# Vendor Risk Assessment

Install skill "Vendor Risk Assessment" with this command: npx skills add 1kalin/afrexai-vendor-risk

Score and manage third-party vendor risk across security, financial stability, compliance, operational dependency, and data handling. Built for procurement teams, CISOs, and operations leaders managing 10+ vendors.

Usage

Run this assessment for each critical vendor. Aggregate scores into a portfolio risk view.

Assessment Framework

1. Vendor Risk Scorecard (5 Domains, 0-100 each)

Security Posture (0-100)

  • SOC 2 Type II current? (+20)
  • Penetration test within 12 months? (+15)
  • Incident response plan documented? (+15)
  • Data encryption at rest and transit? (+15)
  • MFA enforced for all access? (+10)
  • Security questionnaire completed? (+10)
  • Subprocessor list disclosed? (+15)

Financial Stability (0-100)

  • Revenue trend (growing +25, flat +10, declining 0)
  • Funding runway >18 months? (+20)
  • Customer concentration <20%? (+15)
  • Public financials or audited statements? (+15)
  • No material litigation? (+15)
  • Credit rating acceptable? (+10)

Compliance & Regulatory (0-100)

  • Industry certifications current? (+20)
  • GDPR/CCPA compliant? (+20)
  • Data processing agreement signed? (+15)
  • Regulatory audit history clean? (+15)
  • Right to audit clause? (+15)
  • Data residency requirements met? (+15)

Operational Dependency (0-100)

  • SLA with financial penalties? (+20)
  • Uptime >99.9% trailing 12 months? (+20)
  • Disaster recovery tested annually? (+15)
  • Single point of failure for your business? (-20)
  • Migration plan documented? (+15)
  • API/export capability? (+15)
  • Vendor lock-in risk assessment? (+15)

Data Handling (0-100)

  • Data classification documented? (+20)
  • Retention/deletion policies clear? (+20)
  • Breach notification <72 hours? (+20)
  • Data portability guaranteed? (+15)
  • AI/ML training on your data? (opt-out available +15, no opt-out -10)
  • Access logging and audit trail? (+10)

2. Risk Tier Classification

The aggregate score is the sum of the five domain scores (0-500).

| Aggregate Score | Tier | Review Cadence | Action |
|---|---|---|---|
| 400-500 | Low Risk | Annual | Standard monitoring |
| 300-399 | Moderate | Semi-annual | Remediation plan required |
| 200-299 | High Risk | Quarterly | Executive escalation, alternatives identified |
| 0-199 | Critical | Monthly | Exit plan required within 90 days |

3. Portfolio Risk View

Total vendors: ___
Critical tier: ___ (target: 0)
High risk: ___ (target: <10%)
Moderate: ___ (target: <30%)
Low risk: ___ (target: >60%)

Top 3 concentration risks:
1. [Vendor] — [function] — [% of operations dependent]
2. [Vendor] — [function] — [% of operations dependent]
3. [Vendor] — [function] — [% of operations dependent]

Annual vendor spend: $___
Spend on high/critical vendors: $___  (___%)
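The scorecard, tier bands and portfolio roll-up above, written out as a small scoring function. This is an added example and not the skill's own code; the point values are transcribed from the five domains, while the answer keys and the sample vendor are my own construction.

```python
"""Vendor risk scorecard as code. Added example, not part of the original skill; point
values and tier bands are transcribed from the scorecard above, answer keys are my own."""
def yn(points):  # yes/no question worth `points`; a negative value is a deduction
    return {True: points, False: 0}

DOMAINS = {
    "security": {"soc2_type2": yn(20), "pentest_12mo": yn(15), "ir_plan": yn(15),
                 "encryption": yn(15), "mfa": yn(10), "questionnaire": yn(10),
                 "subprocessors_disclosed": yn(15)},
    "financial": {"revenue_trend": {"growing": 25, "flat": 10, "declining": 0},
                  "runway_gt_18mo": yn(20), "concentration_lt_20pct": yn(15),
                  "audited_financials": yn(15), "no_litigation": yn(15), "credit_ok": yn(10)},
    "compliance": {"certs_current": yn(20), "gdpr_ccpa": yn(20), "dpa_signed": yn(15),
                   "audit_history_clean": yn(15), "right_to_audit": yn(15),
                   "data_residency_met": yn(15)},
    "operational": {"sla_penalties": yn(20), "uptime_gt_999": yn(20), "dr_tested": yn(15),
                    "single_point_of_failure": yn(-20), "migration_plan": yn(15),
                    "api_export": yn(15), "lock_in_assessed": yn(15)},
    "data": {"classification": yn(20), "retention_policy": yn(20), "breach_lt_72h": yn(20),
             "portability": yn(15), "ai_training": {"opt_out": 15, "no_opt_out": -10},
             "access_logging": yn(10)},
}
TIERS = [(400, "Low Risk"), (300, "Moderate"), (200, "High Risk"), (0, "Critical")]

def score_domain(domain, answers):
    """Sum one domain's points, clamped to 0-100. Unanswered questions score 0;
    an answer outside a rule's table raises KeyError instead of silently passing."""
    rules = DOMAINS[domain]
    return max(0, min(100, sum(rules[k][v] for k, v in answers.items() if k in rules)))

def assess(answers):
    """Return (domain scores, 0-500 aggregate, tier) for one vendor's answers."""
    scores = {d: score_domain(d, answers) for d in DOMAINS}
    aggregate = sum(scores.values())
    return scores, aggregate, next(name for floor, name in TIERS if aggregate >= floor)

def portfolio_view(assessments):
    """Vendor count per tier and its share of the portfolio, for the section 3 targets."""
    counts = {name: 0 for _, name in TIERS}
    for _, _, tier in assessments:
        counts[tier] += 1
    share = 100 / len(assessments) if assessments else 0
    return {t: (c, round(c * share, 1)) for t, c in counts.items()}

# Constructed sample vendor: decent controls, but a single point of failure and no AI opt-out.
SAMPLE = {"soc2_type2": True, "pentest_12mo": True, "encryption": True, "revenue_trend": "flat",
          "runway_gt_18mo": True, "certs_current": True, "gdpr_ccpa": True, "dpa_signed": True,
          "uptime_gt_999": True, "single_point_of_failure": True, "api_export": True,
          "classification": True, "retention_policy": True, "breach_lt_72h": True, "ai_training": "no_opt_out"}
```

Note that the single-point-of-failure deduction can push a domain below zero, which the clamp turns into 0 rather than dragging the aggregate negative.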

4. Cost of Vendor Failure

| Impact Area | Calculation |
|---|---|
| Revenue loss | Daily revenue × expected downtime days |
| Recovery cost | Migration estimate + emergency procurement |
| Compliance penalty | Regulatory fine range for data breach via vendor |
| Reputation damage | Customer churn rate × LTV × affected customers |
| Operational disruption | Staff idle cost × recovery period |

5. Quarterly Review Template

  • Score changes since last review (flag any >10 point drops)
  • New subprocessors added by vendor
  • SLA performance vs target
  • Security incidents or near-misses
  • Contract renewal timeline and negotiation leverage
  • Alternative vendor benchmarking

6. Red Flags (Immediate Action)

  • Vendor acquired by competitor
  • Key personnel departures (CISO, CTO)
  • Downtime exceeding SLA 2+ months
  • Regulatory action or investigation
  • Refusal to complete security questionnaire
  • Data breach affecting other customers
  • Sudden pricing changes >20%

Industry-Specific Vendor Risks

| Industry | Critical Vendor Category | Specific Risk |
|---|---|---|
| Healthcare | EHR, billing, telehealth | HIPAA BAA gaps, PHI exposure |
| Financial Services | Core banking, payments, KYC | PCI DSS, regulatory reporting |
| Legal | Case management, ediscovery | Privilege breach, client data |
| SaaS | Infrastructure, auth, payments | Cascading outages, PII |
| Manufacturing | MES, supply chain, IoT | IP theft, production stoppage |
| Construction | Project management, safety | Compliance documentation gaps |
| Ecommerce | Payments, fulfillment, CDN | PCI, availability during peak |
| Recruitment | ATS, background check, payroll | Candidate PII, bias in AI screening |
| Real Estate | MLS, transaction mgmt, title | Wire fraud, closing delays |
| Professional Services | CRM, billing, document mgmt | Client confidentiality breach |
