Vendor Compliance Risk Calculator

Measure vendor cyber exposure with weighted compliance scoring. Identify weak controls, contractual gaps, and resilience issues. Support safer procurement decisions with clearer remediation priorities.

Calculator

Tip: Higher percentages for control quality reduce risk, while higher gap percentages increase risk.

Example Data Table

Vendor                  Data Sensitivity  Criticality  Compliance Gap %  Controls %  Incidents  Monitoring %  Expected Risk Band
Critical Cloud Partner  4                 5            18                72          2          61            Moderate
Payroll Processor       5                 5            28                64          3          58            High
Marketing SaaS          2                 2            8                 88          0          82            Low

Formula Used

The calculator creates four category scores and then blends them into one weighted risk score. Each category is normalized to a 0 to 100 scale. Higher values mean greater vendor risk.

1) Inherent Exposure
= (Data Sensitivity × 40%) + (Service Criticality × 35%) + (Access Level × 25%) after converting 1–5 ratings into percentages.

2) Compliance Posture
= (Compliance Gap % × 45%) + ((100 − Control Effectiveness %) × 35%) + (Certification Risk × 20%).

3) Security Operations
= Incident History + Monitoring Weakness + Training Weakness + Pen Test Risk + MFA Risk, using the listed operational weights.

4) Resilience & Oversight
= Geographic, financial, contractual, remediation, fourth-party, continuity, insurance, and encryption weaknesses using weighted contributions.

Overall Risk Score
= (Inherent Exposure × 30%) + (Compliance Posture × 30%) + (Security Operations × 25%) + (Resilience & Oversight × 15%).

Risk bands used here are: Low under 35, Moderate from 35 to 54.99, High from 55 to 74.99, and Critical at 75 or above.
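The four-category blend and the risk bands described above, implemented as an added Python example (this is not the site's own calculator code). The weights for Inherent Exposure, Compliance Posture and the overall score are the ones stated on the page; the 1 to 5 rating conversion (rating × 20), the encoding of Certification Risk, pen testing, MFA and encryption as 0 or 100, the incident scaling, the field names, and every weight inside Security Operations and Resilience & Oversight are assumptions made here because the page does not list them. The sample vendor is constructed from the "Critical Cloud Partner" table row, with the fields that row does not show invented.

```python
"""Weighted vendor risk score and band, following the page's four-category blend.
Added example, not the site's own calculator code. Page-stated weights are marked;
everything marked 'assumed' is filled in here because the page does not list it."""
from dataclasses import dataclass

# Weights stated on the page.
INHERENT_W = {"data_sensitivity": 0.40, "service_criticality": 0.35, "access_level": 0.25}
COMPLIANCE_W = {"gap": 0.45, "control_weakness": 0.35, "certification_risk": 0.20}
OVERALL_W = {"inherent": 0.30, "compliance": 0.30, "operations": 0.25, "resilience": 0.15}
# Assumed weights (not on the page); each group sums to 1.0 so the category stays 0-100.
OPERATIONS_W = {"incidents": 0.30, "monitoring": 0.25, "training": 0.15,
                "pen_test": 0.15, "mfa": 0.15}
RESILIENCE_W = {"geographic": 0.15, "financial": 0.15, "contractual": 0.15, "remediation": 0.15,
                "fourth_party": 0.10, "continuity": 0.10, "insurance": 0.10, "encryption": 0.10}
BANDS = ((35.0, "Low"), (55.0, "Moderate"), (75.0, "High"))  # upper bounds stated on the page


@dataclass
class VendorAssessment:
    # Field names assumed. Ratings are 1-5; percentages are 0-100.
    data_sensitivity: int
    service_criticality: int
    access_level: int
    geopolitical_risk: int
    compliance_gap_pct: float           # higher = more risk
    control_effectiveness_pct: float    # this and the following are strengths, inverted below
    monitoring_pct: float
    training_pct: float
    contract_coverage_pct: float
    remediation_pct: float
    fourth_party_visibility_pct: float
    continuity_pct: float
    insurance_pct: float
    financial_stability_pct: float
    incidents_24m: int                  # count of recent incidents
    recent_pen_test: bool               # yes/no controls
    current_certification: bool
    mfa_enforced: bool
    encryption_in_place: bool


def rating_to_pct(rating: int) -> float:
    """Assumed mapping of a 1-5 rating onto 0-100: 1 -> 20, 5 -> 100."""
    if not 1 <= rating <= 5:
        raise ValueError(f"rating must be 1-5, got {rating}")
    return rating * 20.0


def clamp(pct: float) -> float:
    return max(0.0, min(100.0, float(pct)))  # malformed input cannot push a score off-scale


def weakness(strength_pct: float) -> float:
    """Strength/maturity % -> residual weakness %, the page's '100 - Control Effectiveness %' pattern."""
    return 100.0 - clamp(strength_pct)


def inherent_exposure(v: VendorAssessment) -> float:
    return (rating_to_pct(v.data_sensitivity) * INHERENT_W["data_sensitivity"]
            + rating_to_pct(v.service_criticality) * INHERENT_W["service_criticality"]
            + rating_to_pct(v.access_level) * INHERENT_W["access_level"])


def compliance_posture(v: VendorAssessment) -> float:
    cert_risk = 0.0 if v.current_certification else 100.0  # assumed encoding of Certification Risk
    return (clamp(v.compliance_gap_pct) * COMPLIANCE_W["gap"]
            + weakness(v.control_effectiveness_pct) * COMPLIANCE_W["control_weakness"]
            + cert_risk * COMPLIANCE_W["certification_risk"])


def security_operations(v: VendorAssessment) -> float:
    parts = {"incidents": clamp(v.incidents_24m * 25.0),  # assumed: four or more incidents saturates
             "monitoring": weakness(v.monitoring_pct), "training": weakness(v.training_pct),
             "pen_test": 0.0 if v.recent_pen_test else 100.0, "mfa": 0.0 if v.mfa_enforced else 100.0}
    return sum(parts[k] * w for k, w in OPERATIONS_W.items())


def resilience_oversight(v: VendorAssessment) -> float:
    parts = {"geographic": rating_to_pct(v.geopolitical_risk), "financial": weakness(v.financial_stability_pct),
             "contractual": weakness(v.contract_coverage_pct), "remediation": weakness(v.remediation_pct),
             "fourth_party": weakness(v.fourth_party_visibility_pct), "continuity": weakness(v.continuity_pct),
             "insurance": weakness(v.insurance_pct), "encryption": 0.0 if v.encryption_in_place else 100.0}
    return sum(parts[k] * w for k, w in RESILIENCE_W.items())


def risk_band(score: float) -> str:
    """Low <35, Moderate 35-54.99, High 55-74.99, Critical >=75 (bands stated on the page)."""
    for upper, band in BANDS:
        if score < upper:
            return band
    return "Critical"


def assess(v: VendorAssessment) -> dict:
    """Blend the four category scores with the page's overall weights and rank the drivers."""
    cats = {"inherent": inherent_exposure(v), "compliance": compliance_posture(v),
            "operations": security_operations(v), "resilience": resilience_oversight(v)}
    overall = sum(cats[k] * w for k, w in OVERALL_W.items())
    drivers = sorted(cats, key=cats.get, reverse=True)  # highest-scoring category first
    return {"categories": {k: round(s, 2) for k, s in cats.items()},
            "overall": round(overall, 2), "band": risk_band(overall), "top_driver": drivers[0]}


# Constructed sample modelled on the page's "Critical Cloud Partner" row; unshown fields are invented.
CLOUD_PARTNER = VendorAssessment(
    data_sensitivity=4, service_criticality=5, access_level=4, geopolitical_risk=2,
    compliance_gap_pct=18, control_effectiveness_pct=72, monitoring_pct=61, training_pct=70,
    contract_coverage_pct=80, remediation_pct=75, fourth_party_visibility_pct=60,
    continuity_pct=85, insurance_pct=90, financial_stability_pct=85, incidents_24m=2,
    recent_pen_test=True, current_certification=True, mfa_enforced=True, encryption_in_place=True)

if __name__ == "__main__":
    print(assess(CLOUD_PARTNER))
```

Because the weights inside each category and the four overall weights each sum to 1.0, and every input is pinned to 0 to 100 before weighting, the result cannot leave the 0 to 100 scale even on malformed input. Customising the model (FAQ 5 below) means editing the weight dictionaries; the band thresholds are kept in one tuple for the same reason.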

How to Use This Calculator

  1. Enter the vendor name and assessment date.
  2. Rate data sensitivity, service criticality, access level, and geopolitical risk from 1 to 5.
  3. Enter measurable percentages for compliance gaps, controls, monitoring, contract coverage, continuity, and related oversight items.
  4. Select whether the vendor has recent testing, current certifications, MFA, and encryption controls.
  5. Click Calculate Risk to display the result above the form.
  6. Review the overall score, category breakdown, chart, and top risk drivers.
  7. Export the results or example table to CSV or PDF for review packs and governance records.

FAQs

1. What does this calculator measure?

It estimates third-party cybersecurity and compliance risk by combining inherent exposure, security operations, compliance posture, and resilience oversight into one weighted score.

2. Is the result a formal audit opinion?

No. It is a decision-support score for triage and governance. Formal conclusions still require evidence review, legal analysis, and organization-specific risk acceptance rules.

3. Why do some higher percentages reduce risk?

Percentages for control effectiveness, continuity, monitoring, insurance, and training represent maturity or strength. Stronger maturity means less weakness, so the calculator inverts these percentages into residual risk values before weighting them.

4. How should I rate data sensitivity?

Use 1 for low-impact public or noncritical information and 5 for highly sensitive regulated, financial, health, identity, or business-critical datasets.

5. Can I customize the weights?

Yes. The weights are visible in the code and can be adjusted to align with your procurement model, legal obligations, or sector-specific control framework.

6. What is fourth-party visibility?

It reflects how well the vendor identifies and governs its own subcontractors, hosting partners, and downstream service providers that may affect your security posture.

7. When should I reassess a vendor?

Reassess after major incidents, material scope changes, regulatory updates, new integrations, contract renewals, or whenever key evidence becomes outdated.

8. What should I do with a Critical result?

Escalate for executive review, block onboarding where necessary, tighten contractual safeguards, request remediation proof, and define explicit acceptance conditions before proceeding.

Important Note: All the calculators listed on this site are for educational purposes only and we do not guarantee the accuracy of results. Please consult other sources as well.