DataVisuals: The decision governance company

Workflow 05 — Decision Governance

Vendor & third-party risk.

Governed third-party decisions — onboarding, due diligence, incident response, and offboarding — with named owner and evidence.

Tier: Material
Primary role: Chief Risk Officer
Available in: Starter+

What goes wrong without it

Due diligence ages out

SOC 2 reports, financial reviews, and insurance certs often expire without anyone seeing the gap.

Critical vendor incidents

When a vendor has an outage or breach, response coordination is reactive instead of pre-decided.

Concentration blind spots

When multiple workflows depend on the same vendor, that concentration often isn't visible until something fails.

The shared decision anatomy

Every workflow follows the same five steps. Here’s how vendor & third-party risk uses them, with the artifact captured at each step.

01 Signal
New vendor request, periodic review trigger, vendor incident, or contract renewal. Core processor renewal triggers full due-diligence refresh.
→ Vendor event record
02 Owner
Business owner for the relationship; Vendor Risk for due diligence; CRO for critical vendors. Tiering drives who has to sign off.
→ Owner + tier
03 Decision
Approve / condition / decline, with due diligence findings and risk acceptance documented.
→ Vendor decision memo
04 Action
Onboarding, monitoring cadence, or offboarding steps tracked to completion.
→ Action log
05 Outcome
Vendor performance and incidents tied back to original tier and risk acceptance.
→ Outcome record

What you’ll see

A live view of every item, its owner, its deadline, and the evidence behind its current status.

Third-party risk register — Q2 2026 (sample)

Active vendors: 184
Critical tier: 12
Overdue DD: 4
Open incidents: 1

ID | Vendor / event | Owner | Due | Status
VND-302 | Core processor — SOC 2 refresh | L. Kowalski | May 15 | Overdue
INC-018 | Card processor outage, 4hr | L. Kowalski | May 27 | RCA pending
VND-298 | Loan origination platform renewal | P. Walsh | Jul 12 | DD in progress
VND-291 | Marketing analytics — offboarding | P. Walsh | May 01 | Closed

Evidence captured

Due diligence package
Tier + risk acceptance
Decision rationale
Incident response log
Periodic review history
Contract + amendments

Built for the Chief Risk Officer

Replaces the vendor inventory spreadsheet, the due-diligence shared drive, and the incident email chain. Gives the CRO one third-party record with tier, evidence, and incident history in one place.

Apex linkage

Strategic & Board Decisions inherit operational evidence from this workflow. Decisions made here flow upward to the apex layer automatically — a board-level capital, risk-appetite, or strategic-plan decision ties back to the operational record beneath it.

How to start

Per-workflow subscription is the entry point. Subscribe to the vendor & third-party risk workflow at listed price and onboard in days, not weeks. For multi-workflow scope or apex linkage, talk to us about the Risk Bundle or Enterprise tier.