vendor-due-diligence

⚠️ EXPERIMENTAL — This skill is provided for educational and informational purposes only. It does NOT constitute legal advice. All responsibility for usage rests with the user. Consult qualified legal professionals before acting on any output.

Vendor Due Diligence Skill

Overview

Production-ready framework for assessing IT service providers, technology vendors, and third-party partners. Provides a Three-Phase Assessment (Initial Screening, Detailed Assessment, Final Evaluation), Multi-Factor Risk Scoring across 6 dimensions with critical-service weighting, regulatory compliance checklists for 8 frameworks, vendor comparison matrices, and ongoing monitoring with Early Warning Indicators. Designed for procurement teams, legal counsel, IT security, and compliance officers evaluating technology vendors.
Table of Contents

Tools

1. Vendor Risk Scorer (`scripts/vendor_risk_scorer.py`)

Scores a vendor across 6 risk dimensions based on questionnaire responses. Calculates a weighted composite score with a 2x multiplier for critical services. Generates a risk heat map and an overall recommendation.

```bash
# Score a vendor from questionnaire responses
python scripts/vendor_risk_scorer.py vendor_responses.json

# JSON output for dashboards
python scripts/vendor_risk_scorer.py vendor_responses.json --json

# Flag as critical service (2x weight on security + compliance)
python scripts/vendor_risk_scorer.py vendor_responses.json --critical
```

2. Vendor Comparison (`scripts/vendor_comparison.py`)

Takes multiple vendor risk assessment JSONs and generates a side-by-side comparison matrix. Ranks vendors by composite score and recommends a preferred vendor with rationale.

```bash
# Compare two vendors
python scripts/vendor_comparison.py vendor_a.json vendor_b.json

# Compare multiple vendors with JSON output
python scripts/vendor_comparison.py vendor_a.json vendor_b.json vendor_c.json --json

# Compare with critical service weighting
python scripts/vendor_comparison.py vendor_a.json vendor_b.json --critical
```

Reference Guides

参考指南

| Reference | Purpose |
| --- | --- |
| `references/risk_assessment_framework.md` | 6-dimension scoring system, weighting methodology, composite score interpretation |
| `references/regulatory_checklists.md` | Pre-built compliance checklists for GDPR, DORA, NIS2, SOX, PCI DSS, ISO 27001/SOC 2, HIPAA, FedRAMP |
| `references/monitoring_framework.md` | Quarterly reviews, Early Warning Indicators, KPI metrics, risk mitigation strategies, onboarding checklists |

Workflows

工作流

Workflow 1: Three-Phase Vendor Assessment

工作流1:三阶段供应商评估

Phase 1: Initial Screening (Days 1-5)
  1. Gather basic vendor information (company profile, financial health, certifications)
  2. Run `vendor_risk_scorer.py` with preliminary data for initial risk classification
  3. Check applicable regulatory frameworks from `regulatory_checklists.md`
  4. Decision gate: Proceed to detailed assessment or reject early

Phase 2: Detailed Assessment (Days 5-15)
  1. Issue comprehensive vendor questionnaire covering all 6 risk dimensions
  2. Run `vendor_risk_scorer.py` with complete questionnaire responses
  3. Execute regulatory compliance checklists for all applicable frameworks
  4. Request supporting documentation (SOC 2 reports, pen test results, financials)
  5. Conduct reference checks and public record searches

Phase 3: Final Evaluation (Days 15-20)
  1. Run `vendor_comparison.py` if evaluating multiple vendors
  2. Compile Vendor Risk Report with dimension breakdowns
  3. Document gaps and required mitigations from `risk_assessment_framework.md`
  4. Present recommendation (Approve / Approve with Conditions / Reject)
  5. If approved, generate onboarding checklist from `monitoring_framework.md`

Workflow 2: Competitive Vendor Selection

工作流2:竞争性供应商选择

  1. Define requirements -- Document must-have and nice-to-have criteria mapped to risk dimensions
  2. Screen candidates -- Run initial scoring on all candidates; eliminate any with Critical risk
  3. Deep-dive finalists -- Full 6-dimension assessment on top 2-3 vendors
  4. Compare -- Run `vendor_comparison.py` on finalist assessments
  5. Negotiate -- Use risk findings as leverage in contract negotiations (integrates with the `tech-contract-negotiation` skill)
  6. Select and onboard -- Approve preferred vendor; set up monitoring per `monitoring_framework.md`

Workflow 3: Ongoing Vendor Monitoring

工作流3:供应商持续监控

  1. Quarterly review -- Re-score vendor using updated data; compare against baseline
  2. Event-triggered review -- Re-assess on M&A, breaches, regulatory changes, or leadership turnover
  3. Annual re-assessment -- Full 6-dimension re-evaluation with updated questionnaire
  4. Early Warning response -- Monitor indicators from `monitoring_framework.md`; escalate per defined paths
  5. Exit planning -- If risk exceeds threshold, activate exit provisions and dual-source strategy

Troubleshooting

故障排查

| Problem | Cause | Solution |
| --- | --- | --- |
| All dimensions score 1 (Low Risk) | Vendor self-reported optimistically on questionnaire | Cross-reference with SOC 2 reports, pen test results, and financial filings; adjust scores based on evidence |
| Composite score doesn't reflect known security issues | Security dimension not weighted for critical service | Re-run with the `--critical` flag to apply the 2x multiplier on security and compliance dimensions |
| Comparison matrix shows all vendors tied | Scoring inputs are too similar or too coarse | Request more granular data; use the 5-level scoring criteria from the risk framework to differentiate |
| Regulatory checklist seems incomplete for your industry | Only 8 frameworks are pre-built | Customize checklists by adding industry-specific requirements as additional items |
| Vendor refuses to complete questionnaire | Vendor sees assessment as overly burdensome | Share only the dimensions relevant to their service scope; offer to accept SOC 2/ISO 27001 reports as partial substitutes |
| Risk score changed dramatically between quarters | Major event occurred (breach, M&A, leadership change) | This is expected behavior; document the trigger event and follow the event-triggered review process |

Success Criteria

成功标准

  • Assessment Completeness: 100% of vendor assessments cover all 6 risk dimensions with evidence-backed scores
  • Timeline Adherence: Three-phase assessment completed within 20 business days for 90% of evaluations
  • Risk Prediction Accuracy: Vendors flagged as High/Critical risk experience 3x more incidents than Low risk vendors over 12 months
  • Regulatory Coverage: All applicable regulatory checklists completed with zero missed frameworks for 95% of assessments
  • Comparison Consistency: Vendor comparison rankings remain stable when re-scored by different assessors (inter-rater reliability > 85%)
  • Monitoring Compliance: 100% of quarterly reviews completed on schedule with documented findings
  • Early Warning Detection: 80%+ of vendor incidents preceded by at least one Early Warning Indicator flagged in monitoring

Scope & Limitations

范围与限制

This skill covers:
  • Multi-factor risk scoring across 6 dimensions (Financial, Operational, Compliance, Security, Reputational, Strategic) with critical-service weighting
  • Regulatory compliance checklists for GDPR, DORA, NIS2, SOX, PCI DSS, ISO 27001/SOC 2, HIPAA, and FedRAMP
  • Side-by-side vendor comparison with composite ranking and dimension-level analysis
  • Ongoing monitoring framework with quarterly reviews, Early Warning Indicators, and escalation paths
  • Risk mitigation strategies and onboarding checklists by risk level

This skill does NOT cover:
  • Real-time vendor monitoring dashboards, automated data feeds, or integration with GRC platforms (all input is via JSON files)
  • Financial auditing, forensic accounting, or detailed financial statement analysis of vendors (use the `finance/financial-analyst` skill)
  • Physical security assessments, on-site facility audits, or hardware supply chain verification
  • Legal review of vendor contracts or negotiation of terms (use the `legal/tech-contract-negotiation` skill)
  • Vendor relationship management, performance optimization, or strategic partnership development beyond risk assessment

Anti-Patterns

反模式

| Anti-Pattern | Why It Fails | Better Approach |
| --- | --- | --- |
| Relying solely on vendor self-assessment questionnaires | Vendors underreport risks; no independent verification | Cross-reference questionnaire responses with SOC 2/ISO 27001 reports, pen test results, and public records |
| Applying the same weight to all dimensions regardless of service type | A payroll vendor and a marketing tool have different risk profiles | Use the `--critical` flag for critical services; adjust dimension weights based on service classification |
| Completing due diligence once and never revisiting | Vendor risk changes over time due to M&A, breaches, market shifts | Implement quarterly monitoring with annual re-assessment per the monitoring framework |
| Rejecting vendors for a single high-risk dimension without considering mitigations | Eliminates potentially strong vendors with addressable gaps | Use the gap analysis severity classification; require remediation plans for major concerns before final decision |
| Skipping the comparison matrix for sole-source procurements | Misses opportunity to benchmark the vendor against market standards | Run comparison against industry benchmarks or previous vendor assessments to establish a risk baseline |

Tool Reference

工具参考

scripts/vendor_risk_scorer.py

Score a vendor across 6 risk dimensions and generate an overall recommendation.

```text
usage: vendor_risk_scorer.py [-h] [--json] [--critical]
                              input_file

positional arguments:
  input_file            Path to JSON file with vendor questionnaire responses

options:
  -h, --help            Show help message and exit
  --json                Output results as JSON
  --critical            Apply 2x weight to security and compliance
                        dimensions (for critical/essential services)
```

Outputs: 6-dimension risk scores (1-5 each), weighted composite score, risk level classification (Low/Moderate/High/Critical), overall recommendation (Approve/Approve with Conditions/Reject), dimension-level findings, and gap analysis.

scripts/vendor_comparison.py

Compare multiple vendors side-by-side and recommend a preferred vendor.

```text
usage: vendor_comparison.py [-h] [--json] [--critical]
                             input_files [input_files ...]

positional arguments:
  input_files           Paths to vendor assessment JSON files (minimum 2)

options:
  -h, --help            Show help message and exit
  --json                Output results as JSON
  --critical            Apply 2x weight to security and compliance
                        dimensions (for critical/essential services)
```

Outputs: Side-by-side comparison matrix, composite score ranking, per-dimension strength/weakness analysis, preferred vendor recommendation with rationale, and risk delta highlights.
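A worked example of the scoring and ranking that the two tools above are described as producing, added here and not the project's own code: six dimensions scored 1-5, a weighted composite with the security and compliance weights doubled for a critical service, the risk level, gap list and recommendation for one vendor, and a least-risk-first ranking across several. The equal base weights, the level cut-offs, the recommendation mapping and the gap threshold are assumptions; the project's own values live in `references/risk_assessment_framework.md`.

```python
"""Weighted composite scoring as this README describes for vendor_risk_scorer.py
and vendor_comparison.py. Added example, not the project's code. From the page:
six 1-5 dimensions, a 2x security/compliance weight for critical services, four
risk levels and three recommendations. ASSUMED: equal base weights, level
cut-offs, recommendation mapping, and 'gap' meaning a dimension scored 4 or 5."""

DIMENSIONS = ("financial", "operational", "compliance",
              "security", "reputational", "strategic")
CRITICAL_DIMENSIONS = ("security", "compliance")            # doubled under --critical
LEVELS = ((2.0, "Low"), (2.5, "Moderate"), (3.5, "High"))   # assumed upper bounds
GAP_THRESHOLD = 4                                           # assumed: 4-5 needs mitigation

def weights(critical: bool) -> dict:
    """Equal base weights (assumed); security and compliance doubled if critical."""
    return {d: 2.0 if critical and d in CRITICAL_DIMENSIONS else 1.0 for d in DIMENSIONS}

def composite_score(scores: dict, critical: bool = False) -> float:
    """Weighted mean of the dimension scores; higher means more risk."""
    for d in DIMENSIONS:
        if not 1 <= scores.get(d, 0) <= 5:
            raise ValueError(f"{d}: missing or outside the 1-5 scale")
    w = weights(critical)
    return round(sum(w[d] * scores[d] for d in DIMENSIONS) / sum(w.values()), 2)

def risk_level(composite: float) -> str:
    """Map the composite onto Low/Moderate/High/Critical using the assumed cut-offs."""
    return next((name for bound, name in LEVELS if composite < bound), "Critical")

def assess(scores: dict, critical: bool = False) -> dict:
    """Composite, level, gap list and recommendation for one vendor."""
    comp = composite_score(scores, critical)
    level = risk_level(comp)
    gaps = [d for d in DIMENSIONS if scores[d] >= GAP_THRESHOLD]
    if level == "Critical":
        rec = "Reject"
    elif level == "Low" and not gaps:
        rec = "Approve"
    else:
        rec = "Approve with Conditions"   # gaps need a remediation plan first
    return {"composite": comp, "level": level, "gaps": gaps, "recommendation": rec}

def rank_vendors(assessments: dict, critical: bool = False) -> list:
    """Least risky first, the order vendor_comparison.py ranks by composite score."""
    ranked = [(name, composite_score(s, critical)) for name, s in assessments.items()]
    return sorted(ranked, key=lambda item: item[1])

# Constructed questionnaire: clean except for weak security and compliance.
SAMPLE = {"financial": 1, "operational": 1, "compliance": 4,
          "security": 5, "reputational": 1, "strategic": 1}
```

Running `assess(SAMPLE)` both ways reproduces the troubleshooting case above: composite 2.17 (Moderate) without the critical weighting versus 2.75 (High) with it, so a vendor whose only weak dimensions are security and compliance is only classified correctly once the service is flagged as critical.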