VendrIQ — third-party risk management system
VendrIQ is a TPRM solution for every vendor in your portfolio — ICT providers, legal firms, consultants, FM providers, and beyond. It transforms spreadsheet-heavy vendor risk management into a controlled and auditable environment. Every decision — vendor approval, risk tier, contract change — is recorded with a named owner, a timestamp, and a documented basis.
EU-based infrastructure
Member of ECSO
ISO 27001 certified
DORA, NIS2, and internal governance requirements each add scope. Without a system built for it, the work lands on people — and the documentation is the first thing that slips.
Eighteen months later, during a supervisory review, no one can reconstruct who approved it, what documents were checked, or whether they were current.
With multiple owners and no structured process, risk assessments vary depending on who ran them and when. There is no documented methodology to point to when a regulator asks how you classify ICT risk.
The 90-day notice window passes unnoticed. No alert, no review, no renegotiation. The vendor remains on contract terms that were never reviewed.
Board approval requires due diligence, and most teams do carry it out. The problem is that the documentation is scattered — emails, attachments, meeting notes. When a supervisory review asks for the evidence trail, it takes weeks to reconstruct.
Who approved, when, what documents were current, what the questionnaire showed — timestamped and linked to the vendor record. Producible on demand, not reconstructed after the fact.
Same questionnaire structure every time. Responses recorded. Risk tier assigned with the reviewer's name and the date — documented at the time of assessment, not reconstructed.
Notice periods, renewal dates, and SLA review windows tracked and alerted before they pass. The record of what was agreed exists independently of who currently manages the relationship.
The questionnaire, submitted documents, and approval decision are all recorded before the contract is signed. If Article 28(4) is ever tested, the evidence exists — and it predates the contract.
Need help structuring your TPRM programme? VendrIQ is available as software, managed support, or a hybrid — see the managed service option.
Preparing for a supervisory review. Onboarding a new ICT provider. Reconstructing an approval trail. The three modules below are where that work is done and where the records are produced.
1. Collect documentation, route approvals, and bring vendors into your inventory through structured questionnaires. Configurable per vendor type and compliance framework.
Records produced: Vendor profile, submitted documents, approval trail, questionnaire responses — all linked to the vendor record.
2. Assign risk tiers based on questionnaire responses and submitted documentation. Track certifications, identify concentration risk across the portfolio, and re-assess on a defined schedule.
Records produced: Risk tier per vendor, certification status, concentration risk report, assessment history with named reviewers.
3. Maintain a contract register with renewal and notice period alerts. Track SLA commitments, payment terms, and exit provisions. Every change is recorded with a named owner.
Records produced: Contract register, renewal calendar, SLA log, full change history — audit-ready on demand.
4. VendrIQ is built on Copla Registry. ICT and EBA outsourcing register data, along with FCA PS26/2 registers, are populated directly from vendor records — no re-entry. Incident classification and reporting workflows are included.
Records produced: DORA ICT Register, EBA Outsourcing register, incident reports — structured on EBA taxonomy rules, ready for supervisory use.
The detail behind each module — what it tracks, what it records, and what it produces for audit, compliance review, and regulatory use.
VendrIQ structures the intake process per vendor type and compliance framework. Pre-built questionnaire templates cover ISO 27001, SOC 2, DORA operational resilience testing requirements, and penetration test result collection — configurable per vendor type or built from scratch. A cloud infrastructure provider and a two-person legal firm don't get the same 80 questions. Every response is recorded against the vendor profile.
Every risk tier assignment is recorded with the questionnaire responses that produced it, the date, and the reviewer's name. The basis for each decision is documented at the time it is made, not reconstructed afterwards. VendrIQ tracks certifications against expiry dates and sends email alerts before they lapse. It surfaces re-assessment triggers and flags sub-processor changes — so the tier reflects the current state of the vendor, not the state at onboarding. Concentration risk is tracked across the full portfolio: if a disproportionate share of critical functions runs through a single provider, VendrIQ surfaces it. Risk domains can be weighted to reflect your organisation's priorities.
Contracts are stored in a central register with key dates extracted — renewal windows, notice periods, SLA review dates, exit provisions. VendrIQ sends email alerts before deadlines pass and records every change against the contract with a named owner. The contract record is usable by anyone on the team, not just the person who negotiated it.
