{"skill":{"slug":"vendor-risk-assessment","displayName":"Vendor Risk Assessment","summary":"Assess third-party vendor risk for AI and SaaS products. Evaluates security posture, data handling, compliance, financial stability, and operational resilien...","description":"---\nname: vendor-risk-assessment\ndescription: >\n  Assess third-party vendor risk for AI and SaaS products. Evaluates security posture,\n  data handling, compliance, financial stability, and operational resilience. Use when\n  onboarding new vendors, conducting annual reviews, or building a vendor management program.\n  Generates a scored risk report with mitigation recommendations. Built by AfrexAI.\nmetadata:\n  version: 1.0.0\n  author: AfrexAI\n  tags: [vendor-risk, security, compliance, procurement, enterprise]\n---\n\n# Vendor Risk Assessment\n\nEvaluate any AI/SaaS vendor across 6 risk dimensions. Outputs a scored report with go/no-go recommendation.\n\n## When to Use\n- Onboarding a new SaaS or AI vendor\n- Annual vendor review cycle\n- Evaluating build-vs-buy decisions\n- Due diligence for partnerships or acquisitions\n- Compliance requirements (SOC2, ISO 27001, GDPR)\n\n## How to Use\n\nThe user provides vendor details (name, product, website, any available documentation).\nThe agent researches and scores the vendor across 6 dimensions.\n\n### Input Format\n```\nVendor: [Company Name]\nProduct: [Product/Service Name]\nWebsite: [URL]\nUse Case: [What you'd use it for]\nData Sensitivity: [low/medium/high/critical]\nAdditional Context: [Any docs, certifications, or concerns]\n```\n\n## Assessment Framework\n\n### 6 Risk Dimensions (each scored 1-10)\n\n#### 1. Security Posture\n- SOC2 Type II certification?\n- Penetration testing cadence\n- Encryption (at rest + in transit)\n- Access controls and authentication\n- Incident response plan\n- Bug bounty program\n\n#### 2. Data Handling & Privacy\n- Data residency and sovereignty\n- Data retention and deletion policies\n- Sub-processor transparency\n- GDPR/CCPA compliance\n- Data portability (can you get your data out?)\n- AI training opt-out policies\n\n#### 3. Compliance & Certifications\n- SOC2, ISO 27001, HIPAA, FedRAMP\n- Industry-specific (PCI-DSS, HITRUST, etc.)\n- AI-specific (EU AI Act readiness, NIST AI RMF)\n- Audit frequency and transparency\n- Regulatory track record\n\n#### 4. Financial Stability\n- Funding stage and runway\n- Revenue indicators (public or estimated)\n- Customer concentration risk\n- Acquisition risk\n- Pricing stability history\n\n#### 5. Operational Resilience\n- Uptime SLA and historical performance\n- Disaster recovery plan\n- Multi-region availability\n- Dependency on single cloud provider\n- Support responsiveness and escalation paths\n- Change management process\n\n#### 6. Contractual Terms\n- Termination and exit clauses\n- Liability caps and indemnification\n- IP ownership clarity\n- Auto-renewal traps\n- Price increase limitations\n- SLA breach remedies\n\n## Output Format\n\n```markdown\n# Vendor Risk Assessment: [Vendor Name]\n**Date:** YYYY-MM-DD\n**Assessor:** AI Agent (AfrexAI)\n**Data Sensitivity Level:** [low/medium/high/critical]\n\n## Overall Risk Score: [X/10] — [LOW/MEDIUM/HIGH/CRITICAL]\n\n## Dimension Scores\n| Dimension | Score | Risk Level | Key Finding |\n|-----------|-------|------------|-------------|\n| Security Posture | X/10 | LOW/MED/HIGH | ... |\n| Data Handling | X/10 | LOW/MED/HIGH | ... |\n| Compliance | X/10 | LOW/MED/HIGH | ... |\n| Financial Stability | X/10 | LOW/MED/HIGH | ... |\n| Operational Resilience | X/10 | LOW/MED/HIGH | ... |\n| Contractual Terms | X/10 | LOW/MED/HIGH | ... |\n\n## Recommendation: [APPROVE / APPROVE WITH CONDITIONS / REJECT]\n\n## Critical Findings\n- [Finding 1]\n- [Finding 2]\n\n## Mitigation Requirements (if Approve with Conditions)\n1. [Requirement 1 — deadline]\n2. [Requirement 2 — deadline]\n\n## Research Sources\n- [Source 1]\n- [Source 2]\n```\n\n## Scoring Guide\n- **9-10:** Excellent — minimal risk, enterprise-grade\n- **7-8:** Good — acceptable for most use cases\n- **5-6:** Moderate — proceed with caution, mitigations needed\n- **3-4:** Poor — significant concerns, conditional approval only\n- **1-2:** Critical — recommend rejection or major remediation\n\n## Overall Risk Calculation\n- Average of 6 dimensions, weighted by data sensitivity:\n  - Low sensitivity: equal weights\n  - Medium: Security 2x, Data 2x\n  - High: Security 3x, Data 3x, Compliance 2x\n  - Critical: Security 4x, Data 4x, Compliance 3x, Financial 2x\n\n## Research Process\n1. Check vendor website for security/compliance pages\n2. Search for SOC2/ISO certifications and trust pages\n3. Check status pages for uptime history\n4. Search for breach history or security incidents\n5. Review pricing page for contract terms indicators\n6. Check Crunchbase/LinkedIn for financial stability signals\n7. Search for customer reviews mentioning reliability/support\n\n## Pro Tips\n- Request the vendor's SOC2 Type II report directly — if they hesitate, that's a signal\n- Check their status page history (statuspage.io, etc.) for real uptime data\n- For AI vendors specifically: ask about model training on your data, output ownership, and hallucination liability\n- Compare their security page to competitors — vague = red flag\n\n---\n\n*Need help managing vendor risk across your entire stack? AfrexAI builds autonomous AI agents that monitor vendors continuously — not just at onboarding. Visit [afrexai.com](https://afrexai.com) or book a call: [calendly.com/cbeckford-afrexai/30min](https://calendly.com/cbeckford-afrexai/30min)*\n","tags":{"latest":"1.0.0"},"stats":{"comments":0,"downloads":906,"installsAllTime":0,"installsCurrent":0,"stars":0,"versions":1},"createdAt":1771964190262,"updatedAt":1778992961246},"latestVersion":{"version":"1.0.0","createdAt":1771964190262,"changelog":"Initial release - third-party vendor risk scoring and mitigation","license":null},"metadata":null,"owner":{"handle":"1kalin","userId":"s17e1q0nx23qnh4n429zzqc05x83hvsw","displayName":"1kalin","image":"https://avatars.githubusercontent.com/u/15705344?v=4"},"moderation":null}