afrexai-vendor-risk
v1.0.0从安全、财务、合规、运营及数据处理等维度评估供应商并打分,实现风险分级与整改计划管理。
Sourced from ClawHub,
Authored by 1kalin
Installation
Vendor Risk Assessment
Score and manage third-party vendor risk across security, financial stability, compliance, operational dependency, and data handling. Built for procurement teams, CISOs, and operations leaders managing 10+ vendors.
Usage
Run this assessment for each critical vendor. Aggregate scores into a portfolio risk view.
Assessment Framework
1. Vendor Risk Scorecard (5 Domains, 0-100 each)
Security Posture (0-100) - SOC 2 Type II current? (+20) - Penetration test within 12 months? (+15) - Incident response plan documented? (+15) - Data encryption at rest and transit? (+15) - MFA enforced for all access? (+10) - Security questionnaire completed? (+10) - Subprocessor list disclosed? (+15)
Financial Stability (0-100) - Revenue trend (growing +25, flat +10, declining 0) - Funding runway >18 months? (+20) - Customer concentration <20%? (+15) - Public financials or audited statements? (+15) - No material litigation? (+15) - Credit rating acceptable? (+10)
Compliance & Regulatory (0-100) - Industry certifications current? (+20) - GDPR/CCPA compliant? (+20) - Data processing agreement signed? (+15) - Regulatory audit history clean? (+15) - Right to audit clause? (+15) - Data residency requirements met? (+15)
Operational Dependency (0-100) - SLA with financial penalties? (+20) - Uptime >99.9% trailing 12 months? (+20) - Disaster recovery tested annually? (+15) - Single point of failure for your business? (-20) - Migration plan documented? (+15) - API/export capability? (+15) - Vendor lock-in risk assessment? (+15)
Data Handling (0-100) - Data classification documented? (+20) - Retention/deletion policies clear? (+20) - Breach notification <72 hours? (+20) - Data portability guaranteed? (+15) - AI/ML training on your data? (opt-out available +15, no opt-out -10) - Access logging and audit trail? (+10)
2. Risk Tier Classification
| Aggregate Score | Tier | Review Cadence | Action |
|---|---|---|---|
| 400-500 | Low Risk | Annual | Standard monitoring |
| 300-399 | Moderate | Semi-annual | Remediation plan required |
| 200-299 | High Risk | Quarterly | Executive escalation, alternatives identified |
| 0-199 | Critical | Monthly | Exit plan required within 90 days |
3. Portfolio Risk View
Total vendors: ___
Critical tier: ___ (target: 0)
High risk: ___ (target: <10%)
Moderate: ___ (target: <30%)
Low risk: ___ (target: >60%)
Top 3 concentration risks:
1. [Vendor] — [function] — [% of operations dependent]
2. [Vendor] — [function] — [% of operations dependent]
3. [Vendor] — [function] — [% of operations dependent]
Annual vendor spend: $___
Spend on high/critical vendors: $___ (___%)
4. Cost of Vendor Failure
| Impact Area | Calculation |
|---|---|
| Revenue loss | Daily revenue × expected downtime days |
| Recovery cost | Migration estimate + emergency procurement |
| Compliance penalty | Regulatory fine range for data breach via vendor |
| Reputation damage | Customer churn rate × LTV × affected customers |
| Operational disruption | Staff idle cost × recovery period |
5. Quarterly Review Template
- Score changes since last review (flag any >10 point drops)
- New subprocessors added by vendor
- SLA performance vs target
- Security incidents or near-misses
- Contract renewal timeline and negotiation leverage
- Alternative vendor benchmarking
6. Red Flags (Immediate Action)
- Vendor acquired by competitor
- Key personnel departures (CISO, CTO)
- Downtime exceeding SLA 2+ months
- Regulatory action or investigation
- Refusal to complete security questionnaire
- Data breach affecting other customers
- Sudden pricing changes >20%
Industry-Specific Vendor Risks
| Industry | Critical Vendor Category | Specific Risk |
|---|---|---|
| Healthcare | EHR, billing, telehealth | HIPAA BAA gaps, PHI exposure |
| Financial Services | Core banking, payments, KYC | PCI DSS, regulatory reporting |
| Legal | Case management, ediscovery | Privilege breach, client data |
| SaaS | Infrastructure, auth, payments | Cascading outages, PII |
| Manufacturing | MES, supply chain, IoT | IP theft, production stoppage |
| Construction | Project management, safety | Compliance documentation gaps |
| Ecommerce | Payments, fulfillment, CDN | PCI, availability during peak |
| Recruitment | ATS, background check, payroll | Candidate PII, bias in AI screening |
| Real Estate | MLS, transaction mgmt, title | Wire fraud, closing delays |
| Professional Services | CRM, billing, document mgmt | Client confidentiality breach |
Get the Full Playbook
- AI Revenue Leak Calculator — Quantify your total automation opportunity
- Industry Context Packs — $47 each, deep-dive playbooks
- Agent Setup Wizard — Build your AI agent workforce