Documentation menu

DOCUMENTATION

Vendor risk

Third-party risk runs in two directions, and EquanimGRC handles both: assessing the vendors you depend on, and answering the security questionnaires your customers send you. The same questionnaire engine and the same store of answers serve both sides.

Vendor inventory and risk tiers

Each vendor is a record you track over time, carrying a risk tier — low, medium, high, or critical. The tier is not a guess: when you assess a vendor, EquanimGRC scores their questionnaire answers into a 0–100 risk score, derives the tier from that score, and produces findings and recommendations alongside it. As newer assessments come in, the vendor's tier updates, so your inventory reflects current standing rather than a one-time intake.

Security questionnaires

Questionnaires are built from reusable question modules — blocks of questions you assemble into the assessment you want, rather than rewriting the same controls for every vendor. Modules can be tied to the frameworks they map to, so the questions you ask line up with the controls you care about. You can also import an existing questionnaire from CSV when a counterparty sends you their own format.

Answering inbound questionnaires

When a customer sends you a security questionnaire, EquanimGRC drafts answers from what you have already said. Answer suggestions retrieve your most relevant prior answers — matched by meaning, over a vector index of your answer history — and propose a response you edit and confirm. Answer search lets you find how you have answered a question before, across every questionnaire you have completed. The work compounds: each answered questionnaire makes the next one faster.

Evidence behind answers

An answer can cite the evidence that backs it, so a claim on a questionnaire points to the same artifact you would show an auditor. The proof is consistent whether the audience is a customer doing diligence or an assessor doing an audit.

From answers to risk

Completed questionnaires feed the risk assessment: the answers a vendor gives are what the scoring reads to produce their score, tier, and recommendations. Tracking which questionnaires are outstanding versus completed keeps the assessment honest about how much you actually know about a given vendor.

For the agent-facing side — letting a machine agent read and help complete questionnaires over MCP — see Questionnaires.