Strutter Team

Vendor Risk Assessment: Questions Every RFP Should Include

Protect your organization with the right risk assessment questions in your RFP. Covers security, financial stability, compliance, and business continuity.

Every vendor relationship carries risk. The question isn't whether risk exists, but whether you've identified it before signing the contract or after something goes wrong.

Too many organizations treat vendor risk assessment as a separate activity from procurement, something the security team does after the vendor is already selected. Building risk assessment directly into the RFP changes the dynamic. It makes risk a selection criterion, not an afterthought.

Here's how to structure vendor risk assessment questions across five critical categories.

Category 1: Security and cyber risk

Security is the category that gets the most attention, and for good reason. A vendor with access to your data, systems, or network is an extension of your attack surface. Their breach is your breach.

Essential questions

  • Describe your information security management framework. Do you hold SOC 2 Type II, ISO 27001, or equivalent certifications? Provide current certification documentation.
  • How do you handle data encryption at rest and in transit? Specify the encryption standards and key management practices you use.
  • Describe your vulnerability management program. How frequently do you conduct penetration testing, and are tests performed by independent third parties?
  • What is your incident response plan? Describe notification timelines, escalation procedures, and the most recent incident you managed (sanitized for confidentiality).
  • How do you manage access controls for employees and subcontractors who would have access to our data?
  • Describe your approach to secure software development (SDLC), including code review and dependency scanning.

What to look for

Strong responses provide specific certifications with dates, name their testing firms, and describe real incidents they've managed. Weak responses talk about their "commitment to security" without naming a single certification or practice.

Pay special attention to incident response. Every organization experiences security incidents. How a vendor handles them matters more than whether they've had them.

Category 2: Financial stability

A vendor's financial health determines whether they'll be around to deliver on a multi-year contract. Financial instability leads to cost-cutting, talent attrition, and in the worst case, business failure mid-contract.

Essential questions

  • Provide audited financial statements for the past three fiscal years, or equivalent documentation if you are privately held.
  • What is your current revenue trajectory? Are you profitable, and if not, what is your path to profitability and current cash runway?
  • Describe your funding history and current capitalization. If venture-backed, when did you last raise, and at what stage?
  • What percentage of your total revenue does your largest client represent?
  • Have you undergone any mergers, acquisitions, or significant restructuring in the past three years? Are any anticipated?
  • Do you carry errors and omissions (E&O) insurance and general commercial liability insurance? Provide coverage amounts.

What to look for

Financial stability isn't about picking the biggest vendor. A small, profitable company with low client concentration is often a safer bet than a large, unprofitable company burning through venture capital.

Red flags include heavy dependence on a single client, declining revenue without a recovery plan, and reluctance to share any financial information. Privately held companies may not share full financials, but they should be willing to provide summary metrics or investor references.

Category 3: Compliance and regulatory risk

Your vendor's compliance gaps become your compliance gaps, especially when they handle regulated data or operate in heavily regulated industries.

Essential questions

  • List all regulatory frameworks applicable to your operations and the services being proposed (HIPAA, PCI DSS, GDPR, SOX, CCPA, etc.).
  • For each applicable framework, describe your compliance status and provide evidence of compliance (certifications, audit reports, assessments).
  • Have you been subject to any regulatory enforcement actions, fines, or consent decrees in the past five years? If yes, describe the outcome and remediation.
  • How do you monitor changes in regulations that affect the services you provide?
  • Describe your data residency practices. Where is our data stored, processed, and backed up? Do you use subprocessors, and if so, in which jurisdictions?

What to look for

Compliance is binary for many requirements. Either the vendor is HIPAA-compliant or they're not. Make those pass/fail in your evaluation.

Beyond certifications, look for evidence that the vendor actively manages compliance. Certifications expire. Regulations change. A vendor who conducts annual reviews and can describe how they adapted to recent regulatory changes is genuinely compliant, not just certified.

Category 4: Operational and business continuity risk

Server outages, natural disasters, pandemic disruptions, supply chain failures: your vendor's ability to maintain service through disruptions like these directly affects your operations.

Essential questions

  • Describe your business continuity plan (BCP) and disaster recovery (DR) capabilities. When was the plan last tested, and what were the results?
  • What are your Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for the services being proposed?
  • Describe your infrastructure redundancy. Do you operate in multiple geographic regions? What is your failover architecture?
  • What is your historical uptime for the past 12 months? Provide SLA documentation and any outage post-mortems from the past year.
  • How do you manage key-person risk? What happens if critical staff members leave or are unavailable?
  • Describe your supply chain dependencies. What third-party services are critical to your ability to deliver, and how do you manage their availability?
  • Do you maintain a documented pandemic or remote work continuity plan?

What to look for

Strong vendors provide specific RTO and RPO numbers, share actual uptime data (not just SLA targets), and can walk you through their last DR test. Be wary of vendors who guarantee 99.99% uptime but can't describe their failover architecture. Business continuity planning is about specifics: which systems fail first, how long recovery takes, and who makes decisions during an incident.

Category 5: Reputational risk

A vendor's reputation becomes your reputation when they act on your behalf or are publicly associated with your organization. Reputational risk is harder to quantify, but it can be just as damaging.

Essential questions

  • Have you been involved in any significant legal disputes, lawsuits, or settlements in the past five years? If yes, provide a summary.
  • Describe any significant negative press coverage in the past three years and how you responded.
  • Do you have a published code of ethics or corporate responsibility policy? How is it enforced?
  • How do you vet and manage subcontractors who may represent your organization (and by extension, ours)?
  • Are there any pending investigations, regulatory inquiries, or known issues that could affect your reputation or ability to deliver services?

What to look for

Every organization of meaningful size has faced legal disputes or negative coverage. What matters is how they handled it: transparency, accountability, and corrective action. A vendor who acknowledges a past issue and explains what they changed is more trustworthy than one who claims a spotless record.

How to evaluate risk responses

Use a risk matrix

For each risk category, assess both the likelihood and the potential impact on your organization.

| Risk level | Likelihood x impact | Action |
|---|---|---|
| Critical | High likelihood, high impact | Disqualify or require remediation before contract |
| High | Moderate likelihood, high impact | Require mitigation plan with contractual guarantees |
| Medium | Low likelihood, moderate impact | Monitor and include review clauses in contract |
| Low | Low likelihood, low impact | Accept and document |

Weight risk appropriately

A vendor who scores highest on technical fit but has critical security gaps is not the right choice. Allocate 15% to 25% of your total evaluation weight to risk criteria. For regulated industries or high-sensitivity procurements, weight risk even higher.
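As an added worked example (not code from the article or from Strutter AI), here is the risk matrix and weighted evaluation described above in Python, with the gate that disqualifies a vendor on any critical finding before technical fit is counted. The three-point rating scale, the product thresholds used to fill in matrix cells the table leaves implicit, the 60/40 split of the non-risk weight between technical and commercial scores, and the sample vendors are all assumptions.

```python
# Constructed example (not from the article or Strutter AI): the article's risk
# matrix plus a weighted vendor score with disqualification gates.
LOW, MODERATE, HIGH = 1, 2, 3  # three-point scale for likelihood and impact (assumption)

# Actions per risk level, taken from the article's matrix.
ACTIONS = {
    "Critical": "Disqualify or require remediation before contract",
    "High": "Require mitigation plan with contractual guarantees",
    "Medium": "Monitor and include review clauses in contract",
    "Low": "Accept and document",
}

def risk_level(likelihood: int, impact: int) -> str:
    """Map likelihood x impact to a level. Thresholds on the product reproduce the
    article's four table rows and fill in the combinations it leaves implicit."""
    product = likelihood * impact
    if product >= 9:
        return "Critical"  # high likelihood, high impact
    if product >= 6:
        return "High"      # moderate likelihood, high impact
    if product >= 2:
        return "Medium"    # low likelihood, moderate impact
    return "Low"           # low likelihood, low impact

def risk_score(findings: dict) -> float:
    """Per-category (likelihood, impact) findings -> 0-100 score, 100 = lowest risk."""
    if not findings:
        return 100.0
    avg = sum(l * i for l, i in findings.values()) / len(findings)
    return round(100 * (9 - avg) / 8, 1)

def evaluate(technical: float, commercial: float, findings: dict,
             compliance_pass: bool = True, risk_weight: float = 0.20) -> tuple:
    """Return (weighted score, disqualification reason or None).
    technical/commercial are 0-100; findings maps category -> (likelihood, impact).
    Gates run first: a failed pass/fail requirement (e.g. HIPAA) or any Critical
    finding disqualifies the vendor regardless of technical fit."""
    if not compliance_pass:
        return 0.0, "failed a pass/fail compliance requirement"
    for category, (l, i) in findings.items():
        if risk_level(l, i) == "Critical":
            return 0.0, f"{category}: {ACTIONS['Critical']}"
    rest = 1.0 - risk_weight  # remainder split 60/40 technical/commercial (assumption)
    score = technical * rest * 0.6 + commercial * rest * 0.4 + risk_score(findings) * risk_weight
    return round(score, 1), None

# Constructed sample vendors: A has the best technical fit but a critical security gap.
VENDOR_A = dict(technical=95, commercial=80, findings={"security": (HIGH, HIGH)})
VENDOR_B = dict(technical=80, commercial=85,
                findings={"security": (LOW, MODERATE), "financial": (MODERATE, HIGH)})
```

Running `evaluate(**VENDOR_A)` disqualifies vendor A with the Critical action from the matrix, while vendor B passes the gates and receives a weighted score in which risk counts for 20%.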

Don't stop at the RFP

The RFP captures a snapshot of vendor risk at a single point in time. Risk management has shifted from periodic assessment to continuous monitoring, and AI-driven tools are accelerating this evolution. Build ongoing risk monitoring into your vendor management program:

  • Annual reassessment. Require vendors to update their risk documentation annually.
  • Continuous monitoring. Track vendor security ratings, financial health, and compliance status between formal assessments.
  • Contractual triggers. Include clauses requiring vendor notification of material changes: acquisitions, leadership changes, security incidents, regulatory actions.
  • Right to audit. Reserve the right to audit vendor practices for critical vendors handling sensitive data.

Build risk assessment into every RFP

Vendor risk assessment doesn't need to be a separate, heavyweight process. When you build the right questions into your RFP, it happens naturally alongside technical and commercial evaluation.

Strutter AI helps you do exactly this. Add risk assessment questions to your RFP, assign weights, and let AI score vendor responses across security, financial stability, compliance, operational resilience, and reputational risk. The comparison matrix shows risk scores alongside technical and commercial evaluations, giving you a complete picture of each vendor.

Start your first RFP free at rfp.strutterai.com. No credit card required.