Feature availability: While the Vendors page is included on all plans, some Third Party Risk Management features are only available as an add-on. Refer to Vanta Plans and Pricing for details.
Inherent risk scoring is a part of Third Party Risk Management in Vanta. It determines how vendors are categorized based on the risk they pose, helping you prioritize vendors, tailor vendor assessments (such as security assessments), and make consistent decisions across onboarding, monitoring, and remediation. Inherent risk scores are calculated using a configurable rubric and are used throughout the product to support risk-based workflows.
Inherent risk scoring
Inherent risk represents the risk a vendor poses before any mitigating controls are considered. It provides a consistent baseline for assessing vendors based on factors such as data sensitivity, access level, and business criticality.
Vanta assigns an inherent risk score (Critical, High, Medium, Low, or Unscored) using your risk rubric. The score is calculated automatically based on the vendor’s information and updates as that context changes.
Editing your risk rubric
The inherent risk rubric defines the logic Vanta uses to calculate inherent risk scores. It’s made up of sections and attributes that evaluate different aspects of how a vendor interacts with your organization.
Editing the rubric allows you to align Vanta’s scoring logic with your internal risk methodology. Many teams start with Vanta’s default rubric and refine it over time as their vendor program matures.
To edit your inherent risk rubric:
In your account header, click the Settings icon.
In the Settings page menu, scroll to the Features section, select Vendors, and go to the Inherent risk rubric tab.
Click the Edit this rubric button.
Click to expand each section and review its attributes.
Hover over a section:
Click the ✎ pencil icon to edit the section.
Click the + add icon to add a custom attribute.
Hover over an attribute:
Click the ✎ pencil icon to edit the attribute.
Click View detailed breakdown to preview changes—updates to the inherent risk rubric may affect scores for existing vendors.
Click Save at the bottom of the risk rubric page to officially apply the changes.
Editing custom attributes
Custom attributes allow you to account for risk factors that are specific to your organization. Each custom attribute contributes to the vendor’s inherent risk score and can be mapped to one or more vendor categories. Which attributes apply to a vendor depends on the vendor categories selected in the vendor profile.
To add a custom attribute:
When editing your risk rubric, hover over a section and click the + add icon.
Enter the following info: Name, status (enabled or disabled), description, inherent risk score, and the vendor categories to map it to.
Click Save to exit the modal.
Click View detailed breakdown to preview changes—updates to the inherent risk rubric may affect scores for existing vendors.
Click Save at the bottom of the risk rubric page to officially apply the changes.
You can rename or delete an attribute by opening the section, hovering over the attribute, and clicking the ✎ pencil icon.
Editing custom sections
Custom sections help you organize related attributes and structure your rubric in a way that reflects your internal risk model. Sections make it easier to understand how different groups of attributes contribute to a vendor’s inherent risk score.
To add a custom section:
When editing your risk rubric, click the + Add new section button.
Provide a section name.
Add any custom attributes you’d like to include.
Click Save to exit the modal.
Click View detailed breakdown to preview changes—updates to the inherent risk rubric may affect scores for existing vendors.
Click Save at the bottom of the risk rubric page to officially apply the changes.
You can rename or delete a section by hovering over the section and clicking the ✎ pencil icon.
Auto-scoring vs. manual scoring
By default, Vanta automatically assigns an inherent risk score to each vendor based on your risk rubric.
Vendors may be Unscored if there isn’t enough information to evaluate them against the risk rubric.
The score reflects the highest risk level among all applicable enabled attributes in the rubric.
As vendor information changes, the inherent risk score updates automatically to reflect the latest context.
If you manually set an inherent risk score within a vendor profile, that score becomes locked and will not be recalculated until auto-scoring is re-enabled. Manual scoring is useful when a vendor requires a judgment-based assessment that goes beyond attribute-driven logic.
Click View detailed breakdown to preview changes before saving—updates to the inherent risk rubric may affect scores for existing vendors.
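To make the scoring rules above concrete, here is a small model of them in Python. It is an added illustration, not Vanta's implementation: it assumes an attribute applies to a vendor when the vendor has at least one of the categories the attribute is mapped to (the real rubric also evaluates other vendor information), takes the highest level among applicable enabled attributes, returns Unscored when nothing applies, honours a manually locked score, and previews which vendors would change score if an attribute is disabled. The rubric, vendor names and categories are constructed sample data.

```python
"""Illustrative model of inherent-risk auto-scoring (not Vanta's code)."""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional, Tuple

# Risk levels ordered lowest to highest; a vendor's score is the highest level
# among the enabled attributes that apply to it.
LEVELS = ["Low", "Medium", "High", "Critical"]
UNSCORED = "Unscored"


@dataclass(frozen=True)
class Attribute:
    name: str
    score: str                                   # one of LEVELS
    enabled: bool = True
    # Vendor categories this attribute is mapped to. Assumption of this model:
    # the attribute applies when the vendor has at least one mapped category.
    categories: FrozenSet[str] = frozenset()


@dataclass
class Vendor:
    name: str
    categories: FrozenSet[str]
    manual_score: Optional[str] = None           # set => score is locked


Rubric = Dict[str, List[Attribute]]              # section name -> attributes


def applies(attr: Attribute, vendor: Vendor) -> bool:
    return attr.enabled and bool(attr.categories & vendor.categories)


def auto_score(rubric: Rubric, vendor: Vendor) -> str:
    hits = [a for attrs in rubric.values() for a in attrs if applies(a, vendor)]
    if not hits:
        return UNSCORED                          # not enough information to evaluate
    return max((a.score for a in hits), key=LEVELS.index)


def inherent_score(rubric: Rubric, vendor: Vendor) -> str:
    # A manually set score is locked and is not recalculated.
    if vendor.manual_score is not None:
        return vendor.manual_score
    return auto_score(rubric, vendor)


def score_all(rubric: Rubric, vendors: List[Vendor]) -> Dict[str, str]:
    return {v.name: inherent_score(rubric, v) for v in vendors}


def disable_attribute(rubric: Rubric, section: str, name: str) -> Rubric:
    """Return a copy of the rubric with one attribute disabled (an edit to preview)."""
    return {
        s: [replace(a, enabled=False) if (s == section and a.name == name) else a
            for a in attrs]
        for s, attrs in rubric.items()
    }


def detailed_breakdown(old: Rubric, new: Rubric,
                       vendors: List[Vendor]) -> Dict[str, Tuple[str, str]]:
    """Preview which vendors' scores change if `new` replaces `old`."""
    changes = {}
    for v in vendors:
        before, after = inherent_score(old, v), inherent_score(new, v)
        if before != after:
            changes[v.name] = (before, after)
    return changes


# Constructed sample rubric and vendors (illustrative only).
RUBRIC: Rubric = {
    "Data": [
        Attribute("Processes customer PII", "High", categories=frozenset({"data-processor"})),
        Attribute("Marketing or analytics tooling", "Low", categories=frozenset({"marketing"})),
    ],
    "Access": [
        Attribute("Hosts production workloads", "Critical", categories=frozenset({"infrastructure"})),
    ],
    "Regulatory (custom section)": [
        Attribute("Handles payment card data", "Critical", categories=frozenset({"payments"})),
    ],
}

VENDORS = [
    Vendor("CloudHost", frozenset({"infrastructure", "data-processor"})),
    Vendor("NewsletterCo", frozenset({"marketing"})),
    Vendor("MysteryVendor", frozenset()),                    # no categories selected yet
    Vendor("LegacyVendor", frozenset({"data-processor"}), manual_score="Critical"),
]

if __name__ == "__main__":
    print(score_all(RUBRIC, VENDORS))
    edited = disable_attribute(RUBRIC, "Access", "Hosts production workloads")
    print(detailed_breakdown(RUBRIC, edited, VENDORS))
```

Disabling the Critical "Hosts production workloads" attribute drops CloudHost from Critical to High, while LegacyVendor keeps its locked Critical even though the rubric alone would score it High; that difference is what the detailed breakdown preview is for before you save a rubric change.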
Risk scores in assessments
Risk scores are surfaced throughout the vendor lifecycle to support the assessment process and decision-making.
Residual risk score
The residual risk score reflects your assessment of the vendor's risk after considering mitigating controls and assessment findings. The assessment owner can assign a residual risk score per assessment when finalizing it, capturing the outcome of the evaluation. The score is displayed in the assessment detail page header and as a filter on the assessment table.
A residual risk score can also be assigned at the vendor level when making the final vendor decision. That score is displayed in the vendor detail page header and as a filter on the vendor table. Assessment-level and vendor-level residual scores are independent of each other: setting one does not change the other.