Third-party risk assessment checklist for vendor vetting

Vendor risk assessments prevent compliance disasters. Here is a practical checklist covering security, financial stability, and ongoing monitoring requirements.

Most third-party risk assessment checklists are just PDFs that rot in SharePoint. Nobody updates them, nobody follows them, and when something goes wrong, everyone scrambles to figure out what was even checked in the first place. That’s not risk management - it’s theater.


Summary

  • 30% of data breaches now involve third-party vendors - The Verizon DBIR found this rate doubled year-over-year, and most organizations only assess a fraction of their vendor base because manual processes don’t scale
  • A vendor risk assessment template is worthless without a living process - Static checklists create the illusion of control while actual risks slip through during the 364 days nobody looks at the spreadsheet
  • Compliance verification alone isn’t enough - SOC 2, ISO 27001, and GDPR certificates prove a vendor passed an audit at one point, but they don’t tell you what’s happening today
  • Ongoing monitoring separates real TPRM from checkbox exercises - The organizations that catch problems early are the ones treating vendor risk as a continuous workflow, not an annual event

I’ve spent years watching mid-market companies get burned by vendors they never properly vetted. I learned this the hard way at Tallyfy working with operations teams, and the same story repeats: someone picks a vendor based on price and a handshake, six months later there’s a data incident or a service failure, and then everyone asks why nobody checked.

The answer is usually that someone did check. Once. Using a spreadsheet. That nobody ever opened again.

So before you automate your vendor risk assessments, you need a process worth automating. Here’s the checklist I wish more companies used.

What a real TPRM program looks like

Third-party risk management (TPRM) sounds like something only banks and hospitals need. It’s not. If your business depends on any external vendor for data handling, infrastructure, or critical services, you’ve got third-party risk whether you’ve named it or not.

A proper TPRM program’s got four moving parts:

  1. Identification - catalog every vendor that touches your data or operations
  2. Assessment - score each vendor’s risk based on what they access and how critical they are
  3. Mitigation - address gaps before they become incidents
  4. Monitoring - keep watching, because risk profiles change constantly

Most companies nail the first two and completely ignore the last two. That’s like locking your front door but never checking if the lock still works.

The NIST Cybersecurity Framework provides a solid foundation for structuring vendor risk categories, but I’ve found that most mid-market teams need something more practical than a government-issued reference document. They need a checklist they can actually run.

Security questionnaire that matters

Security questionnaires have a reputation problem. They’re long, boring, and vendors hate filling them out. But the alternative - trusting vendors without verification - is worse.

Here’s what your security questionnaire should cover, stripped down to what actually matters:

Data handling and storage

  • Where is our data stored geographically?
  • Is data encrypted at rest and in transit? What encryption standards?
  • Who within the vendor’s organization can access our data?
  • What happens to our data when the contract ends?
  • Do they use subprocessors, and if so, who?

Access controls

  • How do they manage authentication? Multi-factor required?
  • What’s their password policy and rotation schedule?
  • Do they conduct regular access reviews?
  • How quickly can they revoke access when an employee leaves?

Incident response

  • What’s their breach notification timeline? (GDPR requires 72 hours, but you might need faster)
  • Do they have a documented incident response plan?
  • When was it last tested?
  • Will they share forensic reports with you?

Business continuity

  • What’s their recovery time objective (RTO)?
  • When did they last test their disaster recovery plan?
  • Do they have geographic redundancy?

Skip the 200-question questionnaires. Across the compliance workflows we see, one pattern keeps surfacing: the teams that use shorter, targeted questionnaires get better responses than the ones who send vendors a 40-page document. Vendors actually complete the short ones.

This connects directly to how you approach operational risk management more broadly - the questionnaire is just one input into a bigger picture.

Financial stability assessment

A vendor’s security posture doesn’t matter much if they go bankrupt mid-contract. Financial due diligence doesn’t get the attention it deserves because it feels awkward - like asking someone how much money they have on a first date.

Do it anyway.

What to check:

  • Credit reports and ratings - Services like Dun & Bradstreet or CreditSafe provide standardized reports. A D&B PAYDEX score below 50 is a red flag
  • Revenue trends - Are they growing or shrinking? Consistent revenue decline signals trouble
  • Funding and capitalization - For startups, check runway. How many months of cash do they have?
  • Buyer concentration - If one buyer represents 40% of their revenue, losing that buyer could sink them
  • Insurance coverage - Do they carry adequate professional liability and cyber insurance?
  • Litigation history - Check PACER or local court records for pending lawsuits

I’m probably wrong about some vendors I’ve cleared in the past based on gut feeling alone. The financial checks would have caught issues I missed. That’s the point - systematic assessment beats intuition.

For vendors handling procurement and purchasing workflows, financial stability isn’t just nice to have. If your critical supplier can’t deliver because they’re insolvent, your entire operation stops.

Compliance verification beyond the certificate

SOC 2. ISO 27001. GDPR compliance. These three letters-and-numbers combinations show up on every vendor’s marketing page. But here’s what most people miss: a certificate tells you a vendor passed an audit at a specific point in time. It doesn’t tell you anything about today.

SOC 2 (Service Organization Control)

SOC 2 comes in two flavors. Type I says “we had controls in place on this date.” Type II says “we had controls in place and they worked over this period.” You’ll always want Type II. Always read the auditor’s opinion letter, not just the certificate. Look for qualified opinions or exceptions.

ISO 27001

ISO 27001 certification means a vendor’s got an information security management system (ISMS). Good. But the scope matters enormously. A company might certify their headquarters operations while their cloud infrastructure runs uncertified. Ask for the Statement of Applicability to see exactly what’s covered.

GDPR

There’s no such thing as “GDPR certified.” Anyone claiming GDPR certification is either confused or misleading you. What you can verify: Do they have a Data Protection Officer? Can they produce records of processing activities? Do they have a lawful basis for processing your data? Have they conducted a Data Protection Impact Assessment?

Managing regulatory change is hard enough internally. When you add vendors to the mix, you need to know they’re keeping up with the same regulatory shifts affecting your business.

What to actually verify:

  • Request the full audit report, not just the certificate
  • Check the certification scope matches what they’re doing for you
  • Verify the certifying body is accredited
  • Note the expiration date and set a reminder to re-verify
  • Ask about any remediation items from the last audit

After watching hundreds of teams try this with workflow automation, we’ve seen plenty of organizations treat compliance verification as a one-time gate. That’s a mistake. A PCI compliance audit taught one financial services team that point-in-time checks miss drift between audits. The same principle applies to vendor compliance.

Risk scoring that drives decisions

Risk scoring without a clear system is just opinion with numbers attached. You need a method that’s repeatable and that different people in your organization won’t apply differently each time.

Here’s a scoring approach that works for most mid-market teams:

Step 1 - Classify vendor criticality

  Tier      | Description                   | Example
  Critical  | Business stops if they fail   | Cloud infrastructure, payment processor
  Important | Major disruption if they fail | HR platform, CRM, key supplier
  Standard  | Inconvenient but manageable   | Office supplies, marketing tools
  Low       | Minimal impact                | One-off contractors, niche tools

Step 2 - Score risk dimensions (1-5 scale)

  • Data sensitivity - What data do they access? PII gets a 5. Public marketing data gets a 1
  • Integration depth - API access to core systems scores higher than no integration
  • Regulatory exposure - Vendors in regulated activities (financial, health data) score higher
  • Geographic risk - Consider data sovereignty and political stability
  • Financial stability - Based on your financial assessment findings
  • Substitutability - How hard is it to replace them? Single-source vendors score high

Step 3 - Calculate composite score

Multiply criticality tier weight by average dimension score. Critical vendors get a 4x multiplier, Important gets 3x, Standard gets 2x, Low gets 1x.

Any vendor scoring above your threshold triggers enhanced due diligence - they’ll get deeper security reviews, on-site assessments, more frequent monitoring.

The scoring isn’t perfect. My guess is that most organizations will need to adjust the weights after their first round of assessments. That’s fine. The point is having a system you can iterate on, not getting it right the first time.

Ongoing monitoring that catches problems early

This is where most vendor risk programs fall apart. The initial assessment gets done, everyone feels good, and then nobody looks at it again until the contract renewal. Meanwhile, the vendor’s CTO left, they had a quiet data breach they didn’t disclose, and their financial position deteriorated.

What to monitor continuously:

  • Security posture changes - Services like SecurityScorecard or BitSight provide continuous outside-in security ratings. They’re not perfect, but they catch obvious problems
  • News and regulatory actions - Set Google Alerts for vendor names plus terms like “breach,” “lawsuit,” “investigation,” “layoff”
  • Financial signals - Quarterly credit monitoring for critical vendors. Watch for late payments to their own suppliers
  • Compliance status - Track certification expiration dates. Re-verify annually at minimum
  • Performance metrics - SLA adherence, incident frequency, response times
  • Subprocessor changes - Vendors adding new subprocessors can change your risk profile overnight

Monitoring cadence by tier:

  • Critical vendors: Quarterly deep reviews, continuous automated monitoring
  • Important vendors: Semi-annual reviews, monthly automated checks
  • Standard vendors: Annual reviews
  • Low vendors: Review at contract renewal
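To show the scoring method above (Steps 1-3) actually driving a decision, here is an added Python example that is not part of the original article or of Tallyfy’s product: it applies the tier multipliers to the six dimension scores, rejects incomplete or out-of-range input, and routes the vendor to enhanced due diligence and to the monitoring cadence for its tier. The 12.0 threshold and the two vendor score sets are constructed assumptions; the article says to set your own threshold.

```python
# Tier multipliers from Step 3: Critical 4x, Important 3x, Standard 2x, Low 1x.
TIER_WEIGHT = {"Critical": 4, "Important": 3, "Standard": 2, "Low": 1}

# The six Step 2 risk dimensions, each scored 1 (lowest risk) to 5 (highest).
DIMENSIONS = (
    "data_sensitivity", "integration_depth", "regulatory_exposure",
    "geographic_risk", "financial_stability", "substitutability",
)

# Monitoring cadence by tier, as listed in the article.
CADENCE = {
    "Critical": "quarterly deep review + continuous automated monitoring",
    "Important": "semi-annual review + monthly automated checks",
    "Standard": "annual review",
    "Low": "review at contract renewal",
}


def composite_score(tier: str, scores: dict) -> float:
    """Tier weight multiplied by the average dimension score (max 4 * 5 = 20).

    A half-filled assessment is rejected rather than averaged, so missing
    dimensions cannot quietly produce a low, safe-looking number.
    """
    if tier not in TIER_WEIGHT:
        raise ValueError(f"unknown tier {tier!r}")
    if set(scores) != set(DIMENSIONS):
        raise ValueError(f"expected dimensions {DIMENSIONS}, got {tuple(scores)}")
    for name, value in scores.items():
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer 1-5, got {value!r}")
    return round(TIER_WEIGHT[tier] * sum(scores.values()) / len(scores), 2)


def route(tier: str, scores: dict, threshold: float = 12.0) -> dict:
    """Score above the (assumed) threshold triggers enhanced due diligence."""
    score = composite_score(tier, scores)
    return {
        "tier": tier,
        "score": score,
        "due_diligence": "enhanced" if score > threshold else "standard",
        "monitoring": CADENCE[tier],
    }


# Constructed sample inputs, not real vendors.
PAYMENT_PROCESSOR = {"data_sensitivity": 5, "integration_depth": 5, "regulatory_exposure": 5,
                     "geographic_risk": 2, "financial_stability": 3, "substitutability": 4}
MARKETING_TOOL = {"data_sensitivity": 2, "integration_depth": 1, "regulatory_exposure": 1,
                  "geographic_risk": 2, "financial_stability": 3, "substitutability": 3}

if __name__ == "__main__":
    print(route("Critical", PAYMENT_PROCESSOR))  # score 16.0 -> enhanced
    print(route("Standard", MARKETING_TOOL))     # score 4.0 -> standard
```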

We’ve observed that operations teams who build monitoring into their regular workflows catch problems months earlier than teams who treat it as a separate annual project. At Tallyfy, this is exactly why we think risk assessment should be a living workflow, not a static document. When monitoring tasks are embedded in your ongoing processes, they actually get done.

The broader trend here matters: in the age of AI, defining processes matters more than ever. AI agents can monitor vendor risk signals and flag anomalies automatically - but only if you’ve defined what to watch and what thresholds trigger action. Without that process definition, AI just generates noise.

Putting it all together

A vendor risk assessment template only works if it lives inside a process that people actually follow. Strip away the jargon and here’s what most compliance teams won’t admit: investment compliance teams in financial services figured this out years ago. They don’t use spreadsheets for critical risk workflows. They use trackable, auditable processes where every step has an owner and a deadline.

Your vendor risk assessment checklist should work the same way.

The minimum viable vendor risk process:

  1. New vendor request comes in with business justification
  2. Classify vendor tier based on data access and criticality
  3. Send appropriate security questionnaire (shorter for low-risk, longer for critical)
  4. Run financial stability checks
  5. Verify compliance certifications and scope
  6. Calculate risk score
  7. Route for approval based on score threshold
  8. Set up ongoing monitoring cadence
  9. Document everything in an auditable trail

Each of those steps should have an owner, a deadline, and a clear handoff to the next person. Not a shared spreadsheet. Not an email thread. It’s got to be a real workflow with accountability.

This ties directly back to vendor onboarding - risk assessment is the front gate of onboarding. Get it wrong, and everything downstream suffers.

Feedback we’ve received suggests that teams who run their vendor risk assessments as structured workflows in Tallyfy cut their assessment cycle time by more than half. Not because the work disappears, but because nobody’s chasing emails or wondering whose turn it is.


Stop treating vendor risk like a compliance checkbox. Treat it like what it is - a continuous process that protects your business from the outside in. The organizations that get this right aren’t the ones with the longest checklists. They’re the ones whose checklists don’t just sit in a folder collecting dust.

About the Author

Amit is the CEO of Tallyfy. He is a workflow expert and specializes in process automation and the next generation of business process management in the post-flowchart age. He has decades of consulting experience in task and workflow automation, continuous improvement (all the flavors) and AI-driven workflows for small and large companies. Amit did a Computer Science degree at the University of Bath and moved from the UK to St. Louis, MO in 2014. He loves watching American robins and their nesting behaviors!

Follow Amit on his website, LinkedIn, Facebook, Reddit, X (Twitter) or YouTube.
