Vendor decisions you cannot justify.

Third-party and vendor approvals are made every day. When asked to justify them later, most organisations cannot produce a verifiable Decision Receipt.

MeshQu changes that.

Signals

Vendor profile
Risk assessment
Controls evidence
Contract terms
Approver actor

Decision

Vendor decision at execution

Approve · Reject · Accept risk

Proof

Decision Receipt

Verified

01 The moment

A vendor is approved.

A supplier is onboarded. A risk assessment is completed. A control is waived.

A decision is made: Approve, Reject, or Accept risk.

Vendor onboarding

Acme Cloud Services Ltd.

Tier: Tier 1 · Critical
Region: EU / UK
Posture: Material gaps · Residual risk
Approve · Reject · Accept risk

02 The failure

You are asked to justify it later.

Why was this vendor approved? What risks were identified? Why were they accepted? Who signed it off?

The answer is reconstructed from risk assessments, onboarding systems, documents, and email approvals. It takes time. It's incomplete. It doesn't hold up under scrutiny.

Reconstructing the approval…

  • Pull risk assessment: 40 min
  • Find SOC + DPA versions: 30 min
  • Locate exception sign-off: 60+ min
  • Recover email thread: 45 min
  • Build justification: 90+ min

That's not proof.

03 The reason

It was never captured at execution time.

Third-party risk systems track vendors and store documents — they don't capture the decision itself as verifiable evidence. No Decision Receipt is produced.

The approval happens. The proof doesn't.

Signals received

Logs written

The gap

No verifiable proof captured

04 The shift

Risk decisions should produce proof.

Not documentation. Not scattered evidence. Not reconstructed timelines.

A vendor decision should leave behind a verifiable record at the moment it is made.

Signals received

Logs written

Decision + Proof

At execution

05 At execution

Captured as it happens.

Most risk systems record decisions after they are made.

MeshQu captures them at execution time.

After the fact is audit. At execution is control.

VECOAP

MeshQu Decision Layer

Decision Receipt

Verified

06 The receipt

Every vendor decision produces a receipt.

A Decision Receipt contains the vendor details, the risk signals, the policy applied, the controls evaluated, the outcome, and the actor.

Signed. Verifiable. Replayable. No reconstruction required.

Decision Receipt · Vendor Approval · DR-K7M9-2P4Q
Verified
Decision: Approved by Risk Committee
Policy: Third-party risk — Tier 1, v7
Evidence: 3 attestations, 2 documents
Integrity: sha256:0xdead…beef

07 A new layer

It works with what you already use.

Vendor onboarding systems. Risk assessment tools. Document repositories. Approval workflows. MeshQu doesn't replace them.

Your systems manage vendors. MeshQu proves the decision.

Onboarding
Risk
Docs
Workflow
MeshQu
— receipt
decision: accept-risk
policy: TPRM-v3.4
actor: risk-cmt
seal: verified ◎

08 Consistency

Human or system. Same proof.

Automated tiering. Manual assessment. Committee approval. Exception handling. Every decision produces the same receipt.

A risk attestation submitted through a form produces the identical signed receipt as an automated check. A signed form is a signed receipt. Same shape. Same proof.

Automated assessment

Tier + signals

Manual review

Risk team

Committee approval

With dissent noted

Same receipt, every time.

09 The result

You can answer immediately.

The receipt resolves in seconds — what happened, why, under which policy, with what inputs, and who accepted the residual risk. Verifiable.

Asked

Why was this vendor approved?

RCP-01H7M12B7G6V0DR · Verified · Resolved in 2.4 seconds

Does this replace our vendor risk or GRC system?
No. MeshQu captures the decision your vendor-risk and GRC systems already produce.

10 Close

You already make these decisions.

The question is — can you justify them under scrutiny?

Decision Assurance

Capture every decision. Prove every time.