
January 13, 2026 • 17 min read
12 vendor risk management metrics every compliance leader should track

Tamara Jendruh
Vendor relationships add value but can also increase risk.
According to the SecurityScorecard Global Third Party Breach Report, 35% of breaches in 2024 were linked to third-party vendor access. In 2025, breaches ranged from moderately worrying to massive. For example, Australian airline Qantas was breached via a third-party call center platform, with millions of customer records stolen.
To combat potential threats, companies need robust third-party risk management (TPRM) strategies. Central to these strategies are risk management metrics: measurements of vendor operations, compliance requirements, security, financial practices, and reputation help organizations create a framework of trusted suppliers and service providers.
In this piece, we’ll explore the top 12 vendor risk metrics every compliance leader needs to know and walk you through the process of selecting, reporting, and making the most of these metrics.
What are vendor risk management metrics?
Vendor risk management (VRM) metrics help organizations quantify the level of potential risk posed by supply chain companies, software vendors, and service providers.
Consider a cloud-based Software as a Service (SaaS) vendor that regularly experiences downtime and does not meet its service level agreement (SLA) obligations. In this case, metrics aren’t necessary — it’s obvious that companies need to select a new provider.
What if the provider delivers consistent performance and responds quickly but lacks compliance with guidelines such as ISO 27001? Here, the risks are less obvious: Does it make sense to stay or change? VRM metrics help companies make data-driven decisions.
KPIs and KRIs: What’s the difference?
VRM metrics fall into two broad categories: key performance indicators (KPIs) and key risk indicators (KRIs). Here’s a look at both in more detail.
KPIs
KPIs measure performance. Common KPIs include return on investment (ROI) or net profit margin, but they can also be applied to vendors. For example, businesses might track third-party providers’ ability to meet their SLA obligations or the average amount of time vendors require to get back up and running after outages or service disruptions.
KRIs
KRIs measure risks, and these risks may be tied to exposure or events.
Risk exposure is passive. Any company using a third-party provider is exposed to some risk, as providers could experience server failures, malicious compromises, or accidental data breaches.
Events are active. Companies may allow vendors to access financial or customer data as part of e-commerce or data analytics functions.
Overall, KRIs help companies understand the combined potential of exposure and events to determine total risk and create risk mitigation strategies.
How metrics connect to governance and reporting
While metrics offer some value in isolation, they’re more effective when connected to governance and reporting processes.
For example, healthcare companies must ensure compliance with regulations such as HIPAA, which mandates the protection and privacy of patient data, regardless of where this data is stored or who stores it. This means that if the company uses a third-party provider for data storage, it needs to track metrics such as security incident rates and time to remediation.
These metrics are then integrated into company reporting to demonstrate compliance, and they’re used to inform governance practices — if incident rates are rising, companies may want to consider finding a new vendor.
The top 12 vendor risk metrics
But what metrics should you consider? To help streamline the process of selecting the right metric, we’ve broken our top 12 into four categories: operational, compliance, security, and financial/reputational:
Operational metrics
1. Time to remediate
This is a measure of incident response — how long it takes vendors to get back up and running after a system failure, security breach, or other issue.
2. Mean time between failures (MTBF)
This tracks the average time between failures. Often used in manufacturing, it’s also useful in risk management frameworks. A “failure” can be defined in terms of security, uptime, SLA compliance, or any other event you track. The higher the MTBF, the better.
3. On-time delivery rate
Here, companies are measuring how often vendors deliver products or services on time — and how often they miss the mark.
Compliance metrics
4. Percentage of vendors that comply with SOC 2, ISO 27001, or other standards
This is an assessment of how many of your vendors comply with the standards and regulations relevant to your industry, such as ISO 27001 for information security management, SOC 2 for service organization controls, or GDPR for data privacy.
5. Number of outstanding compliance concerns
Measuring the number of outstanding compliance concerns from month to month across individual vendors and your entire third-party environment helps identify risk trends.
