Install
openclaw skills install afrexai-vendor-riskVendor Risk Assessment
Evaluate and score vendors on security, financials, compliance, operations, and data handling to classify risk and manage remediation plans effectively.
Vendor Risk Assessment
Score and manage third-party vendor risk across security, financial stability, compliance, operational dependency, and data handling. Built for procurement teams, CISOs, and operations leaders managing 10+ vendors.
Usage
Run this assessment for each critical vendor. Aggregate scores into a portfolio risk view.
Assessment Framework
1. Vendor Risk Scorecard (5 Domains, 0-100 each)
Security Posture (0-100)
- SOC 2 Type II current? (+20)
- Penetration test within 12 months? (+15)
- Incident response plan documented? (+15)
- Data encryption at rest and transit? (+15)
- MFA enforced for all access? (+10)
- Security questionnaire completed? (+10)
- Subprocessor list disclosed? (+15)
Financial Stability (0-100)
- Revenue trend (growing +25, flat +10, declining 0)
- Funding runway >18 months? (+20)
- Customer concentration <20%? (+15)
- Public financials or audited statements? (+15)
- No material litigation? (+15)
- Credit rating acceptable? (+10)
Compliance & Regulatory (0-100)
- Industry certifications current? (+20)
- GDPR/CCPA compliant? (+20)
- Data processing agreement signed? (+15)
- Regulatory audit history clean? (+15)
- Right to audit clause? (+15)
- Data residency requirements met? (+15)
Operational Dependency (0-100)
- SLA with financial penalties? (+20)
- Uptime >99.9% trailing 12 months? (+20)
- Disaster recovery tested annually? (+15)
- Single point of failure for your business? (-20)
- Migration plan documented? (+15)
- API/export capability? (+15)
- Vendor lock-in risk assessment? (+15)
Data Handling (0-100)
- Data classification documented? (+20)
- Retention/deletion policies clear? (+20)
- Breach notification <72 hours? (+20)
- Data portability guaranteed? (+15)
- AI/ML training on your data? (opt-out available +15, no opt-out -10)
- Access logging and audit trail? (+10)
2. Risk Tier Classification
| Aggregate Score | Tier | Review Cadence | Action |
|---|---|---|---|
| 400-500 | Low Risk | Annual | Standard monitoring |
| 300-399 | Moderate | Semi-annual | Remediation plan required |
| 200-299 | High Risk | Quarterly | Executive escalation, alternatives identified |
| 0-199 | Critical | Monthly | Exit plan required within 90 days |
3. Portfolio Risk View
Total vendors: ___
Critical tier: ___ (target: 0)
High risk: ___ (target: <10%)
Moderate: ___ (target: <30%)
Low risk: ___ (target: >60%)
Top 3 concentration risks:
1. [Vendor] — [function] — [% of operations dependent]
2. [Vendor] — [function] — [% of operations dependent]
3. [Vendor] — [function] — [% of operations dependent]
Annual vendor spend: $___
Spend on high/critical vendors: $___ (___%)
4. Cost of Vendor Failure
| Impact Area | Calculation |
|---|---|
| Revenue loss | Daily revenue × expected downtime days |
| Recovery cost | Migration estimate + emergency procurement |
| Compliance penalty | Regulatory fine range for data breach via vendor |
| Reputation damage | Customer churn rate × LTV × affected customers |
| Operational disruption | Staff idle cost × recovery period |
5. Quarterly Review Template
- Score changes since last review (flag any >10 point drops)
- New subprocessors added by vendor
- SLA performance vs target
- Security incidents or near-misses
- Contract renewal timeline and negotiation leverage
- Alternative vendor benchmarking
6. Red Flags (Immediate Action)
- Vendor acquired by competitor
- Key personnel departures (CISO, CTO)
- Downtime exceeding SLA 2+ months
- Regulatory action or investigation
- Refusal to complete security questionnaire
- Data breach affecting other customers
- Sudden pricing changes >20%
Industry-Specific Vendor Risks
| Industry | Critical Vendor Category | Specific Risk |
|---|---|---|
| Healthcare | EHR, billing, telehealth | HIPAA BAA gaps, PHI exposure |
| Financial Services | Core banking, payments, KYC | PCI DSS, regulatory reporting |
| Legal | Case management, ediscovery | Privilege breach, client data |
| SaaS | Infrastructure, auth, payments | Cascading outages, PII |
| Manufacturing | MES, supply chain, IoT | IP theft, production stoppage |
| Construction | Project management, safety | Compliance documentation gaps |
| Ecommerce | Payments, fulfillment, CDN | PCI, availability during peak |
| Recruitment | ATS, background check, payroll | Candidate PII, bias in AI screening |
| Real Estate | MLS, transaction mgmt, title | Wire fraud, closing delays |
| Professional Services | CRM, billing, document mgmt | Client confidentiality breach |
Get the Full Playbook
- AI Revenue Leak Calculator — Quantify your total automation opportunity
- Industry Context Packs — $47 each, deep-dive playbooks
- Agent Setup Wizard — Build your AI agent workforce