© 2026 Evidash Ltd. All rights reserved.

71-75, Shelton Street, Covent Garden, London, WC2H 9JQ, UNITED KINGDOM


July 5, 2026

Supplier Risk Assessment: Process, Matrix & Examples (+ Free Template)

Learn how to run a supplier risk assessment, build a risk matrix, tier suppliers by risk, and download a free supplier risk assessment template for Excel or Google Sheets.

Not every supplier deserves the same level of scrutiny. The one supplying a critical ingredient, component, or service can hurt you in ways the office-stationery vendor never will.

A supplier risk assessment is how you make that difference explicit. Instead of treating every supplier as equally trustworthy - or equally suspect - you score each one against defined risk criteria and let the result decide how much evidence, monitoring, and audit attention they get.

Done properly, it is the control that everything else in supplier management hangs off. The risk tier decides how a supplier gets approved, how often they are re-evaluated, what documents you insist on, and how quickly you react when something slips.

This guide walks through what to assess, how to build a supplier risk assessment matrix, what a worked example looks like, and how to turn the result into decisions rather than a spreadsheet nobody reopens. You can also download a free template and adapt it to your own supply base.

Download the template

  • Download PDF template
  • Download Excel template

The Excel version is a working tracker with likelihood and impact scoring, an automatic risk rating, tier bands, and control fields. The PDF is a printable blank reference. If you want to see the layout before downloading anything, the full structure is also written out at the end of this guide.

[Figure: Blank supplier risk assessment template showing supplier, risk category scores, likelihood, impact, risk rating, and tier columns]

What is a supplier risk assessment?

A supplier risk assessment, also called a vendor risk assessment, is a structured process for identifying and scoring the risks a supplier introduces to your business, so you can decide how much control that supplier needs.

It answers the questions a gut feeling cannot:

  • Which of our suppliers could actually hurt us if they failed?
  • How likely is that failure, and how bad would it be?
  • Are we spending our audit and monitoring effort on the right suppliers?
  • What evidence should we demand from this supplier before and after approval?

The risk assessment is the first half of supplier control. It happens before - and decides the depth of - everything that follows: the approval checklist a supplier must pass, the documents that go on file, the entry on your approved supplier list, and the cadence of the supplier scorecard that monitors them afterwards. Assessment decides how much control a supplier needs; approval and monitoring apply it.

Supplier risk assessment vs vendor risk assessment

The terms usually describe the same control. "Supplier risk assessment" is more common in manufacturing, food, and quality teams; "vendor risk assessment" is more common in procurement, finance, and services.

One caveat: in IT and security circles, "vendor risk assessment" often refers specifically to third-party cybersecurity assessments - data handling, access controls, SOC 2 reports. That is a valid but narrower exercise. This guide covers the broader operational version: the risk a supplier poses to your product, your compliance status, and your continuity of supply. Cybersecurity can be one category within it.

Why a supplier risk assessment matters

Two reasons: regulators expect it, and flat supplier management fails quietly.

Regulators and standards expect it. Risk-based supplier control is written into most modern quality and safety frameworks. ISO 9001 requires criteria for evaluating external providers based on their ability to affect your output. Food safety schemes go further: BRCGS Issue 9 requires a documented risk assessment of each raw material or group of raw materials (clause 3.5.1.1) and risk-based supplier approval, SQF and FSSC 22000 expect the same discipline, and importers under FSVP must perform hazard analysis and supplier evaluation by law. In construction, prequalification of subcontractors is risk assessment under another name. When an auditor asks "why is this supplier approved on a questionnaire while that one needed an audit?", the risk assessment is the answer.

Flat supplier management fails quietly. Without a risk assessment, every supplier gets roughly the same treatment - which in practice means the difficult, critical suppliers get less scrutiny than they need, and the trivial ones generate paperwork nobody reads. The failure mode is predictable: the team spends its energy chasing documents from low-risk suppliers because they are easy to chase, while the sole-source supplier of a critical material coasts on history.

A working risk assessment gives you:

  • a defensible basis for treating suppliers differently,
  • audit and monitoring effort concentrated where failure would actually hurt,
  • an early-warning frame: you know in advance which failures would be serious,
  • a documented answer when an auditor or customer asks how you decide supplier controls,
  • a shared language between procurement, quality, and operations about which suppliers matter most.

What risks to assess

The four categories below apply to any supply base - every supplier you assess can be scored on all of them, whatever your industry. Score each on the same scale so the results can be combined and compared. If your supply base carries a specific exposure beyond these - cybersecurity for data-handling vendors, ESG for scrutinized supply chains - add it as an extra category rather than stretching these four.

Product and quality risk

  • Could a supplier failure end up inside your product or service?
  • Complexity and hazard profile of what they supply
  • History of defects, rejections, or out-of-specification results

Why this matters: this is usually the heaviest-weighted category. A supplier whose failure becomes your product failure - a contaminated ingredient, an out-of-tolerance component, defective workmanship - carries fundamentally different risk from one whose failure is merely inconvenient.

Compliance and documentation risk

  • Does the material or service carry regulatory obligations (safety, labelling, licensing)?
  • Are certifications required, and are they genuine, current, and correctly scoped?
  • Do they supply required evidence - certificates, specifications, declarations, insurance - completely and on time, or do documents lapse before renewals arrive?
  • Any history of fraud, substitution, sanctions, or adverse findings?

Why this matters: compliance failures compound. An expired certificate is not just a lapsed document - it can invalidate your own certification claims, void insurance, or turn a routine audit into a major non-conformance. And how a supplier handles paperwork is a leading indicator of how they run everything else: a supplier who routinely lets documents expire is telling you something about their internal control. This category is where risk becomes visible earliest - see tracking certificate expiries and renewals.

Supply continuity and operational risk

  • Sole source or readily substitutable?
  • Lead times, capacity constraints, and logistics complexity
  • Geographic and geopolitical exposure

Why this matters: a mediocre supplier you can replace in a week is a nuisance. A mediocre supplier who is your only source of a critical input is a standing threat, whatever their quality scores say.

Financial risk

  • Signs of financial distress: payment disputes, shrinking capacity, sudden price moves
  • Dependence on you, or on a single customer of their own

Why this matters: financially stressed suppliers cut corners before they close doors. Quality and documentation usually deteriorate first, which is why financial risk belongs in the same assessment as quality risk rather than in a separate finance-only review.

The supplier risk assessment matrix

The supplier risk assessment matrix is the standard tool for turning the categories above into a single, comparable rating. It scores each risk on two axes:

  • Likelihood - how probable is a failure? (1 = rare, 5 = almost certain)
  • Impact - how bad would it be if it happened? (1 = negligible, 5 = severe)

Multiply the two and you get a risk rating from 1 to 25:

                Impact 1   Impact 2   Impact 3   Impact 4   Impact 5
Likelihood 5        5         10         15         20         25
Likelihood 4        4          8         12         16         20
Likelihood 3        3          6          9         12         15
Likelihood 2        2          4          6          8         10
Likelihood 1        1          2          3          4          5

Then band the ratings into tiers:

  • High risk (15-25). Full approval route: audit or certification evidence, complete document set, frequent review.
  • Medium risk (6-12). Standard route: questionnaire plus core documents, scheduled review.
  • Low risk (1-5). Light route: basic declaration and terms, periodic confirmation.

Two things make the matrix defensible rather than decorative. First, define what the scores mean - if two assessors would rate the same supplier differently, the scale is too vague, and the output is opinion with numbers attached. Second, set the bands and their consequences before you score anyone. A matrix whose bands move after the results are in is not an assessment; it is a justification.

You can score likelihood and impact per risk category and take the highest or weighted result, or score the supplier once overall. Per-category scoring takes longer and is worth it for critical suppliers; a single overall score is usually enough for the long tail.

[Figure: Supplier risk assessment matrix showing likelihood and impact axes with high, medium, and low risk tiers]

How to conduct a supplier risk assessment

1. Define scope and criteria first

Decide what you are assessing (suppliers, materials, services, or all three), which risk categories apply, and what your scoring scale and tier bands mean. Write it down before scoring anyone - the rules have to exist before the results do.

2. Segment the supply base

You do not need a deep assessment of every supplier on day one. Start by sorting suppliers by spend and criticality, and assess the obviously critical ones first: sole sources, regulated materials, anything customer-facing.

3. Gather the inputs

Most of the evidence already exists somewhere: quality and rejection records, delivery history, certificate and insurance status, questionnaire responses, complaint logs, financial signals, and public information such as recall databases or sanctions lists. The assessment's job is to bring it into one frame.

4. Score likelihood and impact

Score each supplier (or each supplier-material combination, for critical inputs) against your categories. Base scores on records where you have them and stated assumptions where you do not - an assumption written down can be challenged and improved; a hidden one cannot.

5. Assign tiers and map controls

Convert ratings into tiers, and tie each tier to concrete controls: the approval route, the required document set, the audit and review frequency, and the scorecard cadence. This mapping is the entire point of the exercise - a tier that does not change how a supplier is treated is just a label.

6. Set review triggers, not just review dates

Re-assess on a schedule matched to the tier - annually for high risk is common, longer for low risk. But calendar reviews alone are too slow. Certain events should trigger an immediate re-assessment regardless of schedule: a failed lot, a recall or withdrawal in the supplier's category, an expired certificate, a change of ownership or site, a new material from an existing supplier, or a sudden deterioration in responsiveness.

Supplier risk assessment example

Here is a worked supplier risk assessment example for two suppliers, scored 1-5 for likelihood and impact per category, using the highest category rating as the overall result.

Supplier A - sole-source supplier of a critical raw material:

Risk category                  Likelihood   Impact   Rating
Product and quality                 2          5        10
Compliance and documentation        2          5        10
Supply continuity                   3          5        15
Financial                           2          4         8
Overall                                                 15 - High risk

Supplier B - one of four suppliers of standard packaging:

Risk category                  Likelihood   Impact   Rating
Product and quality                 2          2         4
Compliance and documentation        3          2         6
Supply continuity                   2          1         2
Financial                           2          2         4
Overall                                                  6 - Medium risk

Notice what the matrix surfaces. Supplier A has no quality problems at all - likelihood scores are low across the board - but lands in the high-risk tier because a failure, however unlikely, would be severe and there is no alternative source. Supplier B is the reverse: sloppier with paperwork (compliance and documentation is their highest rating), but easily replaced and low-impact, so a medium tier and standard controls are enough.

This is the correction a risk assessment makes to instinct. Teams naturally watch the suppliers who cause friction. The matrix redirects attention to the suppliers who could cause damage - and they are often the quiet ones.
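The matrix arithmetic, tier bands, highest-category overall, and trigger-before-calendar review rule described above, as an added Python example (not code from the original article or from the Evidash product). The category keys, event names, review intervals, and assessment date are assumptions; the scores are the article's Supplier A and Supplier B.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

CATEGORIES = ("product_quality", "compliance_documentation",
              "supply_continuity", "financial")
# Tier bands from the article: high 15-25, medium 6-12, low 1-5. Products of two
# 1-5 scores never land on 13 or 14, so these floors cover every possible rating.
TIER_FLOORS = (("high", 15), ("medium", 6), ("low", 1))
# Approval routes follow the article's tier definitions; the review intervals are
# assumptions (the article only says "annually for high risk is common").
CONTROLS = {
    "high": {"route": "audit or certification evidence", "review_months": 12},
    "medium": {"route": "questionnaire plus core documents", "review_months": 24},
    "low": {"route": "basic declaration and terms", "review_months": 36},
}
# Events the article lists as forcing an immediate re-assessment (names assumed).
TRIGGER_EVENTS = {"failed_lot", "recall", "expired_certificate",
                  "ownership_or_site_change", "new_material", "responsiveness_drop"}

def rating(likelihood: int, impact: int) -> int:
    """Likelihood x impact on 1-5 scales gives a 1-25 rating; off-scale scores are rejected."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1-5, got {value}")
    return likelihood * impact

def tier(score: int) -> str:
    """Band a 1-25 rating into the article's three tiers."""
    for name, floor in TIER_FLOORS:
        if score >= floor:
            return name
    raise ValueError(f"rating out of range: {score}")

def overall_rating(scores: dict, weights: Optional[dict] = None) -> int:
    """Highest category rating (the article's default), or a weighted mean if weights given."""
    ratings = {c: rating(*scores[c]) for c in CATEGORIES}
    if weights is None:
        return max(ratings.values())
    total = sum(weights[c] for c in CATEGORIES)
    return round(sum(ratings[c] * weights[c] for c in CATEGORIES) / total)

@dataclass
class Assessment:
    supplier: str
    scores: dict                     # category -> (likelihood, impact)
    assessed_on: date
    events_since: set = field(default_factory=set)

    def risk_tier(self) -> str:
        return tier(overall_rating(self.scores))

    def next_review(self) -> date:
        months = CONTROLS[self.risk_tier()]["review_months"]
        return self.assessed_on + timedelta(days=30 * months)  # month approximated as 30 days

    def review_reason(self, today: date) -> Optional[str]:
        """A trigger event wins over the calendar; None means no review is due yet."""
        hit = self.events_since & TRIGGER_EVENTS
        if hit:
            return "trigger: " + ", ".join(sorted(hit))
        if today >= self.next_review():
            return "scheduled review overdue"
        return None

# Constructed sample data: the article's Supplier A and Supplier B (assessment date assumed).
SUPPLIER_A = Assessment("Supplier A (sole-source critical raw material)", {
    "product_quality": (2, 5), "compliance_documentation": (2, 5),
    "supply_continuity": (3, 5), "financial": (2, 4)}, date(2026, 1, 15))
SUPPLIER_B = Assessment("Supplier B (one of four packaging suppliers)", {
    "product_quality": (2, 2), "compliance_documentation": (3, 2),
    "supply_continuity": (2, 1), "financial": (2, 2)}, date(2026, 1, 15),
    events_since={"expired_certificate"})
```

Supplier B's lapsed certificate forces a re-assessment even though its calendar review is years away, which is the article's point about triggers versus anniversaries.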

Supplier risk assessment by industry

The matrix and process stay the same across industries. What changes is which risk categories dominate and what evidence sits behind the scores.

Regulated manufacturing and quality systems

Under ISO 9001 and similar quality systems, the type and extent of control applied to external providers must reflect their effect on your final output - which is a risk assessment requirement in all but name. Expect emphasis on product criticality, certification currency, and quality history, with high-tier suppliers subject to audits, PPAP or first-article requirements, and tighter re-evaluation cycles.

Food and beverage

Food safety schemes make supplier and raw material risk assessment explicit. BRCGS Issue 9 clause 3.5.1.1 requires a documented risk assessment of each raw material or group of raw materials - covering allergen presence and cross-contact, foreign-body, microbiological and chemical contamination, and fraud or substitution risk - and the supplier approval route must reflect that risk. SQF and FSSC 22000 carry equivalent expectations, and FSVP makes supplier evaluation a legal obligation for US importers. The risk tier then drives which suppliers can be approved by questionnaire and which need certification or audit evidence. See the food supplier approval checklist, the FSVP checklist, the SQF Edition 10 supplier-document gap checklist, and Evidash's food and beverage solution.

Construction and trades

In construction, supplier risk assessment mostly means subcontractor and trade prequalification: safety performance and RAMS quality, insurance cover in date and at the right level, accreditations such as CHAS, SafeContractor, or Constructionline, financial standing, and workload capacity. The impact axis is dominated by safety and programme: a scaffolding subcontractor and a landscaping supplier do not belong in the same tier, whatever their invoices look like. See Evidash's construction solution.

The common thread: every framework expects you to treat suppliers differently based on risk, and to be able to show the reasoning.

Common supplier risk assessment mistakes

Assessing once and filing it away

A risk assessment from three years ago describes a supply base that no longer exists. Suppliers change owners, sites, materials, and financial health. Set review cycles by tier and re-assess on trigger events, not just anniversaries.

Scoring everything medium

When criteria are vague, assessors hedge, and every supplier lands in the middle band. A matrix where 90% of suppliers are medium risk has failed at its one job: telling you where to look. Force the definitions to be concrete enough that high and low actually get used.

Confusing risk with performance

A supplier can perform beautifully and still be high risk - sole source, critical material, no fallback. Performance is measured by the supplier scorecard; risk is about what their failure would cost you. Assess both, and do not let a good score talk you out of a high tier.

Tiers that change nothing

If high-risk and low-risk suppliers end up with the same approval route, document set, and review frequency, the assessment is decoration. Every tier should map to a visibly different level of control.

Divorcing the assessment from the evidence

When the risk ratings live in one spreadsheet and the certificates, specifications, and corrective actions live somewhere else, the ratings drift out of date the day they are written. The supplier whose insurance lapsed last month is still marked low risk because nobody connected the two. We cover why this happens in the risks of manual supplier document management.

From spreadsheet to system

A spreadsheet is the right place to run your first supplier risk assessment, and the downloadable template is built for exactly that. The difficulty arrives afterwards: risk is not static, and a spreadsheet cannot watch anything.

The rating you gave a supplier in January quietly stops being true when their certificate expires in June, their responsiveness collapses in August, or they change site in October. In a spreadsheet, someone has to notice each of those and remember what it means for the tier. In practice, nobody does - until an audit or an incident forces the question.

A better setup keeps the assessment connected to the records it depends on:

  • supplier records, documents, approval status, and risk tier in one place,
  • certificates, specifications, and insurance linked to each supplier, with expiry visibility feeding the risk picture,
  • tier-driven review schedules with owners, status, and dates,
  • trigger events - expiries, overdue documents, open corrective actions - surfaced instead of discovered,
  • an audit trail showing what was assessed, when, on what evidence, and what changed.

That is when the risk assessment stops being an annual document and becomes a standing answer to the question "which of our suppliers should we be worried about right now?" For the wider picture, see our audit-ready supplier compliance framework.

Final thoughts

A supplier risk assessment is not valuable because it produces a tidy matrix. It is valuable because it lets you defend a decision that every business makes anyway: giving some suppliers more scrutiny than others. Without the assessment, that decision is made by habit and whoever shouts loudest. With it, the decision is deliberate, documented, and pointed at the suppliers whose failure would actually hurt.

If your risk ratings cannot survive being compared with the certificates, specifications, and corrective actions on file today, they are not measuring risk. They are recording history.

Evidash helps compliance-driven businesses keep supplier records, documents, and expiries in one place, tie them to risk tiers and review schedules, and maintain a clear audit trail from assessment through approval and ongoing monitoring. Instead of re-running a risk assessment from scratch before every audit, teams work from ratings that reflect the records underneath them.

If you are building or tightening your supplier risk assessment, take a look at Evidash's supplier management software and expiry tracking to see how it can support risk-based supplier control.

If you want to see the workflow before committing, explore the interactive demo.

Frequently asked questions

What is a supplier risk assessment?

A supplier risk assessment is a structured process for identifying and scoring the risks a supplier introduces to your business - across categories such as product quality, compliance and documentation, supply continuity, and financial stability - so you can decide how much control, evidence, and monitoring that supplier needs. The output is usually a risk rating and tier that drives the approval route and review frequency.

What is a supplier risk assessment matrix?

A supplier risk assessment matrix scores each risk on two axes - likelihood of a failure and impact if it happens - typically on 1-5 scales multiplied into a rating from 1 to 25. Ratings are banded into tiers such as high (15-25), medium (6-12), and low (1-5), and each tier maps to a defined level of control.

Is a supplier risk assessment the same as a vendor risk assessment?

Usually, yes. "Supplier risk assessment" is more common in manufacturing, food, and quality teams; "vendor risk assessment" is more common in procurement and services. In IT and security contexts, "vendor risk assessment" often refers specifically to third-party cybersecurity assessment, which is a narrower exercise that can sit as one category within the broader operational assessment.

How often should supplier risk assessments be reviewed?

Match the cycle to the tier: annual review for high-risk suppliers is common, with longer cycles for low-risk ones. Calendar reviews should be backed by trigger events that force an immediate re-assessment - a failed lot, a recall, an expired certificate or insurance policy, a change of ownership or site, or a new material from an existing supplier.

What is the difference between supplier risk and supplier performance?

Performance measures how a supplier has actually behaved - quality, delivery, responsiveness - and is tracked on a supplier scorecard. Risk measures what their failure would cost you, which depends on criticality, substitutability, and regulatory exposure as much as on behaviour. A supplier can perform well and still be high risk; both need assessing, and they drive different controls.


Supplier risk assessment template

Use this sample supplier risk assessment as a starting point and adapt the categories, scales, and tier bands to your industry, risk appetite, and audit requirements. Each row is one supplier, or one supplier-material combination for critical inputs.

Supplier identification

  • Supplier name
  • Supplier ID or vendor code
  • Material or service assessed
  • Sole source? (yes / no)

Risk scoring (score likelihood and impact 1-5 per category)

  • Product and quality risk
  • Compliance and documentation risk
  • Supply continuity and operational risk
  • Financial risk

Result

  • Overall risk rating (highest or weighted category rating, 1-25)
  • Risk tier (high 15-25, medium 6-12, low 1-5)
  • Required approval route (audit / certification / questionnaire / declaration)
  • Required document set

Review and controls

  • Assessor and assessment date
  • Next review date (by tier)
  • Trigger events noted since last review
  • Mitigations and actions, with owners and due dates
