Tri-risk Ratings
What are Tri-risk ratings?
Tri-risk ratings are Vendorapp's simplified yet powerful way of helping organizations understand the risk level associated with any vendor — across three distinct dimensions:
- Exposure Risk Rating (ERR)
- ESG Risk Rating
- Access Risk Rating (ARR)
Together, these ratings offer a balanced view of who a vendor is, what they do, and how much risk they introduce into your environment — operationally, ethically, and technically.
These ratings are automatically generated through Vendorapp Intelligence and are visible throughout the app, including during onboarding, in assessments, and on the Vendor View.
Why they matter
Managing vendor risk isn't just about identifying red flags — it's about understanding what kind of risk a vendor introduces.
Traditional due diligence processes often rely on long-form questionnaires or siloed review cycles. Vendorapp's tri-risk system changes that by:
- Standardizing how risk is measured
- Reducing the time needed for analysis
- Allowing smarter, faster decision-making
- Enabling downstream automation (e.g., workflows, approvals, alerts)
Tri-risk ratings help teams prioritize vendors that require attention, guide contract decisions, and simplify governance across departments.
The three types of risk
1. Exposure Risk Rating (ERR)
This rating evaluates the inherent operational risk of working with a vendor. It considers factors such as:
- Data protection and privacy controls
- Information security posture
- Business continuity planning
ERR scores are based on the answers to weighted assessment questions and can be:
- Low – minimal operational risk
- Medium – moderate risk requiring oversight
- High – significant risk, typically requiring deeper due diligence
2. ESG Risk Rating
The ESG (Environmental, Sustainability, and Governance) rating provides insight into the sustainability and ethics profile of a vendor. This rating considers:
- Publicly available data on environmental impact
- Labor practices and social policies
- Governance structures and transparency
ESG ratings help align vendor selection with internal CSR goals, ESG reporting frameworks, or investment principles.
Like the ERR, ESG risk is rated:
- Low – aligned with best practices
- Medium – potential concerns present
- High – notable ESG risk factors detected
3. Access Risk Rating (ARR)
The Access Risk Rating is specific to what the vendor can access within your company. It reflects the risk introduced by the nature of the contract.
ARR considers whether the vendor will:
- Access internal systems or data
- Have physical access to facilities
- Deliver services that could impact business continuity
ARR is assessed during contract setup and can be:
- Low – no system or premises access
- Medium – limited or monitored access
- High – broad, sensitive, or critical access
ARR directly affects visibility in the Vendor View, system access labels, and task creation logic.
How tri-risk ratings work together
Each risk rating focuses on a different dimension of vendor risk:
- ERR = How risky is this vendor's overall business profile?
- ESG = Is this vendor aligned with our sustainability and ethical standards?
- ARR = What kind of access are we giving this vendor?
Rather than combining the scores into one overall grade, Vendorapp keeps the three ratings distinct — providing a more nuanced, actionable risk profile.
This makes it easier to:
- Approve or reject vendors based on specific risk types
- Build automated workflows (e.g. flag all vendors with High ARR)
- Guide procurement, IT, and compliance teams with targeted insights
Risk Rating Lifecycle and Visibility
- ERR and ESG ratings are generated at onboarding and updated with each ad-hoc assessment.
- ARR is tied to each contract and reflects the highest level of access associated with that vendor.
Only one active ERR and ESG assessment is stored at a time. Older assessments are archived automatically once a new one is completed.
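As an added illustration (not Vendorapp's own code), the following Python sketch models the lifecycle rules described above: each contract's access level rolls up to a vendor ARR equal to the highest level, a single ERR/ESG assessment stays active while earlier ones are archived, and a High-ARR filter of the kind the workflow example mentions. The ERR score thresholds, class names and field names are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Rating levels shared by ERR, ESG and ARR, ordered from least to most risky.
LEVELS = ("Low", "Medium", "High")

def rate_err(weighted_answers):
    """Map weighted answers (weight, risk in [0, 1]) to an ERR level.
    The 1/3 and 2/3 thresholds are an assumption for this illustration; the
    page does not publish Vendorapp's actual scoring."""
    total_weight = sum(w for w, _ in weighted_answers)
    if total_weight <= 0:
        raise ValueError("at least one positively weighted answer is required")
    avg = sum(w * r for w, r in weighted_answers) / total_weight
    if avg < 1 / 3:
        return "Low"
    return "Medium" if avg < 2 / 3 else "High"

@dataclass
class Assessment:
    err: str
    esg: str

@dataclass
class Vendor:
    name: str
    contract_access: list = field(default_factory=list)  # ARR level per contract
    active: Assessment = None  # the single active ERR/ESG assessment
    archived: list = field(default_factory=list)

    def add_contract(self, access_level):
        """ARR is assessed at contract setup; record that contract's level."""
        if access_level not in LEVELS:
            raise ValueError(f"unknown access level {access_level!r}")
        self.contract_access.append(access_level)

    def arr(self):
        """Vendor-level ARR is the highest access level across all contracts."""
        if not self.contract_access:
            return None  # no contract yet, so ARR has not been assessed
        return max(self.contract_access, key=LEVELS.index)

    def record_assessment(self, err, esg):
        """Keep one active ERR/ESG assessment; archive the previous one."""
        if self.active is not None:
            self.archived.append(self.active)
        self.active = Assessment(err, esg)

def flag_high_arr(vendors):
    """Workflow rule from the page: flag every vendor whose ARR is High."""
    return [v.name for v in vendors if v.arr() == "High"]
```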
Plan visibility affects whether users can see full risk ratings:
⚠️ Obscured = Rating labels are hidden with blurred visuals and lock icons.