A vendor risk assessment is a process that helps companies choose and monitor their business partners.

During this process, you identify and evaluate the potential risks of working with a vendor. 

Then, you decide whether the rewards of the partnerships would outweigh the risks. 


Before you can begin evaluating third parties, you need to know all of the types of risk you could face when entering into a business agreement. 

  • Strategy risk: Will they steal your trade secrets, ideas or intellectual property?
  • Financial risk: Are they financially stable?
  • Compliance risk: Do they follow relevant laws and regulations?
  • Geographic risk: Do they operate in a risky location?
  • Technical risk: How sound are their IT and data management processes and infrastructure?
  • Subsequential risk: Do they use third parties for any of their processes that could affect your company?
  • Resource risk: Do they have adequate resources to do what you’re paying them for?
  • Replacement risk: How easy would it be to replace them if they ceased operations?
  • Operational risk: How could their day-to-day policies and procedures put your company at risk?
  • Reputational risk: How will working with them affect your company’s reputation internally and externally?


Now that you know all of the possible categories of risk, you’ll need to develop risk criteria for your third-party assessments.


Third-party risk assessments should actually consist of two separate assessments:

A company-level evaluation shows you the risk of working with the vendor.

A product-level evaluation shows you the risk of a specific product.


Every vendor should be evaluated before you enter into a partnership with them.


After you’ve assessed a vendor, you should determine its overall level of risk. 

Separating potential vendors into risk levels can help you quickly determine whether to work with them and speed up the risk management planning process if so.

First, score the vendor as high, medium or low risk based on your risk criteria. 

Then, give the vendor a business impact score. In other words, how important is the vendor and their product or service to your organization?

Finally, decide what amount of due diligence you’ll do for vendors at each risk level. 


The risk management plan should include risk scenarios and specific response tasks, including the name or role of the employee responsible for each one.

In addition, include ways that you will reduce these risks.


Your organization should stay up to date on new and updated laws and regulations. 


As you modify your policies and procedures to stay compliant, assess all your vendors to ensure they are compliant, too.


Depending on the vendor’s risk level, you can assess them on a monthly or yearly basis. Ongoing monitoring ensures your business relationships are safe and beneficial for both parties.