Calculator Inputs
Choose the option that best matches the vendor and the requested scope. Higher scores indicate higher onboarding risk.
Example Data Table
Sample vendor assessment inputs and the resulting risk score.
| Example vendor | Key highlights | Result |
|---|---|---|
| Cloud CRM Vendor | Sensitive data, admin scope, deep integration, many subprocessors. | Score 54.2/100 Elevated |
| Factor | Selection |
|---|---|
| Data sensitivity | Personal data / regulated |
| Access level requested | Admin access (scoped) |
| Integration depth | API integration (read/write) |
| Network connectivity | IP allowlist / restricted paths |
| Compliance evidence | Independent attestations partial |
| Security controls maturity | Standardized controls |
| MFA coverage | Required for most users |
| Encryption posture | Strong keys and rotation |
| Logging and monitoring | Centralized logs |
| Vulnerability management | Regular scans, limited follow-up |
| Patch timeliness | Monthly / quarterly cadence |
| Incident history | Minor events, resolved |
| Subprocessor exposure | Many subprocessors |
| Data residency and geo risk | Mostly low-risk jurisdictions |
| Business criticality | Mission-critical |
| Contractual protections | Standard security addendum |
| Financial stability | Strong stability |
| Questionnaire completeness | Complete with evidence |
Formula Used
Each factor converts to a risk fraction between 0 and 1, where 0 is the lowest-risk option and 1 the highest. The overall score is the weighted average of those fractions, scaled to 0–100:
contribution = weight × risk_fraction
score = (Σ contribution / Σ weight) × 100
For “direct” factors a higher selection raises the risk fraction. For “inverse” factors a higher selection represents stronger evidence and lowers it.
How to Use
- Gather vendor details: scope, systems, data types, controls, and audits.
- Select the closest option for each factor in the form.
- Optionally enable weight overrides to match internal policy.
- Click Submit to view the score, contributors, and actions.
- Download CSV or PDF to share with stakeholders.
This calculator supports decision-making and due diligence; it is not a substitute for a security review.
Risk Score Structure and Weights
The calculator translates each onboarding factor into a normalized risk fraction, then applies weights. Default weights sum to 120; because the score is divided by the weight total, that sum does not set the scale, and overriding a weight changes only that factor's relative influence. Direct factors increase risk as selections rise, such as access level or integration depth. Inverse factors decrease risk as evidence improves, such as audits, MFA coverage, encryption posture, and monitoring. Incident history uses a 0–4 scale to separate “no events” from repeated major incidents. The output ranks contributions (weight × risk fraction) from largest to smallest, so reviewers see which choices drive the score.
Interpreting Score Bands for Decisions
Use the score to choose the right onboarding path. Low (0–20) typically fits standard procurement checks and annual review. Moderate (20.1–40) benefits from targeted remediation before go‑live. Elevated (40.1–60) suggests narrowing scope, adding contract controls, and validating safeguards. High (60.1–80) usually requires leadership sign‑off plus tighter access boundaries. Critical (80.1–100) indicates onboarding should pause until material risks are reduced. Align thresholds with policy and risk appetite, and review them at least annually.
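The scoring pipeline described under Formula Used, Risk Score Structure and Weights, and the band table above, as an added worked example in Python. This is not the calculator's own code: the page publishes the formula and the band boundaries but not its weight table or option ladders, so the twelve factors, their weights and their option orderings below are assumptions, and the score they produce intentionally does not reproduce the page's 54.2. The vendor selections are copied from the Cloud CRM Vendor example; the remediation set and the weight override are constructed to show how the contribution ranking and the normalization behave.

```python
"""Weighted vendor onboarding risk score (added example, not the calculator's code).

The page gives the formula and band limits but not its weight table or option
ladders; every weight and option list below is an assumption for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Factor:
    name: str
    weight: float
    options: tuple       # ordered from lowest to highest selection
    direct: bool = True  # direct: higher selection raises risk; inverse: lowers it

    def risk_fraction(self, selection: str) -> float:
        # Evenly spaced steps: first option -> 0, last option -> 1 (flipped for inverse).
        if selection not in self.options:
            raise ValueError(f"{self.name}: unknown option {selection!r}")
        position = self.options.index(selection) / (len(self.options) - 1)
        return position if self.direct else 1.0 - position


# Assumed subset of the calculator's factors (hypothetical weights and ladders).
FACTORS = (
    Factor("Data sensitivity", 10, ("Public", "Internal", "Confidential", "Personal data / regulated")),
    Factor("Access level requested", 10, ("Read-only", "Standard user", "Admin access (scoped)", "Admin access (unrestricted)")),
    Factor("Integration depth", 8, ("None", "File exchange", "API integration (read-only)", "API integration (read/write)")),
    Factor("Incident history", 6, ("No events", "Minor events, resolved", "Minor events, recurring",
                                   "Major event, resolved", "Repeated major incidents")),  # the page's 0-4 scale
    Factor("Subprocessor exposure", 5, ("None", "Few subprocessors", "Many subprocessors")),
    Factor("Business criticality", 7, ("Low", "Moderate", "High", "Mission-critical")),
    # Inverse factors: the top of the ladder is the strongest evidence, so it scores 0 risk.
    Factor("Compliance evidence", 8, ("None", "Self-attested", "Independent attestations partial",
                                      "Independent attestations complete"), direct=False),
    Factor("MFA coverage", 6, ("None", "Admins only", "Required for most users", "Required for all users"), direct=False),
    Factor("Encryption posture", 6, ("Weak or unknown", "Managed keys, no rotation", "Strong keys and rotation"), direct=False),
    Factor("Contractual protections", 5, ("None", "Standard security addendum", "Enhanced terms with audit rights"), direct=False),
    Factor("Financial stability", 4, ("Distressed", "Uncertain", "Strong stability"), direct=False),
    Factor("Questionnaire completeness", 4, ("Not returned", "Partial", "Complete with evidence"), direct=False),
)

# Band upper limits from the page: Low 0-20, Moderate 20.1-40, Elevated 40.1-60, High 60.1-80, Critical 80.1-100.
BANDS = ((20.0, "Low"), (40.0, "Moderate"), (60.0, "Elevated"), (80.0, "High"), (100.0, "Critical"))


def band(score: float) -> str:
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score out of range: {score}")


def assess(selections: dict, overrides: dict = None, factors=FACTORS):
    """Return (score, contributions ranked high to low) for one vendor.

    score = sum(weight * risk_fraction) / sum(weight) * 100. Dividing by the
    weight total keeps the result on 0-100 whatever the weights add up to.
    """
    overrides = overrides or {}
    contributions, total_weight = [], 0.0
    for f in factors:
        if f.name not in selections:
            raise ValueError(f"missing selection for {f.name!r}")
        weight = float(overrides.get(f.name, f.weight))
        if weight < 0:
            raise ValueError(f"{f.name}: weight must be non-negative")
        total_weight += weight
        contributions.append((f.name, weight * f.risk_fraction(selections[f.name])))
    if total_weight == 0:
        raise ValueError("all weights are zero; the score is undefined")
    score = round(sum(c for _, c in contributions) / total_weight * 100, 1)
    return score, sorted(contributions, key=lambda item: item[1], reverse=True)


# Constructed inputs copied from the page's Cloud CRM Vendor example.
CRM_VENDOR = {
    "Data sensitivity": "Personal data / regulated",
    "Access level requested": "Admin access (scoped)",
    "Integration depth": "API integration (read/write)",
    "Incident history": "Minor events, resolved",
    "Subprocessor exposure": "Many subprocessors",
    "Business criticality": "Mission-critical",
    "Compliance evidence": "Independent attestations partial",
    "MFA coverage": "Required for most users",
    "Encryption posture": "Strong keys and rotation",
    "Contractual protections": "Standard security addendum",
    "Financial stability": "Strong stability",
    "Questionnaire completeness": "Complete with evidence",
}

# Constructed remediation plan: narrower access, MFA everywhere, full attestations, stronger contract.
REMEDIATED = {
    **CRM_VENDOR,
    "Access level requested": "Standard user",
    "MFA coverage": "Required for all users",
    "Compliance evidence": "Independent attestations complete",
    "Contractual protections": "Enhanced terms with audit rights",
}
```

With these assumed weights, `assess(CRM_VENDOR)` returns 57.4 (Elevated) and ranks Data sensitivity, Integration depth and Business criticality as the top contributors; re-scoring `REMEDIATED` returns 44.1, which is the before-and-after comparison the contribution table is meant to make visible. Passing `overrides={"Data sensitivity": 20}` lifts the same inputs to 62.2 (High) without touching any selection, which is why overrides should come only from approved policy weights.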
Using Evidence to Reduce Onboarding Risk
Lower scores come from measurable controls and verifiable artifacts. Request recent audit reports, a security addendum, and clear patch and incident timelines. Confirm least‑privilege access, segmented connectivity, and documented key management. Validate scanning frequency and remediation SLAs. If the vendor uses subprocessors, obtain an inventory, data flow mapping, and notification commitments. Every improvement should map to a factor, making mitigation impact visible in the contribution table.
Documenting Exceptions and Compensating Controls
Sometimes business need outweighs ideal security posture. When exceptions occur, document the scope, expiration date, and owner. Add compensating controls such as reduced privileges, dedicated tenant isolation, token rotation, monitoring hooks, and usage alerts. Strengthen contractual terms for breach notice, audit rights, and incident cooperation. Capture acceptance criteria that must be met for renewal. This record makes residual risk explicit and supports consistent governance.
Operationalizing Continuous Vendor Monitoring
Onboarding is the start, not the finish. Recalculate the score after major changes, renewals, new integrations, or incidents. Track trends over time to spot drift and control regression. Integrate evidence refresh cycles for audits, penetration tests, and subprocessor updates. Use the top‑contributors list to prioritize quarterly actions and budget. A repeatable scoring routine improves transparency and reduces surprise exposure.
FAQs
1) How is the risk score calculated?
Each selection maps to a risk fraction, then the calculator applies weights and computes a weighted average on a 0–100 scale. Higher scores mean higher onboarding risk and more required controls.
2) What information should I gather before scoring?
Collect requested access scope, data types, integration methods, network connectivity, audit evidence, security controls, vulnerability and patch practices, subprocessor details, and incident history for the last 24 months.
3) When should I use weight overrides?
Use overrides only when your organization has approved policy weights. Otherwise, keep defaults for consistency across reviewers and departments, and document any exceptions in the assessment record.
4) How can a vendor reduce a High or Critical score?
Reduce scope, enforce least‑privilege access, require MFA everywhere, strengthen encryption and logging, confirm scanning and patch SLAs, and obtain independent audit evidence. Update the inputs after each remediation to measure impact.
5) Does a Low score mean onboarding is always safe?
No. A Low score indicates lower relative risk for the stated scope, but you should still complete baseline due diligence, confirm contractual protections, and reassess when the vendor’s access or data handling changes.
6) How often should I reassess vendor onboarding risk?
Reassess at renewal, after major product or architecture changes, when new data types are introduced, after incidents, and whenever integrations or privileges expand. Many teams schedule at least an annual refresh.