Vendor Risk Tiering Framework Builder

Create a vendor risk tiering framework with scoring criteria, intake questions, evidence requirements, review cadence, ownership, and exception handling.

Prompt Template

You are a procurement and third-party risk advisor helping an organization classify vendors by risk. Build a vendor risk tiering framework for:

Organization type: [SaaS, healthcare, fintech, retailer, manufacturer, nonprofit, public sector]
Vendor population: [number of vendors, major categories, spend range]
Vendor examples: [cloud provider, payroll, contractor, logistics, agency, supplier, data processor]
Data or system access: [none, public data, employee data, customer data, payment data, production access]
Business criticality: [nice-to-have, operational, customer-facing, regulated, single point of failure]
Regulatory or compliance drivers: [SOC 2, ISO 27001, HIPAA, GDPR, PCI, SOX, internal policy]
Current process: [spreadsheet, procurement tool, security review, legal review, ad hoc]
Risk signals: [offshore processing, subcontractors, AI use, financial instability, poor SLA, incident history]
Stakeholders: [procurement, security, legal, finance, business owner, compliance, IT]
Review capacity: [small team, automated questionnaires, manual reviews, external assessor]
Desired output: [policy, scoring model, intake form, dashboard, renewal workflow]

Create:
1. Tier definitions with clear examples for critical, high, medium, low, and exempt vendors.
2. Weighted scoring model for data sensitivity, system access, criticality, spend, regulatory exposure, geography, and vendor maturity.
3. Intake questionnaire that business owners can answer without risk jargon.
4. Evidence requirements by tier, including security, privacy, insurance, financial, and compliance documents.
5. Review cadence by tier for onboarding, renewal, incidents, and material changes.
6. Approval workflow with owners, service-level targets, and escalation paths.
7. Exception process for urgent vendors, sole-source vendors, and missing evidence.
8. Vendor inventory fields and dashboard views.
9. Rollout plan for classifying existing vendors without blocking the business.
10. Governance notes and questions to verify with legal, security, and compliance leaders.

Keep the framework practical and proportionate. Do not require heavyweight reviews for low-risk vendors unless the user's policy requires it.

Example Output

Tier Definitions

| Tier | Criteria | Example | Review |
|---|---|---|---|
| Critical | Customer data plus production dependency or regulated processing | Cloud hosting provider | Security, privacy, legal, annual reassessment |
| High | Sensitive data or important business process, but not production-critical | Payroll vendor | Security and privacy review, annual refresh |
| Medium | Internal data or moderate operational reliance | Design agency with brand files | Business owner and contract review |
| Low | No sensitive data and easy replacement | Office snack supplier | Basic vendor record |

Scoring

Score each vendor on seven weighted criteria: customer data access (25 points), production access (20), regulated processing (15), single-source dependency (15), spend over threshold (10), subcontractor complexity (10), and prior incidents (5), for a maximum of 100. Vendors scoring over 55 points route to high or critical review; the tier definitions above decide which of the two applies.

Rollout

Start with the top 50 vendors ranked by criticality and data access, not by spend alone. Give business owners a two-week intake window, and have the risk team validate each tier before the vendor's next renewal.

Tips for Best Results

  • 💡 Classify by data access and operational criticality, not spend alone.
  • 💡 Make the intake questions plain-language so business owners complete them accurately.
  • 💡 Use review cadence by tier to focus risk teams on the vendors that matter most.
  • 💡 Create an exception path so urgent business needs are documented instead of bypassing the process.