Third Party Risk Calculator

Score every supplier using clear, repeatable risk factors. Tune weights, capture evidence, and track decisions, turning assessments into safer contracts and continuously monitored relationships.

Assessment Form

Use 0–5 ratings. Higher values mean greater exposure, except control maturity where higher means stronger controls.


Impact Factors

PII, financial data, secrets, or regulated data increases impact.
System privileges, network reach, and admin paths increase impact.
Higher when outages cause revenue loss or safety impact.
Higher when laws, audits, or reporting obligations apply.

Likelihood Factors

  • Exposure: internet-facing integrations, APIs, and broad connectivity increase likelihood.
  • Incident history: higher if frequent incidents, weak disclosure, or poor lessons learned.
  • Control maturity: used as a “control gap” internally: 5 − maturity.
  • Subcontractor reliance: more fourth parties and less transparency mean higher likelihood.
  • Geographic risk: consider stability, sanctions exposure, and data transfer complexity.

Mitigation and Assurance

  • Assurance evidence: higher if you have strong audit evidence and test results.
  • Contract strength: breach notice, right-to-audit, DPAs, and SLAs reduce residual risk.
  • Mitigation plan strength: higher if remediation is funded, tracked, and time-bound.

Advanced scoring controls (optional)

Likelihood share is 100% minus impact share.
Weights are auto-normalized within each group. Leave blank to use defaults.

Formula Used

  • Impact score (0–100): weighted average of Impact factors, scaled from 0–5 to 0–100.
  • Likelihood score (0–100): weighted average of Likelihood factors, using control gap = 5 − control maturity.
  • Inherent risk: blend of Impact and Likelihood using the Impact share setting.
  • Residual risk: Residual = Inherent × (1 − Reduction).
  • Reduction: average of Assurance, Contract strength, and Mitigation strength, capped at 35% maximum reduction.

This model is transparent by design. Adjust weights to match your internal approach.

How to Use

  1. Enter vendor name and service scope.
  2. Rate Impact using data, access, criticality, and regulatory scope.
  3. Rate Likelihood using exposure, incidents, maturity, subcontractors, and jurisdiction.
  4. Rate Mitigation using evidence quality and contract safeguards.
  5. Submit to see results above the form, then export.

Tip: Save assessments to build a living third-party risk register.

Vendor inventory quality drives scoring accuracy

Start with a complete supplier list and consistent scopes. In practice, teams miss 10–20% of indirect vendors because renewal owners change. Capture the service name, business owner, and data pathways before rating factors. When the scope is clear, the 0–5 inputs map cleanly to the 0–100 impact and likelihood scores. Use the notes field to reference contracts, tickets, and evidence dates for future reviews. Reconcile invoices monthly to catch new suppliers early.

Impact factors align to business harm

Impact is calculated from four elements: data sensitivity, access level, criticality, and regulatory exposure. Default weights are 0.35, 0.25, 0.25, and 0.15, and the tool normalizes any custom weights to sum to 1. If a vendor holds regulated PII and has privileged access, the impact score typically exceeds 60. Treat impact as the “blast radius” that leadership understands. Document assumptions so reviewers can reproduce scores easily during audits.

Likelihood highlights control gaps and exposure

Likelihood blends exposure, incident history, subcontractor reliance, geographic risk, and a control gap defined as 5 minus control maturity. The default control-gap weight is 0.30, making evidence of mature controls a strong lever. A vendor with medium exposure (3) but weak maturity (1) produces a gap of 4, often pushing likelihood above 55. Track reported incidents and their remediation timelines to avoid stale ratings. Use threat intelligence updates when exposure ratings change materially.

Residual risk connects assurance to decisions

Inherent risk is a configurable blend of impact and likelihood, defaulting to 45% impact and 55% likelihood. Residual risk then applies a reduction based on assurance evidence, contract strength, and mitigation plan strength. The reduction is capped at 35%, preventing “paper compliance” from masking real exposure. For high tiers, require breach notice windows, right-to-audit language, and measurable remediation milestones. Escalate exceptions when residual risk stays above target thresholds.

Operationalizing tiers and review cadence

Residual scores map to tiers: Low under 25, Moderate 25–49, High 50–74, and Critical 75+. The calculator recommends Annual, Biannual, Quarterly, or Monthly reassessment accordingly. Use the saved register to monitor drift after mergers, hosting moves, or new integrations. Export CSV to share with procurement and risk committees, and keep PDF summaries for approvals and exceptions in your governance workflow. Record review dates to prove continuous oversight to regulators.


FAQs

What does a 0–5 rating represent?

Each factor uses a simple ordinal scale. 0 means not applicable or none. 3 reflects a typical, medium exposure state. 5 indicates very high exposure or sensitivity that would significantly raise likelihood or impact for the vendor.

Why is control maturity treated as a control gap?

Strong controls reduce the chance of incidents. The calculator converts maturity to a gap using 5 minus maturity, so weak evidence increases likelihood. This keeps the direction consistent: higher numbers always mean higher risk.

Can we customize the weights safely?

Yes. Enter your own weights in Advanced scoring controls. The tool normalizes weights within each group, so they sum to 1. If all weight fields are blank or zero, the default weights are applied automatically.

How should we choose the impact share setting?

Impact share sets how much business harm influences inherent risk. Use higher impact share for regulated data or safety-critical services, and lower impact share for high-volume internet exposures. Keep it stable across assessments for comparability.

What is stored when I save an assessment?

The register stores the vendor details, all selected ratings, calculated scores, tier, review frequency, and a record ID with timestamp. Data is kept in the current browser session on the server; exporting CSV preserves it externally.

How should procurement use the outputs?

Use the tier and residual score to set contract clauses, evidence requirements, and reassessment cadence. High and Critical vendors should require defined remediation plans and executive approval. Low vendors can follow streamlined onboarding with periodic refresh.

Example Vendor Risk Register

Vendor            Service                         Residual Risk  Tier      Review     Notes
Atlas Payroll     Payroll Processing              68             High      Quarterly  Requires updated audit report and MFA evidence.
Nova CRM          Customer Relationship Platform  41             Moderate  Biannual   Confirm data minimization and retention controls.
Orchid Analytics  Metrics Dashboard               18             Low       Annual     Baseline checks, limited access, no regulated data.

Example data only. Your saved records appear below.

Saved Assessments

No saved assessments yet. Use “Save to register” before submitting.


Disclaimer: This tool supports prioritization. Final decisions should use validated evidence, stakeholder review, and documented acceptance of residual risk.