Your compliance dashboard is quietly ignoring your vendors
Traditional vendor assessments end their life in a folder. The questionnaire comes back, gets filed, and never touches your live compliance posture — so your dashboard glows green while a third party's lapsed controls sit unaccounted for. Here is the gap, and what Raize Orion does differently.
Here is a scene that plays out in most companies. Procurement onboards a new vendor. Security sends over a questionnaire — a 100-row spreadsheet, or a SIG, or a CAIQ. The vendor fills it in. It comes back. Someone skims it, nods, drops it in a shared drive folder named "Vendor Security" that nobody will ever open again, and marks the ticket done.
That assessment is now dead. It captured a single moment, answered a single time, and from that point forward it has zero connection to your live security posture. Your compliance dashboard — the one the CISO checks, the one that says 94% — has no idea that vendor exists, let alone that the SOC 2 report they attached expired two months ago.
The traditional vendor-assessment lifecycle is a graveyard
- Send the questionnaire (email attachment or a portal that emails a link).
- Chase the vendor for three weeks.
- Receive the responses.
- Skim them; maybe flag one or two answers.
- File the document.
- Never look at it again until an auditor asks "how do you manage third-party risk?" and you go digging.
Every step treats the assessment as an event to be completed, not a signal to be tracked. The output is a static document, and a static document never appears on a dashboard, carries no expiry date of its own, and does not raise its hand when the facts behind its answers change.
Why your dashboard does not know
Compliance dashboards are built around your controls — your access reviews, your encryption, your incident response. Vendor risk lives in a different universe: it is about someone else's controls, captured in a format your dashboard was never designed to read. So three disconnects open up:
- The assessment is never scored into anything. A pile of free-text answers is not a number, and dashboards speak in numbers. The risk the assessment revealed simply never enters your posture.
- Nothing tracks expiry. A vendor's SOC 2 report covers a period that ends. Their certifications lapse. Their answers go stale. A filed PDF has no concept of "this is now out of date."
- It is not linked to your risk register. The assessment found that a critical vendor stores your customer data unencrypted at rest — and that finding lives in a spreadsheet cell, not as a tracked, owned, treated risk.
The risk this actually hides
This is not a tidiness complaint. Third-party compromise is a common way companies get hurt, and the early warning is often already sitting in an assessment nobody re-read. The lapsed certification. The "we plan to encrypt that next quarter." The sub-processor the vendor quietly added six months after you assessed them. Each one is a signal that existed, was captured, and then went dark because the process had no way to keep it alive.
What "properly tracked" looks like
Vendor risk is continuous, so it has to be treated like every other continuous control — surfaced, scored, owned, and re-checked. Properly tracked, a vendor assessment:
- Produces a score, not just a stack of answers — so it can feed your risk posture and be compared across vendors.
- Links to your risk register, so a concerning answer becomes a tracked, owned, treated risk with a remediation path — not a cell in a dead spreadsheet.
- Surfaces on the dashboard alongside your own controls, so third-party exposure is part of the posture you actually look at.
- Carries expiry and re-assessment dates, so a lapsed certification or an overdue re-review raises its hand automatically.
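To make the four properties above concrete, here is a small Python model of a tracked vendor assessment. It is an added illustration, not Raize Orion's code and not a description of how the platform scores; the control weights, the answer scale, the 90-day grace window after a SOC 2 report period (the gap a bridge letter conventionally covers), the two vendors and the as-of date are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed control weights: how much a "no" on each control moves the score.
WEIGHTS = {"encryption_at_rest": 3, "soc2": 3, "mfa": 2, "subprocessor_notice": 1}
# Constructed answer scale: 0 = control in place, 1 = control absent.
ANSWER_SCORE = {"yes": 0.0, "partial": 0.5, "no": 1.0}

@dataclass
class Assessment:
    vendor: str
    completed: date                 # date the questionnaire came back
    answers: dict[str, str]         # control -> "yes" | "partial" | "no"
    cert_period_end: date | None    # end of the period the SOC 2 report covers
    review_interval_days: int = 365 # how long before a re-assessment is due

@dataclass
class Finding:
    vendor: str
    control: str
    severity: str
    detail: str

def risk_score(a: Assessment) -> float:
    """Weighted score from 0 (every control in place) to 100 (every control absent).
    A control the vendor did not answer counts as 'no'."""
    total = sum(WEIGHTS.values())
    raw = sum(w * ANSWER_SCORE[a.answers.get(c, "no")] for c, w in WEIGHTS.items())
    return round(100 * raw / total, 1)

def findings(a: Assessment, today: date, cert_grace_days: int = 90) -> list[Finding]:
    """Turn concerning answers and stale evidence into register-ready findings."""
    out: list[Finding] = []
    for control, weight in WEIGHTS.items():
        ans = a.answers.get(control, "no")
        if ANSWER_SCORE[ans] > 0:
            sev = "high" if weight >= 3 else "medium"
            detail = "unanswered" if control not in a.answers else f"answered {ans!r}"
            out.append(Finding(a.vendor, control, sev, detail))
    # Evidence expiry: a report period that ended more than the grace window ago is stale.
    if a.cert_period_end is None:
        out.append(Finding(a.vendor, "soc2", "high", "no report period recorded"))
    elif today > a.cert_period_end + timedelta(days=cert_grace_days):
        out.append(Finding(a.vendor, "soc2", "high",
                           f"report period ended {a.cert_period_end}, no bridge letter"))
    # Re-assessment cadence: the assessment itself goes stale too.
    if today > a.completed + timedelta(days=a.review_interval_days):
        out.append(Finding(a.vendor, "reassessment", "medium", f"last assessed {a.completed}"))
    return out

def posture(assessments: list[Assessment], today: date) -> dict[str, dict]:
    """What a dashboard row per vendor would carry: score, open findings, overdue flag."""
    view = {}
    for a in assessments:
        fs = findings(a, today)
        view[a.vendor] = {
            "score": risk_score(a),
            "open": len(fs),
            "overdue": any(f.control == "reassessment" for f in fs),
        }
    return view

# Constructed sample data and a fixed as-of date so the run is deterministic.
TODAY = date(2024, 11, 15)
ACME = Assessment("Acme", date(2024, 5, 1),
                  {"encryption_at_rest": "partial", "soc2": "yes", "mfa": "yes",
                   "subprocessor_notice": "yes"},
                  cert_period_end=date(2024, 3, 31))
GLOBEX = Assessment("Globex", date(2023, 6, 1),
                    {"encryption_at_rest": "no", "soc2": "yes", "mfa": "partial"},
                    cert_period_end=None)

if __name__ == "__main__":
    for vendor, row in posture([ACME, GLOBEX], TODAY).items():
        print(vendor, row)
    for f in findings(ACME, TODAY) + findings(GLOBEX, TODAY):
        print(f"{f.vendor}: [{f.severity}] {f.control}: {f.detail}")
```

The point of the model is the shape, not the numbers: a filed questionnaire gives you none of `score`, `open` or `overdue`, whereas here Acme's otherwise good answers still produce a high finding because its SOC 2 period ended in March and nothing covers the gap, and Globex is flagged for an unanswered control and an overdue re-review rather than quietly aging in a folder.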
What Raize Orion does differently
Vendor assessments in Raize Orion are not a document you file. They are a first-class object in the same system that runs the rest of your compliance programme.
- Assessments are delivered through a scope-bounded, token-gated link (CAIQ-Lite, SIG-Lite, or a basic security questionnaire) — the vendor completes it in the browser, no account, no email-attachment ping-pong.
- Responses are scored, so each vendor carries a comparable risk number rather than an unread wall of text.
- Concerning answers flow into the vendor risk register, where they become tracked, owned risks with treatment plans — connected to the same risk model as everything else.
- Vendor risk surfaces on the live compliance view rather than dying in a folder, so third-party exposure is part of the posture you monitor.
- Re-assessment reminders fire automatically, so an expiring certification or an overdue review is raised before it becomes the gap in an incident post-mortem.
The principle underneath it is simple: a vendor assessment is not a form you complete, it is a risk signal you maintain. Treat it like a living control and your dashboard finally tells the truth about your whole attack surface — not just the part you own.
Want to see the platform?
10-day trial at /pricing. All 13 connectors and all 6 frameworks enabled.