-time visibility into a vendor’s cybersecurity, compliance, and operational posture.

    ProcessUnity integrates external intelligence and automated alerts to help teams identify and respond to emerging vendor threats faster.

  • Control Assessment

    A Control Assessment evaluates whether a vendor’s controls are designed and operating effectively.

    ProcessUnity automates control evaluation and maps responses to frameworks, helping teams identify gaps and prioritize remediation.

  • Critical Vendor

    A Critical Vendor is a third party whose failure would significantly disrupt operations or regulatory compliance.

    ProcessUnity enables automated risk tiering and enhanced workflows to ensure high-risk vendors receive heightened scrutiny.

  • D (3 terms in total)
  • Digital Operational Resilience Act (DORA)

    DORA is a European Union regulation that establishes uniform requirements for how financial institutions manage operational resilience, cybersecurity, and third-party ICT risk. It requires organizations to strengthen their security controls, test operational resilience, report incidents, manage ICT suppliers, and ensure that critical third-party providers meet defined oversight standards.

    ProcessUnity accelerates DORA compliance by centralizing vendor and ICT service provider data, standardizing assessments, and automating the collection and preparation of information required for the Register of Information. The platform helps identify critical or important functions (CIFs), monitor

  • Due Diligence Automation

    Due Diligence Automation replaces manual assessments and evidence collection with automated processes, reducing time and human error.

    ProcessUnity automates vendor intake, questionnaire distribution, scoring, and review, dramatically accelerating due diligence.

  • Due Diligence Backlog

    A Due Diligence Backlog occurs when teams cannot complete vendor assessments fast enough, delaying onboarding and increasing risk.

    ProcessUnity reduces due diligence backlogs by automating workflows and leveraging assessment data in the Global Risk Exchange to skip unnecessary questionnaires.

  • E (3 terms in total)
  • Evidence Evaluator

    Evidence Evaluator is the AI-powered technology used to analyze, verify, and interpret vendor evidence in the ProcessUnity platform. It is used for automated control validation to streamline the assessment process.

    ProcessUnity’s Evidence Evaluator automates document review, identifies control gaps, and accelerates validation at scale.

  • Evidence Review

    Evidence Review is the process of verifying vendor documentation, such as SOC reports, ISO certifications, policies, procedures and more.

    ProcessUnity centralizes and automates evidence collection and review, improving accuracy and reducing manual effort.

  • Exchange Data Model

    An Exchange Data Model structures how assessment data is standardized and shared across organizations.

    ProcessUnity’s Global Risk Exchange uses a standardized data model to ensure consistent, reusable, high-quality vendor assessment information.

  • F (2 terms in total)
  • Fourth-Party Risk

    Fourth-Party Risk refers to risks originating from your vendors’ vendors.

    ProcessUnity provides visibility into downstream dependencies through inherent risk evaluations and insights from the Global Risk Exchange.

  • Framework (ISO 27001, NIST, SOC 2)

    A Framework is a structured set of guidelines, best practices, and control requirements used to help organizations identify, assess, manage, and monitor risk. In third-party risk management, frameworks provide a standardized approach for evaluating vendor security, compliance, and operational practices. Common examples include ISO 27001, NIST CSF, SOC 2, and regulatory frameworks such as DORA or GDPR. Using recognized frameworks ensures assessments are consistent, comparable, and aligned with industry expectations.

    ProcessUnity maps questionnaires and controls directly to these frameworks, simplifying evaluation and reporting.

  • G (4 terms in total)
  • GDPR Compliance

    GDPR Compliance ensures that a vendor meets data protection and privacy requirements for the personal data of EU citizens.

    ProcessUnity helps organizations assess vendor privacy practices and track GDPR-related risk and documentation.

  • German Supply Chain Act (LkSG)

    LkSG requires companies to assess and manage human rights and environmental risks across their supply chain.

    ProcessUnity simplifies German Supply Chain Act compliance by automating due diligence procedures, streamlining risk assessments and centralizing supplier information.

