Supplier Security Risk Calculator

Score vendors by access, data sensitivity, and controls. Weight factors, compare scenarios, and prioritize audits. Export reports, align contracts, and reduce surprises.


Supplier profile inputs

Choose the best match for the supplier. Higher ratings increase inherent risk. Stronger controls reduce exposure.

Inherent exposure

0 = lowest, 4 = highest
Service criticality: how much operations depend on this supplier.
Data sensitivity: PII, financial, health, IP, or credentials.
System access: network, API, console, or production access.
Privileged administration: any admin rights or elevated permissions.
Data volume: amount of records or transaction throughput.
Regulatory impact: penalties or reporting obligations if breached.
Geography: jurisdiction, sanctions, instability, legal limits.
Subcontractor reliance: extent of fourth-party exposure.

Control strength

0 = weakest, 4 = strongest
Independent assurance: evidence level, not just claims.
Identity practices: SSO, MFA coverage, and privilege management.
Encryption: in transit, at rest, and key handling.
Vulnerability management: scanning, patch SLAs, and remediation proof.
Incident response: playbooks, testing, and customer notification drills.
Monitoring: detection coverage and response time to alerts.
Breach history: recent or repeated incidents; this factor is reversed in control strength.
Recovery: backups, RTO/RPO targets, and tested restores.

Weighting and risk appetite

Adjust the blend between mitigated risk and control gap. The calculator normalizes your weights automatically.

Mitigated risk weight: higher emphasizes business exposure after mitigation.
Control gap weight: higher emphasizes missing safeguards and assurance.

Example data table

These sample suppliers show how inputs shift the score and tier.

Supplier          | Exposure summary                                  | Control summary                                     | Expected tier
Payroll Provider  | High sensitivity, broad access, regulated data    | Strong MFA, audits, encryption, tested recovery     | Medium
Marketing Agency  | Moderate data, limited system access              | Basic policies, limited monitoring, mixed patching  | Medium
Managed IT Admin  | Privileged access to production systems           | Weak logging, repeated incidents, unclear recovery  | Critical

Formula used

The model separates inherent exposure from control strength, then combines them into a single 0–100 score. Ratings use 0–4 scales and are normalized to percentages.

1) Inherent score (0–100)
Weighted average of criticality, sensitivity, access, data volume, regulatory and supply-chain factors.
Inherent = Σ( factor% × factorWeight )
2) Control strength (0–100)
Weighted average of assurance, identity, encryption, patching, monitoring, response, recovery, and reversed breach history.
Controls = Σ( control% × controlWeight )
3) Mitigated risk (0–100)
Controls reduce the inherent score through a mitigation factor.
Mitigated = Inherent × (1 − Controls/100)
4) Overall risk (0–100)
Blend mitigated risk and control gaps using your weights.
Overall = wI×Mitigated + wC×(100 − Controls)

Tiers: Low < 25, Medium 25–49.99, High 50–74.99, Critical ≥ 75.
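The four formula steps above, the tier cut-offs, the weight normalization described under "Weighting and risk appetite", and the three suppliers from the example data table, worked through in code. This is an added example, not the calculator's own implementation. It assumes what the page does not state: every factor and control carries equal weight unless you pass your own, a 0-4 rating is normalized as rating / 4 × 100, the default blend is 60/40 (mitigated risk / control gap), and two zero weights fall back to an equal split. The per-factor ratings for the sample suppliers are constructed, chosen so that these assumptions reproduce the expected tiers in the table.

```python
"""Supplier risk scoring model (added worked example, not the calculator's own code).
Assumptions: equal factor weights by default, rating/4*100 normalization,
60/40 default blend, equal split when both blend weights are zero."""

INHERENT_FACTORS = ("criticality", "sensitivity", "access", "privilege",
                    "data_volume", "regulatory", "geography", "subcontractors")
CONTROL_FACTORS = ("assurance", "identity", "encryption", "patching",
                   "response", "monitoring", "breach_history", "recovery")
REVERSED_CONTROLS = {"breach_history"}   # more incidents means weaker control
SCALE_MAX = 4                            # ratings run 0..4

def rating_to_pct(rating, reverse=False):
    """Map a 0-4 rating to 0-100, flipping it for reversed factors."""
    if not 0 <= rating <= SCALE_MAX:
        raise ValueError(f"rating {rating} outside 0..{SCALE_MAX}")
    if reverse:
        rating = SCALE_MAX - rating
    return rating / SCALE_MAX * 100

def weighted_average(ratings, factors, weights=None, reversed_factors=()):
    """Sum(percent x weight) / Sum(weight) over the given factors."""
    missing = [f for f in factors if f not in ratings]
    if missing:
        raise ValueError(f"missing ratings for {missing}")
    weights = weights or {f: 1.0 for f in factors}   # assumption: equal weights
    total = sum(weights[f] for f in factors)
    if total <= 0:
        raise ValueError("factor weights must sum to a positive number")
    return sum(rating_to_pct(ratings[f], f in reversed_factors) * weights[f]
               for f in factors) / total

def inherent_score(ratings, weights=None):
    """Step 1: Inherent = Sum(factor% x factorWeight)."""
    return weighted_average(ratings, INHERENT_FACTORS, weights)

def control_strength(ratings, weights=None):
    """Step 2: Controls = Sum(control% x controlWeight), breach history reversed."""
    return weighted_average(ratings, CONTROL_FACTORS, weights, REVERSED_CONTROLS)

def mitigated_risk(inherent, controls):
    """Step 3: Mitigated = Inherent x (1 - Controls/100)."""
    return inherent * (1 - controls / 100)

def normalize_weights(w_inherent, w_control):
    """Scale the two user weights to sum to 1; equal split if both are zero (assumption)."""
    total = w_inherent + w_control
    if total <= 0:
        return 0.5, 0.5
    return w_inherent / total, w_control / total

def overall_risk(mitigated, controls, w_inherent=60, w_control=40):
    """Step 4: Overall = wI x Mitigated + wC x (100 - Controls)."""
    w_i, w_c = normalize_weights(w_inherent, w_control)
    return w_i * mitigated + w_c * (100 - controls)

def tier(score):
    """Low < 25, Medium 25-49.99, High 50-74.99, Critical >= 75."""
    if score >= 75:
        return "Critical"
    if score >= 50:
        return "High"
    if score >= 25:
        return "Medium"
    return "Low"

def score_supplier(inherent_ratings, control_ratings, w_inherent=60, w_control=40):
    """Run all four steps and return every intermediate value alongside the tier."""
    inherent = inherent_score(inherent_ratings)
    controls = control_strength(control_ratings)
    mitigated = mitigated_risk(inherent, controls)
    overall = overall_risk(mitigated, controls, w_inherent, w_control)
    return {"inherent": inherent, "controls": controls, "mitigated": mitigated,
            "overall": overall, "tier": tier(overall)}

# Constructed ratings for the page's three sample suppliers (not data from the page;
# chosen so that equal weights and a 60/40 blend reproduce the expected tiers).
SAMPLE_SUPPLIERS = {
    "Payroll Provider": (
        dict(criticality=4, sensitivity=4, access=3, privilege=3, data_volume=4,
             regulatory=4, geography=2, subcontractors=3),
        dict(assurance=3, identity=4, encryption=3, patching=3, response=2,
             monitoring=2, breach_history=1, recovery=3)),
    "Marketing Agency": (
        dict(criticality=2, sensitivity=2, access=1, privilege=0, data_volume=2,
             regulatory=2, geography=1, subcontractors=2),
        dict(assurance=1, identity=2, encryption=2, patching=1, response=1,
             monitoring=1, breach_history=1, recovery=2)),
    "Managed IT Admin": (
        dict(criticality=4, sensitivity=4, access=4, privilege=4, data_volume=3,
             regulatory=3, geography=2, subcontractors=3),
        dict(assurance=1, identity=1, encryption=2, patching=1, response=0,
             monitoring=0, breach_history=4, recovery=0)),
}

def score_samples():
    """Score every sample supplier; returns {name: result dict}."""
    return {name: score_supplier(inh, ctl) for name, (inh, ctl) in SAMPLE_SUPPLIERS.items()}

if __name__ == "__main__":
    for name, r in score_samples().items():
        print(f"{name:18} inherent={r['inherent']:6.2f} controls={r['controls']:6.2f} "
              f"mitigated={r['mitigated']:6.2f} overall={r['overall']:6.2f} -> {r['tier']}")
```

Note how the Payroll Provider lands at roughly 25.5, just inside Medium: strong controls push the mitigated component down, but the 40% control-gap term keeps a supplier with this much inherent exposure from dropping to Low. Passing your own `weights` dict into `inherent_score` or `control_strength` lets you test how a different factor weighting moves a supplier across a tier boundary before you commit to it.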

How to use this calculator

  1. Gather supplier facts: access type, data handled, and audit evidence.
  2. Select realistic ratings for inherent exposure and control strength.
  3. Adjust weighting to match your risk appetite and contract leverage.
  4. Press Calculate risk to see the score above the form.
  5. Use the recommended actions to plan due diligence and remediation.
  6. Export CSV/PDF for review meetings and supplier records.

Supplier risk starts upstream

Third-party suppliers expand your attack surface because they connect people, systems, and sensitive data outside your direct control. A structured score helps teams compare vendors consistently, justify due diligence, and document decisions for audits and renewals. When used during onboarding, the score highlights where contracts should require MFA, encryption, logging, and incident notification timelines, creating a defensible, repeatable gate before integrations go live for procurement, security, and business owners across regions. This calculator turns questionnaire responses and evidence checks into a repeatable 0–100 indicator, reducing subjective arguments and enabling portfolio reporting across many suppliers.

Exposure drivers you can quantify

Inherent exposure reflects what could happen if a supplier is compromised or disrupted. High service criticality, sensitive data handling, broad system access, and privileged administration increase blast radius. Data volume and regulatory impact raise potential losses and notification duties. Geography and subcontractor reliance add uncertainty through jurisdictional constraints and fourth‑party dependencies, especially when the supplier supports production workflows.

Control evidence reduces uncertainty

Controls lower risk when they are demonstrable and continuously operated. Strong identity practices, encryption, vulnerability management, monitoring, and incident response reduce likelihood and dwell time. Independent attestations and tested recovery plans improve confidence because they provide externally reviewed evidence. Recent breach history is treated as a warning signal, so repeated incidents reduce the control strength used to mitigate inherent exposure.

Weighting aligns business appetite

Not every organization tolerates the same residual risk. The calculator lets you tune weights between the mitigated exposure component and the control gap component. If the service is business‑critical, you may emphasize mitigated exposure to reflect operational dependency. If contractual leverage is strong, emphasize gaps to drive remediation before access is granted. Record your chosen weighting so results stay comparable across teams.

Operationalize the score

Use the tier output to trigger consistent actions. Low scores fit standard onboarding and annual reassessment. Medium scores often require evidence requests, clearer breach notification terms, and tighter access scopes. High scores typically need deeper assessment, segmentation, least‑privilege enforcement, and tracked remediation plans. Critical scores should escalate to leadership, pause risky access, and validate response and recovery through exercises before renewal.

FAQs

1. What does the overall score mean?

It summarizes supplier exposure on a 0–100 scale, combining inherent risk with the strength of mitigating controls. Higher scores indicate greater residual risk and larger security gaps that usually require stronger oversight or remediation.

2. How should we choose 0–4 ratings?

Start with evidence. Use 0 for none or not applicable, 2 for typical practice, and 4 for best‑in‑class or highest exposure. When uncertain, pick the more conservative value and note what proof would change it.

3. Why is breach history treated differently?

Recent or repeated incidents increase uncertainty and can indicate weak detection, governance, or control execution. The calculator reverses breach history inside the control score, so more incidents reduce overall control strength.

4. Can we customize the weighting?

Yes. Adjust the two weight fields to reflect your risk appetite. The calculator normalizes the numbers automatically, so you can enter any values from 0 to 100 and still get a valid blend.

5. Which tier should trigger deeper assessment?

High and Critical tiers are common triggers. Use High for targeted assessments and technical validation, and reserve Critical for leadership escalation, strict access limits, and remediation milestones before onboarding or renewal.

6. How often should we reassess suppliers?

At least annually, and sooner after major scope changes, new integrations, incidents, or M&A events. For High or Critical suppliers, consider quarterly checks of evidence, access reviews, and remediation progress.
