Overview
Vendor Risk AI provides three complementary views of vendor posture:
Questionnaire Compliance Score
Residual Risk Score
Reviewer Risk Score
Each score answers a unique question and is designed to be transparent and explainable.
Key benefits
Transparency: Understand exactly how a vendor meets specific control requirements.
Explainability: View the evidence and logic behind every assessment.
Comprehensive insight: Evaluate vendor risk from three different perspectives for a more complete picture.
Using Vendor Risk AI scores
Questionnaire Compliance Score
The Questionnaire Compliance Score reflects how well the vendor meets the requirements of the selected questionnaire based on available evidence and responses. It answers the question: "To what extent does this vendor satisfy the controls in this questionnaire?"
The process
The AI cross-references vendor documents and responses against each control requirement. Each item is rated as Meets, Partially Meets, Does Not Meet, or Insufficient Info.
For each question, Vendor Risk AI evaluates:
Vendor-provided documents
Questionnaire responses
Alignment with the control requirement
The result
A percentage of controls satisfied. A high score shows a disciplined vendor, but it says nothing about external threats or about how sensitive the data the vendor handles is; it only records whether the "doors are locked" as the questionnaire asked.
Note: This is not a risk score. The Questionnaire Compliance Score measures control coverage, not exposure. A vendor can be highly compliant and still carry significant risk because of the data it handles or the role it plays.
Residual Risk Score
The Residual Risk Score reflects the vendor’s remaining risk after considering inherent risk, context, and control effectiveness. This is a dynamic look at real-world exposure. It calculates how much risk "leaks" through, even when controls are in place. It answers the question: "Based on evidence and context, how exposed is this vendor?"
The formula
(Inherent Risk from Data/Context) - (Control Effectiveness) = Residual Risk
How it functions
It considers the sensitivity of the data involved and the vendor's role, then subtracts the effectiveness of the evidenced controls. If a control is only rated Partially Meets, less of the inherent risk is removed and the residual risk level rises to reflect that gap. This score evolves as you gather more evidence or follow-up details.
Tip: The Residual Risk Score may be updated if additional evidence or follow-up responses are provided.
Reviewer Risk Score
The Reviewer Risk Score reflects the risks your team explicitly identified and chose to track at the time the assessment is closed. This score directly reflects team accountability. It ignores automated findings that your team deemed irrelevant and focuses solely on the "active" risks you chose to track. It answers the question: "How much unresolved risk did we decide matters to us?"
How it works
During review, your team decides which flags matter. You can request follow-ups, mark items as N/A, finish review (no risk), or convert a finding into an official "Risk."
Only created risks contribute to the Reviewer Risk Score. If no risks are created, the Reviewer Risk Score is 0.
Weighted impact
The final score is curated by your team’s actions:
Mitigation: High impact on score.
Accepted/Transferred: Reduced impact.
Avoided: Zero impact.
Note: The Reviewer Risk Score is fully controlled by your team and reflects decisions at the time the assessment is completed. Accepted risks still count (though less), while avoided risks don't contribute to the score.
Priority alignment
Scores are grouped by domain (e.g., Security, Privacy), which can be weighted to match your organization’s specific risk appetite.
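The following Python model is an added worked example, not Vendor Risk AI's own code, that puts the three scores side by side on one constructed questionnaire. It shows the point the page makes: the same set of control verdicts gives the same Questionnaire Compliance Score, but the Residual Risk Score differs with data sensitivity and vendor role, drops when a follow-up turns Insufficient Info into Meets, and the Reviewer Risk Score counts only risks the team created, weighted by treatment and domain. Every numeric value here (verdict credit, the inherent-risk table, treatment weights, domain weights, the 0-100 scale) is an assumption chosen to make the behaviour visible; the product does not publish its weights.

```python
"""Illustrative model of the three Vendor Risk AI scores (added example, not product code).

All weights and scales below are assumptions made for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    MEETS = "Meets"
    PARTIALLY_MEETS = "Partially Meets"
    DOES_NOT_MEET = "Does Not Meet"
    INSUFFICIENT_INFO = "Insufficient Info"


# Assumed: share of a control's protective value the vendor gets credit for.
VERDICT_CREDIT = {
    Verdict.MEETS: 1.0,
    Verdict.PARTIALLY_MEETS: 0.5,
    Verdict.DOES_NOT_MEET: 0.0,
    Verdict.INSUFFICIENT_INFO: 0.0,  # no evidence earns no credit
}

# Assumed inherent-risk baseline (0-100) by classification of the data the vendor handles.
INHERENT_BY_DATA = {"public": 10, "internal": 35, "confidential": 60, "regulated": 90}

# Assumed weight a tracked risk keeps under each treatment decision (page: mitigation
# counts fully, accepted/transferred count less, avoided counts nothing).
TREATMENT_WEIGHT = {"mitigate": 1.0, "accept": 0.5, "transfer": 0.5, "avoid": 0.0}


@dataclass(frozen=True)
class Control:
    control_id: str
    domain: str        # e.g. "Security", "Privacy"
    verdict: Verdict


@dataclass(frozen=True)
class Risk:
    domain: str
    severity: int      # 1 (low) .. 5 (critical), assumed scale
    treatment: str     # key of TREATMENT_WEIGHT


def compliance_score(controls):
    """Percent of controls rated Meets. Assumption: Partially Meets is not counted as satisfied."""
    if not controls:
        return 0.0
    met = sum(1 for c in controls if c.verdict is Verdict.MEETS)
    return round(100.0 * met / len(controls), 1)


def inherent_risk(data_class, critical_role):
    """Assumed context model: data sensitivity sets the baseline, a critical vendor role raises it."""
    base = INHERENT_BY_DATA[data_class]
    return min(100.0, base * (1.25 if critical_role else 1.0))


def control_effectiveness(controls, inherent):
    """Portion of the inherent risk that evidenced controls remove, in the same 0-100 units."""
    if not controls:
        return 0.0
    mean_credit = sum(VERDICT_CREDIT[c.verdict] for c in controls) / len(controls)
    return inherent * mean_credit


def residual_risk(controls, data_class, critical_role):
    """Residual Risk = Inherent Risk (from data/context) - Control Effectiveness."""
    inherent = inherent_risk(data_class, critical_role)
    return round(inherent - control_effectiveness(controls, inherent), 1)


def with_follow_up(controls, control_id, new_verdict):
    """Re-rate one control after follow-up evidence arrives; the residual score is then recomputed."""
    return [Control(c.control_id, c.domain, new_verdict) if c.control_id == control_id else c
            for c in controls]


def reviewer_risk_score(risks, domain_weights=None):
    """Sum of severity x treatment weight x domain weight over risks the team created; 0 if none."""
    weights = domain_weights or {}
    return round(sum(r.severity * TREATMENT_WEIGHT[r.treatment] * weights.get(r.domain, 1.0)
                     for r in risks), 1)


# Constructed sample questionnaire: eight Meets, one Partially Meets, one Insufficient Info.
SAMPLE_CONTROLS = [Control(f"SEC-{i}", "Security", Verdict.MEETS) for i in range(1, 9)] + [
    Control("PRIV-1", "Privacy", Verdict.PARTIALLY_MEETS),
    Control("PRIV-2", "Privacy", Verdict.INSUFFICIENT_INFO),
]

if __name__ == "__main__":
    print("Compliance:", compliance_score(SAMPLE_CONTROLS), "%")
    print("Residual, public data, non-critical role:", residual_risk(SAMPLE_CONTROLS, "public", False))
    print("Residual, regulated data, critical role:", residual_risk(SAMPLE_CONTROLS, "regulated", True))
    updated = with_follow_up(SAMPLE_CONTROLS, "PRIV-2", Verdict.MEETS)
    print("Residual after follow-up evidence:", residual_risk(updated, "regulated", True))
    tracked = [Risk("Security", 4, "mitigate"), Risk("Privacy", 3, "accept"), Risk("Security", 5, "avoid")]
    print("Reviewer risk score:", reviewer_risk_score(tracked, {"Security": 1.5, "Privacy": 1.0}))
```

Both vendors score 80% compliance, yet the one handling regulated data in a critical role carries ten times the residual risk of the one handling public data, and a single follow-up that resolves the Insufficient Info item lowers that residual figure without changing which controls the team chose to track.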
Comparison of scores
| Score | Purpose | Key takeaway |
| --- | --- | --- |
| Questionnaire Compliance Score | Measures how well controls are satisfied | "Are controls met?" |
| Residual Risk Score | Measures remaining exposure after controls | "What risk remains?" |
| Reviewer Risk Score | Reflects the risks your team chose to track | "What risks did we decide matter?" |
Together, these scores provide a complete and transparent view of vendor risk.

