Risk Assessments
A risk assessment evaluates a vendor's compliance across risk domains using the criteria defined in playbooks. Learn how assessments relate to playbooks and how they fit into the broader due diligence workflow with intake.
What is a Risk Assessment?
A risk assessment is a structured evaluation of a vendor across one or more risk domains — security, compliance, privacy, financial risk, business continuity, and more. Assessments use the criteria defined in playbooks to evaluate whether a vendor meets your organization’s standards, gathering evidence directly from the vendor through documentation uploads and/or questionnaire responses.
For each criterion in the playbook, Clarative’s AI produces a verdict:
- Pass — The vendor has provided sufficient evidence of compliance
- Partial Pass — The vendor meets the partial pass conditions
- Fail — The vendor does not meet the criterion
- Unable to Assess — There isn’t enough evidence to make a determination
Each verdict comes with a detailed explanation and numbered citations linking to the underlying evidence. Reviewers can override any AI verdict, request clarification from the vendor, and flag criteria as issues for follow-up.
How Assessments Relate to Playbooks
A playbook is a reusable template that defines the criteria, questions, and pass/fail conditions used to evaluate a vendor. An assessment is a specific instance of running one or more playbooks against a vendor at a point in time.
A single assessment can include multiple playbooks — typically one per risk domain. For example, an assessment might combine a security playbook, a privacy playbook, and a business continuity playbook to get a complete picture of vendor risk. Playbooks can also be layered within a domain, such as adding a higher-bar security playbook on top of a baseline one for vendors with elevated risk.
When creating an assessment, you select which playbooks to include. The same playbooks can be reused across vendors and repeated over time as part of periodic due diligence.
How Intake and Assessments Work Together
Intake and assessments complement each other as a two-stage due diligence workflow.
Intake is the first pass. Before engaging the vendor directly, intake uses public data, AI enrichments, and intake survey responses from the vendor requester to quickly score inherent risk and populate the vendor inventory fields, like Data Classification or Criticality. This gives your team a fast, low-friction signal on whether a vendor warrants deeper scrutiny, without requiring the vendor to participate yet.
Risk assessments go further. Once a vendor is onboarded and you’re ready for a full evaluation, an assessment gathers documentation and questionnaire responses directly from the vendor, then evaluates those against playbook criteria to surface specific control gaps and compliance issues.
Together, intake answers “what is the inherent risk of working with this vendor for this use case?” and assessments answer “is this specific vendor actually meeting our standards?”
Assessment Workflow Summary
- Create an assessment — Select a vendor and choose which playbooks to include. Optionally add reviewers who will be notified when the assessment is complete.
- Kick off the assessment — Upload vendor documents or send a questionnaire to the vendor (or both). The vendor responds via the Vendor Portal.
- Review results — Clarative’s AI evaluates all evidence against each criterion. Reviewers examine the AI’s reasoning, override verdicts as needed, and request any additional information from the vendor.
- Manage issues — Criteria flagged as Issue Detected automatically generate issues when the assessment is finalized. Create tasks to track remediation work.
For a step-by-step walkthrough, see the Due Diligence Quick Start.
Need Help?
Contact support at support@clarative.ai.