The same questionnaire framework that runs pre-contract due diligence also drives scheduled re-assessments and incident follow-ups. Responses are time-stamped, linked to the vendor record, and reviewable by auditors at any point.
DORA compliance
DORA Chapter V requires EU financial entities to maintain documented processes for ICT third-party risk — covering pre-contract assessment, ongoing monitoring, and contractual controls. VendrIQ structures those processes and produces the records that supervisory review requires — mapped to what DORA actually asks for, not just labelled as compliant.
Not subject to DORA? DORA applies to EU financial entities and their critical ICT providers. Non-financial organisations may have third-party risk obligations under NIS2 or internal governance requirements. The onboarding, risk, and contract management capabilities apply regardless of regulatory status.
1. VendrIQ structures vendor records around the relational model the Register of Information (RoI) requires — providers linked to services, services linked to contracts, contracts linked to functions. The data model matches the register, not a spreadsheet approximation of it.
2. Vendors are assessed against function criticality as part of the intake process. The classification is recorded against the vendor and contract record — supporting DORA's requirement to assess and document ICT third-party risk by function.
3. The onboarding workflow runs before vendor approval. Every questionnaire response, submitted document, and approval decision is timestamped and linked to the vendor record — producing the Article 28(4) evidence trail before the contract is signed.
4. Certifications are tracked against expiry dates. Risk tiers are re-assessed on a defined schedule. Changes to sub-processors and service scope are recorded — giving visibility into the dependency chain your critical vendor relies on. The register reflects the current state of the vendor relationship, not the state at onboarding.
5. When a critical vendor reports an incident, VendrIQ captures it and triggers notifications to the relevant internal stakeholders. Incident records are linked to the vendor and contract record, feeding directly into Copla Registry for RTS-compliant incident reporting where required.
6. Article 30 requires specific contractual provisions — SLA definitions, audit rights, exit provisions, data portability. VendrIQ tracks these against each contract and surfaces alerts when provisions are approaching review or expiry.
7. Vendor records in VendrIQ feed directly into Copla Registry — ICT arrangements, EBA outsourcing register, and incident reports are populated from the same data. If you use both, you enter information once.
We offer a managed service — Copla operates VendrIQ on your behalf. We handle the intake process, run risk assessments, track certifications, manage the contract register, and produce monthly written reports. Your team retains all decisions: vendor selection, risk treatment, contract negotiation, and regulatory interpretation.
All risk assessments produced through the managed service are advisory. They are based on questionnaire responses and submitted documentation. We do not independently audit or verify certifications.
Managed TPRM — what's included
GRC platforms cover a broad range of compliance activities. VendrIQ is scoped specifically to third-party and vendor risk — onboarding, risk assessment, contract management, and the compliance outputs that follow from those. It is built on Copla Registry, so DORA ICT Register and EBA Outsourcing data is populated directly from vendor records without re-entry.
Compliance teams define requirements and make decisions. VendrIQ handles the documentation, tracking, and reminders — so the record is maintained without manual effort, and the team's time goes to judgment, not administration.
Every action in VendrIQ is recorded with a timestamp and the identity of the user who took it. Approval decisions include the questionnaire responses and documents that were current at the time. Risk tier changes include the basis for the change. The trail is not editable after the fact — it reflects what was known and decided at each point, not a retrospective account.
Yes. The operational problems — undocumented approvals, inconsistent risk assessments, missed contract renewals — exist in any organisation that relies on third-party services. DORA creates a legal obligation for financial entities, but the same discipline applies wherever vendor risk is unmanaged. Non-financial organisations may also have relevant obligations under NIS2.
Your vendor data, risk assessments, and contract records are yours. On termination, we provide a full data export within 30 days. Copla is based in Lithuania — EU jurisdiction, EU infrastructure. Standard GDPR Article 28 data processing terms and sub-processor disclosure apply from the start of the engagement.
Pricing is per entity. The exact figure depends on the size of your vendor portfolio and the scope of your implementation. There are no fixed published tiers — pricing is discussed on the call and confirmed before any commitment.
If you need to demonstrate to a regulator, an auditor, or your own management that vendor approvals followed a documented process — that’s the conversation.
We’ll tell you honestly whether what we do maps to your situation. If it doesn’t, we’ll say so.
No commitment required. Pricing discussed on the demo.