🎁 Get the FREE AI Skills Starter Guide β€” Subscribe β†’
BytesAgainBytesAgain
πŸ¦€ ClawHub

Vendor Risk Assessment

by @1kalin

Evaluate and score vendors on security, financials, compliance, operations, and data handling to classify risk and manage remediation plans effectively.

Versionv1.0.0
Downloads744
Stars⭐ 1
TERMINAL
clawhub install afrexai-vendor-risk

πŸ“– About This Skill

Vendor Risk Assessment

Score and manage third-party vendor risk across security, financial stability, compliance, operational dependency, and data handling. Built for procurement teams, CISOs, and operations leaders managing 10+ vendors.

Usage

Run this assessment for each critical vendor. Aggregate scores into a portfolio risk view.

Assessment Framework

1. Vendor Risk Scorecard (5 Domains, 0-100 each)

Security Posture (0-100)

  • SOC 2 Type II current? (+20)
  • Penetration test within 12 months? (+15)
  • Incident response plan documented? (+15)
  • Data encryption at rest and transit? (+15)
  • MFA enforced for all access? (+10)
  • Security questionnaire completed? (+10)
  • Subprocessor list disclosed? (+15)
  • Financial Stability (0-100)

  • Revenue trend (growing +25, flat +10, declining 0)
  • Funding runway >18 months? (+20)
  • Customer concentration <20%? (+15)
  • Public financials or audited statements? (+15)
  • No material litigation? (+15)
  • Credit rating acceptable? (+10)
  • Compliance & Regulatory (0-100)

  • Industry certifications current? (+20)
  • GDPR/CCPA compliant? (+20)
  • Data processing agreement signed? (+15)
  • Regulatory audit history clean? (+15)
  • Right to audit clause? (+15)
  • Data residency requirements met? (+15)
  • Operational Dependency (0-100)

  • SLA with financial penalties? (+20)
  • Uptime >99.9% trailing 12 months? (+20)
  • Disaster recovery tested annually? (+15)
  • Single point of failure for your business? (-20)
  • Migration plan documented? (+15)
  • API/export capability? (+15)
  • Vendor lock-in risk assessment? (+15)
  • Data Handling (0-100)

  • Data classification documented? (+20)
  • Retention/deletion policies clear? (+20)
  • Breach notification <72 hours? (+20)
  • Data portability guaranteed? (+15)
  • AI/ML training on your data? (opt-out available +15, no opt-out -10)
  • Access logging and audit trail? (+10)
  • 2. Risk Tier Classification

    | Aggregate Score | Tier | Review Cadence | Action | |----------------|------|---------------|--------| | 400-500 | Low Risk | Annual | Standard monitoring | | 300-399 | Moderate | Semi-annual | Remediation plan required | | 200-299 | High Risk | Quarterly | Executive escalation, alternatives identified | | 0-199 | Critical | Monthly | Exit plan required within 90 days |

    3. Portfolio Risk View

    Total vendors: ___
    Critical tier: ___ (target: 0)
    High risk: ___ (target: <10%)
    Moderate: ___ (target: <30%)
    Low risk: ___ (target: >60%)

    Top 3 concentration risks: 1. [Vendor] β€” [function] β€” [% of operations dependent] 2. [Vendor] β€” [function] β€” [% of operations dependent] 3. [Vendor] β€” [function] β€” [% of operations dependent]

    Annual vendor spend: $___ Spend on high/critical vendors: $___ (___%)

    4. Cost of Vendor Failure

    | Impact Area | Calculation | |------------|-------------| | Revenue loss | Daily revenue Γ— expected downtime days | | Recovery cost | Migration estimate + emergency procurement | | Compliance penalty | Regulatory fine range for data breach via vendor | | Reputation damage | Customer churn rate Γ— LTV Γ— affected customers | | Operational disruption | Staff idle cost Γ— recovery period |

    5. Quarterly Review Template

  • Score changes since last review (flag any >10 point drops)
  • New subprocessors added by vendor
  • SLA performance vs target
  • Security incidents or near-misses
  • Contract renewal timeline and negotiation leverage
  • Alternative vendor benchmarking
  • 6. Red Flags (Immediate Action)

  • Vendor acquired by competitor
  • Key personnel departures (CISO, CTO)
  • Downtime exceeding SLA 2+ months
  • Regulatory action or investigation
  • Refusal to complete security questionnaire
  • Data breach affecting other customers
  • Sudden pricing changes >20%
  • Industry-Specific Vendor Risks

    | Industry | Critical Vendor Category | Specific Risk | |----------|------------------------|---------------| | Healthcare | EHR, billing, telehealth | HIPAA BAA gaps, PHI exposure | | Financial Services | Core banking, payments, KYC | PCI DSS, regulatory reporting | | Legal | Case management, ediscovery | Privilege breach, client data | | SaaS | Infrastructure, auth, payments | Cascading outages, PII | | Manufacturing | MES, supply chain, IoT | IP theft, production stoppage | | Construction | Project management, safety | Compliance documentation gaps | | Ecommerce | Payments, fulfillment, CDN | PCI, availability during peak | | Recruitment | ATS, background check, payroll | Candidate PII, bias in AI screening | | Real Estate | MLS, transaction mgmt, title | Wire fraud, closing delays | | Professional Services | CRM, billing, document mgmt | Client confidentiality breach |

    Get the Full Playbook

  • AI Revenue Leak Calculator β€” Quantify your total automation opportunity
  • Industry Context Packs β€” $47 each, deep-dive playbooks
  • Agent Setup Wizard β€” Build your AI agent workforce
  • πŸ’‘ Examples

    Run this assessment for each critical vendor. Aggregate scores into a portfolio risk view.