  • Global Risk Exchange

    The Global Risk Exchange is a shared assessment network that provides verified, reusable third-party risk data, eliminating the need to send duplicate questionnaires to vendors. It centralizes attested security, compliance, and operational information, allowing organizations to accelerate due diligence and reduce vendor fatigue.

    ProcessUnity’s Global Risk Exchange is the industry’s largest repository of third-party risk data, offering more than 18,000 validated assessments and 370,000 vendor profiles to significantly reduce manual workload and provide access to hard-to-reach vendors that rarely complete questionnaires.

  • Governance, Risk & Compliance (GRC)

    Governance, Risk and Compliance (GRC) is a framework that helps organizations operate responsibly, manage risks proactively, and maintain regulatory compliance. It brings together three core areas: Governance (how decisions are made and managed), Risk Management (how risks are identified and mitigated), and Compliance (how laws, standards, and internal policies are followed). Together, GRC strengthens oversight, reduces operational surprises, and builds trust with customers and regulators.

    ProcessUnity enhances GRC programs by automating Third-Party Risk Management workflows, centralizing vendor risk data, and standardizing evaluations across the organization. Our clients can expand their use of our platform to incorporate other GRC subj

  • H (1 term in total)
  • High-Risk Vendor

    A High-Risk Vendor is a third party whose products, services, data access, or operational dependencies pose a significant level of potential impact to the organization. These vendors often handle sensitive information, support critical business processes, integrate deeply with internal systems, or present elevated cybersecurity, compliance, financial, or operational risks. Due to their heightened exposure, high-risk vendors require more thorough due diligence, increased monitoring, and stricter contractual and control requirements.

    ProcessUnity helps organizations identify and manage high-risk vendors through automated inherent risk scoring, standardized assessments, continuous monitoring, and centralized risk reporting, ensuring that high-impact vendors receive the appropriate level of scrutiny throughout the TPRM lifecycle.

  • I (5 terms in total)
  • Inherent Risk

    Inherent Risk is the level of risk a vendor presents before any controls, safeguards, or mitigation measures are applied. It reflects the natural exposure associated with the vendor’s services, data access, operational impact, geographic footprint, and regulatory requirements. Inherent risk determines how deeply a vendor should be assessed, which questionnaires to use, and how frequently monitoring should occur. A strong inherent risk process ensures that high-impact vendors receive the appropriate level of scrutiny from the start.

  • Inherent Risk Assessment

    An Inherent Risk Assessment is the process of determining how much risk a vendor may introduce to the organization before evaluating their controls. It uses a structured set of questions to measure potential impact based on the vendor’s services, data access, and business criticality. The results guide decisions such as vendor tiering, assessment depth, and monitoring frequency.

  • Inherent Risk Scoring

    Inherent Risk Scoring is the process of turning a vendor’s baseline level of risk into a simple numerical score before any controls are reviewed. It examines core factors such as the type of data a vendor handles, the criticality of their services, and the potential impact of a failure. It converts them into a consistent score that helps determine the level of due diligence and monitoring required for the vendor.

    ProcessUnity automates inherent risk scoring and uses results to route vendors into the correct assessment workflows.

  • Inherent Risk Questionnaire (IRQ)

    An Inherent Risk Questionnaire (IRQ) is a standardized intake tool used to determine a vendor’s baseline level of risk and business criticality before reviewing any controls. It is completed by the internal team requesting the vendor and gathers information about the vendor’s role in business operations, the data involved, and the potential impact of service failure.

    ProcessUnity integrates the Inherent Risk Questionnaire into the vendor request process, enabling teams to compare internally attested IRQ responses with externally validated Exchange data. This provides an additional layer of assurance and enhances the process of tiering and prioritizing vendors.

  • ISO 27001

    ISO 27001 is a globally recognized standard for managing information security. It outlines requirements for building and maintaining an effective Information Security Management System (ISMS), including risk assessments, control implementation, monitoring, and continuous improvement. Organizations utilize ISO 27001 to enhance data protection and demonstrate their security maturity.

    ProcessUnity aligns assessments and control mapping with ISO 27001 to ensure standardized vendor evaluations.

