Vendor Risk Assessment
by @1kalin
Evaluate and score vendors on security, financials, compliance, operations, and data handling to classify risk and manage remediation plans effectively.
clawhub install afrexai-vendor-riskπ About This Skill
Vendor Risk Assessment
Score and manage third-party vendor risk across security, financial stability, compliance, operational dependency, and data handling. Built for procurement teams, CISOs, and operations leaders managing 10+ vendors.
Usage
Run this assessment for each critical vendor. Aggregate scores into a portfolio risk view.Assessment Framework
1. Vendor Risk Scorecard (5 Domains, 0-100 each)
Security Posture (0-100)
Financial Stability (0-100)
Compliance & Regulatory (0-100)
Operational Dependency (0-100)
Data Handling (0-100)
2. Risk Tier Classification
| Aggregate Score | Tier | Review Cadence | Action | |----------------|------|---------------|--------| | 400-500 | Low Risk | Annual | Standard monitoring | | 300-399 | Moderate | Semi-annual | Remediation plan required | | 200-299 | High Risk | Quarterly | Executive escalation, alternatives identified | | 0-199 | Critical | Monthly | Exit plan required within 90 days |
3. Portfolio Risk View
Total vendors: ___
Critical tier: ___ (target: 0)
High risk: ___ (target: <10%)
Moderate: ___ (target: <30%)
Low risk: ___ (target: >60%)Top 3 concentration risks:
1. [Vendor] β [function] β [% of operations dependent]
2. [Vendor] β [function] β [% of operations dependent]
3. [Vendor] β [function] β [% of operations dependent]
Annual vendor spend: $___
Spend on high/critical vendors: $___ (___%)
4. Cost of Vendor Failure
| Impact Area | Calculation | |------------|-------------| | Revenue loss | Daily revenue Γ expected downtime days | | Recovery cost | Migration estimate + emergency procurement | | Compliance penalty | Regulatory fine range for data breach via vendor | | Reputation damage | Customer churn rate Γ LTV Γ affected customers | | Operational disruption | Staff idle cost Γ recovery period |
5. Quarterly Review Template
6. Red Flags (Immediate Action)
Industry-Specific Vendor Risks
| Industry | Critical Vendor Category | Specific Risk | |----------|------------------------|---------------| | Healthcare | EHR, billing, telehealth | HIPAA BAA gaps, PHI exposure | | Financial Services | Core banking, payments, KYC | PCI DSS, regulatory reporting | | Legal | Case management, ediscovery | Privilege breach, client data | | SaaS | Infrastructure, auth, payments | Cascading outages, PII | | Manufacturing | MES, supply chain, IoT | IP theft, production stoppage | | Construction | Project management, safety | Compliance documentation gaps | | Ecommerce | Payments, fulfillment, CDN | PCI, availability during peak | | Recruitment | ATS, background check, payroll | Candidate PII, bias in AI screening | | Real Estate | MLS, transaction mgmt, title | Wire fraud, closing delays | | Professional Services | CRM, billing, document mgmt | Client confidentiality breach |
Get the Full Playbook
π‘ Examples
Run this assessment for each critical vendor. Aggregate scores into a portfolio risk view.