
Vendor Risk Assessment Scorecard

Evaluate third-party vendor risk with weighted scorecard. Enter values for instant results with step-by-step formulas.


Worked Examples

Example 1: SaaS CRM Vendor Assessment

Problem: Evaluating a cloud CRM vendor that will store customer contact data (confidential). Contract value: $50K/year. Medium dependency.

Solution: Assessment Scores:
Financial Stability: 80/100 (established vendor, good financials)
Security Posture: 75/100 (SOC 2 Type II, but no pen test shared)
Compliance: 85/100 (GDPR compliant, DPA signed)
Operational: 70/100 (99.9% SLA, DR plan exists)
Data Handling: 80/100 (clear retention, deletion processes)
Contractual: 65/100 (standard terms, limited liability)

Weighted Score (confidential data weights):
80×0.15 + 75×0.25 + 85×0.20 + 70×0.15 + 80×0.20 + 65×0.05
= 12 + 18.75 + 17 + 10.5 + 16 + 3.25 = 77.5

Dependency Adjustment (medium = 1.0x):
Adjusted Score: 77.5

Risk Tier: Medium Risk

Gaps Identified:
- Security: Request pen test results
- Contract: Negotiate higher liability cap

Recommendation: Proceed with conditions

Result: 77.5 score | Medium Risk | Proceed with pen test review + contract negotiation

Example 2: Critical Infrastructure Provider

Problem: Assessing a cloud hosting provider for production systems. Handles restricted data. Critical dependency. $500K annual contract.

Solution: Assessment Scores:
Financial: 90 (major provider, strong balance sheet)
Security: 85 (SOC 2, ISO 27001, pen tests, bug bounty)
Compliance: 80 (FedRAMP, HIPAA, PCI)
Operational: 90 (99.99% SLA, geo-redundant)
Data Handling: 75 (encryption at rest/transit, but complex DPA)
Contractual: 55 (standard cloud terms, limited recourse)

Weighted Score (restricted data):
90×0.10 + 85×0.30 + 80×0.25 + 90×0.10 + 75×0.20 + 55×0.05
= 9 + 25.5 + 20 + 9 + 15 + 2.75 = 81.25

Dependency Adjustment (critical = 1.5x):
81.25 / 1.5 = 54.2

Risk Tier: Medium-High Risk ⚠️

Critical vendor but acceptable risk

Required Actions:
1. Negotiate enterprise agreement (better terms)
2. Implement multi-region deployment
3. Establish exit strategy/alternative provider
4. Quarterly security reviews
5

Result: 54.2 adjusted score | Medium-High Risk | Accept with enhanced controls

Example 3: New Startup Vendor Evaluation

Problem: Innovative AI startup offers compelling tool. 2 years old, 50 employees. Would process internal data. $25K contract.

Solution: Assessment Scores:
Financial: 45 (startup, Series A, burn rate concerns)
Security: 60 (basic practices, no SOC 2 yet)
Compliance: 40 (limited certifications, GDPR claim unverified)
Operational: 50 (single cloud region, limited DR)
Data Handling: 55 (policies exist but immature)
Contractual: 70 (flexible, willing to customize)

Weighted Score (internal data):
45×0.15 + 60×0.20 + 40×0.15 + 50×0.20 + 55×0.15 + 70×0.15
= 6.75 + 12 + 6 + 10 + 8.25 + 10.5 = 53.5

Dependency (low = 0.8x adjustment):
53.5 / 0.8 = 66.9

Risk Tier: Medium Risk

But startup factors add concern:
- Financial runway: verify 18+ months
- SOC 2 Type I in progress?
- References from similar customers?

Mitigation Options:
1. Escrow source code
2. Limit to non-critical use case
3. 90-day pilot with

Result: 66.9 score | Medium Risk | Pilot with controls, not for sensitive data
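The three worked examples above all follow the same procedure: a weighted sum over six dimensions using the weight set for the data classification, then division by a dependency multiplier. The script below is an added example (not the calculator's own code) that reproduces all three; the weight sets and multipliers are taken from the examples, while the tier cut-offs are an assumption, since the page names tiers without stating thresholds.

```python
# Weight sets per data classification, taken from the page's three worked examples.
# Dimension order: financial, security, compliance, operational, data handling, contractual.
DIMENSIONS = ("financial", "security", "compliance", "operational", "data_handling", "contractual")
WEIGHTS = {
    "confidential": (0.15, 0.25, 0.20, 0.15, 0.20, 0.05),
    "restricted":   (0.10, 0.30, 0.25, 0.10, 0.20, 0.05),
    "internal":     (0.15, 0.20, 0.15, 0.20, 0.15, 0.15),
}
# Dependency multipliers from the examples; the page DIVIDES the weighted score by them,
# so a critical dependency lowers the score and a low dependency raises it.
DEPENDENCY = {"low": 0.8, "medium": 1.0, "critical": 1.5}

# ASSUMPTION: tier cut-offs are not given on the page. These floors are chosen so the
# three examples (77.5 and 66.9 -> Medium, 54.2 -> Medium-High) classify as shown.
TIERS = ((80.0, "Low Risk"), (60.0, "Medium Risk"), (45.0, "Medium-High Risk"), (0.0, "High Risk"))


def weighted_score(scores: dict, classification: str) -> float:
    """Weighted sum of the six 0-100 dimension scores for a data classification."""
    weights = WEIGHTS[classification]
    # Sanity check a practitioner wants: a weight set that does not sum to 1 silently skews every result.
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError(f"weights for {classification} sum to {sum(weights)}, not 1.0")
    for dim in DIMENSIONS:
        if not 0 <= scores[dim] <= 100:
            raise ValueError(f"{dim} score {scores[dim]} is outside 0-100")
    return sum(scores[dim] * w for dim, w in zip(DIMENSIONS, weights))


def adjusted_score(weighted: float, dependency: str) -> float:
    """Apply the dependency adjustment exactly as the examples do (divide by the multiplier)."""
    return weighted / DEPENDENCY[dependency]


def risk_tier(score: float) -> str:
    """Map an adjusted score to a tier using the assumed floors above."""
    for floor, name in TIERS:
        if score >= floor:
            return name
    return TIERS[-1][1]


def assess(scores: dict, classification: str, dependency: str) -> dict:
    """Full scorecard: weighted score (2 dp), adjusted score (1 dp, as the page rounds), tier."""
    weighted = weighted_score(scores, classification)
    adjusted = adjusted_score(weighted, dependency)
    return {"weighted": round(weighted, 2), "adjusted": round(adjusted, 1), "tier": risk_tier(adjusted)}


if __name__ == "__main__":
    crm = dict(zip(DIMENSIONS, (80, 75, 85, 70, 80, 65)))  # Example 1 inputs
    print(assess(crm, "confidential", "medium"))  # {'weighted': 77.5, 'adjusted': 77.5, 'tier': 'Medium Risk'}
```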

Frequently Asked Questions

What is vendor risk assessment?

Vendor risk assessment evaluates the potential risks of engaging with third-party suppliers. It examines financial stability, security practices, compliance, operational resilience, and contractual terms to determine if a vendor relationship is acceptable and what controls are needed.

Why is vendor risk management important?

Third-party breaches cause 60%+ of data incidents. Regulatory requirements (GDPR, SOX, HIPAA) hold you responsible for vendor actions. Financial failures of critical vendors can disrupt your business. Proper assessment prevents costly incidents and compliance failures.

What is vendor tiering?

Vendor tiering categorizes suppliers by risk level to allocate assessment resources efficiently. Critical vendors (high impact, access to sensitive data) get intensive due diligence. Low-risk vendors get streamlined assessments. Most organizations use 3-4 tiers.

What if a vendor doesn't meet our standards?

Options include: negotiate remediation with timeline, implement compensating controls, reduce scope of engagement, require additional insurance, add enhanced monitoring, or decline the relationship. Document risk acceptance if proceeding with gaps.

How do I handle vendor concentration risk?

Concentration risk occurs when one vendor is too critical. Mitigation includes: identifying backup vendors, negotiating source code escrow, maintaining documentation to switch providers, and ensuring contractual protections for transition scenarios.

What's the difference between inherent and residual risk?

Inherent risk is the raw risk before controls. Residual risk remains after applying mitigations. Assessment should evaluate both: how risky is the vendor inherently, and what controls reduce that risk to acceptable levels?
