Risk Management and Vendor Vetting Glossary

This Risk Management and Vendor Vetting Glossary provides essential terminology for understanding how organizations assess, manage, and monitor risks associated with vendors and third-party relationships. From core risk concepts to vendor lifecycle management, these terms help professionals navigate the complex landscape of risk assessment, due diligence and vendor oversight.

Core Risk Concepts

Acceptable Risk

The level of potential losses an organization is willing to accept given the cost and benefits of taking action to reduce risk. This threshold helps organizations make decisions about risk treatment strategies.

Asset

Any item of value to the organization, including physical property, intellectual property, personnel, information, or systems that require protection from potential risks.

Control

Any measure or action that modifies risk. Controls include policies, procedures, practices, or organizational structures that can be administrative, technical, management, or legal.

Exposure

The extent to which an organization and/or stakeholder is subject to an event. Often quantified in terms of potential financial loss.

Impact

The outcome or effect of a risk event. Impacts can be positive or negative and are often measured in financial, operational, reputational, or regulatory terms.

Inherent Risk

The level of risk before any risk treatment or controls are implemented. Also known as “gross risk” or “untreated risk.”

Residual Risk

The risk that remains after risk treatment or controls have been implemented. Also known as “net risk” or “treated risk.”

Risk Appetite

The amount and type of risk an organization is prepared to pursue, retain, or take in pursuit of its objectives.

Risk Tolerance

The acceptable variation relative to the achievement of objectives. Often quantified and measured in the same units as the related objectives.

Risk Assessment & Monitoring

Business Impact Analysis (BIA)

A systematic process to determine and evaluate the potential effects of an interruption to critical business operations due to a disaster, accident, or emergency.

Key Performance Indicators (KPIs)

Metrics used to measure and monitor vendor performance against contractual obligations and service-level agreements.

Key Risk Indicator (KRI)

A metric used to provide an early warning of increasing risk exposures in various areas of the organization. KRIs monitor identified risks and trigger alerts when risk levels approach or exceed predetermined thresholds.

Risk Assessment

The overall process of risk identification, analysis, and evaluation, used to understand potential impacts and determine appropriate responses.

Risk Matrix

A tool used to determine the level of risk by considering the likelihood of an event occurring and its potential impact. Often displayed as a 5×5 grid showing different risk levels.

Risk Register

A documented record of identified risks, their assessment, and plans for treating them. Typically includes risk descriptions, owners, controls, and mitigation strategies.

Vendor Management

Attestation

A formal declaration or confirmation by a vendor regarding their compliance with specific requirements, controls, or standards. Often used as part of the ongoing monitoring process.

Business Criticality Assessment

The process of evaluating how essential a vendor’s services are to an organization’s operations. This helps determine the depth of due diligence required and the frequency of ongoing monitoring.

Contract Risk Assessment

Analysis of vendor contracts to identify potential risks, obligations, and liabilities. This includes reviewing terms, conditions, service level agreements (SLAs), and compliance requirements.

Critical Vendor

A third-party provider whose services are essential to core business operations, where disruption would significantly impact the organization’s ability to operate, serve customers, or meet regulatory requirements.

Due Diligence

The comprehensive investigation and evaluation of a potential vendor before entering into a business relationship. Includes assessment of financial health, operational capabilities, security controls, and compliance status.

Fourth Party Risk

The risk exposure arising from a vendor’s suppliers and contractors (your vendor’s vendors). It requires an understanding of the extended supply chain and associated risks.

Master Services Agreement (MSA)

The primary contract document that outlines the vendor relationship’s terms and conditions, including services provided, pricing, responsibilities, and compliance requirements.

Service Level Agreement (SLA)

Documented commitment between a vendor and the organization that defines expected service levels, performance metrics, and penalties for non-compliance.

Third-Party Risk Management (TPRM)

The comprehensive program for identifying, assessing, and monitoring risks associated with using external vendors and service providers.

Vendor Lifecycle Management

Exit Strategy

A documented plan for terminating a vendor relationship, including transition procedures, data retrieval, and continuity of services. Required for critical vendor relationships.

Onboarding

The process of integrating a new vendor into an organization’s operations, including setting up accounts, provisioning access, and implementing monitoring controls.

Offboarding

The process of terminating a vendor relationship, including removing access, retrieving assets and data, and properly documenting the termination.

Performance Monitoring

Ongoing tracking and evaluation of vendor service delivery, SLA compliance, and adherence to contractual obligations.

Vendor Classification

Categorization of vendors based on factors such as criticality, access to sensitive data, regulatory requirements, and spending amount. Used to determine the appropriate level of due diligence and oversight.

Vendor Master File

A central repository of vendor information, including contracts, compliance documentation, risk assessments, and performance history.

Vendor Performance Scorecard

A tool used to track and evaluate vendor performance against established metrics, including service levels, quality, cost, and compliance requirements.

Vendor Risk Profile

A comprehensive view of the risks associated with a specific vendor relationship, including operational, financial, regulatory, and reputational risks.

Security & Compliance

Business Continuity Plan (BCP)

A documented strategy that outlines how an organization will continue to operate during and after a disruptive event. BCPs typically include procedures for maintaining critical functions and recovering operations.

Information Security Assessment

Evaluation of a vendor’s security controls, practices, and protocols to protect sensitive data and systems. This may include a review of certifications, penetration testing results, and security policies.

Operational Risk

The risk of loss resulting from inadequate or failed internal processes, people, systems, or external events.

Strategic Risk

Risks that affect or are created by an organization’s business strategy and strategic objectives.

Vulnerability

A weakness that one or more threats can exploit. It can exist in systems, procedures, design, implementation, or internal controls.
