
Configuring Inherent Risk Scoring

Written by Shannon DeLange
Updated yesterday

Feature availability: While the Vendors page is included on all plans, some Third Party Risk Management features are only available as an add-on. Refer to Vanta Plans and Pricing for details.

Inherent risk scoring is a part of Third Party Risk Management in Vanta. It determines how vendors are categorized based on the risk they pose, helping you prioritize vendors, tailor security reviews, and make consistent decisions across onboarding, monitoring, and remediation. Inherent risk scores are calculated using a configurable rubric and are used throughout the product to support risk-based workflows.


Inherent risk scoring

Inherent risk represents the risk a vendor poses before any mitigating controls are considered. It provides a consistent baseline for assessing vendors based on factors such as data sensitivity, access level, and business criticality.

Vanta assigns an inherent risk score (Critical, High, Medium, Low, or Unscored) using your risk rubric. The score is calculated automatically based on the vendor’s information and updates as that context changes.

Editing your risk rubric

The inherent risk rubric defines the logic Vanta uses to calculate inherent risk scores. It’s made up of sections and attributes that evaluate different aspects of how a vendor interacts with your organization.

Editing the rubric allows you to align Vanta’s scoring logic with your internal risk methodology. Many teams start with Vanta’s default rubric and refine it over time as their vendor program matures.

To edit your inherent risk rubric:

  1. Under the Vendors section of the navigation menu, open the Settings page.

  2. Go to the Inherent risk rubric tab.

  3. Click the Edit this rubric button.

  4. Click to expand each section and review its attributes.

  5. Hover over a section:

    • Click the ✎ pencil icon to edit the section.

    • Click the + add icon to add a custom attribute.

  6. Hover over an attribute:

    • Click the ✎ pencil icon to edit the attribute.

  7. Click View detailed breakdown to preview changes—updates to the inherent risk rubric may affect scores for existing vendors.

  8. Click Save at the bottom of the risk rubric page to officially apply the changes.

Editing custom attributes

Custom attributes allow you to account for risk factors that are specific to your organization. Each custom attribute contributes to the vendor’s inherent risk score and can be mapped to one or more vendor categories. Which attributes apply to a vendor depends on the vendor categories selected in the vendor profile.

To add a custom attribute:

  1. When editing your risk rubric, hover over a section and click the + add icon.

  2. Enter the following information: name, status (enabled or disabled), description, inherent risk score, and the vendor categories to map it to.

  3. Click Save to exit the modal.

  4. Click View detailed breakdown to preview changes—updates to the inherent risk rubric may affect scores for existing vendors.

  5. Click Save at the bottom of the risk rubric page to officially apply the changes.

You can rename or delete an attribute by opening the section, hovering over the attribute, and clicking the ✎ pencil icon.

Editing custom sections

Custom sections help you organize related attributes and structure your rubric in a way that reflects your internal risk model. Sections make it easier to understand how different groups of attributes contribute to a vendor’s inherent risk score.

To add a custom section:

  1. When editing your risk rubric, click the + Add new section button.

  2. Provide a section name.

  3. Add any custom attributes you’d like to include.

  4. Click Save to exit the modal.

  5. Click View detailed breakdown to preview changes—updates to the inherent risk rubric may affect scores for existing vendors.

  6. Click Save at the bottom of the risk rubric page to officially apply the changes.

You can rename or delete a section by hovering over the section and clicking the ✎ pencil icon.

Auto-scoring vs. manual scoring

  • By default, Vanta automatically assigns an inherent risk score to each vendor based on your risk rubric.

  • Vendors may be Unscored if there isn’t enough information to evaluate them against the risk rubric.

  • The score reflects the highest risk level among all applicable enabled attributes in the rubric.

  • As vendor information changes, the inherent risk score updates automatically to reflect the latest context.

  • If you manually set an inherent risk score within a vendor profile, that score becomes locked and will not be recalculated until auto-scoring is re-enabled. Manual scoring is useful when a vendor requires a judgment-based assessment that goes beyond attribute-driven logic.

Click View detailed breakdown to preview changes before saving—updates to the inherent risk rubric may affect scores for existing vendors.
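The scoring rules above (highest risk level among applicable enabled attributes, Unscored when nothing can be evaluated, manual scores locked) and the "View detailed breakdown" preview can be modelled in a few lines. This is an added illustration, not Vanta's code; the attribute and vendor data are constructed, and representing each attribute as a factor that either applies to a vendor or not is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Ordering used for "highest risk level wins"; Unscored sits below every real level.
LEVELS = ["Unscored", "Low", "Medium", "High", "Critical"]

@dataclass
class Attribute:
    name: str
    score: str                       # Low / Medium / High / Critical
    categories: FrozenSet[str]       # vendor categories this attribute maps to
    enabled: bool = True

@dataclass
class Vendor:
    name: str
    categories: FrozenSet[str]
    factors: Dict[str, bool]         # attribute name -> True if it applies (assumed model)
    manual_score: Optional[str] = None   # set when a reviewer locks the score

def applicable(attr: Attribute, vendor: Vendor) -> bool:
    # Only enabled attributes mapped to one of the vendor's categories are evaluated.
    return attr.enabled and bool(attr.categories & vendor.categories)

def inherent_score(rubric: List[Attribute], vendor: Vendor) -> str:
    if vendor.manual_score:
        return vendor.manual_score   # locked; not recalculated until auto-scoring is re-enabled
    hits = [a.score for a in rubric if applicable(a, vendor) and vendor.factors.get(a.name)]
    if not hits:
        return "Unscored"            # not enough information to evaluate against the rubric
    return max(hits, key=LEVELS.index)

def preview_changes(old: List[Attribute], new: List[Attribute], vendors: List[Vendor]):
    """Like 'View detailed breakdown': vendors whose score would change if 'new' is saved."""
    out = {}
    for v in vendors:
        before, after = inherent_score(old, v), inherent_score(new, v)
        if before != after:
            out[v.name] = (before, after)
    return out

# Constructed sample rubric and vendors (hypothetical names).
PII = Attribute("Stores customer PII", "High", frozenset({"SaaS", "Data processor"}))
PROD = Attribute("Has production access", "Critical", frozenset({"Infrastructure"}))
RUBRIC = [PII, PROD]
RUBRIC_PROD_DISABLED = [PII, Attribute(PROD.name, PROD.score, PROD.categories, enabled=False)]
VENDORS = [
    Vendor("cloud-storage", frozenset({"Infrastructure", "SaaS"}), {PII.name: True, PROD.name: True}),
    Vendor("helpdesk", frozenset({"SaaS"}), {PII.name: True, PROD.name: True}),  # PROD not mapped
    Vendor("unknown-tool", frozenset(), {}),                                       # nothing to evaluate
    Vendor("legacy-erp", frozenset({"SaaS"}), {PII.name: True}, manual_score="Critical"),
]
```

Disabling the production-access attribute in the new rubric drops only the cloud-storage vendor from Critical to High; the manually scored vendor is unaffected because its score is locked.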


Risk scores in security reviews

Risk scores are surfaced during security reviews to support decision-making and documentation throughout the review lifecycle.

Inherent risk score

Once a security review has begun, the inherent risk score can still be edited from the vendor’s profile. Within the active review itself, the inherent risk score is displayed in the security review header and details as read-only.

Residual risk score

Residual risk score reflects your final assessment of the vendor’s risk after considering mitigating controls and review findings. You assign the residual risk score when you finalize the security review, capturing the outcome of your evaluation.


Scoping high-risk vendors for audits

Any vendor that has access to or manages your sensitive customer data is typically considered in scope. This includes vendors that provide services like cloud storage, payment processing, customer support, and more.

We recommend the following guidelines to determine what risk should be assigned to each vendor: