July 5, 2026
Learn how to run a supplier risk assessment, build a risk matrix, tier suppliers by risk, and download a free supplier risk assessment template for Excel or Google Sheets.
Not every supplier deserves the same level of scrutiny. The one supplying a critical ingredient, component, or service can hurt you in ways the office-stationery vendor never will.
A supplier risk assessment is how you make that difference explicit. Instead of treating every supplier as equally trustworthy - or equally suspect - you score each one against defined risk criteria and let the result decide how much evidence, monitoring, and audit attention they get.
Done properly, it is the control that everything else in supplier management hangs off. The risk tier decides how a supplier gets approved, how often they are re-evaluated, what documents you insist on, and how quickly you react when something slips.
This guide walks through what to assess, how to build a supplier risk assessment matrix, what a worked example looks like, and how to turn the result into decisions rather than a spreadsheet nobody reopens. You can also download a free template and adapt it to your own supply base.
The Excel version is a working tracker with likelihood and impact scoring, an automatic risk rating, tier bands, and control fields. The PDF is a printable blank reference. If you want to see the layout before downloading anything, the full structure is also written out at the end of this guide.

A supplier risk assessment, also called a vendor risk assessment, is a structured process for identifying and scoring the risks a supplier introduces to your business, so you can decide how much control that supplier needs.
It answers the questions a gut feeling cannot:
The risk assessment is the first half of supplier control. It happens before - and decides the depth of - everything that follows: the approval checklist a supplier must pass, the documents that go on file, the entry on your approved supplier list, and the cadence of the supplier scorecard that monitors them afterwards. Assessment decides how much control a supplier needs; approval and monitoring apply it.
The terms usually describe the same control. "Supplier risk assessment" is more common in manufacturing, food, and quality teams; "vendor risk assessment" is more common in procurement, finance, and services.
One caveat: in IT and security circles, "vendor risk assessment" often refers specifically to third-party cybersecurity assessments - data handling, access controls, SOC 2 reports. That is a valid but narrower exercise. This guide covers the broader operational version: the risk a supplier poses to your product, your compliance status, and your continuity of supply. Cybersecurity can be one category within it.
Two reasons: regulators expect it, and flat supplier management fails quietly.
Regulators and standards expect it. Risk-based supplier control is written into most modern quality and safety frameworks. ISO 9001 requires criteria for evaluating external providers based on their ability to affect your output. Food safety schemes go further: BRCGS Issue 9 requires a documented risk assessment of each raw material or group of raw materials (clause 3.5.1.1) and risk-based supplier approval, SQF and FSSC 22000 expect the same discipline, and importers under FSVP must perform hazard analysis and supplier evaluation by law. In construction, prequalification of subcontractors is risk assessment under another name. When an auditor asks "why is this supplier approved on a questionnaire while that one needed an audit?", the risk assessment is the answer.
Flat supplier management fails quietly. Without a risk assessment, every supplier gets roughly the same treatment - which in practice means the difficult, critical suppliers get less scrutiny than they need, and the trivial ones generate paperwork nobody reads. The failure mode is predictable: the team spends its energy chasing documents from low-risk suppliers because they are easy to chase, while the sole-source supplier of a critical material coasts on history.
A working risk assessment gives you:
The four categories below apply to any supply base - every supplier you assess can be scored on all of them, whatever your industry. Score each on the same scale so the results can be combined and compared. If your supply base carries a specific exposure beyond these - cybersecurity for data-handling vendors, ESG for scrutinized supply chains - add it as an extra category rather than stretching these four.
Why this matters: this is usually the heaviest-weighted category. A supplier whose failure becomes your product failure - a contaminated ingredient, an out-of-tolerance component, defective workmanship - carries fundamentally different risk from one whose failure is merely inconvenient.
Why this matters: compliance failures compound. An expired certificate is not just a lapsed document - it can invalidate your own certification claims, void insurance, or turn a routine audit into a major non-conformance. And how a supplier handles paperwork is a leading indicator of how they run everything else: a supplier who routinely lets documents expire is telling you something about their internal control. This category is where risk becomes visible earliest - see tracking certificate expiries and renewals.
Why this matters: a mediocre supplier you can replace in a week is a nuisance. A mediocre supplier who is your only source of a critical input is a standing threat, whatever their quality scores say.
Why this matters: financially stressed suppliers cut corners before they close doors. Quality and documentation usually deteriorate first, which is why financial risk belongs in the same assessment as quality risk rather than in a separate finance-only review.
The supplier risk assessment matrix is the standard tool for turning the categories above into a single, comparable rating. It scores each risk on two axes:
Multiply the two and you get a risk rating from 1 to 25:
| | Impact 1 | Impact 2 | Impact 3 | Impact 4 | Impact 5 |
|---|---|---|---|---|---|
| Likelihood 5 | 5 | 10 | 15 | 20 | 25 |
| Likelihood 4 | 4 | 8 | 12 | 16 | 20 |
| Likelihood 3 | 3 | 6 | 9 | 12 | 15 |
| Likelihood 2 | 2 | 4 | 6 | 8 | 10 |
| Likelihood 1 | 1 | 2 | 3 | 4 | 5 |
Then band the ratings into tiers:
Two things make the matrix defensible rather than decorative. First, define what the scores mean - if two assessors would rate the same supplier differently, the scale is too vague, and the output is opinion with numbers attached. Second, set the bands and their consequences before you score anyone. A matrix whose bands move after the results are in is not an assessment; it is a justification.
You can score likelihood and impact per risk category and take the highest or weighted result, or score the supplier once overall. Per-category scoring takes longer and is worth it for critical suppliers; a single overall score is usually enough for the long tail.

Decide what you are assessing (suppliers, materials, services, or all three), which risk categories apply, and what your scoring scale and tier bands mean. Write it down before scoring anyone - the rules have to exist before the results do.
You do not need a deep assessment of every supplier on day one. Start by sorting suppliers by spend and criticality, and assess the obviously critical ones first: sole sources, regulated materials, anything customer-facing.
Most of the evidence already exists somewhere: quality and rejection records, delivery history, certificate and insurance status, questionnaire responses, complaint logs, financial signals, and public information such as recall databases or sanctions lists. The assessment's job is to bring it into one frame.
Score each supplier (or each supplier-material combination, for critical inputs) against your categories. Base scores on records where you have them and stated assumptions where you do not - an assumption written down can be challenged and improved; a hidden one cannot.
Convert ratings into tiers, and tie each tier to concrete controls: the approval route, the required document set, the audit and review frequency, and the scorecard cadence. This mapping is the entire point of the exercise - a tier that does not change how a supplier is treated is just a label.
Re-assess on a schedule matched to the tier - annually for high risk is common, longer for low risk. But calendar reviews alone are too slow. Certain events should trigger an immediate re-assessment regardless of schedule: a failed lot, a recall or withdrawal in the supplier's category, an expired certificate, a change of ownership or site, a new material from an existing supplier, or a sudden deterioration in responsiveness.
Here is a worked supplier risk assessment example for two suppliers, scored 1-5 for likelihood and impact per category, using the highest category rating as the overall result.
Supplier A - sole-source supplier of a critical raw material:
| Risk category | Likelihood | Impact | Rating |
|---|---|---|---|
| Product and quality | 2 | 5 | 10 |
| Compliance and documentation | 2 | 5 | 10 |
| Supply continuity | 3 | 5 | 15 |
| Financial | 2 | 4 | 8 |
| Overall | | | 15 - High risk |
Supplier B - one of four suppliers of standard packaging:
| Risk category | Likelihood | Impact | Rating |
|---|---|---|---|
| Product and quality | 2 | 2 | 4 |
| Compliance and documentation | 3 | 2 | 6 |
| Supply continuity | 2 | 1 | 2 |
| Financial | 2 | 2 | 4 |
| Overall | | | 6 - Medium risk |
Notice what the matrix surfaces. Supplier A has no quality problems at all - likelihood scores are low across the board - but lands in the high-risk tier because a failure, however unlikely, would be severe and there is no alternative source. Supplier B is the reverse: sloppier with paperwork (compliance and documentation is their highest rating), but easily replaced and low-impact, so a medium tier and standard controls are enough.
This is the correction a risk assessment makes to instinct. Teams naturally watch the suppliers who cause friction. The matrix redirects attention to the suppliers who could cause damage - and they are often the quiet ones.
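The scoring and tiering from the matrix section and the worked example above, as an added Python example that is not part of this guide or its template: it uses the tier bands the guide's FAQ gives (high 15-25, medium 6-12, low 1-5), takes the highest category rating as the overall result, and the per-tier control values and shortened category names are placeholders of my own.

```python
# Added example, not the template's own formulas: likelihood x impact on 1-5
# scales gives a 1-25 rating, banded into the tiers the guide quotes
# (high 15-25, medium 6-12, low 1-5); overall = highest category rating.
from collections import Counter

SCALE = range(1, 6)
# Products of two 1-5 scores can never be 13 or 14, so these bands cover
# every reachable rating.
TIER_BANDS = (("high", 15, 25), ("medium", 6, 12), ("low", 1, 5))
# Illustrative controls per tier (placeholder values, set your own).
TIER_CONTROLS = {
    "high": {"approval": "audit", "review_months": 12},
    "medium": {"approval": "certificate", "review_months": 24},
    "low": {"approval": "questionnaire", "review_months": 36},
}

def rating(likelihood: int, impact: int) -> int:
    """Risk rating = likelihood x impact; both on the 1-5 scale."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be integers 1-5")
    return likelihood * impact

def tier(score: int) -> str:
    """Band a 1-25 rating into a tier name."""
    for name, low, high in TIER_BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"rating {score} is outside the 1-25 matrix")

def assess(categories: dict[str, tuple[int, int]]) -> dict:
    """Score each category; the highest rating is the overall result."""
    ratings = {n: rating(l, i) for n, (l, i) in categories.items()}
    driver = max(ratings, key=ratings.get)  # category that sets the tier
    t = tier(ratings[driver])
    return {"ratings": ratings, "overall": ratings[driver],
            "driver": driver, "tier": t, "controls": TIER_CONTROLS[t]}

def tier_distribution(results: dict[str, dict]) -> dict[str, int]:
    """Suppliers per tier; a base that is nearly all 'medium' means the
    scoring definitions are too vague to separate suppliers."""
    return dict(Counter(r["tier"] for r in results.values()))

# The two suppliers from the worked example above as (likelihood, impact);
# category names shortened for width.
SUPPLIERS = {
    "Supplier A": {"Product and quality": (2, 5), "Compliance": (2, 5),
                   "Supply continuity": (3, 5), "Financial": (2, 4)},
    "Supplier B": {"Product and quality": (2, 2), "Compliance": (3, 2),
                   "Supply continuity": (2, 1), "Financial": (2, 2)},
}
RESULTS = {name: assess(cats) for name, cats in SUPPLIERS.items()}
```

The `driver` field records which category set the tier, which is the line an auditor will ask about; `tier_distribution` is the quick check against the all-medium failure mode described later in the guide.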
The matrix and process stay the same across industries. What changes is which risk categories dominate and what evidence sits behind the scores.
Under ISO 9001 and similar quality systems, the type and extent of control applied to external providers must reflect their effect on your final output - which is a risk assessment requirement in all but name. Expect emphasis on product criticality, certification currency, and quality history, with high-tier suppliers subject to audits, PPAP or first-article requirements, and tighter re-evaluation cycles.
Food safety schemes make supplier and raw material risk assessment explicit. BRCGS Issue 9 clause 3.5.1.1 requires a documented risk assessment of each raw material or group of raw materials - covering allergen presence and cross-contact, foreign-body, microbiological and chemical contamination, and fraud or substitution risk - and the supplier approval route must reflect that risk. SQF and FSSC 22000 carry equivalent expectations, and FSVP makes supplier evaluation a legal obligation for US importers. The risk tier then drives which suppliers can be approved by questionnaire and which need certification or audit evidence. See the food supplier approval checklist, the FSVP checklist, the SQF Edition 10 supplier-document gap checklist, and Evidash's food and beverage solution.
In construction, supplier risk assessment mostly means subcontractor and trade prequalification: safety performance and RAMS quality, insurance cover in date and at the right level, accreditations such as CHAS, SafeContractor, or Constructionline, financial standing, and workload capacity. The impact axis is dominated by safety and programme: a scaffolding subcontractor and a landscaping supplier do not belong in the same tier, whatever their invoices look like. See Evidash's construction solution.
The common thread: every framework expects you to treat suppliers differently based on risk, and to be able to show the reasoning.
A risk assessment from three years ago describes a supply base that no longer exists. Suppliers change owners, sites, materials, and financial health. Set review cycles by tier and re-assess on trigger events, not just anniversaries.
When criteria are vague, assessors hedge, and every supplier lands in the middle band. A matrix where 90% of suppliers are medium risk has failed at its one job: telling you where to look. Force the definitions to be concrete enough that high and low actually get used.
A supplier can perform beautifully and still be high risk - sole source, critical material, no fallback. Performance is measured by the supplier scorecard; risk is about what their failure would cost you. Assess both, and do not let a good score talk you out of a high tier.
If high-risk and low-risk suppliers end up with the same approval route, document set, and review frequency, the assessment is decoration. Every tier should map to a visibly different level of control.
When the risk ratings live in one spreadsheet and the certificates, specifications, and corrective actions live somewhere else, the ratings drift out of date the day they are written. The supplier whose insurance lapsed last month is still marked low risk because nobody connected the two. We cover why this happens in the risks of manual supplier document management.
A spreadsheet is the right place to run your first supplier risk assessment, and the downloadable template is built for exactly that. The difficulty arrives afterwards: risk is not static, and a spreadsheet cannot watch anything.
The rating you gave a supplier in January quietly stops being true when their certificate expires in June, their responsiveness collapses in August, or they change site in October. In a spreadsheet, someone has to notice each of those and remember what it means for the tier. In practice, nobody does - until an audit or an incident forces the question.
A better setup keeps the assessment connected to the records it depends on:
That is when the risk assessment stops being an annual document and becomes a standing answer to the question "which of our suppliers should we be worried about right now?" For the wider picture, see our audit-ready supplier compliance framework.
A supplier risk assessment is not valuable because it produces a tidy matrix. It is valuable because it lets you defend a decision that every business makes anyway: giving some suppliers more scrutiny than others. Without the assessment, that decision is made by habit and whoever shouts loudest. With it, the decision is deliberate, documented, and pointed at the suppliers whose failure would actually hurt.
If your risk ratings cannot survive being compared with the certificates, specifications, and corrective actions on file today, they are not measuring risk. They are recording history.
Evidash helps compliance-driven businesses keep supplier records, documents, and expiries in one place, tie them to risk tiers and review schedules, and maintain a clear audit trail from assessment through approval and ongoing monitoring. Instead of re-running a risk assessment from scratch before every audit, teams work from ratings that reflect the records underneath them.
If you are building or tightening your supplier risk assessment, take a look at Evidash's supplier management software and expiry tracking to see how it can support risk-based supplier control.
If you want to see the workflow before committing, explore the interactive demo.
A supplier risk assessment is a structured process for identifying and scoring the risks a supplier introduces to your business - across categories such as product quality, compliance and documentation, supply continuity, and financial stability - so you can decide how much control, evidence, and monitoring that supplier needs. The output is usually a risk rating and tier that drives the approval route and review frequency.
A supplier risk assessment matrix scores each risk on two axes - likelihood of a failure and impact if it happens - typically on 1-5 scales multiplied into a rating from 1 to 25. Ratings are banded into tiers such as high (15-25), medium (6-12), and low (1-5), and each tier maps to a defined level of control.
Usually, yes. "Supplier risk assessment" is more common in manufacturing, food, and quality teams; "vendor risk assessment" is more common in procurement and services. In IT and security contexts, "vendor risk assessment" often refers specifically to third-party cybersecurity assessment, which is a narrower exercise that can sit as one category within the broader operational assessment.
Match the cycle to the tier: annual review for high-risk suppliers is common, with longer cycles for low-risk ones. Calendar reviews should be backed by trigger events that force an immediate re-assessment - a failed lot, a recall, an expired certificate or insurance policy, a change of ownership or site, or a new material from an existing supplier.
Performance measures how a supplier has actually behaved - quality, delivery, responsiveness - and is tracked on a supplier scorecard. Risk measures what their failure would cost you, which depends on criticality, substitutability, and regulatory exposure as much as on behaviour. A supplier can perform well and still be high risk; both need assessing, and they drive different controls.
Use this sample supplier risk assessment as a starting point and adapt the categories, scales, and tier bands to your industry, risk appetite, and audit requirements. Each row is one supplier, or one supplier-material combination for critical inputs.
Put supplier certificates, specs, and COAs through the same audit-ready workflow you just read about.