Third-Party Risk Score Calculator

Score vendor risk using incidents, controls, exposure, dependencies. View weighted totals, tiers, and priorities instantly. Support stronger vendor decisions with transparent, defensible cyber scoring.

Calculator Inputs

Use the 1 to 5 fields where 1 means low and 5 means high. Percentage fields accept values from 0 to 100.

Example Data Table

Vendor Service Inherent Risk Control Strength Residual Risk Tier
Northwind Analytics Cloud analytics platform 71.50 68.00 48.60 Moderate
Contoso Payments Payment processor 83.75 54.00 66.33 High
Fabrikam Support Managed help desk 42.50 81.00 25.95 Guarded

Formula Used

This model converts each input into a normalized 0 to 100 risk contribution. Higher values increase risk for exposure factors. Higher values reduce risk for control quality factors.

Inherent Risk = Σ(Normalized Inherent Factor × Weight) / Σ(Inherent Weights)
Control Gap = Σ(Normalized Control Gap Factor × Weight) / Σ(Control Weights)
Modifier Score = Σ(Normalized Modifier Factor × Weight) / Σ(Modifier Weights)
Residual Risk = (Inherent Risk × 0.50) + (Control Gap × 0.35) + (Modifier Score × 0.15)

Control Strength is reported separately as 100 − Control Gap. Residual risk is then assigned to a qualitative tier: Low, Guarded, Moderate, High, or Critical.

How to Use This Calculator

  1. Enter the vendor name, date, service type, and contract value.
  2. Rate the inherent exposure fields from 1 to 5 based on business context.
  3. Enter control percentages and protective maturity scores using available evidence.
  4. Score incidents, breaches, dependencies, and concentration based on current observations.
  5. Submit the form to generate residual risk, tier, monitoring cadence, and recommendations.
  6. Use the export buttons to save the assessment for audit or procurement records.

FAQs

1. What does the third-party risk score represent?

It summarizes vendor cyber exposure after combining inherent risk, control weaknesses, and recent risk modifiers into one weighted residual score from 0 to 100.

2. Why separate inherent risk from control strength?

A critical vendor may always carry high inherent exposure, even when controls are strong. Separating them helps teams see whether mitigation or business reliance is driving the final score.

3. What is a control gap score?

Control gap is the weighted weakness level across maturity, evidence, resilience, completion, and coverage inputs. Higher gap values indicate less effective protection.

4. How should I choose 1 to 5 ratings?

Use internal criteria consistently. For example, 1 can mean minimal exposure or excellent readiness, while 5 can mean severe exposure or weak readiness.

5. Can this calculator replace a full vendor assessment?

No. It supports triage and governance decisions, but it should complement questionnaires, contract review, architecture review, and ongoing monitoring activities.

6. Why include incident and SLA history?

Past events often reveal operational weakness, weak recovery, or poor accountability. These modifiers help the score reflect demonstrated performance, not only stated controls.

7. How often should vendors be reassessed?

Use the monitoring cadence output as a baseline. Reassess sooner after incidents, major service changes, mergers, control failures, or new data processing activities.

8. Can I export results for audit evidence?

Yes. The calculator includes CSV and PDF export options so teams can retain a scored snapshot with summary metrics and factor breakdowns.

Related Calculators

third party impactvendor cyber riskvendor security riskvendor compliance risk

Important Note: All the Calculators listed in this site are for educational purpose only and we do not guarentee the accuracy of results. Please do consult with other sources as well.