Risk Management · 2026-03-25 · 9 min read

Third-Party Risk: How to Build a Vendor Assessment That Actually Works

The Problem with Traditional Vendor Assessments

Most organizations send the same 200-question security questionnaire to every vendor, regardless of risk level. This creates three problems:

  1. Assessment fatigue - Vendors hate filling them out, so they rush through or copy-paste from previous responses
  2. No prioritization - A cloud-hosted CRM with access to customer data gets the same assessment as a catering vendor
  3. Point-in-time only - A questionnaire captures a snapshot, not an ongoing risk picture

A Better Approach: Tiered Vendor Risk Management

Step 1: Vendor Tiering

Classify every vendor into one of three tiers based on two factors: data access and business criticality.

Tier 1 (Critical) - Vendors with access to sensitive data or critical systems. Examples: cloud providers, HR systems, payment processors. Full assessment required.

Tier 2 (Important) - Vendors with limited data access or moderate business impact. Examples: marketing platforms, project management tools. Abbreviated assessment.

Tier 3 (Low Risk) - Vendors with no data access and low business impact. Examples: office supplies, facilities. Self-attestation only.

Step 2: Right-Size the Assessment

For Tier 1, use a detailed questionnaire covering access controls, encryption, incident response, compliance certifications, and business continuity. Request evidence - SOC 2 reports, penetration test summaries, insurance certificates.

For Tier 2, use an abbreviated questionnaire (30–50 questions) focused on data handling, access management, and incident notification.

For Tier 3, use a simple self-attestation form confirming basic security practices.

Step 3: Continuous Monitoring

Annual reassessment isn't enough for Tier 1 vendors. Implement:

  • Automated security ratings - Tools like SecurityScorecard or BitSight provide continuous external monitoring
  • Incident notification clauses - Contractual requirement to notify you within 24–48 hours of a security incident
  • Periodic check-ins - Quarterly reviews with your most critical vendors

Making It Scale

The key to scalable third-party risk management (TPRM) is automation and consistency. Use a centralized platform to track vendor tiers, assessment status, and risk scores. Automate reminders for reassessment deadlines. Create templates that your team can deploy without reinventing the wheel for each vendor.