Calculator
Example data table
| Supplier | Data | Access | Exposure | Controls | Incidents | Compliance | Overall score | Tier |
|---|---|---|---|---|---|---|---|---|
| Acme Payments | 5 | 4 | 5 | 2 | 3 | 2 | 84.2 | High |
| CloudHost Pro | 4 | 3 | 4 | 4 | 1 | 4 | 46.7 | Medium |
| Office Tools Co. | 2 | 1 | 2 | 4 | 0 | 3 | 22.9 | Low |
Formula used
1) Normalize factors to a 0–100 scale
Risk factors that increase exposure (data sensitivity, access, exposure, incidents, fourth‑party) are scaled directly.
Protective factors (control maturity, compliance coverage) are inverted so higher maturity lowers risk.
2) Weighted base score
Base = Σ(weightᵢ × factorᵢ) ÷ Σ(weightᵢ)
3) Impact points and multipliers
Impact points combine financial impact, downtime, and criticality (capped to 0–100).
The impact multiplier ranges from 0.60 to 1.60.
4) Appetite adjustment and overall score
Overall = clamp(Base × ImpactMultiplier × AppetiteMultiplier, 0, 100).
How to use this calculator
- Collect supplier details from questionnaires, audits, and technical reviews.
- Enter ratings (0–5) consistently across suppliers.
- Set criticality, financial impact, and downtime expectations.
- Open Advanced options to adjust weights and risk appetite.
- Click Calculate Risk to view the score and actions.
- Use CSV/PDF exports for reviews, approvals, and follow-ups.
Supplier cyber risk insights
Vendor intake and evidence quality
Strong scoring starts with consistent intake. Use the supplier name and industry fields to anchor context, then request objective evidence: last audit period, scope statements, patch SLAs, MFA enforcement, and incident post‑mortems. For high‑exposure vendors, capture counts such as public domains, externally reachable IP ranges, and the number of production admin accounts. Evidence-based inputs reduce “survey optimism” and improve repeatability across quarters.
How the factor ratings translate to risk
Each 0–5 rating is normalized to 0–100, so moving from 2 to 4 doubles the underlying factor score. Protective controls are inverted: a maturity of 5 yields 0 points for that factor, while 0 yields 100. This helps highlight control gaps even when exposure is moderate. If two suppliers have similar exposure, the one with weaker controls will trend toward a higher overall score.
Weight tuning for different business models
Weights are normalized automatically, allowing programs to emphasize what matters most. Payments and healthcare teams often increase data sensitivity and compliance weights, while cloud operators may prioritize internet exposure and network access. A practical baseline is to keep the three largest weights within a 10–15 point spread to avoid a single driver dominating every decision. Revisit weights after incidents or major architecture changes.
Linking impact, criticality, and appetite
Impact points combine financial impact, downtime, and criticality into an impact multiplier (0.60–1.60). This separates likelihood-like factors from business consequence. A vendor with modest exposure can still become high risk if downtime is expected to exceed several days. Risk appetite adjusts the final score (roughly 0.80–1.15), supporting stricter thresholds for regulated workloads and more tolerance for low-impact tools.
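The four formula steps listed under "Formula used" (normalize and invert, weighted base, impact multiplier, appetite adjustment with clamp) together with the points made in "How the factor ratings translate to risk", "Weight tuning" and "Linking impact, criticality, and appetite", carried through as an added Python example. This is not the calculator's own code. The default weights, the linear mapping of impact points onto the 0.60–1.60 multiplier, the three appetite multiplier values, the `fourth_party` rating in the sample row (absent from the example table) and the tier cut-offs are all assumptions, so the scores it prints will not reproduce the table above.

```python
"""Supplier cyber risk score: a worked implementation of the page's four steps.

Assumptions (not published on the page): default weights, a linear impact-point
to multiplier map, the appetite multiplier values and the tier thresholds.
"""

# Factor groups from the page: exposure-increasing factors are scaled directly,
# protective factors are inverted so higher maturity lowers risk.
EXPOSURE_FACTORS = ("data", "access", "exposure", "incidents", "fourth_party")
PROTECTIVE_FACTORS = ("controls", "compliance")

# Assumed default weights. They are normalized in weighted_base(), so the
# sum does not need to be 100; only the ratios matter.
DEFAULT_WEIGHTS = {
    "data": 20, "access": 15, "exposure": 20, "incidents": 10,
    "fourth_party": 10, "controls": 15, "compliance": 10,
}

# Assumed appetite multipliers inside the page's "roughly 0.80-1.15" range:
# a low appetite (regulated workloads) inflates the score, a high one tolerates more.
APPETITE_MULTIPLIER = {"low": 1.15, "balanced": 1.00, "high": 0.80}

# Assumed tier cut-offs, chosen to agree with the page's example table
# (84.2 -> High, 46.7 -> Medium, 22.9 -> Low); real cut-offs belong to your program.
TIER_THRESHOLDS = ((90.0, "Critical"), (60.0, "High"), (30.0, "Medium"), (0.0, "Low"))

# Constructed sample row (Acme Payments from the table, plus an assumed fourth_party=3).
ACME_PAYMENTS = {"data": 5, "access": 4, "exposure": 5, "controls": 2,
                 "incidents": 3, "compliance": 2, "fourth_party": 3}


def clamp(value: float, lo: float, hi: float) -> float:
    return max(lo, min(hi, value))


def normalize_factor(name: str, rating: int) -> float:
    """Step 1: map a 0-5 rating to 0-100; invert protective factors (5 -> 0, 0 -> 100)."""
    if name not in EXPOSURE_FACTORS + PROTECTIVE_FACTORS:
        raise KeyError(f"unknown factor {name!r}")
    if not 0 <= rating <= 5:
        raise ValueError(f"{name}: rating {rating} is outside 0-5")
    scaled = rating * 100 / 5          # integer arithmetic first keeps this exact
    return 100 - scaled if name in PROTECTIVE_FACTORS else scaled


def weighted_base(ratings: dict, weights: dict = DEFAULT_WEIGHTS) -> float:
    """Step 2: Base = sum(w_i * factor_i) / sum(w_i), over the factors supplied."""
    total_weight = sum(weights[name] for name in ratings)
    if total_weight <= 0:
        raise ValueError("weights must sum to a positive number")
    weighted = sum(weights[name] * normalize_factor(name, r) for name, r in ratings.items())
    return weighted / total_weight


def impact_multiplier(financial: int, downtime: int, criticality: int) -> float:
    """Step 3: combine three 0-5 impact inputs into impact points (capped 0-100) and
    map them linearly onto the page's 0.60-1.60 multiplier (linear map is assumed)."""
    points = clamp(sum(v * 100 / 5 for v in (financial, downtime, criticality)) / 3, 0, 100)
    return 0.60 + points / 100 * (1.60 - 0.60)


def overall_score(ratings: dict, impact: tuple, appetite: str = "balanced",
                  weights: dict = DEFAULT_WEIGHTS) -> float:
    """Step 4: Overall = clamp(Base * ImpactMultiplier * AppetiteMultiplier, 0, 100)."""
    base = weighted_base(ratings, weights)
    score = base * impact_multiplier(*impact) * APPETITE_MULTIPLIER[appetite]
    return round(clamp(score, 0, 100), 1)   # one decimal, as the example table shows


def tier_for(score: float) -> str:
    """Map an overall score to a tier using the assumed thresholds above."""
    for threshold, tier in TIER_THRESHOLDS:
        if score >= threshold:
            return tier
    return "Low"


if __name__ == "__main__":
    # Same supplier, three impact/appetite settings: shows how a modest base score
    # is pushed by business consequence and appetite, and where the clamp bites.
    print(f"base score: {weighted_base(ACME_PAYMENTS):.1f}")
    for impact, appetite in (((1, 1, 2), "high"), ((3, 3, 3), "balanced"), ((5, 5, 5), "low")):
        score = overall_score(ACME_PAYMENTS, impact, appetite)
        print(f"impact={impact} appetite={appetite:<8} -> {score:5.1f}  {tier_for(score)}")
```

The weight normalization is what makes "Weights are normalized automatically" hold: doubling every weight leaves the base unchanged, so only the ratios between factors matter. The inversion in `normalize_factor` is also why two suppliers with the same exposure ratings diverge on controls: the weaker-controls supplier contributes more points from the `controls` and `compliance` factors, not fewer.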
Using results for governance and remediation
Use the tier output to drive actions. “Critical” should trigger executive review, contractual remediation milestones, and contingency planning. “High” typically warrants targeted control uplift (MFA, logging, vulnerability management) and a re‑score after fixes. “Medium” fits scheduled improvements and monitoring, while “Low” can be reviewed annually. Export CSV/PDF for audit trails and to track score movement over time.
FAQs
1) What does a 0–100 score represent?
It’s a normalized risk index where higher values indicate higher supplier cyber risk. The score blends exposure factors, inverted control strength, business impact, and your risk appetite into one comparable number.
2) How should we rate control maturity?
Use observable evidence: security policies, MFA coverage, patch timelines, EDR deployment, logging, backup testing, and incident response exercises. Rate 5 only when controls are consistently implemented, measured, and independently validated.
3) Can we use this for subcontractors and fourth parties?
Yes. Enter the primary supplier, then increase the fourth‑party dependency rating when critical services are outsourced or concentrated. Ask for downstream assurance such as SOC reports, shared responsibility maps, and key subcontractor lists.
4) Why do compliance and controls reduce the score?
They are protective. Higher maturity and broader compliance coverage are inverted in the formula so they subtract risk, reflecting better prevention, detection, and governance that lowers the likelihood and blast radius of incidents.
5) How often should suppliers be re-scored?
At least quarterly for critical or high-risk suppliers, and annually for low-risk suppliers. Re-score after major changes: acquisitions, platform migrations, significant incidents, or new integrations that increase data access or exposure.
6) What thresholds should we use for approvals?
Start with tier-based gates: Critical requires executive sign-off; High requires remediation commitments; Medium requires tracked improvements; Low is approved with monitoring. Then refine thresholds using your risk appetite and historical incident outcomes.