Vendor Management Glossary

  • March 6, 2019
  • Quantivate

Effective vendor management is a significant undertaking. From due diligence and contract reviews to performance tracking and ongoing monitoring, maintaining reliable third-party relationships requires a structured framework for vendor management. Review some of the key steps of a successful program with this list of common vendor management terms and concepts.

Vendor Management Terms

Authentication:

The verification of the identity of an individual, system, machine, or any other unique entity

Authorization:

The process of allowing access to specific areas of a system based on the role and needs of the user

CISSP Review:

Certified Information Systems Security Professional review of the SOC report

The process of determining how important (or critical) the vendor is to the organization; drives the level of due diligence required

CPA Review:

Certified Public Accountant review of the vendor’s financial statements

Due Diligence:

The process of investigating a new or existing vendor; includes gathering important information about the vendor (e.g., financials, processes, procedures, SOC reports, and other data), performing risk assessments, and implementing a process for assessing vendors before signing contracts

Evergreen Contract:

An agreement between two parties where the contract is automatically renewed at the end of the term

Fourth Party:

A vendor’s third party or service provider

Governance:

Processes and structures implemented to communicate, manage, and monitor organizational activities

Impact:

The influence and effect of a risk

Key Control:

A primary control that is essential for a business process; typically takes place during the process it applies to

Likelihood:

The probability of a risk occurring

Mitigation Actions:

The necessary steps, or action items, to reduce the likelihood and/or impact of a potential risk

Risk:

A potential event or action that would have an adverse effect on the organization

Secondary Control:

An important control that typically takes place after the process it applies to (e.g., reporting or ongoing monitoring)

SOC Reports:

System and Organization Controls (SOC) reporting; provides assurance that the information a vendor processes remains private and confidential

Tertiary Control:

A non-essential control that can still be applied effectively to a business process

Vendor Owner:

The individual in an organization who is responsible for the vendor (typically a primary user)

Looking for a better way to manage your vendor relationships?

Explore Quantivate Vendor Management Software, designed to streamline your vendor management activities, uniting due diligence, risk assessment, contract and performance reviews, and more in a single platform.

We also offer Vendor Management Services to help get your third-party risk management off to a strong start. Learn more about how a Quantivate consultant can assist your organization with due diligence or contract reviews.