Vendor Risk Assessment: Definition, Best Practices and Template

By Indeed Editorial Team

Published October 21, 2021


Many businesses use outside suppliers, or vendors, to supply them with goods or services. Small businesses such as coffee shops rely on vendors to supply their coffee, whereas larger retailers rely on multiple vendors to supply a variety of goods to keep their shelves stocked.

Understanding the risks a vendor may pose to a business can help you determine which suppliers to do business with and which you can dismiss. In this article, we discuss what a vendor risk assessment is and how to conduct one, and we provide some tips and a template.

What is a vendor risk assessment?

A vendor risk assessment is a process that helps companies choose which vendors they'd like to do business with by assessing any potential risks that could negatively impact their business. You can complete the assessment by creating a template asking questions about the potential risks of working with a supplier, such as losing business, receiving fines or suffering reputational damage.

After completing the template, you can evaluate the risks and determine whether you'd like to begin a partnership with them based on the assessment responses. The policies, procedures and needs of your company can help you make an informed decision.


How to conduct a vendor risk assessment in 7 steps

Here are seven steps to help you conduct a vendor risk assessment:

1. Understand the types of risk

Before you begin an assessment of a company that you're considering doing business with, it's important to understand the types of risk you may encounter. Although you don't need to mention these types of risks specifically in the risk assessment, they're important factors to consider when creating your template.

Here are the risks you may encounter when doing business with a vendor:

  • Reputational risk: Will the reputation of the company change if you do business with them?

  • Replacement risk: Is it going to be easy or challenging to replace the vendor if needed?

  • Subsequent risk: Do they use any third-party vendors for their production needs that could affect your company?

  • Geographic risk: Do they operate in an area prone to natural disasters?

  • Financial risk: Is their company financially stable?

  • Strategic risk: Is there a chance they could take your business's ideas and use them as their own?

  • Compliance risk: Are they following the appropriate rules and regulations?

  • Technical risk: Is their data management secure and well protected?

  • Resource risk: Are they going to have all the resources that you need and that you're paying them to have?

  • Operational risk: Is there a way their policies or procedures could put your company at risk?


2. Determine risk criteria

It can be useful to tailor a new assessment for each potential partner so you can accurately determine the risks that may occur if you do business with them. For example, the risks a grocery store might encounter by purchasing produce from a supplier are going to be different from those a bank might encounter when looking for a company to install and monitor security cameras. You can create a template with different questions for each partnership, depending on the potential risks you may encounter.

3. Assess the companies and their products

It can be valuable to assess both the company and the products you plan to purchase from them. Consider making a company assessment to determine whether you'd like to partner with them.

If you think they're a good match, complete a product assessment to figure out aspects such as the cost of an item or whether they use other suppliers when adding to their own supply of products. You might find that they pass your vendor assessment, but not the product assessment.

4. Categorize vendors by the level of risk

After you've used an assessment to determine a vendor's level of risk, you can separate them by their risk level. You can score them on a one-to-five scale or a low-to-high scale, depending on the answers on their assessment. This can help you narrow down your options based on the total amount of risk they pose to your business.

5. Create a risk management plan

After you've completed a risk assessment and determined that you're going to work with a supplier, you can make a risk management plan. These plans usually comprise strategies focusing on how to manage any potential risk that could occur from working with each vendor. Here are a few items you may want to include:

  • Risk scenarios: Determine some scenarios that could happen while partnering with the vendor.

  • Response tasks: If one of the risk scenarios occurs, decide how your organization is going to respond. Consider listing specific employees and their roles in the response tasks.

  • Ways to reduce risks: You can be proactive by discussing ways to reduce risks before they occur. For example, you might want to monitor how the vendor handles their products and familiarize yourself with their procedures.


6. Be aware of current regulations

As regulations and laws change, you can modify your current policies to stay compliant. It's essential for your vendors to follow those same guidelines. If they don't, they could lose licenses to continue manufacturing and selling goods, and this can put your business at risk. Consider assessing their ability to comply with regulations regularly.

7. Administer annual assessments

If you plan on having a long-term partnership with a vendor, consider conducting annual assessments to ensure their processes have remained the same. Some suppliers may have new management, which can change certain aspects of the way they work with other businesses. These changes may not align with your values or needs. Annual assessments can help determine if you'd still like to continue your partnership with each vendor.


Vendor risk assessment best practices

Here are a few best practices you can use when making and using vendor risk assessments:

Use an expert's advice

If you aren't familiar with the type of risk you're assessing, try locating someone in another department who has more knowledge on the subject. Show them your completed assessment so they can analyze the results more thoroughly to determine if you should conduct business with the vendor. Depending on the number of vendors you use, you may even want to create a risk assessment team that includes an expert for each type of risk so you can consult with them as needed.

Use a vendor's previous feedback

Before agreeing to a partnership with a vendor, consider looking for feedback from their previous clients. You can call them and get their personal opinions, or look for online reviews from businesses that have worked with them. Their comments might give you the honest feedback you need to make a more informed decision.

Use direct language

When creating a risk assessment, try to use simple and concise language throughout the document. Limiting technical jargon can clarify the meaning of the questions on the assessment. Simple wording may provide a better understanding of the questions and answers.

Vendor risk assessment template

Businesses usually modify their risk assessments for each vendor with which they're considering doing business. Here's a general template you can use when creating your own vendor risk assessment:

| Category | Question | Yes/No/Other | Score (1-5) | Comments |
|---|---|---|---|---|
| Data security | Do you use a firewall and VPN? | | | |
| Data security | Do you continuously monitor your controls to prevent cyber attacks? | | | |
| Training and certification | What type of training do employees receive regarding compliance risks? | | | |
| Risk assessment | Does the company have an assessment process for identifying risks? Explain the process. | | | |
| Compliance | Does the company have any industry-level certifications? If so, please list them and their expiration date. | | | |
