See How to Assess Supplier Risk Step-by-Step

Running a supplier risk assessment shouldn’t be complicated - but it should be consistent. 

Too often, risk checks are scattered across spreadsheets, emails, or custom forms that vary by team. That creates duplication, inconsistency, and wasted effort - especially when legislation changes or supplier turnover is high. 

A structured process helps you move from reactive to proactive – spotting supplier risks early and focusing your attention where it matters most. 

Here’s how to assess supplier risk step-by-step, whether you're onboarding new suppliers or reviewing your existing base. 

Step 1: List Your Suppliers 

Start with a clean view of who you’re working with. Don’t just list Tier 1 vendors - include indirect suppliers who provide critical services or systems behind the scenes. 

Tip: Include categories like IT, logistics, consultancy, facilities, and subcontractors. A small indirect supplier can still pose a large risk. 

Smart shortcut: If you’re using a supplier risk management platform, like JOSCAR, your supplier list and categories are already centralised - making this step effortless. 

Step 2: Gather the Right Supplier Risk Data  

You can’t assess what you can’t see. Pull together relevant data for each supplier based on your risk categories. This might include: 

• Financial statements 

• Insurance cover and certifications 

• Cybersecurity and data protection evidence 

• Sustainability credentials 

• Performance or quality history 

• Business continuity plans 

Avoid duplication by using shared supplier risk assessment frameworks. Platforms like those provided by Hellios allow suppliers to upload once and share with multiple buyers - saving everyone time and confusion. 

Step 3: Sort Risks into Categories  

Not all risks are the same. Sort them into standard categories to make supplier risk assessment and comparison easier: 

• Financial risk – risk of insolvency or instability 

• Operational risk – inability to deliver or scale 

• Cybersecurity risk – potential exposure to breaches or data loss 

• Compliance risk – failure to meet legal, regulatory, or sector-specific requirements 

• Sustainability risk – environmental, social, and governance-related exposure 

Tip: If your team uses inconsistent categories, now’s the time to align them - so scoring and prioritisation are easier later. 

Step 4: Score Each Supplier Risk 

Now assess the likelihood and impact of each risk. This could be a simple low/medium/high model or a more detailed risk matrix. 

Key inputs: 

• Supplier criticality 

• Risk type 

• Contract value and duration 

• Performance history 

• Geographic or regulatory context 

Why it matters: A supplier may be low risk in one area but high in another. Scoring ensures you respond appropriately. 

Efficiency tip: Use platforms that embed supplier risk scoring logic so you’re not doing manual triage across dozens of spreadsheets. 

Step 5: Prioritise Follow-Up 

Not every flagged supplier risk requires immediate action. Once scored, focus on the suppliers and risks that need attention. 

• Investigate critical gaps 

• Request clarification or updated documentation 

• Set a reassessment timeline 

• Notify internal stakeholders if supplier exposure affects wider operations 

What to avoid: Letting low-priority issues consume the same time and attention as high-impact ones. Risk tiering helps here. 

Step 6: Track and Monitor Over Time 

Supplier risk changes. What’s low risk today might become high-risk tomorrow - especially after acquisition, breach, or regulation change. 

• Build in reassessment triggers: Contract renewal, performance issues, certification expiry, or environmental shifts. 

• Track changes centrally so you can see supplier status and trends immediately - not buried in inboxes or outdated folders. 

Hellios keeps supplier assurance data consistent - refreshed annually and updated when major risks emerge - so you don’t have to chase every change. 

Make Supplier Risk Assessment A Routine, Not A Rescue Mission   

When supplier risk assessment is built into your process - not bolted on - you can focus on resilience, not damage control. 

By following this step-by-step approach and using shared supplier risk frameworks, you avoid duplication, reduce admin, and get the visibility you need - without burning out your team or overwhelming your suppliers.