Problem
Disconnected Systems + Manual Risk Workflows Slowed Down Procurement and IT Security Reviews
A public research university faced a growing challenge in managing vendor risk assessments. With the rise of third-party software and increasingly strict cybersecurity compliance standards, the institution’s process for conducting HECVAT (Higher Education Community Vendor Assessment Tool) reviews had become a major bottleneck.
The existing workflow relied heavily on spreadsheets, static documents, and ticketing systems to track assessments and vendor responses. Information was scattered, difficult to access, and lacked consistency. The security team often struggled to locate the most current version of a HECVAT or determine the status of a review.
"Finding the most recent HECVAT submission used to mean digging through tickets."
Manual follow-ups and vendor confusion further delayed evaluations. Multiple teams tracked vendor data differently, and there was no central location to manage records, communication, and decisions. As the volume of vendor engagements continued to grow, this fragmented system became increasingly unsustainable.
Solution
An End-to-End, No-Code HECVAT Workflow Built in SmartSuite
The public research university adopted SmartSuite to unify its entire HECVAT review process—digitizing intake, review, scoring, documentation, and reporting.
The implementation team, composed of university staff and SmartSuite GRC specialists, co-developed a tailored system that included:
- External vendor forms for both HECVAT Light and Full versions, equipped with conditional logic to guide accurate responses
- Automated workflows to trigger notifications, track due dates, and route submissions to the appropriate reviewers
- Dynamic scoring of HECVAT results based on institution-specific weighting and risk thresholds
- Role-based permissions and custom views to enable secure collaboration across procurement, IT security, accessibility, and other internal teams
- A centralized vendor portal to manage profiles, submissions, past assessments, contracts, and key contacts
Instead of relying on static file uploads in a legacy ticketing system, the university now manages every step—from vendor intake to internal approval—within SmartSuite’s relational, no-code platform.
Results
100% Visibility, Streamlined Workflows, and Foundation for Expansion
The new system delivered immediate value. The university replaced spreadsheets and fragmented tracking tools with a live, integrated solution that:
- Reduced the time required to send, receive, and review HECVATs by over 50%
- Centralized vendor risk assessments across departments, establishing a single source of truth
- Enabled asynchronous collaboration through in-record comments and automated workflow triggers
- Automatically generated PDFs and dashboards tailored for procurement, IT security, and audit needs
- Laid the foundation to expand into broader GRC workflows, including business continuity planning, risk acceptances, NDAs, and more
According to security and IT leadership, the institution is no longer just completing risk assessments—they’re managing the entire process from start to finish.