  • N (2 terms in total)
  • Nth Party

    An Nth Party is any organization that is further down a vendor’s supply chain, beyond their direct subcontractors. While a third party is your direct vendor and a fourth party is your vendor’s vendor, Nth parties include all additional suppliers, service providers, or dependencies that support the delivery of your vendor’s product or service. These deeper-tier relationships can introduce hidden operational, cybersecurity, and compliance risks that are often difficult to detect without structured oversight and management.

    ProcessUnity provides visibility into downstream dependencies through inherent risk assessments, vendor attributes, and Global Risk Exchange intelligence, helping organizations better understand and manage downstream risk.

  • Nth-Party Reviews

    Nth-Party Reviews evaluate the broader ecosystem of subcontractors and suppliers supporting a vendor’s service delivery. These reviews help organizations understand indirect threats and dependencies.

    ProcessUnity enables structured downstream assessments through questionnaires, scoring models, and shared assessment data.

  • O (4 terms in total)
  • Offboarding

    Offboarding is the controlled process of terminating a vendor relationship, ensuring the removal of system access, the return or destruction of data, and the closure of contractual obligations. Proper offboarding reduces residual exposure.

    ProcessUnity automates vendor offboarding workflows to ensure consistency, accuracy in documentation, and secure transitions.

  • Onboarding Cycle Times

    Onboarding Cycle Times measure how long it takes to move a vendor from initial intake to full approval and activation. This includes steps such as collecting vendor information, completing an inherent risk assessment, conducting due diligence, reviewing contracts, and obtaining necessary approvals. Shorter cycle times help the business move faster, while longer cycle times can slow down projects and create operational bottlenecks.

    According to GRC 20/20, ProcessUnity reduces onboarding cycle times by 85% by automating assessments, routing approvals, and enabling the reuse of validated assessment data, helping organizations onboard vendors more quickly and consistently.

  • Ongoing Vendor Monitoring

    Ongoing Vendor Monitoring is the continuous process of reviewing a vendor’s security, compliance, operational performance, and overall risk posture after they have been onboarded. It ensures that new issues such as cybersecurity incidents, control failures, financial instability, or regulatory changes are identified and addressed promptly. Effective ongoing monitoring reduces blind spots and helps organizations stay ahead of emerging vendor-related risks.

    ProcessUnity automates ongoing vendor monitoring by integrating external risk intelligence, triggering alerts for significant changes, and scheduling periodic reviews, providing teams with real-time visibility into vendor risk throughout the entire lifecycle.

  • Operational Resilience

    Operational Resilience is an organization’s ability to continue delivering critical services despite disruptions caused by vendor failures, cyberattacks, or supply chain issues.

    ProcessUnity strengthens operational resilience by centralizing vendor data, automating remediation, and enabling proactive monitoring.

  • P (3 terms in total)
  • Performance Monitoring

    Performance Monitoring evaluates whether a vendor is meeting contractual, operational, and security expectations.

    ProcessUnity offers dashboards, SLA tracking, and workflow automation to maintain vendor accountability and service consistency.

  • Pre-Contract Due Diligence

    Pre-Contract Due Diligence is the evaluation performed before a vendor contract is signed to ensure the vendor meets the organization’s security, compliance, operational, and financial requirements. It typically includes reviewing the vendor’s risk profile, assessing controls, verifying relevant certifications, and confirming the vendor can meet regulatory and business obligations. Completing this step early helps prevent high-risk vendors from being onboarded and reduces the likelihood of costly changes later.

    ProcessUnity streamlines pre-contract due diligence through automated workflows, inherent risk scoring, standardized questionnaires, and curated vendor profiles, enabling teams to evaluate vendors quickly and confidently before contracts are finalized.

  • ProcessUnity Risk Index

    The ProcessUnity Risk Index is a 100-point score that provides a comprehensive view of a third party’s cybersecurity and risk posture. It combines external threat intelligence, verified internal controls, and predictive analytics to provide an accurate, continuously updated assessment of vendor risk. The score provides detailed domain-level insights and recommended actions that enable third parties to understand their exposure, enhance their controls, and establish trust with customers.

