Vendor Risk Assessment Template
A vendor risk assessment is a structured evaluation that scores and classifies vendors by risk level based on the type of data they access, their security posture, compliance status, and business criticality. An effective assessment template defines clear risk tiers (typically 4-5 levels), uses consistent scoring criteria across all vendors, and produces actionable outputs — not just a number, but specific findings, required mitigations, and recommended next steps.
Risk tier definitions
Tier 1 — Critical Risk: Vendor has active sanctions matches, critical security vulnerabilities, significant adverse media (breaches, regulatory actions), or fundamental business verification failures. Requires immediate escalation and remediation or vendor replacement.
Tier 2 — High Risk: Vendor has high-severity findings such as multiple security gaps, concerning adverse media, or compliance deficiencies. Requires enhanced due diligence, formal risk acceptance, and near-term remediation plan.
Tier 3 — Moderate Risk: Vendor has moderate findings — limited compliance gaps, minor security configuration issues, or incomplete but not alarming evidence. Standard monitoring and periodic reassessment.
Tier 4 — Low Risk: Vendor demonstrates strong security posture with verified compliance certifications, clean sanctions screening, and no material adverse findings. Routine monitoring only.
Tier 5 — Minimal Risk: Vendor has exemplary security posture — independently verified certifications, comprehensive security controls, clean history, and strong business fundamentals. Lightest monitoring cadence.
Scoring categories
A comprehensive vendor risk assessment should evaluate six weighted categories (the weights below sum to 100%):
Business & Identity (15%) — Legal entity verification, sanctions screening, corporate registration, leadership verification.
Information Security (25%) — Compliance certifications (SOC 2, ISO 27001), technical controls, vulnerability management, encryption standards.
Cyber Risk (20%) — Domain security, email authentication, network exposure, breach history, dark web exposure.
Regulatory Compliance (15%) — Industry-specific requirements (HIPAA, PCI DSS, GDPR), data handling practices, cross-border transfers.
Reputation & Media (15%) — Adverse media coverage, court filings, regulatory actions, customer complaints, data breach disclosures.
Financial Stability (10%) — Financial health indicators, SEC filings, funding status, FDIC records for financial institutions.
Building your scoring methodology
The scoring methodology should be deterministic: the same evidence always produces the same score and tier. Avoid subjective judgment in tier assignment. Define specific rules: "Any active OFAC sanctions match = Tier 1." "Missing SOC 2 Type II with sensitive data access = deduct 15 points." "Verified FedRAMP authorization = add 10 points." This removes analyst discretion from tier assignment and keeps results consistent across hundreds of vendors. It does not remove judgment altogether; it moves judgment into the rule set, so the rules and their thresholds should be written down, versioned, and reviewed like any other control.
Use escalation rules for critical findings that override the aggregate score. For example, a vendor might score well across most categories but have an active sanctions match — the sanctions match alone should escalate them to the highest risk tier regardless of overall score.
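A minimal scorer implementing the methodology above, as an added example that is not part of the original page or of any product it mentions. The category weights and tier names follow the template; the 0-100 band thresholds, the three example rules, the next-step mapping, and the sample vendors are assumptions constructed for illustration. It shows the three mechanics the text describes: a weighted aggregate over the categories for which evidence exists (with the covered weight reported as confidence), explicit point rules that each leave a traceable finding, and an escalation override that forces a sanctions hit to Tier 1 regardless of the aggregate.

```python
"""Deterministic vendor risk scoring: weighted categories, explicit point rules,
escalation overrides, and a confidence score from data completeness.
Added example; thresholds, rule names and sample data are assumptions."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Category weights from the template; they sum to 100%.
WEIGHTS = {
    "business_identity": 0.15,
    "information_security": 0.25,
    "cyber_risk": 0.20,
    "regulatory_compliance": 0.15,
    "reputation_media": 0.15,
    "financial_stability": 0.10,
}

# Score bands on a 0-100 scale where higher means safer. Thresholds are assumed;
# tier numbers and names follow the template (Tier 1 = Critical ... Tier 5 = Minimal).
TIER_BANDS = [(90, 5, "Minimal"), (75, 4, "Low"), (55, 3, "Moderate"),
              (35, 2, "High"), (0, 1, "Critical")]

# Assumed mapping from tier to the template's next-step vocabulary.
NEXT_STEP = {1: "escalate", 2: "approve with conditions", 3: "approve",
             4: "approve", 5: "approve"}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    delta: int                          # point adjustment (negative = deduct)
    escalate_to: Optional[int] = None   # tier override; Tier 1 is highest risk


@dataclass(frozen=True)
class Evidence:
    """Inputs to the scorer. None means 'not collected' and lowers confidence."""
    category_scores: Dict[str, Optional[float]]  # category -> 0..100 or None
    ofac_match: bool = False
    handles_sensitive_data: bool = False
    soc2_type2: Optional[bool] = None            # None = unknown
    fedramp_authorized: bool = False


def apply_rules(ev: Evidence) -> List[Finding]:
    """Explicit rules from the text; each one produces a traceable Finding."""
    findings = []
    if ev.ofac_match:
        findings.append(Finding("Active OFAC sanctions match", "critical", 0, escalate_to=1))
    if ev.handles_sensitive_data and ev.soc2_type2 is False:
        findings.append(Finding("Missing SOC 2 Type II with sensitive data access", "high", -15))
    if ev.fedramp_authorized:
        findings.append(Finding("Verified FedRAMP authorization", "info", 10))
    return findings


def assess(ev: Evidence) -> dict:
    collected = {k: v for k, v in ev.category_scores.items() if v is not None}
    covered = sum(WEIGHTS[k] for k in collected)
    # Weighted mean over the categories we actually have evidence for ...
    base = sum(WEIGHTS[k] * v for k, v in collected.items()) / covered if covered else 0.0
    # ... and the share of total weight that evidence covers is the confidence.
    confidence = round(covered, 2)
    findings = apply_rules(ev)
    score = int(max(0, min(100, round(base + sum(f.delta for f in findings)))))
    tier = next(t for floor, t, _ in TIER_BANDS if score >= floor)
    # Escalation rules override the aggregate: take the worst (lowest-numbered) tier.
    overrides = [f.escalate_to for f in findings if f.escalate_to is not None]
    tier = min([tier] + overrides)
    tier_name = next(n for _, t, n in TIER_BANDS if t == tier)
    return {
        "score": score, "tier": tier, "tier_name": tier_name, "confidence": confidence,
        "findings": [(f.rule, f.severity, f.delta) for f in findings],
        "next_step": NEXT_STEP[tier],
    }


# Constructed sample vendors (not real data).
CLEAN_VENDOR = Evidence(category_scores={k: 90 for k in WEIGHTS})
SANCTIONED_VENDOR = replace(CLEAN_VENDOR, ofac_match=True)   # scores well, but sanctioned
FEDRAMP_VENDOR = replace(CLEAN_VENDOR, fedramp_authorized=True)
PARTIAL_EVIDENCE_VENDOR = Evidence(
    category_scores={"business_identity": 80, "information_security": 50, "cyber_risk": 70,
                     "regulatory_compliance": None, "reputation_media": 75,
                     "financial_stability": None},
    handles_sensitive_data=True, soc2_type2=False,
)

if __name__ == "__main__":
    for name, ev in [("clean", CLEAN_VENDOR), ("sanctioned", SANCTIONED_VENDOR),
                     ("partial", PARTIAL_EVIDENCE_VENDOR)]:
        print(name, assess(ev))
```

Two design points worth noting. Renormalising the weighted mean over only the categories that have evidence keeps a missing category from silently reading as a zero, and the confidence value tells the reviewer how much of the weight that result actually rests on (0.75 for the partial-evidence vendor). Keeping the sanctions rule as a tier override rather than a large deduction means no amount of good evidence elsewhere can mask it, which is exactly the behaviour the escalation paragraph asks for.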
Assessment outputs
Each assessment should produce: a numerical risk score, a risk tier classification, a list of specific findings with severity ratings, a confidence score reflecting data completeness, recommended mitigations for each finding, and clear next steps (approve, approve with conditions, reject, escalate). The assessment should be timestamped and versioned so changes can be tracked over time. For audit purposes, all evidence should be preserved with source attribution.