How do I risk profile a vendor?

Classify your vendor's risk using the Vendor Register

Knowing which third party vendors are critical to your software business is essential to preparing for potential disruptions and determining the level of oversight necessary. However, many companies lack consistency in how they profile, tier and categorise their vendors.

Risk profiling, sometimes referred to as risk classification, is calculated based on a vendor’s services to your company. Certain vendors pose a greater risk. For example, your data centre provider will have a higher profiled risk than the design app your UX team use, since it holds more sensitive data and is critical to your day to day operations.

Once you have profiled a vendor and classified the risk they pose, you can determine the level of scrutiny applied. For low risk vendors, a periodic self-assessment may be sufficient, but for high risk vendors you may wish to continuously monitor their compliance posture.

A vendor’s risk profile is initially determined as part of the procurement process. They should be reassessed on a regular basis to ensure the vendor remains in the correct tier.

Calculating a vendor’s risk profile

Key areas you can use to determine the risk profile include:

Services provided
Types and volume of data handled
Location (geopolitical factors)
Industry (compliance factors)

Vendor Profiling Questionnaire

To help build the vendor profile, try answering the following questions:

What service(s) does the vendor provide?
How essential are these services to your company’s operations?
Is this service likely to be used for a short or longer term?
Is this the only vendor that provides this service?
Does the vendor have access to sensitive or confidential data?
What volume of data will the vendor have access to?
What would the impact be if the vendor had a data breach?
Does the vendor require access to your network or any of your internal systems?

Many companies use a vendor assessment/questionnaire to help determine the criticality of service being provided. A vendor profiling questionnaire can be sent straight from Adoptech, making it quick and easy for both parties. Chat with a member of our team for assistance by clicking on the Intercom icon in the bottom right.

Risk Classifications

Your company should agree how to classify vendors and apply that consistently. Within Adoptech there are 5 risk tiers are available:

Under this approach, each vendor is assigned to a tier indicating their criticality to the business. The scale goes from 1 (lowest risk) to 5 (highest risk).

This table is provided as an example. We suggest you define your own categories and provide specific examples that will help your team to consistently classify vendors. A template is available to help you with this, please chat with a member of our team by clicking on the Intercom icon in the bottom right.

Risk	Criticality	Risk Factors
5	Critical	The service is a critical component of our service The vendor has access to and is processing sensitive information The vendor service cannot be replaced quickly or without significant disruption
4	High	The service is an important component of our service The vendor has access to confidential information The vendor service could not be replaced quickly
3	Medium	The vendor supplies components of our service The vendor has limited access to sensitive data The vendor service could be replaced within a reasonably short period of time
2	Low	The service is not a component of and does not impact our own software service The vendor has access to no confidential information The vendor service could be replaced quickly and easily with another vendor service
1	Very Low	The service is not a component of and does not impact our own software service The vendor has access to no confidential information The vendor service could be replaced quickly and easily with another vendor service