    The ProcessUnity Risk Index updates every 24 hours, allowing organizations and their third parties to see the impact of remediations in near real time and maintain a current, defensible picture of cyber risk.

  • R (9 terms in total)
  • Residual Risk

    Residual Risk is the level of risk that remains after a vendor’s controls, safeguards, or remediation actions have been applied. It reflects the true, final exposure an organization accepts when engaging a vendor, even after due diligence and mitigation efforts are complete. Residual risk is used to determine whether a vendor aligns with the organization’s risk appetite or if additional controls, compensating measures, or risk acceptance are necessary.

  • Risk Acceptance

    Risk Acceptance is the formal decision to acknowledge and tolerate a level of risk after evaluating available controls and mitigation options.

    ProcessUnity streamlines risk acceptance through automated workflows, documentation tracking, and approval processes, ensuring that accepted risks are clearly recorded and aligned with organizational policies and procedures.

  • Risk Appetite

    Risk Appetite defines how much risk an organization is willing to tolerate while pursuing its objectives.

    ProcessUnity aligns assessments, scoring, and routing rules with an organization’s stated risk appetite.

  • Risk Assessment Workflow

    A Risk Assessment Workflow consists of the structured steps used to evaluate a vendor’s risk, including inherent risk evaluation, questionnaires, evidence review, scoring, and approvals.

    ProcessUnity automates these workflows to improve consistency, speed, and documentation quality.

  • Risk Exposure

    Risk Exposure refers to the potential impact a vendor could have on an organization’s security, operations, or compliance posture.

  • Risk Framework

    A Risk Framework is a structured model that defines how an organization identifies, measures, and manages risk. It outlines the methodology, control areas, evaluation criteria, and reporting expectations used to ensure risk is assessed consistently across vendors and internal processes. Common examples include ISO 27001, NIST CSF, SOC 2, and regulatory frameworks such as DORA or GDPR.
    (See also: Framework)

  • Risk Mitigation Strategies

    Risk Mitigation Strategies include actions such as implementing additional controls, reducing access, or remediation to lower vendor-related risks.

  • Risk Register

    A Risk Register is a centralized repository documenting all identified risks, their severity, likelihood, and remediation status.

    ProcessUnity provides a unified vendor risk register to support transparency, oversight, and reporting.

  • Risk Scoring

    Risk Scoring uses numerical or categorical values to quantify a vendor’s risk level. It helps prioritize due diligence and monitoring efforts.

    ProcessUnity updates risk scores automatically using inherent risk factors, assessment results, intelligence inputs, and monitoring data.

  • S (9 terms in total)
  • Security Assessment

    A Security Assessment evaluates a vendor’s cybersecurity controls, policies, and practices to determine whether they can adequately protect sensitive data and systems. Assessments typically review access controls, encryption, incident response, vulnerability management, and governance processes.

    ProcessUnity streamlines security assessments with standardized questionnaires, automated workflow routing, and AI-assisted evidence review.

  • Shared Assessment Data

    Shared Assessment Data refers to validated third-party risk information that multiple organizations can use to accelerate due diligence and avoid repetitive questionnaires.

    ProcessUnity’s Global Risk Exchange offers over 18,000 attested assessments that can be reused across customers, thereby reducing vendor fatigue and shortening assessment cycles.

  • Shared Assessment Questionnaire

    A Shared Assessment Questionnaire is a standardized set of security and risk questions that vendors can complete once and share with multiple customers. The most common is the Standardized Information Gathering (SIG) questionnaire, which comes in comprehensive (SIG Core) and streamlined (SIG Lite) versions.

    ProcessUnity’s Shared Assessments Connector enables organizations to import any version of the SIG questionnaire directly into the platform with a single click. This automation eliminates manual data entry and reduces errors, especially when managing assessments for many third parties. Users can leverage pre-built SIG content, customize it with business- or regulation-specific questions, and efficiently distribute, collect, and validate responses all within a centralized, auditable workflow.

  • Shared Assessments

    Shared Assessments is an industry consortium that develops standardized third-party risk questionnaires, tools, and frameworks, such as the SIG (Standardized Information Gathering Questionnaire) and SCA (Standardized Control Assessment), to promote consistent evaluation practices.

