Vendor risk assessment

Assess and track risks associated with your AI vendors.

Overview

Vendor risk assessment looks at the risks that come from relying on third-party providers for AI capabilities. When you use external AI services, models or platforms, you inherit risks from those relationships, and they're different from the risks of systems you build and control yourself.

Third-party AI creates dependencies that can affect your compliance, security and operations. A vendor security breach could expose your data. A vendor going out of business could disrupt your services. Changes to a vendor's model could alter your system's behavior in unexpected ways. You need to understand and manage these risks.

Why assess vendor risks?

Vendor risk assessment helps you:

  • Maintain compliance: Under regulations like the EU AI Act, you remain responsible for AI systems even when using third-party components
  • Protect sensitive data: Knowing what data flows to vendors helps you make better decisions about data sharing
  • Plan for continuity: Spotting critical vendor dependencies helps you prepare contingency plans
  • Prioritize oversight: Risk scores help you focus review efforts on the vendors that matter most

Vendor risk scores are calculated based on the scorecard fields on each vendor record. Update these fields regularly to maintain accurate risk profiles.

Scorecard dimensions

[Figure: vendor scorecard advanced section showing dropdown fields for data sensitivity, business criticality, past issues and regulatory exposure]
The vendor scorecard captures risk factors to calculate an overall risk score.

VerifyWise assesses vendor risk across four dimensions:

Data sensitivity

The sensitivity level of data shared with or processed by the vendor.

Business criticality

How critical the vendor is to your core business operations.

Past issues

Historical incidents or problems with this vendor relationship.

Regulatory exposure

Which regulations apply to this vendor relationship.

Assessing data sensitivity

Higher data sensitivity increases vendor risk. Classify the most sensitive data shared with the vendor:

  1. None: No sensitive data (lowest risk)
  2. Internal only: Internal business data
  3. Personally identifiable information (PII): Names, emails, identifiers and other personal data
  4. Financial data: Financial records, transactions or payment information
  5. Health data (e.g. HIPAA): Health and medical information subject to privacy regulation
  6. Model weights or AI assets: Proprietary model parameters or training data (highest risk)

Best practice
Minimize data shared with vendors when possible. Consider data anonymization or synthetic data for development and testing environments.

Assessing business criticality

Evaluate how dependent your operations are on this vendor:

  • Low (vendor supports non-core functions): Non-essential services; alternatives are readily available
  • Medium (affects operations but is replaceable): Important but not critical; disruption would be manageable
  • High (critical to core services or products): Disruption would significantly impact business

Consider these factors when assessing criticality:

  • Number of projects depending on this vendor
  • Availability of alternative vendors
  • Time required to switch providers
  • Revenue impact if vendor services are unavailable

Recording past issues

Document any historical incidents with the vendor to inform future risk decisions:

  • None: No known issues (best)
  • Minor incident (e.g. small delay, minor bug): Small issues that were resolved satisfactorily
  • Major incident (e.g. data breach, legal issue): Significant incidents affecting operations or compliance

Important
A history of major incidents significantly increases vendor risk. Consider whether the vendor has addressed root causes before continuing the relationship.

Tracking regulatory exposure

Identify which regulations apply to your relationship with this vendor:

  • GDPR: European data protection requirements
  • HIPAA: US healthcare data requirements
  • SOC 2: Security and availability controls
  • ISO 27001: Information security management
  • EU AI Act: European AI regulation
  • CCPA: California consumer privacy

More regulatory exposure means higher risk and more oversight. Make sure vendors can demonstrate compliance with all applicable regulations.

Understanding risk scores

VerifyWise calculates an overall risk score from the scorecard inputs. Higher scores mean greater risk. Things that push the score up include:

  • Higher data sensitivity levels
  • High business criticality
  • History of past issues
  • Multiple regulatory exposures

Acting on risk scores

Use risk scores to guide vendor oversight intensity:

  • Low scores: Annual reviews; standard monitoring
  • Medium scores: Semi-annual reviews; enhanced monitoring
  • High scores: Quarterly reviews; active oversight and mitigation planning
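The two sections above describe how the four scorecard dimensions raise the score and how the score sets the review cadence. The following added example (not VerifyWise's own code, and the 35/25/25/15 weighting, the tier thresholds and the sample vendors are assumptions made here) scores a set of vendor records on the page's ordinal levels, rejects an unfilled scorecard field instead of silently treating it as low risk, and produces a review queue ordered by risk with each vendor's next review date.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Ordinal levels, lowest to highest risk, as listed in the scorecard sections of this guide.
DATA_SENSITIVITY = ["none", "internal", "pii", "financial", "health", "model_weights"]
BUSINESS_CRITICALITY = ["low", "medium", "high"]
PAST_ISSUES = ["none", "minor", "major"]
REGULATIONS = {"GDPR", "HIPAA", "SOC 2", "ISO 27001", "EU AI Act", "CCPA"}
CADENCE_DAYS = {"low": 365, "medium": 182, "high": 91}  # annual / semi-annual / quarterly

@dataclass(frozen=True)
class VendorScorecard:
    name: str
    data_sensitivity: str
    business_criticality: str
    past_issues: str
    regulations: frozenset

def _level(scale: list, value: str, field: str) -> int:
    """Ordinal position of a dropdown value; an unset or unknown value is an error, not 'low risk'."""
    if value not in scale:
        raise ValueError(f"{field} is unset or unknown: {value!r}")
    return scale.index(value)

def risk_score(card: VendorScorecard) -> int:
    """Assumed 35/25/25/15 weighting (not VerifyWise's formula); each dimension adds its fraction of its maximum, 0..100."""
    if not card.regulations <= REGULATIONS:
        raise ValueError(f"unknown regulations: {sorted(card.regulations - REGULATIONS)}")
    s = _level(DATA_SENSITIVITY, card.data_sensitivity, "data_sensitivity")             # 0..5
    c = _level(BUSINESS_CRITICALITY, card.business_criticality, "business_criticality")  # 0..2
    p = _level(PAST_ISSUES, card.past_issues, "past_issues")                             # 0..2
    r = len(card.regulations)                                                             # 0..6
    # Scaled by 30 (lcm of 5, 2, 6) so 35*s/5 + 25*c/2 + 25*p/2 + 15*r/6 stays exact integer math.
    return (210 * s + 375 * c + 375 * p + 75 * r) // 30

def risk_tier(score: int) -> str:
    """Bucket a score into the low / medium / high oversight tiers (assumed thresholds)."""
    return "low" if score < 34 else "medium" if score < 67 else "high"

def review_plan(cards, today: str) -> list:
    """(name, score, tier, next_review) per vendor, riskiest first, using the tier's review cadence."""
    start = date.fromisoformat(today)
    scored = [(c.name, risk_score(c), risk_tier(risk_score(c))) for c in cards]
    return sorted([(n, s, t, start + timedelta(days=CADENCE_DAYS[t])) for n, s, t in scored],
                  key=lambda row: row[1], reverse=True)
# Constructed sample scorecards; the vendor names and values are illustrative only.
SAMPLE_VENDORS = [
    VendorScorecard("llm-api-co", "health", "high", "major", frozenset({"HIPAA", "SOC 2", "GDPR"})),
    VendorScorecard("log-analytics", "internal", "medium", "none", frozenset({"SOC 2"})),
    VendorScorecard("support-bot", "pii", "high", "minor", frozenset({"GDPR", "CCPA"})),
]
```

Calling `review_plan(SAMPLE_VENDORS, "2024-01-01")` puts the health-data vendor with a major incident at the top as high risk with a quarterly review, and the internal-data vendor with no issues at the bottom with an annual review.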

Risk review workflow

Use the vendor review workflow to track risk assessments:

  1. Assign a reviewer to conduct the assessment
  2. Update review status to "In review"
  3. Complete the scorecard fields based on current information
  4. Document findings in the review result
  5. Set status to "Reviewed" or "Requires follow-up"

Best practice
Schedule vendor risk reviews based on risk score. High-risk vendors should be reviewed more frequently than low-risk vendors.