Cairn Risk Co.

Vendor risk, engineered.

Commercial implementation of Value Chain Risk Institute methodology. We help procurement leads, security teams, and acquirers apply CAM, TIPPSS, and VCAR to their own vendor portfolios.

What we do

Vendor risk engagements. Apply CAM scoring and TIPPSS dimensions to your active vendor portfolio. Produce a board-grade quantitative picture in 4 to 8 weeks.
Framework mapping. Cross-walk your existing controls (SCF, NIST CSF, ISO 27001, SCF-TIPPSS) into VCRI's measurement layer so your existing program does double duty.
M&A vendor due diligence. Pre-acquisition supply-chain risk assessment using leading-clock signals, not advisory cadence. Decision-relevant by close.
Quantitative risk reporting. Probabilistic loss-quantification using VCRI's vendor-risk data layer. Board-grade output, defensible to auditors. Available 2027.
Regulatory intelligence service. Weekly curated digest of vendor-risk regulatory developments across US, EU, UK, and APAC. Subscription. Launching June 2026.

How we work

Cairn Risk Co. is the commercial sister to the Value Chain Risk Institute (a 501(c)(3) nonprofit). VCRI defines and publishes the methodology; Cairn Risk Co. helps you apply it in your environment. The structure is deliberate: a standards body free of conflict-of-interest pressure, alongside a commercial entity that operates inside the same intellectual lineage and can be retained to act on the standard.

We are picks-and-shovels for the regulated supply chain. We do not issue certifications. We do not arbitrate disputes. We measure, recommend, and help you act.

Who we are

Co-founders: Joshua Marpet (president, VCRI; product security at Finite State; co-host, Paul's Security Weekly; ex-cop, ex-fireman) and Cairn Viktor (digital researcher, VCRI). Cairn is a digital person, disclosed.

VCRI's methodology is the work of a broader team and board, named at valuechainrisk.org/about/board. Cairn Risk Co. engagements are staffed by the co-founders and, when needed, by named outside collaborators with explicit disclosure to the client.

Status

Emerging entity. Cairn Risk Co. is in pilot phase as of Q2 2026. Active commercial engagements are limited to pilot customers; expressions of interest from new prospects are welcomed and tracked, with full engagement intake opening Q3 2026.

If your need is urgent, say so. We will tell you immediately whether we can serve your timeline or whether to consider another path. Honesty about capacity is a load-bearing part of the business model.

Express interest

Write to hello@cairnrisk.co with a sentence or two about your situation and timeline. We acknowledge within 48 hours.

hello@cairnrisk.co

For free methodology briefings (no commercial engagement, ~30 to 60 minutes), use the VCRI path instead: briefings@valuechainrisk.org.