    ProcessUnity integrates Shared Assessments content directly into its platform, enabling organizations to efficiently import, distribute, and manage standardized questionnaires and frameworks. By aligning workflows with Shared Assessments standards, ProcessUnity streamlines third-party risk assessments, reduces manual effort, and ensures consistency and compliance across vendor evaluations.

  • SIG Core

    SIG Core is the standard version of the Shared Assessments Standardized Information Gathering (SIG) Questionnaire used to evaluate a vendor’s cybersecurity, privacy, and operational risk controls. It provides a comprehensive set of questions across multiple risk domains, including IT security, data protection, business continuity, and compliance, to help organizations assess a vendor’s overall risk posture in a consistent, industry-aligned way. SIG Core is more detailed than SIG Lite and is typically used for vendors with higher inherent risk.

    ProcessUnity supports SIG Core by enabling organizations to issue, collect, evaluate, and reuse SIG questionnaires within a centralized assessment workflow, reducing manual effort and improving consistency across vendor reviews.

  • SIG Lite

    SIG Lite is a shorter version of the Standardized Information Gathering (SIG) Questionnaire, designed to evaluate low-risk or non-critical vendors. It focuses on essential controls and reduces vendor burden.

    ProcessUnity automates SIG Lite distribution, review, and scoring within the TPRM platform.

  • SLA Monitoring

    SLA Monitoring tracks whether a vendor meets the service levels defined in the contract, including uptime, response times, resolution targets, and support requirements.

    ProcessUnity enables SLA tracking through performance dashboards, real-time alerts, and built-in reports, helping organizations monitor vendor performance, identify issues quickly, and ensure service commitments are met.

  • Supplier Risk Management

    Supplier Risk Management is the process of identifying, assessing, and monitoring risks within an organization’s supply chain, including operational, financial, cybersecurity, compliance, and ethical risks. It helps ensure that suppliers can deliver goods or services reliably without disrupting operations or introducing unacceptable levels of exposure. Effective supplier risk management improves supply chain resilience and supports regulatory and ESG obligations.

    ProcessUnity centralizes supplier risk data, automates assessments, and provides real-time dashboards, making it easier to identify, monitor, and mitigate supply chain risks.
    (See also: third-party risk management (TPRM) or vendor risk management (VRM), depending on the organization’s terminology and focus)

  • Supply Chain Risk

    Supply Chain Risk refers to vulnerabilities that arise from third-party and Nth-party dependencies involved in delivering goods or services.

    ProcessUnity helps organizations assess and monitor risks across complex supplier networks through inherent risk scoring and predictive risk scoring, both of which are available in the Global Risk Exchange.

  • T (9 terms in total)
  • Third-Party Cyber Risk Management

    Third-Party Cyber Risk Management is the process of evaluating and monitoring the cybersecurity practices of vendors to ensure they can protect your data and systems. It focuses on areas such as access controls, encryption, vulnerability management, and incident response to mitigate the risk of cyber threats originating from third parties.

    ProcessUnity supports this by automating cyber risk assessments, integrating external threat intelligence and cyber rating services, enabling continuous monitoring, and providing AI-driven risk scoring through its ProcessUnity Risk Index. It also offers dashboards for compliance reporting and connects with enterprise systems for streamlined workflows.

  • Third-Party Data

    Third-Party Data refers to any information, assessment results, or performance metrics gathered from or about external vendors.

    ProcessUnity centralizes all third-party data within its platform, enriches it with validated assessments from the Global Risk Exchange, and incorporates continuous monitoring inputs from external intelligence sources. This creates a single source of truth for vendor risk profiles, supporting automated workflows for analysis and reporting.

  • Third-Party Risk Assessment

    A Third-Party Risk Assessment is the structured process of evaluating the risks a vendor may introduce to an organization across cybersecurity, privacy, compliance, financial, operational, and reputational domains. It typically includes reviewing inherent risk, collecting and validating evidence, analyzing controls, identifying gaps, assigning a risk score or rating, and determining necessary remediation actions. The assessment helps organizations determine whether a vendor meets their internal requirements and what level of oversight is necessary.

