Vendor Risk Matrix Calculator

Rank suppliers with consistent risk scoring and clear levels. Tune weights and thresholds for your program needs. Export clean CSV and PDF reports.

Risk inputs

Fill one vendor, or paste batch CSV. Fields use 1–5 scales unless noted.
* Required for single-vendor scoring.
Used in exports and result headings.
Business impact if the vendor fails or is breached.
Probability of adverse events over your review window.
Higher values reduce residual risk more.
Caps at 20% additional reduction.
Use as a structured count or severity index.
Notes are included in batch exports.
Advanced settings: weights, thresholds, and batch scoring
Relative importance of Impact × Likelihood.
Data, regulatory, financial, availability, fourth‑party.
Past issues, breach history, audit findings.
If batch CSV is provided, single-vendor fields are ignored for scoring.

Example vendor data

Use these rows to test batch scoring. Copy into the batch CSV box.
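| vendor | impact | likelihood | control_eff | resilience | sensitivity | regulatory | financial | availability | fourth_party | incident_history | notes |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Acme Payments | 5 | 4 | 55 | 60 | 5 | 5 | 4 | 5 | 4 | 2 | Handles card data |
| BlueSupport BPO | 3 | 3 | 70 | 65 | 3 | 2 | 2 | 3 | 3 | 1 | Customer contact center |
| CloudStorage Pro | 4 | 3 | 60 | 75 | 4 | 3 | 3 | 4 | 4 | 0 | Stores internal documents |
| DataInsights AI | 4 | 4 | 45 | 50 | 4 | 4 | 3 | 3 | 5 | 3 | Uses multiple sub‑processors |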
Copy‑ready CSV
vendor,impact,likelihood,control_eff,resilience,sensitivity,regulatory,financial,availability,fourth_party,incident_history,notes
Acme Payments,5,4,55,60,5,5,4,5,4,2,Handles card data
BlueSupport BPO,3,3,70,65,3,2,2,3,3,1,Customer contact center
CloudStorage Pro,4,3,60,75,4,3,3,4,4,0,Stores internal documents
DataInsights AI,4,4,45,50,4,4,3,3,5,3,Uses multiple sub-processors

Formula used

Inherent risk: Inherent = Impact × Likelihood (range 1–25).

Component scaling: Inherent, Exposure, and Incident are scaled to 0–100, then blended by weights.

Residual score: Residual = Base × (1 − Controls%) × (1 − 0.20×Resilience%) × Uplift.

Exposure uplift: Uplift = 1 + 0.15×(ExposureAvg − 1), to reflect sensitive and regulated vendors.
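
The formula above applied to the sample rows, as an added example that is not the calculator's own code. The blend weights, level thresholds, 0–100 scalings, the 0–5 incident range, input range checks, and clamping to 100 are assumptions, because the page does not state the tool's defaults.

```python
import csv, io

# Assumptions (not stated on the page): blend weights, level thresholds,
# the 0-100 scaling of each component, and clamping the result at 100.
WEIGHTS = {"inherent": 0.60, "exposure": 0.25, "incident": 0.15}
LEVELS = [(20, "Low"), (40, "Moderate"), (60, "High"), (80, "Critical")]
EXPOSURE = ("sensitivity", "regulatory", "financial", "availability", "fourth_party")
RANGES = {"impact": (1, 5), "likelihood": (1, 5), "control_eff": (0, 100),
          "resilience": (0, 100), "incident_history": (0, 5),
          **{k: (1, 5) for k in EXPOSURE}}

def score(row):
    v = {}
    for field, (lo, hi) in RANGES.items():
        v[field] = float(row[field])
        if not lo <= v[field] <= hi:
            # e.g. control_eff=150 would otherwise produce a negative score
            raise ValueError(f"{row['vendor']}: {field} outside {lo}-{hi}")
    exposure_avg = sum(v[k] for k in EXPOSURE) / len(EXPOSURE)
    parts = {
        "inherent": v["impact"] * v["likelihood"] / 25 * 100,  # 1-25 -> 4-100
        "exposure": (exposure_avg - 1) / 4 * 100,              # 1-5  -> 0-100
        "incident": v["incident_history"] / 5 * 100,           # 0-5  -> 0-100
    }
    base = sum(WEIGHTS[k] * parts[k] for k in WEIGHTS)
    uplift = 1 + 0.15 * (exposure_avg - 1)
    residual = (base * (1 - v["control_eff"] / 100)
                * (1 - 0.20 * v["resilience"] / 100) * uplift)
    return round(min(residual, 100.0), 1)  # uplift can push past 100

def level(s):
    return next((name for maximum, name in LEVELS if s <= maximum), "Severe")

def rank(csv_text):
    scored = [(r["vendor"], score(r)) for r in csv.DictReader(io.StringIO(csv_text))]
    return [(n, s, level(s)) for n, s in sorted(scored, key=lambda x: -x[1])]

# Sample rows copied from the page's copy-ready CSV.
SAMPLE = """vendor,impact,likelihood,control_eff,resilience,sensitivity,regulatory,financial,availability,fourth_party,incident_history,notes
Acme Payments,5,4,55,60,5,5,4,5,4,2,Handles card data
BlueSupport BPO,3,3,70,65,3,2,2,3,3,1,Customer contact center
CloudStorage Pro,4,3,60,75,4,3,3,4,4,0,Stores internal documents
DataInsights AI,4,4,45,50,4,4,3,3,5,3,Uses multiple sub-processors
"""

if __name__ == "__main__":
    for vendor, residual, lvl in rank(SAMPLE):
        print(f"{vendor:18} {residual:5.1f}  {lvl}")
```

Scores from this sketch will differ from the tool's output wherever its defaults differ from the assumed weights and thresholds.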

How to use this calculator

  1. Set Impact and Likelihood based on your assessment rubric.
  2. Estimate Control Effectiveness and Resilience maturity percentages.
  3. Rate exposure drivers: sensitivity, regulatory, financial, availability, fourth‑party.
  4. Optionally adjust weights and thresholds under Advanced settings.
  5. Press Submit to view results above the form.
  6. Use Download CSV or Download PDF for evidence and reporting.
  7. For multiple vendors, paste batch CSV and submit once.

FAQs

1) What does the score represent?

It is a 0–100 residual risk score after considering inherent risk, exposure drivers, incident history, and reductions from controls and resilience.

2) How do I choose impact and likelihood?

Use your organization’s rubric. Impact reflects business harm if a vendor fails. Likelihood estimates probability during the review period, using incidents, audits, and threat context.

3) Why do exposure factors matter?

Exposure drivers capture what is at stake: sensitive data, regulation, financial dependency, uptime needs, and sub‑processor reliance. Higher exposure increases the uplift applied to residual scoring.

4) Can I align levels to my policy?

Yes. Edit the Low, Moderate, High, and Critical maximum thresholds in Advanced settings. Anything above Critical becomes Severe automatically.

5) What should I enter for control effectiveness?

Use a percent estimate based on control testing, certifications, audit results, and contract requirements. Higher values reduce residual risk more strongly in the formula.

6) How does batch CSV scoring work?

Paste CSV with the supported header, submit, and the tool calculates every row. Results are sorted by highest score and can be exported to CSV and PDF.

7) Is this a replacement for a full vendor assessment?

No. It’s a structured triage and reporting aid. Use it to prioritize reviews, set monitoring cadence, and justify decisions alongside questionnaires and evidence.

Important Note: All the calculators listed on this site are for educational purposes only, and we do not guarantee the accuracy of results. Please consult other sources as well.