Vendor Risk Tiering & Reassessment Scheduler
Assign each vendor a transparent, rule-based risk tier from criteria like data access, spend, and operational criticality, then auto-schedule reassessments by tier so high-risk vendors get reviewed often and low-risk ones aren't over-managed.
A private internal app that proposes a risk tier for every vendor from your own rules, lets the risk owner approve or override each one (with overrides logged), sets a reassessment cadence per tier, emails reminders as reviews come due, and exports a clean tiering + reassessment calendar CSV.
Before you start
- A vendor list with tiering attributes (data access, spend, criticality, regulatory) in a CSV or Google Sheet
- Free Supabase, Vercel, and Resend accounts
- Claude Code installed on your machine
The problem this kills
You manage dozens or hundreds of vendors, but your review capacity is fixed. So either every vendor gets the same heavy reassessment (and your critical ones drift while you re-paper a stationery supplier), or tiering lives in someone's head and a spreadsheet that nobody trusts. When an auditor asks "why is this vendor high-risk and when was it last reviewed?", the answer is a scramble.
The real failure mode is silent: a critical vendor with deep data access goes three years without a reassessment because no system was tracking the cadence. Nobody decided to skip it - it just fell through.
What you'll build
A small, private web app that turns vendor risk tiering into a transparent, repeatable routine:
- Import your vendor list from a CSV or Google Sheet.
- The tool proposes a tier - critical / high / medium / low - for each vendor from rules you define (data access, spend, operational criticality, regulatory exposure).
- The vendor-risk owner reviews each proposed tier and approves it or overrides it, with every override and the reason logged.
- A reassessment cadence is set per tier (for example, critical = annual, low = every three years).
- Resend sends the owner email reminders as reassessments come due, and the dashboard flags anything overdue.
- One click exports the tiering decisions and the reassessment calendar as a clean CSV.
What's inside the Implementation Plan
The plan is a single file you paste into Claude Code. It builds the whole tool step by step, and each step ends with a ready-to-copy prompt.
It opens by interviewing you about your business - your current tiering process, the systems and spreadsheets you use, the exact field names and vendor-ID convention in your data, how many vendors you manage, your real scoring and tier rules, and your messy edge cases (shared parent companies, vendors that are both critical and low-spend, mid-year ownership changes). It reads a short tailored spec back to you and waits for your thumbs-up before building anything. You get a tool shaped around how you actually work - not a generic template.
From there it walks you through the database, the import, the rule-based tier proposal, the human approval gate, the cadence scheduler, the email reminders, and the CSV export.
The governance it includes (this is the point)
This is not a spreadsheet with extra steps. The plan bakes in the controls an auditor expects:
- Login so only your team can open the tool.
- Row-level security so each organization only ever sees its own vendors.
- A complete audit trail - who proposed, approved, or overrode each tier, and when.
- A hard human-in-the-loop gate: the AI proposes a tier from your rules, but nothing changes a cadence until the risk owner approves it. Overrides are captured with a reason.
- Duplicate guards keyed on vendor-ID so the same vendor can't be tiered twice.
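The rule-based tier proposal, per-tier cadence, human approval gate, override logging and vendor-ID duplicate guard described above, as an added Python example that is not part of the Implementation Plan or its generated app. The rule thresholds, the high and medium cadences, and the vendor records are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Cadence per tier: critical=annual and low=every three years are from the plan; high/medium are assumed.
CADENCE_DAYS = {"critical": 365, "high": 548, "medium": 730, "low": 1095}

def propose_tier(v: dict) -> str:
    """Ordered, first-match-wins rules so every tier is explainable; thresholds are assumed."""
    if v["data_access"] == "pii" or v["criticality"] == "high":
        return "critical"
    if v["regulated"] or v["annual_spend"] >= 250_000:
        return "high"
    if v["data_access"] == "internal" or v["annual_spend"] >= 50_000:
        return "medium"
    return "low"

@dataclass
class Register:
    vendors: dict = field(default_factory=dict)  # vendor_id -> record
    audit: list = field(default_factory=list)    # append-only: (action, vendor_id, tier, who, reason)

    def add(self, v: dict) -> str:
        vid = v["vendor_id"]
        if vid in self.vendors:  # duplicate guard keyed on vendor ID
            raise ValueError(f"vendor {vid} is already tiered")
        tier = propose_tier(v)
        self.vendors[vid] = {**v, "proposed": tier, "tier": None, "next_due": None}
        self.audit.append(("proposed", vid, tier, "rules-v1", None))
        return tier

    def approve(self, vid: str, owner: str, last_review: date, override=None, reason=None) -> date:
        # Human gate: the reassessment date is set only here, never when a tier is proposed.
        rec = self.vendors[vid]
        tier = override or rec["proposed"]
        if tier != rec["proposed"] and not reason:
            raise ValueError("an override must carry a reason")
        rec["tier"], rec["next_due"] = tier, last_review + timedelta(days=CADENCE_DAYS[tier])
        self.audit.append(("overrode" if tier != rec["proposed"] else "approved", vid, tier, owner, reason))
        return rec["next_due"]

    def overdue(self, today: date) -> list:
        # Approved vendors whose scheduled reassessment date has already passed.
        return sorted(k for k, r in self.vendors.items() if r["next_due"] and r["next_due"] < today)

def sample_register() -> Register:
    reg = Register()  # constructed vendor records, not real data
    reg.add({"vendor_id": "V-001", "data_access": "pii", "annual_spend": 12_000,
             "criticality": "low", "regulated": False})
    reg.add({"vendor_id": "V-002", "data_access": "none", "annual_spend": 4_000,
             "criticality": "low", "regulated": False})
    return reg
```

Every tier change lands in `audit`, so the "why is this vendor high-risk and when was it last reviewed?" question is answered from the trail rather than from memory.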
Who it's for
Vendor-risk and procurement leads managing a large vendor portfolio with limited review capacity - people who need defensible, consistent tiering and a reassessment calendar that runs itself, without hiring a developer or buying a six-figure GRC platform.
You've got this - paste the first prompt and let the interview tailor the rest.