    ProcessUnity automates assessment assignment, review, scoring, and documentation.

  • Third-Party Risk Exchange

    A Third-Party Risk Exchange is a shared network where organizations can access validated vendor assessment data, eliminating the need to request new questionnaires.

    ProcessUnity’s Global Risk Exchange is the largest third-party risk exchange, with over 18,000 attested assessments and 370,000 vendor profiles.

  • Third-Party Risk Management

    Third-Party Risk Management (TPRM) is the structured process organizations use to identify, assess, monitor, and mitigate risks associated with vendors, suppliers, and other external partners. It ensures that third parties meet security, compliance, operational, and business requirements throughout the entire vendor lifecycle.

    ProcessUnity offers a Third-Party Risk Management platform that helps streamline processes across onboarding, due diligence, monitoring, scoring, and reporting.

  • Third-Party Risk Management Lifecycle

    The Third-Party Risk Management (TPRM) Lifecycle is the end-to-end process organizations use to manage third parties, suppliers, and business partners in a structured and transparent way. It begins during vendor sourcing and selection, continues through onboarding, due diligence, and ongoing monitoring, and concludes with termination and offboarding. The TPRM lifecycle ensures that risks are identified, evaluated, managed, and tracked throughout the entire duration of the vendor relationship.
    Also known as Vendor Risk Management Lifecycle.

  • Third-Party Risk Management (TPRM) Platform

    A TPRM Platform is a software solution that centralizes and automates all activities involved in Third-Party Risk Management, including vendor onboarding, inherent risk assessments, due diligence, evidence review, ongoing monitoring, remediation tracking, and reporting. It provides a single system of record for managing vendor data, streamlining workflows, improving visibility, and ensuring consistent evaluation across the entire vendor lifecycle.

    The ProcessUnity TPRM Platform automates the entire third-party risk lifecycle, featuring standardized assessments, AI-assisted control reviews, assessment reuse, dynamic scoring, and continuous monitoring, providing organizations with complete, real-time visibility into vendor risk.

  • Threat & Vulnerability Response (TVR)

    Threat & Vulnerability Response refers to the processes used to identify, prioritize, and remediate vulnerabilities or threats affecting an organization or its third parties.

    ProcessUnity’s Threat & Vulnerability Response capabilities help organizations detect emerging risks and coordinate timely remediation actions.

  • Threat Response

    Threat Response is the coordinated action taken to investigate, contain, and resolve a confirmed or suspected threat.

    ProcessUnity provides structured workflows and automated notifications to support more efficient vendor-related threat response.

  • V (16 terms in total)
  • Validated Assessment

    A Validated Assessment is a vendor assessment that has been reviewed, attested, and approved as accurate and complete, typically aligned with recognized frameworks.

    ProcessUnity’s Global Risk Exchange includes thousands of validated assessments that organizations can rely on to accelerate due diligence.

  • Vendor Criticality

    Vendor Criticality measures the importance of a vendor to business operations or regulatory compliance. Highly critical vendors require more thorough due diligence and ongoing monitoring.

    ProcessUnity automates criticality scoring to determine appropriate assessment and monitoring levels.

  • Vendor Due Diligence

    Vendor Due Diligence is the process of evaluating a vendor’s security, compliance, and operational posture before and during the relationship.

    ProcessUnity streamlines due diligence with automated workflows, standardized questionnaires, and centralized evidence review.

  • Vendor Fatigue

    Vendor Fatigue occurs when vendors receive repetitive or excessive assessment requests from multiple customers, leading to slower response times and lower data quality.

  • Vendor Monitoring Frequency

    Vendor Monitoring Frequency defines how often a vendor should be reviewed or reassessed based on risk level, regulatory requirements, or internal policy.

    ProcessUnity automates monitoring schedules and alerts based on vendor risk tiers.

  • Vendor Offboarding

    Vendor Offboarding is the controlled process of terminating a vendor relationship, ensuring the proper removal of access, effective data management, and closure of associated risks.

