Create as many review committees as necessary to handle your vendor management approvals.
Review committtes can be configured to automatically approve or reject a review/task once a specific # of committee members have responded.
Each member can "approve", "approve with findings" or "reject" a review. Comments can be added at the item or review level to ensure that each member can voice their opinions.
In addition to approving/rejecting, committee members can add remediation items to ensure that items are followed-up with even if review is approved.
Committees can be configured to automatically reject if a specific person/dept rejects the review. For example, if the Info Tech or Risk Management person rejects the review, it won't proceed any further.
Oftentimes, a final decision maker will have the last word, but doesn't want to be involved until the last step. Committee members can be designed the "last approver" and won't receive any committee-related emails until it's their time to approve or reject.