Framework for assessing IT service providers, technology vendors, and third-party partners. Creates structured risk assessments across financial, operational, compliance, security, and reputational dimensions with regulatory checklists (GDPR, DORA, NIS2, SOX). Use when: (1) Evaluating new vendors or technology providers, (2) Conducting third-party risk assessments for procurement, (3) Performing critical vendor due diligence for regulatory compliance, (4) Creating vendor onboarding documentation, (5) Establishing ongoing vendor monitoring processes, (6) Assessing vendor concentration risk, or (7) Generating executive-level vendor risk reports.
Comprehensive vendor assessment and due diligence framework for IT service providers, technology vendors, and third-party service providers. Creates structured risk assessments, evaluation reports, and ongoing monitoring frameworks across financial, operational, compliance, security, and reputational dimensions.
IMPORTANT: This skill provides general information and frameworks for vendor assessment purposes only. It does NOT constitute legal, financial, or professional advice. Users should:
The frameworks provided are templates only. Actual vendor assessments require expertise in law, finance, cybersecurity, and risk management. Neither the skill creator nor Claude/Anthropic assumes any liability for decisions made based on this skill's output.
Use this skill when you need to:
Phase 1: Initial Screening (Days 1-5)
Phase 2: Detailed Assessment (Days 5-15)
Phase 3: Final Evaluation & Decision (Days 15-20)
Each vendor receives scores (1=Low Risk to 5=Critical Risk) across:
Enhanced Feature: Weighted risk calculations based on service criticality. Critical services (payment processing, customer data systems) receive 2x weight on security and compliance factors.
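As an added example (not code from this skill) of the weighted scoring described above: it assumes the five dimensions named in the overview (financial, operational, compliance, security, reputational), a base weight of 1.0 per dimension with security and compliance doubled for critical services, and constructed rating bands, since the page only defines the scale endpoints.

```python
"""Weighted vendor risk scoring (added example, not the skill's own code).
Assumptions not stated on the page: the five dimensions are those named in the
overview, each dimension's base weight is 1.0, the overall score is the weighted
mean rounded to 2 places, and the rating bands are constructed."""
from dataclasses import dataclass

DIMENSIONS = ("financial", "operational", "compliance", "security", "reputational")
DOUBLE_WEIGHTED = {"security", "compliance"}  # 2x weight for critical services

@dataclass(frozen=True)
class VendorAssessment:
    vendor: str
    critical_service: bool  # e.g. payment processing, customer data systems
    scores: dict            # dimension -> 1 (low risk) .. 5 (critical risk)

def validate_scores(scores: dict) -> None:
    """Reject missing/unknown dimensions and out-of-range scores."""
    if set(scores) != set(DIMENSIONS):
        raise ValueError(f"expected dimensions {DIMENSIONS}, got {sorted(scores)}")
    for dim, score in scores.items():
        if not isinstance(score, int) or not 1 <= score <= 5:
            raise ValueError(f"{dim}: score must be an integer 1..5, got {score!r}")

def dimension_weights(critical_service: bool) -> dict:
    """Base weight 1.0; security and compliance count double for critical services."""
    return {d: 2.0 if critical_service and d in DOUBLE_WEIGHTED else 1.0
            for d in DIMENSIONS}

def weighted_risk_score(a: VendorAssessment) -> float:
    """Weighted mean of the dimension scores, on the same 1..5 scale."""
    validate_scores(a.scores)
    w = dimension_weights(a.critical_service)
    return round(sum(w[d] * a.scores[d] for d in DIMENSIONS) / sum(w.values()), 2)

def risk_rating(score: float) -> str:
    """Constructed bands; the page defines only the endpoints 1=low, 5=critical."""
    if score >= 4.0:
        return "critical"
    return "high" if score >= 3.0 else "medium" if score >= 2.0 else "low"

def blocking_dimensions(a: VendorAssessment) -> list:
    """Dimensions scored 5, surfaced separately so a good weighted mean cannot
    hide a single critical finding (for example a failed security review)."""
    validate_scores(a.scores)
    return sorted(d for d in DIMENSIONS if a.scores[d] == 5)

# Constructed sample: identical raw scores, assessed as critical vs. non-critical.
SAMPLE_SCORES = {"financial": 1, "operational": 2, "compliance": 4,
                 "security": 4, "reputational": 2}
```

With the sample scores, the non-critical assessment lands at 2.6 (medium) while the same scores for a critical service land at 3.0 (high), which is the effect the 2x weighting is meant to have.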
Pre-built assessment templates for:
Enhanced Feature: Regulatory gap analysis that identifies which requirements the vendor currently fails to meet and severity classification (blocker, major concern, minor gap, acceptable with mitigation).
Comprehensive documentation requirements organized by assessment phase:
Structured interview guides for:
Enhanced Feature: Red flag detection prompts - specific questions designed to uncover hidden risks (e.g., "Describe your three most recent security incidents and response," "What percentage of revenue comes from your top 3 clients?")
Post-onboarding continuous oversight:
Enhanced Feature: Early warning indicators (EWIs) that trigger immediate re-assessment - bankruptcy filings, mass layoffs, major customer losses, data breaches, audit failures, regulatory fines.
Comprehensive assessment report including:
Side-by-side evaluation of multiple vendors:
Structured requirements list:
Enhanced Feature: Risk-based onboarding paths - higher risk vendors face stricter requirements (more frequent reviews, additional certifications, enhanced SLAs, stronger termination rights).
Proportional Assessment: Scale diligence depth to service criticality and risk exposure
Document Everything: Maintain audit trail of assessment decisions, risk acceptances, and mitigation measures
Involve Stakeholders: Include Legal, IT/Security, Procurement, Business Units, and Compliance in assessment process
Challenge Vendor Claims: Verify certifications independently, request evidence, conduct site visits for critical vendors
Plan for Exit: Always assess vendor replaceability, data portability, and transition complexity before signing
Continuous Monitoring: Due diligence is not one-time - reassess regularly and after triggering events
Concentration Risk Management: Track total vendor exposure across the organization to identify dangerous concentration
Enhanced Feature: Third-party validation recommendations - when to engage external auditors, security firms, or legal counsel for independent verification (critical vendors, regulated services, high-value contracts).
Common approaches to address identified gaps:
This skill does NOT:
Users must:
While this skill references common regulations (GDPR, DORA, NIS2, etc.), users must:
Last Updated Framework Version: January 2025 (Regulatory references may become outdated)
FINAL REMINDER: This is an educational framework and starting point only. Professional due diligence requires expertise in law, finance, cybersecurity, and risk management. Always engage qualified professionals for critical vendor assessments and do not rely solely on this skill for decision-making.