Vendor Management
Vendor registry
The Vendor Registry consolidates your entire ICT supplier portfolio: legal identity verified from national registries, sanctions screening across five lists (EU, OFAC, UN, PEP, BIG InfoMonitor), and beneficial ownership confirmed via CRBR.
Every vendor is classified at intake — DORA criticality, NIS2 sector, data location, Register of Information flag. That classification drives the depth of every subsequent assessment.
- Legal and UBO verification from external registries
- Sanctions screening: EU, OFAC, UN, PEP, BIG InfoMonitor
- DORA criticality and NIS2 sector classification
- Automated Register of Information flagging
- Full data provenance and analyst sign-off
Vendor assessment
Each assessment draws on data from sources beyond vendor self-reporting and closes with compliance artifacts your auditor can work with.
- Formal — legal standing, sanctions, UBO
- Financial — revenue trend, EBITDA, liquidity, debt
- Cybersecurity — continuous external scanning via RiskRecon: vulnerabilities, SSL/TLS, CVE status
- ESG — environmental and social profile mapped to CSRD requirements
- Contracts — DORA Art. 28/30 checklist across active agreements, automatic gap flagging
- Documents — AI-assisted review of policies, certifications, BCP, insurance mapped to DORA, ISO 27001, NIS2, KNF guidelines
AI proposes a score at each step. Your analyst reviews, overrides if needed, and documents the rationale. Every override is logged.
ICT supply chain analysis
The ICT Supply Chain Explorer maps sub-processor relationships declared in contracts and cross-references them against your vendor inventory — surfacing undisclosed dependencies and concentration risk across the portfolio.
The Register of Information is generated continuously in EBA-compliant format as assessments are completed or vendors are reclassified.
Between assessment cycles, RiskRecon monitors the security posture of your vendor portfolio in the background. Changes in attack surface, certificate expiry, or DNS configuration trigger alerts — no manual review required.
- Sub-processor mapping beyond tier-1
- Concentration risk identification across the portfolio
- Register of Information in EBA format, continuously updated
- Continuous security monitoring between assessment cycles
- Automatic alerts on vendor security posture changes
- Risk propagation to ERM