    ProcessUnity automates offboarding workflows to ensure consistency and completeness.

  • Vendor Onboarding

    Vendor Onboarding is the process of evaluating, approving, and activating a new vendor relationship before the organization begins using their products or services. It typically includes collecting business and security information, performing an inherent risk assessment, completing due diligence, reviewing contracts, and confirming the vendor meets internal and regulatory requirements. Effective onboarding ensures vendors are properly vetted and ready for secure, compliant engagement.

    ProcessUnity accelerates onboarding using automated workflows, inherent risk scoring, curated vendor profiles and vendor assessment reuse through the Global Risk Exchange.

  • Vendor Risk Assessment

    A Vendor Risk Assessment evaluates a vendor’s controls, policies, and overall risk posture across cybersecurity, privacy, operational, financial, and compliance domains. It identifies potential vulnerabilities or gaps that could impact the organization and helps determine the level of oversight, remediation, or monitoring the vendor requires.

    ProcessUnity standardizes and automates the entire vendor assessment process.

  • Vendor Risk Assessment Questionnaire

    A Vendor Risk Assessment Questionnaire is a standardized set of questions used to evaluate a vendor’s controls and risk profile.

    ProcessUnity integrates multiple frameworks and templates for streamlined questionnaire delivery.

  • Vendor Risk Assessment Template

    A Vendor Risk Assessment Template is a pre-built structure used to evaluate vendor risks consistently across the organization.

  • Vendor Risk Lifecycle

    The Vendor Risk Lifecycle encompasses all stages of vendor engagement from onboarding and due diligence to monitoring, remediation, and offboarding.

    See also: Third-party Risk Management Lifecycle

  • Vendor Risk Management

    Vendor Risk Management (VRM), also known as Third-Party Risk Management (TPRM), is the discipline of identifying, assessing, mitigating, and monitoring risks associated with third-party vendors.

    ProcessUnity's Vendor Risk Management software helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial onboarding to ongoing due diligence and monitoring.

  • Vendor Risk Profile

    A Vendor Risk Profile summarizes a vendor’s overall risk posture, including inherent, residual, and ongoing monitoring data.

    ProcessUnity's Global Risk Exchange maintains real-time vendor risk profiles, providing comprehensive visibility into third-party security postures.

  • Vendor Risk Rating

    A Vendor Risk Rating is a categorical or numerical score assigned to a vendor that reflects their overall risk level based on inherent risk, due diligence results, control effectiveness, and ongoing monitoring data. Ratings are typically grouped into levels such as high, medium, or low to help organizations prioritize assessment depth, monitoring frequency, and remediation efforts. A clear risk rating system ensures consistent, repeatable evaluation across all vendors.

    ProcessUnity generates automated vendor risk ratings using standardized scoring models that incorporate inherent risk, assessment data, evidence quality, and continuous monitoring insights.

  • Vendor Risk Score

    A Vendor Risk Score is a numerical value that measures a vendor’s overall risk level based on inherent risk, security controls, due diligence results, and ongoing monitoring data. It provides an objective, data-driven way to evaluate and compare third-party risk, prioritize high-risk vendors, and determine the depth of assessment and monitoring required.

  • Vendor Tiering

    Vendor Tiering groups vendors into categories, such as high, medium, or low risk, based on their criticality and exposure level.

    ProcessUnity automates tiering rules to ensure consistent evaluation and scoring.

  • W 2 terms in total
  • Workflow

    A Workflow is a defined sequence of tasks that supports a business process such as onboarding, due diligence, or remediation.

    ProcessUnity automates workflows to improve efficiency, accuracy, and accountability.

  • Workflow Rule

    A Workflow Rule determines how tasks, approvals, or notifications are triggered within a workflow based on predefined conditions.

  • Z 1 term in total
  • Zero Day Attack

    A Zero Day Attack exploits a previously unknown vulnerability before a patch or fix is available. These attacks can cause significant damage due to the lack of existing defenses.

    ProcessUnity supports response planning and vendor monitoring workflows to help organizations quickly identify and address exposure to zero-day threats.
