Vendor Risk Assessment: What is it and how do you conduct one?


Choosing the right vendor to work with is an important part of any IT project.

A good partnership can add significant value; a poor one can expose a business to risk, reputational damage, and significant financial cost. What is a vendor risk assessment, why is it important, and how do organisations go about making one? Let’s find out.

What is a Vendor Risk Assessment?

A vendor risk assessment, sometimes called a third-party risk assessment, is the process used by an organisation to identify, evaluate, prioritise, and mitigate the risks that may be encountered when partnering with an external supplier, vendor, or other type of business partner. Whilst the assessment process is often used prior to engaging with a vendor, it should also be carried out at other critical times during the relationship, to ensure that the original conclusions are still valid and that service levels and other commitments are being met.

Why is a Vendor Risk Assessment Necessary?

At first glance it may seem odd to assume that working with a vendor or business partner might introduce risk to a project or business, especially when the whole idea of engaging with such a partner is to add value in some way. Risks can come in many guises, however, especially at a time when there are many geo-political, environmental, cyber, and financial issues which could affect the relationship directly or indirectly. Whilst no engagement will be risk free, knowing where the issues might lie, and how they can be handled and mitigated, is critical both for successful projects and for longer-term business continuity.

What are the Different Types of Vendor Risk?

There are many different types of risk; here are just a few of the major ones:

Financial risk: What are the chances of the partner getting into financial problems during the lifetime of the engagement?

Strategic risk: Does the company compete with the business in any way? Will they have access to intellectual property, ideas, or critical data?

Compliance risk: Is the partner fully compliant with relevant laws and regulations?

Geographic risk: Is there a risk from operating in areas prone to natural disasters or political instability?

Technical risk: How suitable are the technologies, data management processes, and infrastructure?

Resource risk: Are there sufficient resources, of the right type and in the right location, to meet the needs of the partnership? Think about people, money, and time!

Cyber security risk: What cyber risks are being exposed by sharing data or systems access with the vendor?

Subsequent risk: Does the vendor use third parties that could introduce risks affecting the company?

Replacement risk: How easy would it be to replace the vendor in the case of a major problem or issue?

Reputational risk: How will working with the partner affect a company’s reputation, both internally and externally?

Not all risks will apply to every engagement, so it is important to establish which risks are most likely to occur, or would have the greatest impact.

The steps of a Vendor Risk Assessment

There are many frameworks and pro forma templates available for running vendor risk assessments, and indeed consulting companies who can help run them. The assessment process is likely to contain some of these common steps:

  1. Identify the internal and external stakeholders – Which areas of the business will be engaging with the vendor?
  2. Establish what types of third-party risk might exist in the specific engagement – Use the list above as a starter-for-ten!
  3. From the above, establish a “high-medium-low” vendor risk matrix, evaluating the likelihood of each risk occurring and the impact on the business if it does.
  4. Identify the specific risk scenarios which have either a medium/high impact or a medium/high likelihood of occurring.
  5. Engage with the stakeholders associated with these higher-risk areas to refine the estimate of the risk posed, and identify ways to mitigate or handle that risk.
  6. Review all risks where there is no, or only limited, mitigation.
  7. Identify metrics and review processes that will help identify when the theoretical risks are becoming actual.
  8. Consider working with the vendor to identify ways of mitigating the risk, or engaging with an additional partner who can help mitigate and address the identified risks.
  9. Review the outcome of multiple vendor assessments to establish the best partner to work with.
  10. Engage with your new partner, monitor the progress, and review the risks!
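As an added illustration, not part of the original article, the following Python sketch models the high-medium-low matrix from step 3 and the filtering and ranking in steps 4, 6 and 9. The vendor names, ratings and mitigation flags are constructed sample data, and the 3x3 score bands (high at 6 or above, medium at 3 to 5) are an assumption, since the article does not prescribe a scoring scale.

```python
# Added example, not from the article: a qualitative likelihood x impact
# matrix following steps 3, 4, 6 and 9 above. All vendor data is constructed.
from dataclasses import dataclass
LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Risk:
    category: str     # one of the risk types listed in the article
    likelihood: str   # "low" / "medium" / "high"
    impact: str       # "low" / "medium" / "high"
    mitigated: bool   # False when mitigation is absent or limited (step 6)

    def score(self) -> int:
        """Step 3: likelihood x impact on a 3x3 matrix, giving 1..9."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def rating(self) -> str:
        """Collapse the matrix into the article's high/medium/low bands (assumed)."""
        return "high" if (s := self.score()) >= 6 else "medium" if s >= 3 else "low"

def needs_attention(risks):
    """Step 4: scenarios rated medium or high."""
    return [r for r in risks if r.rating() != "low"]

def unmitigated(risks):
    """Step 6: higher-rated risks with no or limited mitigation."""
    return [r for r in needs_attention(risks) if not r.mitigated]

def rank_vendors(assessments):
    """Step 9: rank by residual exposure (unmitigated score sum), then total."""
    def key(item):
        name, risks = item
        residual = sum(r.score() for r in unmitigated(risks))
        return (residual, sum(r.score() for r in risks), name)
    return [name for name, _ in sorted(assessments.items(), key=key)]

# Constructed sample assessments for two hypothetical vendors.
ASSESSMENTS = {
    "Vendor A": [
        Risk("cyber security", "high", "high", mitigated=False),
        Risk("financial", "low", "medium", mitigated=True),
        Risk("geographic", "low", "low", mitigated=False),
    ],
    "Vendor B": [
        Risk("cyber security", "medium", "high", mitigated=True),
        Risk("replacement", "medium", "medium", mitigated=False),
        Risk("subsequent", "low", "high", mitigated=True),
    ],
}
```

Vendor A scores worse overall and has an unmitigated high-rated cyber risk, so it ranks behind Vendor B despite having fewer medium/high scenarios in total.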

There will always be risks in any partnership; no venture is risk free! By thinking about risks in advance, and how they can be addressed or mitigated, you stand the best chance of a successful project.

How can SCT help?

SCT provides customers with first-class maintenance support across a vast array of IT infrastructure and data centre equipment. We specialise in the provision of high-quality IT spares, logistics and comprehensive complementary services designed to help boost your company’s efficiency and profitability, and enable you to excel. Our breadth of resources, services, and global reach means we can partner with you to reduce and mitigate many of the risks identified by your customers during such an assessment.

To find out more about how we work and what we can offer, please get in touch.
