Enter Vendor Assessment Inputs
Use the fields below to score security maturity, compliance posture, exposure, operational resilience, and evidence freshness.
Example Data Table
| Vendor | Sector | Inherent Exposure | Compliance Readiness | Residual Risk | Suggested Decision |
|---|---|---|---|---|---|
| Northwind Cloud CRM | SaaS / Technology | 61.40 | 74.80 | 56.20 | Conditional Approval |
| Atlas Payments Hub | Finance | 49.00 | 83.40 | 42.10 | Approve with Monitoring |
| Harbor Managed Backup | Critical Infrastructure | 72.25 | 66.10 | 74.35 | Escalate for Security and Legal Review |
| BluePeak Payroll Services | Professional Services | 35.75 | 87.60 | 28.90 | Approve with Monitoring |
| MarketLoom Analytics | Retail | 57.00 | 62.90 | 55.60 | Conditional Approval |
Formula Used
This calculator converts each vendor input into a normalized risk score between 0 and 100. Inputs that are scored as strengths (security controls, compliance coverage, remediation maturity, financial stability, contractual assurance, questionnaire completion) are inverted as 100 − value, so higher normalized values always represent higher risk.
Base Weighted Risk Score
Base Score = Σ(Normalized Risk × Weight) ÷ 100
Sector-Adjusted Residual Risk
Overall Risk = Base Score × Sector Factor (the multiplier assigned to the vendor's business sector)
Inherent Exposure
0.25×Sensitivity + 0.20×Access + 0.20×Criticality + 0.20×Regulatory + 0.15×Fourth-Party, with each 1 to 5 rating first normalized to 0 to 100 using the (rating − 1) × 25 rule below, so the result is also on a 0 to 100 scale
Compliance Readiness
0.45×Compliance Coverage + 0.20×Questionnaire + 0.20×Contractual Assurance + 0.15×Fresh Audit Evidence
Control Strength
0.35×Security Controls + 0.25×Remediation Maturity + 0.20×Contractual Assurance + 0.20×Compliance Coverage
Weight Table
| Risk Domain | Weight % | Normalization Rule |
|---|---|---|
| Security Controls Gap | 12 | 100 − security controls |
| Compliance Gap | 10 | 100 − compliance coverage |
| Data Sensitivity | 8 | (rating − 1) × 25 |
| System Access Privilege | 8 | (rating − 1) × 25 |
| Business Criticality | 8 | (rating − 1) × 25 |
| Regulatory Exposure | 7 | (rating − 1) × 25 |
| Financial Stability Risk | 6 | 100 − financial stability |
| Remediation Program Gap | 8 | 100 − remediation maturity |
| Incident History | 8 | min(incidents × 20, 100), so the domain saturates at 5 incidents |
| Open Critical Findings | 7 | min(findings × 12.5, 100), so the domain saturates at 8 open findings |
| Audit Staleness | 5 | min((months ÷ 24) × 100, 100), so evidence older than 24 months scores the maximum |
| Contractual Assurance Gap | 5 | 100 − contractual assurance |
| Questionnaire Gap | 4 | 100 − questionnaire completion |
| Fourth-Party Dependency | 4 | (rating − 1) × 25 |
How to Use This Calculator
- Enter the vendor name, date, and business sector. The sector adds a multiplier for industries with tighter regulatory or operational pressure.
- Score control quality, compliance coverage, remediation maturity, financial stability, contractual assurance, and questionnaire completion from 0 to 100. Higher values are better for those inputs; the calculator inverts them during normalization.
- Rate sensitivity, access, criticality, regulatory exposure, and fourth-party dependency from 1 to 5. Higher ratings increase inherent exposure.
- Add incident count, open critical findings, and months since the last audit. These fields raise residual risk when current issues or stale evidence exist.
- Click the calculate button. Review the result block above the form, inspect the Plotly graph, and export the assessment using CSV or PDF.
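The formulas and weight table above, together with the input ranges from the steps just listed, written out as a runnable calculator. This is an added example, not the page's own calculator code. Three things the page does not publish are filled in with labelled assumptions: the sector multipliers, how "Fresh Audit Evidence" is scored (taken here as 100 minus the audit-staleness normalization), and the thresholds behind the suggested decision. The two vendors at the bottom are constructed inputs, not rows from the example table.

```python
from dataclasses import dataclass

# Weight table from the page (percent). It sums to 100, so Σ(normalized × weight) ÷ 100 stays on 0-100.
WEIGHTS = {"security_controls_gap": 12, "compliance_gap": 10, "data_sensitivity": 8, "system_access": 8,
           "business_criticality": 8, "regulatory_exposure": 7, "financial_stability_risk": 6,
           "remediation_gap": 8, "incident_history": 8, "open_critical_findings": 7, "audit_staleness": 5,
           "contractual_assurance_gap": 5, "questionnaire_gap": 4, "fourth_party_dependency": 4}
# ASSUMPTION: the page does not publish its sector multipliers; these values are illustrative.
SECTOR_FACTOR = {"SaaS / Technology": 1.00, "Finance": 1.10, "Critical Infrastructure": 1.15,
                 "Professional Services": 0.95, "Retail": 1.00}
SCORE_FIELDS = ("security_controls", "compliance_coverage", "remediation_maturity",
                "financial_stability", "contractual_assurance", "questionnaire_completion")
RATING_FIELDS = ("sensitivity", "access", "criticality", "regulatory", "fourth_party")
COUNT_FIELDS = ("incidents", "open_critical_findings", "months_since_audit")


@dataclass
class VendorInputs:
    vendor: str; sector: str
    # 0-100 maturity/completeness inputs; higher is better.
    security_controls: float; compliance_coverage: float; remediation_maturity: float
    financial_stability: float; contractual_assurance: float; questionnaire_completion: float
    # 1-5 ordinal ratings; higher means more exposure.
    sensitivity: int; access: int; criticality: int; regulatory: int; fourth_party: int
    # Counts and evidence age in months.
    incidents: int; open_critical_findings: int; months_since_audit: float

def validation_errors(v: VendorInputs) -> list[str]:
    """Range-check every field before scoring; an empty list means the inputs are usable."""
    errors = [f"{n} must be 0-100" for n in SCORE_FIELDS if not 0 <= getattr(v, n) <= 100]
    errors += [f"{n} must be an integer rating 1-5" for n in RATING_FIELDS if getattr(v, n) not in (1, 2, 3, 4, 5)]
    errors += [f"{n} must not be negative" for n in COUNT_FIELDS if getattr(v, n) < 0]
    if v.sector not in SECTOR_FACTOR:
        errors.append(f"unknown sector {v.sector!r}")
    return errors

def normalize_inputs(v: VendorInputs) -> dict[str, float]:
    """Apply each normalization rule from the weight table; every value is 0-100, higher = riskier."""
    if errors := validation_errors(v):
        raise ValueError("; ".join(errors))
    def rating(r: int) -> float:  # table rule for 1-5 ordinals: (rating − 1) × 25
        return (r - 1) * 25.0
    return {
        "security_controls_gap": 100 - v.security_controls,
        "compliance_gap": 100 - v.compliance_coverage,
        "data_sensitivity": rating(v.sensitivity),
        "system_access": rating(v.access),
        "business_criticality": rating(v.criticality),
        "regulatory_exposure": rating(v.regulatory),
        "financial_stability_risk": 100 - v.financial_stability,
        "remediation_gap": 100 - v.remediation_maturity,
        "incident_history": min(v.incidents * 20, 100),
        "open_critical_findings": min(v.open_critical_findings * 12.5, 100),
        "audit_staleness": min(v.months_since_audit / 24 * 100, 100),
        "contractual_assurance_gap": 100 - v.contractual_assurance,
        "questionnaire_gap": 100 - v.questionnaire_completion,
        "fourth_party_dependency": rating(v.fourth_party),
    }

def base_score(v: VendorInputs) -> float:  # Base Score = Σ(Normalized Risk × Weight) ÷ 100
    norm = normalize_inputs(v)
    return sum(norm[k] * WEIGHTS[k] for k in WEIGHTS) / 100

def residual_risk(v: VendorInputs) -> float:  # Sector-Adjusted Residual Risk = Base Score × Sector Factor
    return base_score(v) * SECTOR_FACTOR[v.sector]

def inherent_exposure(v: VendorInputs) -> float:
    """Inherent Exposure uses the normalized 0-100 ordinals, not the raw 1-5 ratings."""
    n = normalize_inputs(v)
    return (0.25 * n["data_sensitivity"] + 0.20 * n["system_access"] + 0.20 * n["business_criticality"]
            + 0.20 * n["regulatory_exposure"] + 0.15 * n["fourth_party_dependency"])

def compliance_readiness(v: VendorInputs) -> float:
    # ASSUMPTION: "Fresh Audit Evidence" is scored as the complement of the audit-staleness normalization.
    fresh_audit_evidence = 100 - normalize_inputs(v)["audit_staleness"]
    return (0.45 * v.compliance_coverage + 0.20 * v.questionnaire_completion
            + 0.20 * v.contractual_assurance + 0.15 * fresh_audit_evidence)

def control_strength(v: VendorInputs) -> float:
    return (0.35 * v.security_controls + 0.25 * v.remediation_maturity
            + 0.20 * v.contractual_assurance + 0.20 * v.compliance_coverage)

def suggested_decision(residual: float, v: VendorInputs) -> str:
    """ASSUMPTION: thresholds are illustrative; the triggers mirror the FAQ's escalation guidance."""
    if (residual >= 70 or v.open_critical_findings >= 3 or v.months_since_audit >= 24
            or (v.sensitivity >= 4 and v.access >= 4)):
        return "Escalate for Security and Legal Review"
    return "Conditional Approval" if residual >= 50 else "Approve with Monitoring"

# Constructed sample vendors (not rows from the page's example table).
EXAMPLE_VENDOR = VendorInputs("Example Ledger API", "Finance", 70, 80, 60, 75, 65, 90,
                              4, 3, 3, 2, 2, incidents=1, open_critical_findings=2, months_since_audit=6)
STALE_VENDOR = VendorInputs("Example Grid Telemetry", "Critical Infrastructure", 40, 50, 30, 60, 40, 50,
                            5, 4, 4, 4, 3, incidents=3, open_critical_findings=5, months_since_audit=30)

if __name__ == "__main__":
    for vendor in (EXAMPLE_VENDOR, STALE_VENDOR):
        r = residual_risk(vendor)
        print(f"{vendor.vendor}: exposure={inherent_exposure(vendor):.2f} readiness={compliance_readiness(vendor):.2f} "
              f"controls={control_strength(vendor):.2f} residual={r:.2f} -> {suggested_decision(r, vendor)}")
```

Two points worth checking against your own inputs: validation runs before any arithmetic, so a rating of 6 or a negative month count is rejected rather than silently producing a plausible-looking score, and the three capped domains saturate early (5 incidents, 8 open findings, 24 months), so a vendor with 30 months since its last audit scores exactly the same staleness as one at 24.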
Frequently Asked Questions
1) What does the overall residual risk score mean?
It estimates the vendor risk that remains after weighting exposure, control weakness, evidence freshness, incidents, and sector pressure. Lower values indicate less residual risk.
2) Why are some inputs scored from 0 to 100?
Those fields represent maturity or completeness. Higher scores mean stronger controls, evidence, or operational health, which reduce risk after normalization.
3) Why are sensitivity and access rated from 1 to 5?
Ordinal scales work well for exposure judgments. They simplify triage when exact numeric measurements are unavailable during vendor reviews.
4) What is the difference between inherent exposure and residual risk?
Inherent exposure reflects how risky the relationship is by nature. Residual risk adds control quality, compliance evidence, incidents, and vendor health.
5) How should I interpret compliance readiness?
It summarizes policy coverage, completed questionnaires, contract language, and audit freshness. Higher readiness supports approvals and lowers review friction.
6) Can this calculator replace a full vendor due diligence program?
No. It helps prioritize and document decisions, but formal reviews still need evidence validation, scoping, contract review, and business approval.
7) Why is there a sector factor?
Certain industries face stricter oversight, safety obligations, or breach impact. The factor modestly adjusts residual risk to reflect that environment.
8) When should a vendor be escalated instead of approved?
Escalate when the residual score is high, critical findings remain open, audit evidence is stale, or the vendor handles sensitive data with privileged system access.