3 ways to use Osano Vendor Risk Management

  • by Matt Davis
  • · posted on February 3, 2023
  • · 5 min read
3 ways to use Osano Vendor Risk Management

No person is an island, and neither are businesses. Every business relies on a small galaxy of vendors to accelerate its development process, improve its service delivery, manage human resources, scope deals, track candidates, and more.

Managing those vendors is a tall order. Fortunately, Osano’s Vendor Risk Management solution can help with the privacy aspects of this task. Read on to find out more about vendor risk management in general, examples of vendor risk management, and how Osano can help. 

What is the discipline of vendor risk management?

Gartner defines vendor management as the “discipline that enables organizations to control costs, drive service excellence, and mitigate risks to gain increased value from their vendors throughout the deal life cycle.” To zoom in even closer, we might consider the subfield of third-party risk management, which deals with minimizing the risk that a vendor relationship could adversely affect a company’s data, finances, operations, reputation, and so on.

How does Osano’s Vendor Risk Management solution fit into these definitions? Using Osano, privacy and procurement professionals can minimize and manage the privacy risks that arise from using vendors. Vendor and third-party risk management involve a spectrum of tasks, some of which require human expertise and some of which require a dedicated tool. When it comes to assessing the privacy aspect of vendor management, a dedicated tool is sorely needed.

For those new to privacy, having a systematized tool that formalizes the vendor assessment process is essential. But even experienced privacy professionals who are well-versed in managing their vendors’ privacy risk can benefit from a vendor privacy management tool like Osano. Here’s why.

Read our introductory guide and take your first steps towards better protecting  your organization from the fines, penalties, and bad press that come with  privacy law violations.

The core pain of managing vendor privacy risk

Whether you’re a privacy professional or have added privacy to your job responsibilities, the core pain of vendor risk management remains the same: being perceived as a blocker in the organization rather than an enabler.

The development team says they need this tool; sales promises they could close more deals if they had access to this one platform; operations knows they could be more efficient if they could get everybody off of legacy systems and onto better alternatives. The different teams at your organization have all landed on which solutions are best for their problems, but you need to review the data privacy implications first.

The pace of the review process alone can ruffle some feathers, but there’s also the complication of what your review finds. The critical development tool, revenue-generating sales platform, hyper-efficient new operations ecosystem? Maybe they all create data privacy risks that threaten to expose your customers’ personal information in a leak and are just asking for unwanted attention from your local privacy regulators. Even when privacy concerns are considered early on in the review process, there’s certain to be some friction when a solution checks every box but fails miserably on data privacy.

To a certain extent, these issues result from assessing vendors in a manual fashion. Privacy professionals that take their time to assess vendors for privacy risk wind up creating an even greater sense of disappointment if the organization’s top pick is disqualified. They might feel compelled to rush this process along, which makes it more likely that they’ll miss something and introduce undue privacy risk. When you’re working through a multitude of spreadsheets and email chains, speed and accuracy will always be left wanting.

Here’s how Osano's Vendor Risk Management flips this on its head by increasing the speed and efficacy of privacy reviews.

3 vendor risk management example tasks that frustrate privacy professionals

Osano’s global team of legal privacy experts is continually monitoring the privacy landscape and evaluating over 14,000 vendors. Assisted with machine learning technology and a 163-item ontology, the team generates a single number that scores a vendor’s privacy risk. 

When you use Osano Vendor Risk Management, you gain access to a vendor’s privacy score, granular insights into the factors contributing to that score, and a suite of features that support further vendor assessments. Through these capabilities, here are three vendor risk management examples of how you can improve how your organization evaluates vendors for privacy.

1. Develop a shortlist of vendors

When privacy professionals work with their line-of-business buyers early on, they’re able to direct the team toward the solutions that are acceptable from a data privacy perspective. You might start with an entire category’s worth of vendors—using Osano, you can build a shortlist consisting only of those vendors who excel from a data privacy perspective. Since privacy can be a go or no-go factor during a vendor evaluation, using it to filter for vendors first before diving into other considerations just makes sense.

2. Accelerate the vendor assessment process

Submitting vendor questionnaires can be a frustrating process for everybody involved. For privacy professionals, vendor questionnaires are an essential method to identify whether and how personal information will be managed within that vendor relationship—so it’s more than a little annoying if it takes weeks or months to get a response.

For vendors, the issue is reversed; they can be overwhelmed by the number of more or less identical questionnaires they need to complete, many of which aren’t even for organizations that will become customers.

Using Osano's Vendor Risk Management, privacy professionals can gain many of the answers they’re looking for. When a vendor scores poorly in a given area, privacy professionals can tailor their questionnaires to drill down into those problem areas. This way, privacy professionals get answers faster, and vendors have fewer repetitive questions to respond to.

3. Distribute ongoing assessments from a centralized location

Privacy is a perpetually evolving field, both in terms of the regulatory landscape as well as the internal data processing activities taking place within your organization and vendor ecosystem. It’s essential for privacy professionals to intermittently monitor their vendors as their privacy and data processing practices change.

If you’re taking a manual approach to vendor monitoring, you’ll struggle to: 

  • Properly version spreadsheets and other documents.
  • Keep track of which vendors have or have not responded or which vendors you have or have not contacted.
  • Properly store vendor assessments in a centralized location.


Using Osano for vendor assessments directly addresses each of these limitations. Osano features vendor assessment templates you can use for your questionnaires, emails your vendors once you’re ready to send out your assessment, keeps track of who has responded to which questions, and stores all of these responses in the same secure, centralized location where your other compliance information lives. The result is a sustainable, scalable vendor management process for the long term.

Escape the spreadsheet jungle

The most effective privacy professionals are able to ensure that their vendors don’t introduce undue compliance risk and do so without introducing undue friction into their procurement process. This is pretty difficult when your only tools for assessing vendors for privacy risk are spreadsheets and email, especially in the examples mentioned above.

Schedule a demo of Osano today and discover how to be an enabler for your organization.

New call-to-action

Matt Davis

About The Author · Matt Davis

Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.