Prompt Chain: End-to-End Vendor Risk Assessment Workflow
For Risk Analysts
Tools: Claude | Time to build: 1–2 hours | Difficulty: Intermediate-Advanced | Prerequisites: Comfortable using Claude for vendor questionnaire analysis (see Level 3 guide: "Vendor Risk Assessment with Claude")
What This Builds
A reusable, multi-step prompt chain that takes a raw vendor questionnaire response as input and produces a complete vendor risk assessment package (scoring, gap analysis, risk rating, follow-up questions, and a board-ready summary) as a single structured output. Instead of running separate analysis steps for each vendor, you run one chain and get everything in one pass. For a third-party risk management (TPRM) program with 50–200 vendors per year, this is a significant time multiplier.
Prerequisites
- Comfortable using Claude for vendor questionnaire analysis (Level 3)
- Claude Pro subscription ({{tool:Claude.price}}/month) for long document handling
- A standard vendor questionnaire template your organization uses
- Time to build: 1–2 hours to build and test the chain; 30 minutes per vendor after
- Cost: {{tool:Claude.price}}/month
The Concept
A prompt chain is a sequence of prompts where the output of one step becomes the input for the next. Instead of asking "assess this vendor" and getting a generic answer, you structure the analysis into logical stages: first score each control domain, then identify gaps, then rate overall risk, then generate follow-up questions. Each step builds on the previous one. The result is more thorough and more consistent than a single-prompt assessment, and more defensible, because each intermediate output (scores, gaps, rating) is a reviewable artifact that can be checked against the questionnaire before the next step runs.
Build It Step by Step
Part 1: Design Your Assessment Chain
Map out the steps your TPRM assessment process requires:
- Step 1: Domain scoring — Score each control domain 1–5
- Step 2: Gap identification — List specific gaps vs. required controls
- Step 3: Overall risk rating — Calculate Critical/High/Medium/Low with rationale
- Step 4: Follow-up questions — Generate specific clarification questions
- Step 5: Assessment summary — Write the board-ready summary paragraph
Part 2: Write the Chain Prompts
Open Claude. Here is the complete chain to paste in sequence:
CHAIN STEP 1: Domain Scoring
VENDOR RISK ASSESSMENT — STEP 1: DOMAIN SCORING
I will now upload a vendor questionnaire response. Please score the vendor's controls in each domain on a 1–5 scale:
1 = No controls / critical gaps
2 = Partial controls / significant gaps
3 = Basic controls present / some gaps
4 = Strong controls / minor gaps
5 = Excellent controls / fully documented
Domains to score:
A. Data security and encryption (in transit and at rest)
B. Identity and access management
C. Incident response and breach notification
D. Business continuity and disaster recovery
E. Compliance certifications (SOC 2, ISO 27001, PCI-DSS, etc.)
F. Fourth-party / subcontractor management
G. Change management and patching
Output: A table with Domain | Score | Key Evidence Found | Key Gaps Noted. For each item of evidence, cite the questionnaire section or page it comes from so the score can be verified against the source document.
[Now upload or paste the vendor questionnaire response]
Upload the vendor questionnaire and send.
CHAIN STEP 2: Gap Analysis (send after Step 1 completes)
STEP 2: GAP ANALYSIS
Based on your domain scores above, produce a gap analysis table:
Required Control | Standard (e.g., SOC 2 / NIST CSF) | Vendor Status | Gap? | Risk Implication
Include only domains scored 3 or below. For each gap, note: is this a documentation gap (they have controls but didn't document them well) or a control gap (the control may not exist)?
CHAIN STEP 3: Overall Risk Rating (send after Step 2 completes)
STEP 3: OVERALL RISK RATING
Based on the domain scores and gaps identified, provide:
1. Overall risk rating: Critical / High / Medium / Low
2. Primary factors driving the rating (3 bullet points)
3. Whether the rating changes based on these vendor characteristics (the analyst fills these in before sending):
- Vendor criticality: [state: Critical / Important / Standard]
- Data sensitivity: [state: PII / Financial / Confidential / Non-sensitive]
- Access type: [state: Network access / Data access / Physical access / No system access]
4. Recommended disposition: Approve / Approve with conditions / Escalate for review / Do not approve
CHAIN STEP 4: Follow-Up Questions (send after Step 3 completes)
STEP 4: FOLLOW-UP QUESTIONS
Generate 5 specific follow-up questions for this vendor based on the gaps and risk rating above.
For each question: Question text | Why we're asking it | What answer would satisfy the gap | What answer would escalate the risk
CHAIN STEP 5: Assessment Summary (send after Step 4 completes)
STEP 5: ASSESSMENT SUMMARY
Write a 200-word vendor risk assessment summary suitable for our vendor risk register and audit committee review. Include: vendor type, overall risk rating and rationale, top 3 risks, recommended approval conditions (if any), and next review date recommendation. Formal tone.
Part 3: Save the Chain as a Reusable Template
Copy all 5 chain prompts into a Word document or text file. Label each step clearly. When you assess the next vendor:
- Open Claude, start new chat
- Upload vendor questionnaire
- Paste and run Step 1
- Wait for response
- Paste and run Step 2 (in the same conversation)
- Continue through all 5 steps
Each step's context builds on the previous ones: within one conversation Claude sees the questionnaire and every earlier step's output, up to the limit of its context window. Two caveats. First, a long questionnaire plus five step outputs can approach that limit, which is why the Step 5 summary can drift from the earlier steps (see What to Do When It Breaks). Second, the questionnaire is vendor-supplied, untrusted text: instructions embedded in it (for example, a passage asking the reader to rate all controls as strong) can influence the model's output, so check the Key Evidence column against the source document rather than accepting the scores on trust.
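The same chain run programmatically, as an added example that is not part of this guide and not Anthropic's code. Each step's prompt is built from the earlier steps' outputs as text, so the chain does not depend on conversation memory and can be replayed from any step, and two deterministic checks run on the results: every domain scored 3 or below must appear in the gap table, and the model's overall rating may not fall below a policy floor derived from the scores and the vendor characteristics entered in Step 3. The table regexes, the floor policy, and `fake_model` (a stand-in that returns constructed outputs for a fictional vendor so the script runs offline) are assumptions; swap `fake_model` for a real call such as `anthropic.Anthropic().messages.create(...)` to run it against Claude.

```python
"""Chain runner with explicit carry-forward and deterministic checks.
Added example, not the guide's or Anthropic's code. Assumed: Step 1/2 tables
are pipe-delimited with the domain letter first; the rating floor is a
constructed policy; fake_model replaces a real API call so this runs offline.
"""
from __future__ import annotations
import re
from typing import Callable

RATING_ORDER = ["Low", "Medium", "High", "Critical"]

# Every prompt carries the earlier outputs as text, so the chain does not rely
# on conversation memory and any step can be re-run on its own.
STEP_PROMPTS = {
    1: ("STEP 1: DOMAIN SCORING\nScore domains A-G on 1-5.\n"
        "Output: Domain | Score | Key Evidence Found | Key Gaps Noted\n\n{questionnaire}"),
    2: ("STEP 2: GAP ANALYSIS\nDomain scores:\n{step1}\n"
        "Produce the gap table for domains scored 3 or below only."),
    3: ("STEP 3: OVERALL RISK RATING\nScores:\n{step1}\nGaps:\n{step2}\n"
        "Vendor criticality: {criticality}. Data sensitivity: {sensitivity}.\n"
        "Output a line: Overall risk rating: Critical / High / Medium / Low"),
    4: "STEP 4: FOLLOW-UP QUESTIONS\nGaps:\n{step2}\nRating:\n{step3}",
    5: "STEP 5: ASSESSMENT SUMMARY\nScores:\n{step1}\nGaps:\n{step2}\nRating:\n{step3}",
}
# Table row: optional leading pipe, domain letter, optional label, then cells.
SCORE_ROW = re.compile(r"^\s*\|?\s*([A-G])(?:[.\s][^|]*)?\|\s*([1-5])\s*\|", re.M)
GAP_ROW = re.compile(r"^\s*\|?\s*([A-G])(?:[.\s][^|]*)?\|", re.M)

def parse_scores(step1: str) -> dict[str, int]:
    return {d: int(s) for d, s in SCORE_ROW.findall(step1)}

def parse_gap_domains(step2: str) -> set[str]:
    return set(GAP_ROW.findall(step2))

def parse_rating(step3: str) -> str | None:
    m = re.search(r"Overall risk rating:\s*(Critical|High|Medium|Low)", step3)
    return m.group(1) if m else None

def rating_floor(scores: dict[str, int], criticality: str, sensitivity: str) -> str:
    """Constructed policy: the lowest rating the scores and vendor context allow."""
    low = min(scores.values())
    sensitive = criticality == "Critical" or sensitivity in {"PII", "Financial"}
    if low <= 1:
        return "Critical" if sensitive else "High"
    if low == 2:
        return "High" if sensitive else "Medium"
    return "Medium" if low == 3 and sensitive else "Low"

def check_consistency(scores, gap_domains, rating, criticality, sensitivity) -> list[str]:
    """Cross-check Step 2 and Step 3 against Step 1 and the floor policy."""
    expected = {d for d, s in scores.items() if s <= 3}
    findings = [f"domain {d} scored {scores[d]} but has no gap row"
                for d in sorted(expected - gap_domains)]
    findings += [f"domain {d} is in the gap table but scored above 3"
                 for d in sorted(gap_domains - expected)]
    floor = rating_floor(scores, criticality, sensitivity)
    if rating is None:
        findings.append("no parseable overall risk rating")
    elif RATING_ORDER.index(rating) < RATING_ORDER.index(floor):
        findings.append(f"model rated {rating}; policy floor is {floor}")
    return findings

def run_chain(questionnaire: str, criticality: str, sensitivity: str,
              call_model: Callable[[str], str]) -> dict:
    ctx = {"questionnaire": questionnaire, "criticality": criticality,
           "sensitivity": sensitivity}
    for step in range(1, 6):  # each output becomes input to the later prompts
        ctx[f"step{step}"] = call_model(STEP_PROMPTS[step].format(**ctx))
    scores, rating = parse_scores(ctx["step1"]), parse_rating(ctx["step3"])
    findings = check_consistency(scores, parse_gap_domains(ctx["step2"]),
                                 rating, criticality, sensitivity)
    return {"scores": scores, "rating": rating, "findings": findings, "outputs": ctx}

# Constructed outputs for a fictional vendor: domain G is missing from the gap
# table and the rating is too low for a Critical, PII-handling vendor, so both
# checks fire.
FAKE_STEP1 = """| Domain | Score | Key Evidence Found | Key Gaps Noted |
|---|---|---|---|
| A. Data security | 4 | AES-256 at rest, TLS 1.2+ | key rotation not described |
| B. IAM | 4 | SSO and MFA | none |
| C. Incident response | 3 | written IR policy | no exercise in 18 months |
| D. BC/DR | 2 | DR plan referenced | no test evidence |
| E. Compliance | 4 | SOC 2 Type II | none |
| F. Fourth-party | 2 | subcontractor list | no oversight process |
| G. Change management | 3 | patch SLA | no emergency change process |"""
FAKE_STEP2 = """| Domain | Required Control | Vendor Status | Gap? | Risk Implication |
|---|---|---|---|---|
| C | Annual IR exercise | untested 18 months | Yes | slow breach response |
| D | Tested DR plan | documented, untested | Yes | recovery time unknown |
| F | Subcontractor oversight | list only | Yes | unmanaged fourth parties |"""

def fake_model(prompt: str) -> str:
    return {"STEP 1: DOMAIN SCORING": FAKE_STEP1, "STEP 2: GAP ANALYSIS": FAKE_STEP2,
            "STEP 3: OVERALL RISK RATING": "Overall risk rating: Medium\n- untested DR",
            "STEP 4: FOLLOW-UP QUESTIONS": "Q1..Q5", "STEP 5: ASSESSMENT SUMMARY": "Summary."
            }[prompt.splitlines()[0]]

if __name__ == "__main__":
    result = run_chain("<questionnaire text>", "Critical", "PII", fake_model)
    print(result["scores"], result["rating"], result["findings"], sep="\n")
```

The constructed outputs are deliberately inconsistent (domain G scored 3 but absent from the gap table; a Medium rating for a Critical, PII-handling vendor with two domains scored 2), so the run produces two findings. In practice a non-empty findings list means the analyst re-runs the offending step with the inconsistency called out, or corrects the table by hand, before Step 5 is allowed to summarise.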
Part 4: Test and Calibrate
Run the chain on 2–3 vendors you've already assessed manually:
- Compare chain outputs to your manual assessments
- Adjust scoring criteria in Step 1 to match your organization's standards
- Add any missing domains relevant to your vendor types (e.g., AI governance for technology vendors, ESG for supply chain vendors)
What you should see: After running all 5 steps, a complete assessment package — domain scores table, gap analysis, risk rating, follow-up questions, and a board-ready summary — produced in about 30 minutes per vendor
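One way to make the "compare chain outputs to your manual assessments" step measurable, added here as an example that is not the guide's own code. It takes the domain scores from two or three manually assessed vendors alongside the chain's scores for the same vendors, computes per-domain bias (is the chain systematically more generous or harsher than the analyst?) and disagreement, and turns flagged domains into edits to the Step 1 criteria. The vendor scores and the flag thresholds are constructed for illustration.

```python
"""Calibration of chain scores against manual assessments.
Added example, not the guide's code. The three vendors' scores are constructed;
the flag thresholds (mean absolute difference above 1.0, or any single vendor
off by 2 or more) are illustrative, not a standard.
"""
from __future__ import annotations
from statistics import mean

DOMAINS = "ABCDEFG"

# Constructed data: analyst (manual) and chain scores for three vendors.
MANUAL = {
    "vendor1": {"A": 4, "B": 4, "C": 3, "D": 2, "E": 4, "F": 2, "G": 3},
    "vendor2": {"A": 3, "B": 2, "C": 2, "D": 3, "E": 3, "F": 1, "G": 3},
    "vendor3": {"A": 5, "B": 4, "C": 4, "D": 4, "E": 5, "F": 3, "G": 4},
}
CHAIN = {
    "vendor1": {"A": 4, "B": 4, "C": 3, "D": 3, "E": 4, "F": 3, "G": 3},
    "vendor2": {"A": 3, "B": 3, "C": 2, "D": 4, "E": 3, "F": 3, "G": 3},
    "vendor3": {"A": 5, "B": 5, "C": 4, "D": 4, "E": 5, "F": 4, "G": 4},
}

def calibrate(manual, chain, mad_limit=1.0, spread_limit=2):
    """Per-domain drift of the chain relative to the analyst baseline."""
    report = {}
    for d in DOMAINS:
        diffs = [chain[v][d] - manual[v][d] for v in manual]  # + means chain is more generous
        mad = mean(abs(x) for x in diffs)
        report[d] = {
            "bias": round(mean(diffs), 2),
            "mad": round(mad, 2),
            "exact": sum(x == 0 for x in diffs) / len(diffs),
            "flag": mad > mad_limit or max(abs(x) for x in diffs) >= spread_limit,
        }
    return report

def recalibration_hints(report):
    """Flagged domains become concrete edits to the Step 1 scoring criteria."""
    hints = []
    for d, r in report.items():
        if r["flag"]:
            direction = "generous" if r["bias"] > 0 else "harsh"
            hints.append(f"domain {d}: chain is {direction} by {abs(r['bias'])} on average; "
                         "add a worked example for that band to the Step 1 criteria")
    return hints

if __name__ == "__main__":
    rep = calibrate(MANUAL, CHAIN)
    for d, r in rep.items():
        print(d, r)
    print(*recalibration_hints(rep), sep="\n")
```

With the constructed data only domain F (fourth-party management) is flagged: the chain rates it a point or two higher than the analyst on every vendor, which is the pattern that a worked example in the Step 1 criteria ("Score 2 = subcontractor list provided but no oversight process") is meant to correct. Domains where the chain is off by one on a single vendor are left alone; chasing those produces criteria that overfit to two or three vendors.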
Real Example: Cloud Storage Vendor Assessment
Setup: Chain template ready; vendor's 45-page questionnaire PDF uploaded to Claude
Step 1 input: "Score this vendor's controls in all 7 domains"
Step 1 output: Domain scores table — strong on encryption (4), access management (4), weak on fourth-party management (2), BCP documentation (2)
Step 2 output: Gap table showing 4 specific gaps, all in documented controls rather than control existence
Step 3 output: Medium risk rating — "Approve with conditions: vendor must provide SOC 2 Type II report and clarify subcontractor oversight process"
Step 4 output: 5 targeted follow-up questions, each tied to a specific gap
Step 5 output: 200-word assessment summary ready to paste into the risk register
Total time: 30 minutes including review and editing vs. manual: 2–2.5 hours
What to Do When It Breaks
- Step 5 summary doesn't match the earlier steps: in a long conversation (a multi-page questionnaire plus four step outputs) earlier material can fall outside the context window or carry less weight than recent text. Carry the intermediate outputs forward explicitly: start Step 5 with "Based on your domain scores [paste table], gap analysis [paste], and risk rating [paste], write a summary..." The same fix applies to any step whose output ignores an earlier one.
- Scores feel inconsistently calibrated across vendors: Add specific examples to the scoring criteria in Step 1 — "Score 2 = vendor has a written incident response policy but hasn't tested it in 12+ months"
- Chain is too slow for volume: Combine Steps 1 and 2 into a single prompt once you're comfortable with the output quality
Variations
- Simpler version: Use just Step 1 (scoring) + Step 5 (summary) — eliminates 3 intermediate steps while keeping most of the value
- Extended version: Add a Step 0 that extracts key vendor metadata from the questionnaire header (vendor name, primary contact, assessment date, service description) before scoring begins
What to Do Next
- This week: Build the chain, test on 2–3 vendors, calibrate scoring criteria
- This month: Document the chain as your organization's standard TPRM assessment process; get it reviewed by your manager and legal team, including whether uploading vendor-supplied questionnaires to a third-party AI service is permitted under your data-handling policy and the vendors' NDAs
- Advanced: Save the chain prompts in a Claude Project (Level 4 guide) so they're available with your organization's scoring framework pre-loaded as context
Advanced guide for risk analyst professionals. Review all AI-generated vendor assessments before using for contracting or compliance decisions.