For Risk Analysts
What you'll accomplish
By the end of this guide, you'll be able to run vendor questionnaire responses through Claude and get structured assessments in 20–30 minutes per vendor instead of 2 hours. You'll cover your entire third-party vendor backlog faster and produce more consistent assessments across your portfolio.
What you'll need
Before assessing your first vendor, define how you want Claude to score. Write a "framework prompt" you'll reuse for every vendor. Here's a starting template:
You are a third-party risk analyst. I will upload a vendor questionnaire response. Assess the vendor's risk posture across these control domains, scoring each 1-5 (1=significant gaps, 5=strong controls):
- Data security and encryption
- Access controls and identity management
- Incident response and notification
- Business continuity / disaster recovery
- Compliance certifications (SOC 2, ISO 27001, etc.)
- Fourth-party/subcontractor risk
Output:
1. Overall risk rating: Critical/High/Medium/Low
2. Domain scores table
3. Key strengths (2-3 bullets)
4. Critical gaps requiring remediation (if any)
5. 3 follow-up questions to ask this vendor
6. Recommended due diligence actions before contract/renewal
Save this prompt in a text file — you'll paste it before every vendor assessment.
Claude will generate a structured assessment. For each vendor:
What you should see: A structured assessment with a clear overall rating, a domain scores table, and specific findings.
After the initial assessment, add context Claude doesn't have:
Additional context: This vendor is [critical/standard/low-criticality]. They process [type of data, e.g. customer PII / financial transactions]. Our organization is subject to [regulatory framework, e.g. GLBA / HIPAA]. Does this change your risk rating or recommended actions?
Troubleshooting: If the vendor questionnaire is poorly formatted and Claude misses key sections, try uploading it as a text file with clear section headers, or paste the most important sections directly into the chat.
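Because every vendor goes through the same framework prompt, you can check Claude's output mechanically before it enters your portfolio. The script below is an added example, not part of this guide and not Anthropic tooling: it parses the domain scores table from a response, rolls the six 1-5 scores up into an overall rating, applies the vendor-criticality context from the follow-up prompt, and flags any assessment whose stated rating disagrees with the rollup so an analyst reviews it. The table layout, the "weakest domain drives the rating" rollup rule and the one-step criticality bump are assumptions chosen for the example; the guide itself leaves the rollup to Claude's judgement.

```python
"""Consistency check for Claude-generated vendor assessments (added example).

Assumptions, not from the guide: Claude returns the domain scores as a
markdown table, the overall rating is driven by the weakest domain, and
vendor criticality moves the rating one step up or down.
"""
import re

# The six control domains from the framework prompt (short labels).
DOMAINS = [
    "Data security and encryption",
    "Access controls and identity management",
    "Incident response and notification",
    "Business continuity / disaster recovery",
    "Compliance certifications",
    "Fourth-party/subcontractor risk",
]
RATINGS = ["Low", "Medium", "High", "Critical"]  # ordered from least to most severe

# Constructed sample of the kind of response the framework prompt asks for.
SAMPLE_RESPONSE = """\
1. Overall risk rating: Medium

2. Domain scores table
| Domain | Score |
|---|---|
| Data security and encryption | 4 |
| Access controls and identity management | 3 |
| Incident response and notification | 2 |
| Business continuity / disaster recovery | 4 |
| Compliance certifications | 5 |
| Fourth-party/subcontractor risk | 1 |

3. Key strengths
- SOC 2 Type II report is current
"""


def parse_domain_scores(text):
    """Pull (domain, score) rows out of the markdown table; fail if a domain is missing."""
    scores = {}
    for m in re.finditer(r"^\|\s*([^|]+?)\s*\|\s*([1-5])\s*\|\s*$", text, re.M):
        scores[m.group(1)] = int(m.group(2))
    missing = [d for d in DOMAINS if d not in scores]
    if missing:
        raise ValueError(f"domain scores missing from response: {missing}")
    return scores


def parse_overall_rating(text):
    """Extract the Critical/High/Medium/Low rating Claude stated."""
    m = re.search(r"Overall risk rating:\s*(Critical|High|Medium|Low)", text)
    if not m:
        raise ValueError("no overall risk rating found in response")
    return m.group(1)


def rollup(scores):
    """Assumed rule: the weakest domain sets the rating, because one score of 1
    (e.g. no subcontractor oversight) is not offset by strong controls elsewhere."""
    worst = min(scores.values())
    if worst <= 1:
        return "Critical"
    if worst == 2:
        return "High"
    if worst == 3:
        return "Medium"
    return "Low"


def adjust_for_context(rating, criticality):
    """Assumed bump: critical vendors move one step up, low-criticality one step down."""
    idx = RATINGS.index(rating)
    if criticality == "critical":
        idx = min(idx + 1, len(RATINGS) - 1)
    elif criticality == "low":
        idx = max(idx - 1, 0)
    return RATINGS[idx]


def check_assessment(text, criticality="standard"):
    """Compare Claude's stated rating with the rollup; list domains scoring 1 or 2 as gaps."""
    scores = parse_domain_scores(text)
    stated = parse_overall_rating(text)
    computed = adjust_for_context(rollup(scores), criticality)
    return {
        "stated": stated,
        "computed": computed,
        "consistent": stated == computed,
        "gaps": [d for d in DOMAINS if scores[d] <= 2],
    }


if __name__ == "__main__":
    result = check_assessment(SAMPLE_RESPONSE, criticality="standard")
    flag = "OK" if result["consistent"] else "REVIEW"
    print(f"{flag}: stated={result['stated']} rollup={result['computed']} gaps={result['gaps']}")
```

In the constructed sample Claude rated the vendor Medium while scoring fourth-party risk a 1, so the check flags it for review; that is exactly the kind of drift between narrative rating and domain scores that makes cross-portfolio comparisons unreliable if it goes unnoticed.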
1. Standard security assessment:
Assess this vendor's questionnaire across: security controls, access management, incident response, BCP, and compliance certs. Score 1-5 per domain, overall risk rating, top gaps, and 3 follow-up questions.
2. Regulatory compliance focus:
Assess this vendor's compliance posture for a [GLBA / HIPAA / SOX] environment. Identify gaps vs. required controls and flag anything that creates regulatory risk for us.
3. Vendor comparison:
Compare these two vendor assessments I'll provide separately. Which vendor has stronger controls overall? What are the key differentiating risk factors?
4. Contract risk review:
Review this vendor contract's risk and security provisions. Flag: missing notification requirements, inadequate liability provisions, absent audit rights, and gaps vs. industry standard terms.