Assess IT vendors and third-party partners with multi-factor risk scoring and regulatory compliance checklists. Use when evaluating technology vendors.
Production-ready framework for assessing IT service providers, technology vendors, and third-party partners. Provides a Three-Phase Assessment (Initial Screening, Detailed Assessment, Final Evaluation), Multi-Factor Risk Scoring across 6 dimensions with critical-service weighting, regulatory compliance checklists for 8 frameworks, vendor comparison matrices, and ongoing monitoring with Early Warning Indicators. Designed for procurement teams, legal counsel, IT security, and compliance officers evaluating technology vendors.
### scripts/vendor_risk_scorer.py

Scores a vendor across 6 risk dimensions based on questionnaire responses. Calculates a weighted composite score with a 2x multiplier for critical services. Generates a risk heat map and an overall recommendation.
```bash
# Score a vendor from questionnaire responses
python scripts/vendor_risk_scorer.py vendor_responses.json

# JSON output for dashboards
python scripts/vendor_risk_scorer.py vendor_responses.json --json

# Flag as critical service (2x weight on security + compliance)
python scripts/vendor_risk_scorer.py vendor_responses.json --critical
```
### scripts/vendor_comparison.py

Takes multiple vendor risk assessment JSONs and generates a side-by-side comparison matrix. Ranks vendors by composite score and recommends a preferred vendor with rationale.
```bash
# Compare two vendors
python scripts/vendor_comparison.py vendor_a.json vendor_b.json

# Compare multiple vendors with JSON output
python scripts/vendor_comparison.py vendor_a.json vendor_b.json vendor_c.json --json

# Compare with critical service weighting
python scripts/vendor_comparison.py vendor_a.json vendor_b.json --critical
```
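The following is an added worked example, not the skill's own `vendor_risk_scorer.py` or `vendor_comparison.py`. It shows the logic the two scripts above describe: six dimensions on the 5-level scale, a weighted composite with the 2x critical-service multiplier on security and compliance, a heat map, a recommendation, and a ranked comparison that names a preferred vendor with rationale. Only security and compliance are named on this page; the other four dimension names, the equal default weights, the heat-map banding and the recommendation thresholds are assumptions, and both vendors' questionnaire scores are constructed.

```python
"""Added worked example (not the skill's own script): weighted composite scoring,
heat map, recommendation, and side-by-side comparison for vendor risk assessments."""
import json
from typing import Dict, List

# The page names only "security" and "compliance"; the other four names are assumed.
DIMENSIONS = ("security", "compliance", "financial", "operational", "privacy", "continuity")
# The page states that critical services apply a 2x multiplier to these two.
CRITICAL_BOOSTED = frozenset({"security", "compliance"})


def dimension_weights(critical: bool) -> Dict[str, float]:
    """Equal weights by default (assumption); 2x on security and compliance when critical."""
    return {d: 2.0 if (critical and d in CRITICAL_BOOSTED) else 1.0 for d in DIMENSIONS}


def validate_scores(scores: Dict[str, int]) -> None:
    """Reject incomplete questionnaires or scores outside the 5-level scale."""
    missing = set(DIMENSIONS) - set(scores)
    if missing:
        raise ValueError(f"missing dimensions: {sorted(missing)}")
    for dim in DIMENSIONS:
        value = scores[dim]
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{dim}: score must be an integer 1 (low risk) to 5 (high risk)")


def composite_score(scores: Dict[str, int], critical: bool = False) -> float:
    """Weighted mean on the 1-5 scale, so 1.0 is best and 5.0 is worst."""
    validate_scores(scores)
    weights = dimension_weights(critical)
    weighted = sum(weights[d] * scores[d] for d in DIMENSIONS)
    return round(weighted / sum(weights.values()), 2)


def heat_level(score: int) -> str:
    """Assumed banding: 1-2 LOW, 3 MEDIUM, 4-5 HIGH."""
    return "LOW" if score <= 2 else "MEDIUM" if score == 3 else "HIGH"


def heat_map(scores: Dict[str, int]) -> Dict[str, str]:
    return {d: heat_level(scores[d]) for d in DIMENSIONS}


def recommendation(composite: float, scores: Dict[str, int]) -> str:
    """Assumed thresholds. A single HIGH dimension asks for a remediation plan
    rather than outright rejection, in line with the anti-pattern table."""
    if composite >= 3.5:
        return "REJECT"
    if max(scores[d] for d in DIMENSIONS) >= 4:
        return "APPROVE WITH REMEDIATION PLAN"
    if composite < 2.0:
        return "APPROVE"
    return "APPROVE WITH CONDITIONS"


def assess(name: str, scores: Dict[str, int], critical: bool = False) -> dict:
    """One vendor's assessment record, JSON-serialisable for dashboards."""
    comp = composite_score(scores, critical)
    return {
        "vendor": name,
        "critical_service": critical,
        "composite": comp,
        "heat_map": heat_map(scores),
        "recommendation": recommendation(comp, scores),
    }


def compare(assessments: List[dict]) -> dict:
    """Rank by composite (lowest risk first) and name a preferred vendor with rationale."""
    ranked = sorted(assessments, key=lambda a: (a["composite"], a["vendor"]))
    best = ranked[0]
    tie = len(ranked) > 1 and ranked[1]["composite"] == best["composite"]
    high_dims = [d for d, level in best["heat_map"].items() if level == "HIGH"]
    rationale = f"{best['vendor']} has the lowest composite ({best['composite']})"
    if high_dims:
        rationale += f" but is HIGH on {', '.join(high_dims)}; require a remediation plan"
    if tie:
        rationale += "; tied with the next vendor, request more granular data before deciding"
    return {
        "ranking": [(a["vendor"], a["composite"], a["recommendation"]) for a in ranked],
        "preferred": best["vendor"],
        "tie": tie,
        "rationale": rationale,
    }


# Constructed sample questionnaire scores (not real vendors).
VENDOR_A = {"security": 2, "compliance": 2, "financial": 3, "operational": 2, "privacy": 2, "continuity": 3}
VENDOR_B = {"security": 4, "compliance": 3, "financial": 1, "operational": 1, "privacy": 2, "continuity": 2}

if __name__ == "__main__":
    for critical in (False, True):
        result = compare([assess("Vendor A", VENDOR_A, critical), assess("Vendor B", VENDOR_B, critical)])
        print(json.dumps({"critical": critical, **result}, indent=2))
```

Run it directly to print the non-critical and critical comparisons as JSON. With the constructed data, Vendor B (weak on security, strong elsewhere) ranks first without the multiplier and second with it, which is exactly the situation the troubleshooting table addresses with `--critical`: the composite alone hides a known security concern until the critical-service weighting is applied.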
| Reference | Purpose |
|---|---|
| references/risk_assessment_framework.md | 6-dimension scoring system, weighting methodology, composite score interpretation |
| references/regulatory_checklists.md | Pre-built compliance checklists for GDPR, DORA, NIS2, SOX, PCI DSS, ISO 27001/SOC 2, HIPAA, FedRAMP |
| references/monitoring_framework.md | Quarterly reviews, Early Warning Indicators, KPI metrics, risk mitigation strategies, onboarding checklists |
### Phase 1: Initial Screening (Days 1-5)

- Use `vendor_risk_scorer.py` with preliminary data for initial risk classification
- See `regulatory_checklists.md`

### Phase 2: Detailed Assessment (Days 5-15)

- Use `vendor_risk_scorer.py` with complete questionnaire responses

### Phase 3: Final Evaluation (Days 15-20)

- Use `vendor_comparison.py` if evaluating multiple vendors
- See `risk_assessment_framework.md`
- See `monitoring_framework.md`
- Use `vendor_comparison.py` on finalist assessments
- Hand off to the `tech-contract-negotiation` skill
- See `monitoring_framework.md`
- See `monitoring_framework.md`; escalate per defined paths

| Problem | Cause | Solution |
|---|---|---|
| All dimensions score 1 (Low Risk) | Vendor self-reported optimistically on questionnaire | Cross-reference with SOC 2 reports, pen test results, and financial filings; adjust scores based on evidence |
| Composite score doesn't reflect known security issues | Security dimension not weighted for critical service | Re-run with --critical flag to apply 2x multiplier on security and compliance dimensions |
| Comparison matrix shows all vendors tied | Scoring inputs are too similar or too coarse | Request more granular data; use the 5-level scoring criteria from the risk framework to differentiate |
| Regulatory checklist seems incomplete for your industry | Only 8 frameworks are pre-built | Customize checklists by adding industry-specific requirements as additional items |
| Vendor refuses to complete questionnaire | Vendor sees assessment as overly burdensome | Share only the dimensions relevant to their service scope; offer to accept SOC 2/ISO 27001 reports as partial substitutes |
| Risk score changed dramatically between quarters | Major event occurred (breach, M&A, leadership change) | This is expected behavior; document the trigger event and follow the event-triggered review process |
This skill covers:

This skill does NOT cover:

- Deferred to the `finance/financial-analyst` skill
- Deferred to the `legal/tech-contract-negotiation` skill

| Anti-Pattern | Why It Fails | Better Approach |
|---|---|---|
| Relying solely on vendor self-assessment questionnaires | Vendors underreport risks; no independent verification | Cross-reference questionnaire responses with SOC 2/ISO 27001 reports, pen test results, and public records |
| Applying the same weight to all dimensions regardless of service type | A payroll vendor and a marketing tool have different risk profiles | Use --critical flag for critical services; adjust dimension weights based on service classification |
| Completing due diligence once and never revisiting | Vendor risk changes over time due to M&A, breaches, market shifts | Implement quarterly monitoring with annual re-assessment per the monitoring framework |
| Rejecting vendors for a single high-risk dimension without considering mitigations | Eliminates potentially strong vendors with addressable gaps | Use the gap analysis severity classification; require remediation plans for major concerns before final decision |
| Skipping the comparison matrix for sole-source procurements | Misses opportunity to benchmark the vendor against market standards | Run comparison against industry benchmarks or previous vendor assessments to establish a risk baseline |
### scripts/vendor_risk_scorer.py

Score a vendor across 6 risk dimensions and generate an overall recommendation.