Inherent Risk Rating Vendor Examples

Inherent risk rating categorizes vendors based on the maximum potential impact they could have on your organization before applying any controls. Critical vendors handling PII or production access typically rate high (8-10), while office suppliers rate low (1-3).

Key takeaways:

  • Financial services firms use 5-tier models mapping to regulatory requirements
  • Healthcare organizations focus on PHI access and system criticality
  • SaaS companies prioritize production access and customer data exposure
  • Manufacturing emphasizes operational continuity and IP protection

Every TPRM program starts with the same challenge: you have 500 vendors but resources to deeply assess maybe 50. Inherent risk rating determines which vendors warrant continuous monitoring versus annual reviews.

The most successful programs we've analyzed share three characteristics. They map directly to regulatory requirements (SOC 2 Type II controls, PCI DSS 12.8, HIPAA § 164.308). They use objective criteria that procurement can evaluate during vendor onboarding. They produce ratings that actually drive different assessment workflows—not just labels in a spreadsheet.

This analysis examines how four organizations built inherent risk models that reduced assessment workload by 60-80% while improving actual risk coverage. Each started with regulatory requirements, then added factors specific to their attack surface.

Regional Bank: Five-Tier Model Aligned to OCC Guidance

A $15B regional bank redesigned their vendor risk program after OCC examination findings. Their previous binary critical/non-critical classification missed medium-risk vendors that aggregated into material exposure.

Rating Framework

The bank developed five tiers directly mapped to OCC Third-Party Risk Management guidance:

Tier     | Inherent Risk Score | Examples                                    | Assessment Frequency
Critical | 9-10                | Core banking platform, payment processors   | Continuous monitoring
High     | 7-8                 | Wealth management systems, loan origination | Quarterly
Moderate | 5-6                 | Marketing analytics, HR systems             | Semi-annual
Low      | 3-4                 | Training vendors, facilities maintenance    | Annual
Minimal  | 1-2                 | Office supplies, landscaping                | Biennial

Scoring Criteria

Each vendor receives points across six categories:

  1. Customer data access (0-3 points): Direct PII access = 3, anonymized data = 1
  2. Transaction processing (0-3 points): Payment processing = 3, read-only = 0
  3. System criticality (0-2 points): Production systems = 2, development = 1
  4. Regulatory impact (0-1 point): Subject to banking regulations = 1
  5. Concentration risk (0-1 point): Difficult to replace = 1
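The bank's additive model, implemented as an added example (this is not the bank's own code): each category is range-checked, the points are summed, and the total is mapped to the tier and review cadence from the five-tier table. The category key names and the floor of 1 for a zero total are assumptions made for the illustration.

```python
# Added example (not the bank's own code): the additive scoring model and
# tier bands described above. Point ranges and tiers come from the article;
# category key names and the floor of 1 for a zero total are assumptions.

# Tier floors with the review cadence from the five-tier table.
TIERS = [
    (9, "Critical", "Continuous monitoring"),
    (7, "High", "Quarterly"),
    (5, "Moderate", "Semi-annual"),
    (3, "Low", "Annual"),
    (1, "Minimal", "Biennial"),
]

# Maximum points per scoring category (inclusive); all are non-negative integers.
CATEGORY_MAX = {
    "customer_data_access": 3,    # direct PII = 3, anonymized data = 1
    "transaction_processing": 3,  # payment processing = 3, read-only = 0
    "system_criticality": 2,      # production = 2, development = 1
    "regulatory_impact": 1,       # subject to banking regulations = 1
    "concentration_risk": 1,      # difficult to replace = 1
}

def inherent_score(points: dict) -> int:
    """Sum the category points after checking each lies within its range."""
    unknown = set(points) - set(CATEGORY_MAX)
    if unknown:
        raise ValueError(f"unknown categories: {sorted(unknown)}")
    total = 0
    for name, limit in CATEGORY_MAX.items():
        value = points.get(name, 0)
        if not isinstance(value, int) or not 0 <= value <= limit:
            raise ValueError(f"{name} must be an integer in 0..{limit}, got {value!r}")
        total += value
    # The table's lowest band starts at 1, so a zero total is floored (assumption).
    return max(total, 1)

def tier_for(score: int) -> tuple:
    """Map a 1-10 score to (tier name, assessment frequency)."""
    for floor, name, cadence in TIERS:
        if score >= floor:
            return name, cadence
    raise ValueError(f"score out of range: {score}")

def rate_vendor(points: dict) -> dict:
    score = inherent_score(points)
    tier, cadence = tier_for(score)
    return {"score": score, "tier": tier, "assessment": cadence}

if __name__ == "__main__":
    # Constructed sample: payment processor with direct PII on production systems.
    print(rate_vendor({"customer_data_access": 3, "transaction_processing": 3,
                       "system_criticality": 2, "regulatory_impact": 1,
                       "concentration_risk": 1}))
```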

Implementation Results

After 18 months:

  • Reduced full assessments from 340 to 85 annually
  • Identified 12 previously unmonitored moderate-risk vendors
  • Passed subsequent OCC examination with no findings
  • Cut vendor onboarding time from 21 to 7 days for low-risk vendors

Healthcare Network: PHI-Centric Risk Model

A 12-hospital network built their model around HIPAA requirements after a breach involving a transcription vendor. They discovered their existing model underweighted vendors with limited but sensitive data access.

Three-Tier Framework

Category    | Risk Indicators                                | Vendor Examples                                             | Due Diligence Requirements
High Risk   | PHI access OR clinical systems OR >10K records | EHR vendors, imaging systems, billing processors            | Full security assessment, BAA required, annual audits
Medium Risk | Indirect PHI exposure OR operational systems   | IT infrastructure, backup providers, appointment scheduling | Standardized questionnaire, BAA if applicable
Low Risk    | No PHI access AND replaceable within 48 hours  | Cafeteria services, non-clinical software                   | Simplified intake form

Key Differentiators

Unlike the bank's granular approach, the healthcare network used binary factors:

  • Any PHI access automatically triggers high-risk classification
  • Business continuity overrides other factors (can a 48-hour outage impact patient care?)
  • Subcontractor access equals primary vendor access

This simplified model worked because HIPAA provides clear thresholds. The network processed 200+ new vendors in year one with zero misclassifications requiring rework.

SaaS Platform: Production Access Drives Ratings

A B2B SaaS company serving Fortune 500 clients developed their model after a vendor breach exposed customer API keys. Their framework focuses exclusively on production environment access and customer data exposure.

Four-Level System

Level 4 (Critical): Production write access or customer data processing

  • Examples: Cloud infrastructure, CDN providers, payment processors
  • Controls: Real-time monitoring, quarterly pen tests, SOC 2 required

Level 3 (High): Production read access or customer metadata

  • Examples: Analytics tools, support platforms, monitoring services
  • Controls: Monthly reviews, annual assessments

Level 2 (Medium): Development environment or employee data

  • Examples: Dev tools, HR systems, corporate IT
  • Controls: Quarterly reviews, standard questionnaire

Level 1 (Low): No technical access

  • Examples: Marketing agencies, office vendors
  • Controls: Annual attestation

Automation Focus

The SaaS company automated most of their ratings through API integration:

  • Pull permission scopes from identity providers
  • Map data flows from their SIEM
  • Track actual vendor usage versus contracted scope

Manual overrides handle edge cases like vendors with dormant accounts or future implementation plans.

Manufacturing Conglomerate: Operational Continuity Model

A global manufacturer with 47 facilities developed ratings based on operational impact after a ransomware attack on a logistics vendor halted production for 6 days.

Risk Calculation Matrix

They score each vendor on two axes:

  1. Maximum acceptable downtime (MAD): How long can operations continue without this vendor?
  2. Geographic concentration: How many facilities depend on this single vendor?

MAD        | Single Facility | Regional (2-10) | Global (11+)
<4 hours   | Medium (5)      | High (7)        | Critical (9)
4-24 hours | Low (3)         | Medium (5)      | High (7)
1-7 days   | Low (3)         | Low (3)         | Medium (5)
>7 days    | Minimal (1)     | Low (3)         | Low (3)

Unique Considerations

Manufacturing added factors other industries ignored:

  • Sole source vendors: Automatic +2 to base score
  • Just-in-time suppliers: Minimum rating of Medium
  • Safety system vendors: Override to Critical regardless of other factors
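The matrix lookup combined with the three manufacturing modifiers, as an added example (not the manufacturer's own code): MAD and facility count are bucketed into the matrix row and column, then the safety override, the sole-source +2 and the just-in-time floor are applied in that order. The function names, the order in which modifiers apply, and the cap of the +2 at the matrix maximum of 9 are assumptions.

```python
# Added example (not the manufacturer's code): matrix lookup plus the three
# modifiers described above. Matrix values and modifier rules are from the
# article; function names, modifier order and the +2 cap at 9 are assumptions.
NAMES = {1: "Minimal", 3: "Low", 5: "Medium", 7: "High", 9: "Critical"}

# Rows: <4h, 4-24h, 1-7 days, >7 days. Columns: single, regional (2-10), global (11+).
MATRIX = [
    [5, 7, 9],
    [3, 5, 7],
    [3, 3, 5],
    [1, 3, 3],
]

def mad_row(mad_hours: float) -> int:
    """Bucket maximum acceptable downtime (in hours) into a matrix row."""
    if mad_hours < 0:
        raise ValueError("MAD cannot be negative")
    if mad_hours < 4:
        return 0
    if mad_hours <= 24:
        return 1
    if mad_hours <= 7 * 24:
        return 2
    return 3

def geo_column(facilities: int) -> int:
    """Bucket the number of dependent facilities into a matrix column."""
    if facilities < 1:
        raise ValueError("vendor must serve at least one facility")
    if facilities == 1:
        return 0
    return 1 if facilities <= 10 else 2

def rate_vendor(mad_hours, facilities, sole_source=False,
                just_in_time=False, safety_system=False) -> dict:
    applied = []
    if safety_system:
        # Safety system vendors are Critical regardless of other factors.
        return {"score": 9, "rating": "Critical", "modifiers": ["safety override"]}
    score = MATRIX[mad_row(mad_hours)][geo_column(facilities)]
    if sole_source:
        score = min(score + 2, 9)  # +2 to base score, capped at the matrix maximum (assumed)
        applied.append("sole source +2")
    if just_in_time and score < 5:
        score = 5  # just-in-time suppliers never rate below Medium
        applied.append("just-in-time floor")
    return {"score": score, "rating": NAMES[score], "modifiers": applied}

if __name__ == "__main__":
    # Constructed sample: a logistics vendor serving 30 plants with a 2-hour tolerance.
    print(rate_vendor(mad_hours=2, facilities=30))
```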

Common Variations and Edge Cases

Multi-tier Vendors

Large providers often span multiple risk levels. Microsoft might provide Office 365 (Low risk) and Azure hosting (Critical risk) to the same organization. Best practice: maintain separate risk ratings per service line with rolled-up reporting for executive visibility.

Acquisition Integration

During M&A, inherited vendors need rapid risk rating. Successful programs run abbreviated assessments focusing on:

  • Data access permissions
  • Contractual commitments
  • Integration timelines
  • Overlap with existing vendors

Vendor Consolidation

When vendors merge, re-rate based on expanded access. A Medium-risk HR vendor acquiring a payroll processor jumps to High risk due to financial data exposure.

Compliance Framework Alignment

Effective inherent risk models map directly to regulatory requirements:

  • SOC 2 CC2.2-CC2.3: Vendor risk assessment based on criticality
  • ISO 27001 A.15.1: Supplier relationship security requirements
  • PCI DSS 12.8.2: Maintain vendor inventory with risk ratings
  • NIST SP 800-53 SA-4: Acquisition process includes risk determination

Programs succeeding at framework alignment build rating criteria from control requirements rather than retrofitting ratings to compliance needs.

Frequently Asked Questions

How often should we recalculate inherent risk ratings?

Annually for all vendors, plus trigger-based updates for material changes like new data access, M&A activity, or service expansion. Critical vendors warrant quarterly reviews.

Should inherent risk consider vendor security posture?

No. Inherent risk assumes zero controls—it's the worst-case scenario. Security posture factors into residual risk calculations after you evaluate their actual controls.

What's the optimal number of risk tiers?

Three to five tiers work best. Fewer than three lacks granularity; more than five creates artificial precision. Match tiers to distinct assessment workflows you can actually support.

How do we handle vendors refusing to share information for rating?

Default to the highest risk tier for their service category. Document the refusal and escalate through procurement. Many organizations make assessment participation a contractual requirement.

Can we use the same inherent risk model across different business units?

Core criteria should remain consistent, but weights may vary. A marketing vendor might rate Low for corporate IT but High for a unit handling customer data.

Should cost factor into inherent risk ratings?

Cost indicates business importance but not risk. Keep financial metrics separate from security ratings to avoid conflating budget impact with actual exposure.

How do we rate vendors during proof-of-concept phases?

Rate based on intended production use, not current limited access. This prevents rushed assessments when POCs convert to full implementations.

