Although S2Vendor is designed for small and large organizations alike, there are certain configurations that will better serve a large, complex enterprise.

Large organizations often have multiple parties vested in the outcome of vendor risk management. These parties might include a CISO, director, compliance team, legal department, purchasing, etc. This permission was created to give these parties read-only access to the information housed in S2Vendor without letting them make any risk decisions. Notably, this permission does not require a paid license.

Turn on this permission in the User Settings. Users with this permission can navigate throughout S2Vendor while restricted to read-only status. There are select exceptions to the read-only status. Mainly, that users with this permission can use filter/sorts on the list pages, export data, and download attachments.

In large organizations, vendor risk management responsibilities are often shared by a team of risk managers. The division of responsibilities might be based on any number of things such as business unit, geographical location, specialty area, etc. In the situation where certain risk managers need to be assigned to only certain vendors, their access can be restricted.

Inside the vendor profile, access can be restricted on an individual basis or based on the business unit assigned. See section below on Business Units. If the access is restricted to specific risk managers, only those risk managers will see that vendor in the list. Additionally, only those risk managers will receive notifications pertaining to that vendor.

There is no reason to restrict access if all risk managers oversee the same vendors.

Reference the purpose of "Restrict Access".

From inside the Business Unit settings, risk managers can be assigned to specific business units. If the vendor is assigned to this business unit, all of the risk managers in that business unit will see the vendor in the list and receive notifications pertaining to that vendor. This is another way of organizing restricted access.

There is no reason to assign risk managers to any business unit if there is no need to restrict access.

Assuming there is a team of risk managers running the program,

the supervisor permission was created to provide oversight.

Risk managers with this additional permission can see all vendors in the list and will receive all notifications pertaining to all vendors in the program. In this way, they have total visibility into all the risk decisions being made by their team of risk managers.

The vendor list is intended to provide critical information at-a-glance on the vendors in your program. While there are a slew of filter options available, two specific filters are useful for narrowing the vendor list by

Apply the filter to find vendors associated with either a certain business unit or risk manager.

Configure the SMTP settings to send system emails through your company's server(s). This extra step enables email delivery to be tracked, and ensures that the emails will be treated more credibly upon arrival to your internal users and vendors.

The SMTP Settings will require the following information.

Once this information has been added, there is a TEST button that will send a test email to confirm delivery.
​

Many large organizations make use of single sign-on (SSO) to simplify the login process for their users. For the administrator, SSO can help us with user-activity management and user-account oversight.

SecurityStudio is currently integrated with Okta and has been approved by Microsoft Azure to be included in their gallery. See SAML Settings to run through the checklist of required inputs.

The Message Settings inside S2Vendor provide total visibility into system-generated messages. Given the fully automated nature of S2Vendor, organizations need a place to review what gets sent out and when. Within the settings, the administrator is able to review the default language and replace it with language that better suits their business' needs.

The Message Settings have a full listing of all system emails sent by S2Vendor. For each email type, the following information is provided.

The administrator will be able to assign replies to a specific registered user and edit the language used in the subject line and body of the email. This includes a library of data placeholders that can be pulled in.

Once the customized email template is ready, it can be published. There is also a reset option in case the administrator needs to revert back to the default template.