When your organization enters into a working agreement with a new vendor, it is important to audit and monitor that vendor throughout the lifecycle of the business agreement. Beyond vetting the vendor's risk management program once at onboarding, due diligence requires that your organization conduct a thorough risk assessment before signing and keep it current for the life of the third-party vendor's contract.

What is a vendor risk assessment?

A vendor risk assessment is a structured evaluation of the risk a third party introduces to your organization, including whether the vendor meets the regulatory requirements that apply to the data and services it will handle for you. A thorough assessment looks at areas including data privacy, information security, and financial stability, and helps your organization decide whether a vendor will be a trustworthy and reliable business partner that supports, rather than threatens, business continuity.

How do you do a vendor risk assessment?

Vendor management requires a complete risk assessment that should focus on a few primary areas of concern: reliability, security, and data handling.

Reliability

Before entering into an agreement with a new vendor, run a background check on the company to identify any red flags. Your risk assessment should take into consideration feedback and reviews from former partners and customers, along with any public news or information about the vendor's previous business agreements, litigation, or past security incidents.

Security

A vendor's information security controls are a major element of the risk assessment. Beyond its ability to prevent and detect data breaches, evaluate how the vendor handles the related control areas: physical and environmental security, the organization of security responsibilities, and human resource security (screening, training, and offboarding). Determine whether the vendor's procedures align with the regulatory requirements that apply to your data and with recognized security standards, and ask for evidence rather than assertions, such as an ISO 27001 certificate, a recent SOC 2 Type II report, or the summary of an independent penetration test.

Data handling

Another significant element to assess is the vendor's processes for handling data. This covers both its ongoing preventive controls against data loss and its recovery plan for unexpected incidents. A vendor's recovery plan should spell out how data is backed up (frequency and retention), how it is restored, and the recovery time and recovery point objectives the vendor commits to; ask for evidence that restores are actually tested, not just that backups exist.

How do you assess the financial risk of a supplier?

At the heart of every business agreement is the opportunity for financial gain, which is why it is crucial to assess the financial risk of every supplier your organization partners with. While the process mirrors comprehensive risk management in general, there are specific frameworks and measures for financial risk.

It is important to review your vendor's financial records and analyze its financial stability. Your vendor should be able to produce financial statements and documentation of its financial controls to help demonstrate solvency and maturity; reluctance to share either is itself a signal.

Beyond financial records, use the following financial tools to help assess your vendors.

Current Ratio

The Current Ratio divides a vendor's current assets by its current liabilities, measuring its capacity to pay the obligations that fall due within the next year, including amounts owed to its own suppliers. A ratio above 1.0 means current assets cover those obligations; a ratio persistently below 1.0 suggests the vendor may struggle to pay on time, which is a reliability risk for your supply chain.

Quick Ratio

The Quick Ratio is a stricter liquidity test. It excludes inventory from current assets before dividing by current liabilities, so it counts only cash, marketable securities, and receivables that can be turned into cash quickly. A healthy quick ratio suggests financial solvency and the vendor's ability to pay on time even if sales slow.

Assess Z-Score

The Altman Z-Score is a tool used to estimate a company's likelihood of bankruptcy. Essentially a credit-strength test, it combines five weighted ratios (working capital, retained earnings, earnings before interest and taxes, market value of equity, and sales, each relative to total assets or total liabilities) into a single number, giving a consistent framework for comparing the financial health of any new vendor. A score above 3.0 suggests stability, a score below 1.8 is a red flag, and scores in between fall in a grey zone that warrants closer review. The weights were calibrated on publicly traded manufacturing firms, so treat the score as a screening signal to read alongside the other measures rather than as a verdict on its own.
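The three measures above, computed from a constructed set of figures, as an added worked example that is not part of the original article. It applies Altman's original five-factor formula (1.2A + 1.4B + 3.3C + 0.6D + 1.0E) with his 1.81 / 2.99 cut-offs, which the text rounds to 1.8 and 3.0. The `Financials` field set, the `assess` helper, and the two sample vendors are assumptions made for illustration, not a standard schema or real companies.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Financials:
    """Balance-sheet and income-statement figures for one vendor.

    All amounts must be in the same unit (e.g. thousands of USD).
    This field set is an assumption for the example, not a standard schema.
    """
    current_assets: float
    inventory: float
    current_liabilities: float
    total_assets: float
    total_liabilities: float
    retained_earnings: float
    ebit: float                  # earnings before interest and taxes
    sales: float
    market_value_equity: float   # for a private vendor, substitute book value of equity


def _ratio(numerator: float, denominator: float, name: str) -> float:
    # A zero denominator makes the ratio undefined; refuse rather than return inf
    # and let an infinite "healthy" ratio slip through the screen.
    if denominator == 0:
        raise ValueError(f"{name}: denominator is zero, ratio is undefined")
    return numerator / denominator


def current_ratio(f: Financials) -> float:
    """Current assets / current liabilities: cover for obligations due within a year."""
    return _ratio(f.current_assets, f.current_liabilities, "current ratio")


def quick_ratio(f: Financials) -> float:
    """(Current assets - inventory) / current liabilities: the stricter liquidity test."""
    return _ratio(f.current_assets - f.inventory, f.current_liabilities, "quick ratio")


def altman_z(f: Financials) -> float:
    """Altman's original Z-Score: 1.2A + 1.4B + 3.3C + 0.6D + 1.0E."""
    a = _ratio(f.current_assets - f.current_liabilities, f.total_assets, "A")  # working capital / total assets
    b = _ratio(f.retained_earnings, f.total_assets, "B")                      # retained earnings / total assets
    c = _ratio(f.ebit, f.total_assets, "C")                                   # EBIT / total assets
    d = _ratio(f.market_value_equity, f.total_liabilities, "D")               # equity / total liabilities
    e = _ratio(f.sales, f.total_assets, "E")                                  # sales / total assets
    return 1.2 * a + 1.4 * b + 3.3 * c + 0.6 * d + 1.0 * e


def zone_for(z: float) -> str:
    """Altman's cut-offs: above 2.99 safe, below 1.81 distress, grey in between."""
    if z > 2.99:
        return "safe"
    if z < 1.81:
        return "distress"
    return "grey"


def assess(f: Financials) -> dict:
    """Compute all three measures and list the red flags a reviewer should follow up."""
    cr, qr, z = current_ratio(f), quick_ratio(f), altman_z(f)
    zone = zone_for(z)
    flags = []
    if cr < 1.0:
        flags.append("current ratio below 1.0: current assets do not cover current liabilities")
    if qr < 1.0:
        flags.append("quick ratio below 1.0: liquid assets do not cover current liabilities")
    if zone == "distress":
        flags.append("Z-Score in distress zone: elevated bankruptcy risk")
    elif zone == "grey":
        flags.append("Z-Score in grey zone: request further financial evidence")
    return {"current_ratio": cr, "quick_ratio": qr, "z_score": z, "zone": zone, "red_flags": flags}


# Constructed sample figures (thousands of USD); not real companies.
HEALTHY_VENDOR = Financials(
    current_assets=500, inventory=100, current_liabilities=250, total_assets=1000,
    total_liabilities=400, retained_earnings=300, ebit=150, sales=1200, market_value_equity=900,
)
DISTRESSED_VENDOR = Financials(
    current_assets=200, inventory=120, current_liabilities=300, total_assets=800,
    total_liabilities=700, retained_earnings=-100, ebit=-20, sales=500, market_value_equity=150,
)


if __name__ == "__main__":
    for label, vendor in (("healthy", HEALTHY_VENDOR), ("distressed", DISTRESSED_VENDOR)):
        result = assess(vendor)
        print(f"{label}: current={result['current_ratio']:.2f} quick={result['quick_ratio']:.2f} "
              f"Z={result['z_score']:.2f} ({result['zone']})")
        for flag in result["red_flags"]:
            print("  -", flag)
```

Running the module prints both vendors' ratios and the flags that a reviewer would carry into the action plan; the distressed sample trips all three checks, while the healthy one passes cleanly. The `_ratio` guard matters in practice because a vendor with no reported current liabilities is a data-quality problem to query, not an infinitely liquid one.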

Income Statement

Income statements are useful for assessing a vendor's financial performance over a given period of time. By understanding a vendor's revenue, costs, and profitability, you can determine whether a partnership is likely to benefit your organization or whether the financial risk outweighs the value of joining forces.

What are the elements of a risk assessment?

Risk assessment generally comprises a few common elements: identification, analysis, prioritization, creating an action plan, and monitoring.

Identify risks

Start by running a thorough risk identification session with your team to capture not only the financial risks but any security, privacy, and continuity risks that may arise in a new partnership.

Analyze risks

Examine each potential vendor risk for both the likelihood of an incident and the impact it would have on your organization, along with the factors that could cause it to occur.

Prioritize risks

Consider which risks pose the greatest threat to overall organizational and financial health. 

Make an action plan

Each risk should have an action plan, both as a preventive measure and as a response if an incident occurs. If a vendor risk is identified that is outside your organization's control, work with the vendor to agree on an acceptable action plan and record it in the contract.

Monitor risks

Risk management plans are incomplete without ongoing monitoring, so create a system that will help your organization monitor and review risks identified during the assessment process.

Assessing vendors for partnership is a lengthy process, but by vetting each potential partner with the above rubric, your organization will have a much greater likelihood of success. Be sure to carry out a complete vendor risk assessment, including the financial measures above, before entering into an agreement with a new third-party vendor, and repeat it on a schedule for as long as the relationship lasts.