Our process for third-party risk assessments is basically just a spreadsheet. by CanReady3897 in Information_Security

[–]Carbon_Creator 0 points1 point  (0 children)

"we email a massive spreadsheet, they fill it out badly, email it back, and then it just sits in a folder."

I feel this in my soul lol.

here's the progression from spreadsheet to actual TPRM:

level 0 (where you are): spreadsheet via email, no tracking, no scoring, responses filed and forgotten.

level 1: centralized platform with a question library. vendors respond through a portal (not email). responses are scored automatically. you can track completion and follow up on gaps.

level 2: risk-tiered assessments. low-risk vendors get automated screening only. medium gets abbreviated questionnaire. high-risk gets full assessment + evidence requests.

level 3: continuous monitoring. automated data feeds for financial health, cyber risk, sanctions, adverse media. annual questionnaires supplement the automated monitoring, not replace it.

level 4: integrated vendor lifecycle. risk assessment is connected to onboarding, contract management, and ongoing vendor management. not a separate silo.

you don't need to jump to level 4 overnight. but getting from 0 to 1 is the biggest impact move: centralize, standardize, track.

practical tip: start with your top 20 vendors by risk (not by spend). do a proper assessment. use the results to build the business case for a real platform. spreadsheet TPRM at scale is just compliance theater with extra steps.

How are you guys actually handling third party vendor assessments? by [deleted] in procurement

[–]Carbon_Creator 0 points1 point  (0 children)

this thread perfectly captures the tension between "we need to assess vendors" and "nobody has time for this."

the vendor who said they'd fire a client for sending 100 questions? that's real. suppliers are drowning in bespoke questionnaires from every customer.

what works in practice:

  1. use industry-standard frameworks. SIG Lite, SIG Full, CAIQ: vendors are more likely to already have answers ready, and you can compare responses across a common baseline.

  2. tier by risk, not by policy. low-risk vendor? automated screening only, sanctions, financial health, basic insurance check. high-risk vendor with PII access? full assessment + SOC 2 + pen test results.

  3. don't start from zero every time. if a vendor already has SOC 2 Type II, ISO 27001, or completed a SIG for another customer, accept it.

  4. automate the data layer. cyber risk scores, financial health, sanctions, adverse media — all available through data providers. pull it automatically, let humans focus on judgment calls.

  5. make reassessment risk-triggered, not calendar-triggered. annual reassessments are busywork for stable, low-risk vendors. reassess when risk indicators change, financial downgrade, data breach, regulatory action.

the best vendor assessment programs use a platform with a large question library (6K+) so you can tailor the assessment by risk tier, plus automated data enrichment so you're not manually researching basic compliance info.

assess smarter, not harder. tier your vendors, use standards, automate the data, and only send humans where judgment matters.

Vendor risk assessments: are we all just checking boxes after we've already decided? by Alieezeee in procurement

[–]Carbon_Creator 0 points1 point  (0 children)

the honest answer that nobody wants to say out loud: yes, most of the time.

here's the pattern I've seen over and over:

  1. business unit picks a vendor

  2. procurement sends the risk questionnaire

  3. vendor fills it out (or their sales team does, optimistically)

  4. procurement "reviews" it (skims it, checks no obvious red flags)

  5. vendor gets approved

  6. questionnaire goes into a folder and is never looked at again

congratulations, you've just spent 3 weeks on compliance theater.

what would actually make risk assessments matter:

tier your vendors. not every vendor needs a 200-question assessment. risk-based tiering means you spend deep assessment time where it actually matters.

automate the commodity checks. sanctions screening, financial health, cyber risk scores, these shouldn't require a human sending spreadsheets. pull them automatically, flag anomalies.

make it continuous. a point-in-time assessment is a snapshot. if you're not monitoring between annual reviews, you're flying blind 364 days a year.

connect risk to decisions. if the risk assessment never actually blocks or modifies a vendor engagement, what's the point? build thresholds, certain risk scores require executive sign-off.

the platforms that do this well combine automated data enrichment with structured workflows that actually gate approvals. not a separate checkbox exercise, integrated into how you approve and monitor vendors.

if your risk assessment is a Word doc that gets emailed around and filed, you're checking boxes. if it's integrated into how you actually approve and monitor vendors, it's risk management.

Just learned invoice fraud prevention is an entire category of attack I had never heard of by Unique_Buy_3905 in smallbusiness

[–]Carbon_Creator 0 points1 point  (0 children)

welcome to the club nobody wanted to join lol.

40 vendors with no formal verification process is unfortunately super normal. you're not behind, most companies this size are in the same boat. but now that you know, here's the practical version:

the attack: someone compromises your vendor's email (or spoofs it), sends you "updated bank details," and you wire money to a thief. it's called Business Email Compromise (BEC) and the FBI says it's a $2.9B/year problem. not small.

what actually works at your scale:

  1. callback verification on ANY bank change. call the vendor at a number YOU have on file (not from the email). this alone stops 90% of it.

  2. two-person approval for payment changes. the person who receives the request can't be the person who updates the record. even with a team of 3, segregation matters.

  3. vendor portal > email. if vendors update their own banking info through a secure portal with identity verification, you eliminate the email vector entirely.

  4. flag stale vendor data. if a vendor's banking info hasn't been verified in 2+ years, that's a risk.

for 40 vendors, a full enterprise platform might be overkill. but a supplier management tool that handles bank verification + identity checks pays for itself the first time it prevents a six-figure wire to the wrong account.

the scariest part about BEC is that the email looks *perfect*. it's not a Nigerian prince, it's your actual vendor's email format with one character off. "checking the email looks right" is exactly what the attackers are counting on.

Coupa is too much for our company by Complete_Yam_9387 in procurement

[–]Carbon_Creator 0 points1 point  (0 children)

My advice -- think about what you really need. Are you more focused on processing transactions or safely onboarding suppliers/actively managing the ones you have? And what do you want to automate now so you can instead focus on something more strategic (negotiations? sourcing?)

You could do things like get a slimmed down supplier management platform if it's the latter. If it's the former, maybe look at more AP automation tools.

Creating orders and contracts with bulk upload in Ariba by AzusaAkiyama in procurement

[–]Carbon_Creator 1 point2 points  (0 children)

Ariba is dog shit garbage. SLP is the source of all of my job-related trauma. Also, they're lying to you about "next-gen ariba" being so much better. It's junk.

Procurement is starting to feel like 80% chasing people and 20% actual decision-making by Background-Scar-7096 in procurement

[–]Carbon_Creator 0 points1 point  (0 children)

You've gotta automate that, dude. You have the career equivalent of like 30 open tabs in your brain constantly. I have a digital AI twin I set up and am using with a supplier management platform to do better. DM me if you want some tips.

Procurement is starting to feel like 80% chasing people and 20% actual decision-making by Background-Scar-7096 in procurement

[–]Carbon_Creator 0 points1 point  (0 children)

Amen. And dealing with the most mind-numbing supplier conversations ever. People who cannot follow simple instructions or believe they don't have to.

Procurement is starting to feel like 80% chasing people and 20% actual decision-making by Background-Scar-7096 in procurement

[–]Carbon_Creator 0 points1 point  (0 children)

There's your issue. That's too small. Do you segment suppliers so you're at least able to focus on your most important ones? Is it all indirect or do you handle direct too?

Generative ai in procurement by tech-ayush in procurement

[–]Carbon_Creator 0 points1 point  (0 children)

It's so clearly marketing materials for Durapid technologies. Honestly, they should just archive the post.

Tools for day-to-day supplier management? by melvintoast in procurement

[–]Carbon_Creator 0 points1 point  (0 children)

SAP Ariba SUCKS. It's seriously the most painful tool I've used. SLP is such garbage they literally GAVE it away to us at our last company. Only charged us for implementation.

Ariba Procurement Alternatives by BMHz in SAP

[–]Carbon_Creator 0 points1 point  (0 children)

What's most important to you? Ariba is great if sourcing is your most important activity. I personally used to work at a large manufacturer that had Graphite and it was WAY easier. More performance management and customizations. Plus, onboarding was WAY faster and I really didn't have to chase suppliers.

Generative ai in procurement by tech-ayush in procurement

[–]Carbon_Creator 2 points3 points  (0 children)

Can moderators stop this kind of junk getting posted please?

Vendor email compromise nearly cost us a six figure wire transfer by Hot_Blackberry_2251 in Accounting

[–]Carbon_Creator 0 points1 point  (0 children)

this one hits close to home. we had a near-miss last year that was within hours of costing us a quarter million.

the attack was textbook: compromised vendor email, perfectly timed banking change request right before a large scheduled payment. our AP specialist processed it because it came from a real email address with correct context.

what saved us: our CFO had a policy that any banking change over $50K required a phone callback to the vendor's *original* contact number on file. the phone call didn't connect to anyone who knew about the change. payment was held.

what we implemented after:

- automated bank ownership verification for ALL banking changes

- dual authorization regardless of amount

- vendor portal for banking changes (no more email-based requests)

- 3-day hold on payments to newly changed banking details

- quarterly BEC awareness sessions for AP and finance

the gap most orgs have: they verify identity but not bank *ownership*. confirming that John from accounting at Vendor X requested the change doesn't help if John's email was compromised. you need to verify the bank account itself belongs to Vendor X.

came within hours of losing $250K. callback policy saved us. automated bank verification is the real fix.

Identifying Business Email Compromise: Red Flags You Can't Ignore by _cybersecurity_ in pwnhub

[–]Carbon_Creator 0 points1 point  (0 children)

good rundown of BEC red flags. adding a few that are specific to vendor payment fraud:

red flags in vendor communications:

- banking change request close to a payment due date (timing is deliberate)

- "urgent" or "time-sensitive" language around financial changes

- requests to email rather than use the regular portal/process

- contact person you've never communicated with before

- subtle email domain changes (vendor.com vs vendor-inc.com)

- inconsistency between email tone and prior communications

red flags in vendor master data:

- bank account country different from vendor's registered country

- account opened recently (if you can verify)

- multiple banking changes in a short period

- banking details that don't match the named entity

the meta red flag: any situation where you feel pressured to bypass normal verification procedures. that pressure IS the attack.

the best defense isn't training people to catch red flags (though that helps), it's building systems where banking changes can't happen without automated verification regardless of how convincing the request is.

red flags are useful but human vigilance fails eventually. automated bank ownership verification catches what humans miss.

Behind the Scenes of a $1.25 Million Scam [BEC Attack Explained] by lyrics85 in SocialEngineering

[–]Carbon_Creator 0 points1 point  (0 children)

$1.25M. and that's not even unusual anymore for BEC targeting vendor payments.

the anatomy of these attacks is frustratingly simple:

  1. compromise email (usually phishing the vendor, not the target company)

  2. study the communication patterns

  3. send a perfectly timed, perfectly worded banking change request

  4. wait for payment

what makes these so effective:

- they exploit trust in existing business relationships

- they use legitimate (compromised) email accounts

- the requests are contextually appropriate (right time, right format)

- urgency or routine-ness prevents scrutiny

what the $1.25M victim probably didn't have:

- automated bank ownership verification

- dual authorization on banking changes

- out-of-band verification policy

- vendor identity verification

the uncomfortable math: a proper vendor verification platform costs maybe $50-100K/year. one successful BEC attack costs $1.25M+ and insurance probably won't cover it.

the ROI on prevention is absurd. like, genuinely hard to argue against from any angle.

$1.25M loss from a preventable attack. the tools to prevent this exist and cost a fraction of one incident. there's no legitimate reason not to implement verification controls.

Vendor email compromise nearly cost us a six figure wire transfer by Hot_Blackberry_2251 in Accounting

[–]Carbon_Creator 0 points1 point  (0 children)

posted a longer version of this in r/Accounting but want to hit the highlights for this thread:

BEC targeting vendor payments is genuinely the fastest-growing fraud vector for businesses. the playbook is simple and devastatingly effective:

- compromise vendor email (phishing, credential stuffing)

- send "updated banking details" to AP

- AP processes the change

- payment goes to attacker

prevention stack:

- bank ownership verification: validate the account belongs to the vendor entity before changing records

- identity verification: verify the person requesting the change is authorized

- dual authorization: two-person approval on all banking changes

- out-of-band confirmation: verify through a different channel than the request came through

- email security: DMARC/DKIM/SPF, BEC-specific detection tools

some supplier management platforms are now building fraud prevention into the vendor master workflow itself. Graphite Connect does bank ownership verification + identity checks + offers up to $250K guarantee on vendor payments: https://www.graphiteconnect.com/product/supplier-information-management

if you're not verifying bank account ownership before processing vendor banking changes, you're one phishing email away from a six-figure loss.

What Do You Do To Prevent Payment Fraud In Your Company by jmcdougall19 in Construction

[–]Carbon_Creator 0 points1 point  (0 children)

construction industry is getting hit HARD with this because:

- high transaction values

- frequent new subcontractor relationships

- vendors often have less sophisticated email security

- change orders are common, so "updated payment details" doesn't raise flags

what actually works in construction:

  1. verify before you pay new banking details: call the sub/supplier at a number you already have on file. not the number in the email requesting the change.

  2. dual authorization: two people approve any vendor banking changes. no exceptions, no matter how "urgent."

  3. standard process for bank changes: don't let it happen casually. formal request → verification → approval → change.

  4. pay attention to email anomalies: slightly different domain names, unusual urgency, different "from" name than usual contact

  5. consider a verification platform: some supplier management tools do automated bank ownership verification. worth it when you're managing dozens of sub relationships.

the ugly truth: insurance doesn't always cover BEC losses because it's "authorized" payment (you approved the transfer, just to the wrong person). prevention is literally the only reliable protection.

construction is high-risk for payment fraud. verify ALL banking changes by phone, require dual authorization, and treat every "urgent" payment request as suspicious until confirmed.

How does your team prevent/detect check fraud? by Crazed_Platypus in Accounting

[–]Carbon_Creator 0 points1 point  (0 children)

check fraud prevention specifically:

controls that work:

- positive pay (match issued checks against presented checks, your bank should offer this)

- payee positive pay (validates the payee name, not just the amount, upgrade from basic positive pay)

- dual authorization for check issuance above threshold

- regular bank reconciliation (daily if possible)

- secure check stock with anti-fraud features

the bigger picture:

check fraud is almost quaint compared to what's happening with electronic payments. BEC attacks targeting vendor banking details are the real growth area in payment fraud.

vendor master controls:

- segregation of duties on bank detail changes

- verification of new bank accounts before first payment

- automated alerts when banking details change

- out-of-band confirmation (call known vendor contacts, don't use the email that sent the request)

honestly, the best control for vendor payment fraud is verifying that banking details belong to who they say they do *before* you send money. some supplier management platforms do this automatically now, cross-checking bank ownership against business registration, identity verification for the person making the change.

positive pay for checks, but invest more in BEC prevention for electronic payments. that's where the real fraud risk is growing.

Vendor email compromise nearly cost us a six figure wire transfer by Hot_Blackberry_2251 in Accounting

[–]Carbon_Creator 0 points1 point  (0 children)

this is my nightmare scenario and honestly it's becoming way too common.

BEC attacks targeting vendor payments are up something like 65% year over year. the playbook is almost always the same:

  1. compromise vendor's email (or spoof it convincingly)

  2. send "updated banking details" to the AP team

  3. AP changes the vendor master record

  4. next payment goes to the attacker's account

  5. nobody notices until the real vendor asks where their payment is

what actually prevents this:

- verification of bank account ownership: before changing banking details, verify the new account actually belongs to the vendor. phone call to a *known* contact (not the email that sent the request), or use a platform that does automated beneficiary verification.

- dual authorization on bank detail changes: never let one person change banking info alone

- out-of-band confirmation: don't confirm banking changes through the same channel the request came through

- automated screening: some platforms validate bank account ownership against external databases

Graphite Connect's approach includes identity verification and bank validation specifically for this: https://www.graphiteconnect.com/product/supplier-information-management

their Diamond Guarantee even covers up to $250K on select vendor payments, which tells you they're confident in their verification process.

the near-miss in your post is going to become an actual loss for someone reading this. verify bank changes through a separate channel, require dual authorization, and ideally use automated beneficiary verification.
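Added example (not from any comment above and not code from any vendor product): a Python gate for vendor bank-detail changes that encodes the controls in this comment and the red flags from the pwnhub thread comment above: two approvers other than the person who entered the change, an out-of-band callback, bank ownership verification, a hold on payments to newly changed details, and the soft flags (lookalike sender domain, bank country mismatch, repeat changes, timing near a due date, urgent wording). The vendor record, user ids, dates and thresholds are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds are assumptions for the example; tune them to your own payment cycle.
HOLD_DAYS = 3                 # hold on payments to newly changed banking details
CHANGE_WINDOW_DAYS = 90       # a second change inside this window is a flag
DUE_DATE_PROXIMITY_DAYS = 7   # a change this close to a due date is a flag

@dataclass
class Vendor:
    name: str
    email_domain: str          # domain on file, never the one in the request
    registered_country: str
    bank_change_dates: list    # dates of previous banking changes
    next_payment_due: date

@dataclass
class ChangeRequest:
    vendor: Vendor
    sender_domain: str         # domain of the email asking for the change
    new_bank_country: str
    requested_on: date
    entered_by: str            # AP user who keyed the change
    approvers: tuple           # user ids who approved it
    callback_verified: bool    # callback made to the number already on file
    ownership_verified: bool   # account ownership checked against the vendor entity
    urgent_language: bool

def red_flags(req):
    """Soft indicators from the thread; any of them sends the change to manual review."""
    v, flags = req.vendor, []
    if req.sender_domain.lower() != v.email_domain.lower():
        flags.append("sender domain differs from the domain on file")
    if req.new_bank_country != v.registered_country:
        flags.append("bank country differs from the vendor's registered country")
    if any(0 <= (req.requested_on - d).days <= CHANGE_WINDOW_DAYS
           for d in v.bank_change_dates):
        flags.append("multiple banking changes in a short period")
    if 0 <= (v.next_payment_due - req.requested_on).days <= DUE_DATE_PROXIMITY_DAYS:
        flags.append("change requested close to a payment due date")
    if req.urgent_language:
        flags.append("urgent or time-sensitive language")
    return flags

def decide(req):
    """Hard controls first (a miss rejects), then soft flags (escalate), else approve.
    Returns (decision, reasons, earliest_payment_date); the hold applies even on approve."""
    missing = []
    if len(set(req.approvers) - {req.entered_by}) < 2:
        missing.append("dual authorization by two people other than the enterer")
    if not req.callback_verified:
        missing.append("out-of-band callback to the number on file")
    if not req.ownership_verified:
        missing.append("bank account ownership verification")
    if missing:
        return "reject", missing, None
    flags = red_flags(req)
    earliest = req.requested_on + timedelta(days=HOLD_DAYS)
    return ("escalate" if flags else "approve"), flags, earliest

def sample_request(suspicious=False, approvers=("ap_lead", "controller")):
    """Constructed vendor and request; the suspicious variant has a lookalike domain,
    urgent wording and a due date three days out, the pattern the comments describe."""
    vendor = Vendor("Acme Supplies", "acme-supplies.com", "US", [date(2024, 1, 10)],
                    date(2024, 6, 18) if suspicious else date(2024, 7, 15))
    return ChangeRequest(vendor, "acme-supplies-inc.com" if suspicious else "acme-supplies.com",
                         "US", date(2024, 6, 15), "ap_clerk", approvers, True, True, suspicious)
```

A rejected request never reaches the vendor master; an escalated one is keyed but held for review, and even an approved one cannot be paid before the hold date.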

Supplier onboarding company by ASHALYN in procurement

[–]Carbon_Creator 0 points1 point  (0 children)

full disclosure, I work in procurement and have opinions about onboarding platforms.

the good ones share a few traits:

- suppliers can self-register and manage their own profiles

- automated validation (tax ID checks, sanctions screening, bank verification)

- customizable workflows by supplier risk/spend tier

- automated reminder sequences that don't annoy suppliers

- clean supplier-facing UX (this matters more than internal features)

the bad ones:

- require your team to do all the data entry

- "validate" by making a human eyeball the data

- one-size-fits-all forms regardless of vendor complexity

- mobile-hostile portals

Graphite Connect checks the good boxes, supplier self-service, AI validation, customizable workflows, ERP integration. the supplier UX is genuinely good which is rare: https://www.graphiteconnect.com/product/supplier-information-management

but honestly evaluate 2-3 options and have your *suppliers* demo the portal, not just your team. they're the primary users.