What is a vendor risk assessment template?

A vendor risk assessment template is a standardised questionnaire and scoring framework used to evaluate a vendor's risk posture across multiple domains — cybersecurity, financial health, operational resilience, regulatory compliance, and ESG — and produce a composite risk score and tier classification.

How do you score a vendor risk assessment?

Score vendor risk assessments by assigning weighted scores to questionnaire responses (0–3 per question), applying domain weights based on vendor type (cybersecurity weighted higher for technology vendors), combining with external data scores (D&B, BitSight), and calculating a composite score. Scores above a defined threshold trigger enhanced review or risk treatment planning.

What is a vendor risk register?

A vendor risk register is a structured document or database record that captures identified risks for each vendor — the risk description, domain, inherent risk level, mitigating controls, residual risk level, risk owner, treatment decision, and review date. It is the primary evidence document for your TPRM programme.

How often should vendor risk assessments be updated?

Tier 1 (critical) vendors: annual formal reassessment plus continuous monitoring. Tier 2: annual reassessment. Tier 3: every 2–3 years. Triggered reassessment for any vendor following: a significant security incident, ownership or leadership change, material expansion of data access, or a regulatory enforcement action.

Vendor Risk Assessment Template: Free Framework & Scoring Guide 2026

☰ Contents

5-Domain Assessment Framework
Scoring Methodology
Sample Questionnaire Items by Domain
Vendor Risk Register Structure
Risk Threshold Definitions

5-Domain Vendor Risk Assessment Framework

A rigorous vendor risk assessment evaluates five distinct risk domains. Domain weights should be adjusted based on vendor type — technology vendors receive higher cybersecurity weighting; manufacturing suppliers receive higher operational resilience weighting.

No response provided; explicitly non-compliant

Domain	Default Weight	Increase Weight For	Key Questions
Cybersecurity & Data Privacy	30%	Technology, SaaS, data-access vendors	SOC 2 status, security questionnaire score, cyber risk rating, DPA execution

Composite Score Calculation

Composite Risk Score = Σ (Domain Score × Domain Weight). Domain Score = Average of all question scores within the domain × 33.3 (to produce a 0–100 scale). Combine the questionnaire composite score with external data scores (D&B, BitSight) using a 70/30 split: 70% questionnaire responses, 30% external data.

💡 Automation Note

Manual risk scoring from questionnaire responses takes 2–4 hours per vendor. Automated VRM platforms score questionnaire responses in real time as vendors complete the portal — reducing analyst review time to 20–30 minutes for standard assessments.

Sample Questionnaire Items by Domain

Cybersecurity Domain — Sample Questions

› Does your organisation have a current SOC 2 Type II report? (If yes, provide report)
› What is your organisation's vulnerability management cycle — time from vulnerability identification to patching for critical CVEs?
› Do all employees with access to customer data complete annual security awareness training?
› Does your organisation use multi-factor authentication for all remote access?
› What is your incident response notification commitment in the event of a breach affecting our data?

Financial Domain — Sample Questions

› What percentage of your annual revenue comes from your single largest customer?
› Has your organisation filed for bankruptcy or restructuring in the past 5 years?
› Does your organisation carry cyber liability insurance? What is the coverage limit?
› Do you have a documented business continuity plan that has been tested in the past 12 months?

Compliance Domain — Sample Questions

› Has your organisation been subject to any regulatory enforcement action in the past 5 years?
› Does your organisation have a documented anti-bribery and FCPA compliance programme?
› Does your organisation operate under any export control licences (EAR/ITAR)?
› Who is your organisation's designated privacy officer and what is their reporting line?

🚀 Free Executive Demo

Automate Risk Assessments with Procurement VMS

Join US procurement leaders who replaced manual processes with intelligent automation. Live in 4–8 weeks.

Request Your Executive Demo → Calculate Your ROI

🔒 SOC 2 Type II ⚡ Live in 4–8 Weeks 🇺🇸 US-Based Support

Vendor Risk Register Structure

Do not approve; escalate to executive team; consider relationship termination

Field	Description	Example
Vendor Name	Legal entity name	Acme Cloud Services, Inc.

Related Resources

→ Vendor Risk Management Complete Guide → 50-Point Due Diligence Checklist → Vendor Compliance Management → Vendor Scorecard Template → Vendor Onboarding Guide