6. Average risk assessment frequency
Here, you’re tracking how often you carry out vendor risk assessments. Not all vendors need the same schedule of assessments — too often and you’re wasting time and money; too infrequently and you may miss key indicators of risk.
Security metrics
7. Number of security incidents per month/year/lifetime
By measuring the number of security incidents over different periods, your team can identify larger cybersecurity risk trends.
8. Vulnerability scores
Vulnerability scores help track vendor due diligence. One popular format is the Common Vulnerability Scoring System (CVSS), which ranks the severity of information security vulnerabilities in software systems from 0 to 10. Higher scores mean more risk, which requires more oversight.
9. SLA compliance
How often do vendors fail to meet SLA expectations? How long does it take them to return to SLA compliance after an issue occurs? Tracking SLA compliance lets companies make informed decisions about which vendors to keep and which to replace.
Financial and reputational metrics
10. Credit rating
Vendors with higher credit ratings are typically more trustworthy and less likely to go out of business unexpectedly.
11. Social media sentiment
Positive social media sentiment around a vendor can improve customer engagement with both the vendor and your company, while negative sentiment can spill over onto the businesses associated with that vendor.
12. Average net promoter score (NPS)
NPS is a measure of how likely customers are to recommend a company or service based on a scale of 1 to 10. Those who respond with a 9 or 10 are known as “promoters.” Answers of 7 or 8 are “passives” and any 6s or lower are “detractors.”
To calculate NPS, you subtract the percentage of detractors from the percentage of promoters to get a score from -100 to 100. The higher the score, the better for customer loyalty. Vendors with high NPS have a net positive effect on partnerships.
How to select the right metrics for your program
Not all of the metrics listed above may be relevant or actionable for your third-party risk management program. Depending on the size of your business, the total number of vendors you use, and the type of data these vendors handle, some metrics may be more applicable than others.
A three-step approach can help ensure you’re choosing KPIs and KRIs that deliver the right insight.
Step 1: Align metrics with expectations and business goals
What are you measuring? Why? What benefit will these metrics offer?
By understanding end goals, you’re better prepared to identify best-fit metrics. For example, if your objective is to lower the risk levels of a third-party data breach, key metrics may include the number of data breaches per vendor over the last year, along with the most common attack vector.
Step 2: Prioritize valuable vs. vanity metrics
Some metrics look great on paper but don’t offer much in the way of value. Generally speaking, these “vanity” metrics are largely unchanging — answers are effectively known in advance rather than a reflection of vendor action.
Consider a company measuring the risk of phishing attacks tied to a large-volume vendor. While this seems like a usable metric, the company knows full well that its vendor has substantive anti-phishing measures in place, and the likelihood of a successful attack is minimal.
The result is a metric that looks great but doesn’t have any practical value since the outcome is effectively predetermined.
Step 3: Review and recalibrate quarterly
What’s valuable and actionable today may not be next year or next quarter. Companies should review the impact and usability of their metrics each quarter, and recalibrate as necessary to improve their security posture.
Reporting and visualizing vendor risk metrics
Identifying best-fit metrics and capturing key data is only half the battle — even the most accurate and timely measurements won’t deliver value if they’re not effectively reported and visualized to executives.
Dashboard best practices
Dashboards should be simple and straightforward.
Simple means metrics that are applicable to current circumstances without the need for interpretation or explanation. Here’s a quick test: If displayed metrics require more than a sentence's worth of exposition, they’re likely too complex.
Straightforward means removing jargon and technical terms. Both internal risk teams and vendors have their own sets of acronyms, unique descriptors, and portmanteaus that describe their specific situation — but these terms mean nothing to C-suite executives. Whenever possible, present metrics in plain language.
Choosing the right visualization tools
The visualization tools you select also make a difference.
Look for solutions that include:
- Embeddability. Tools should be embeddable in other applications or websites, so teams can easily share visualizations where stakeholders already work.
- Chart and graph customization. Along with standard line, bar, pie, plot, and other common chart and graph formats, tools should allow customization to highlight key metrics or showcase specific findings.
- Interactive exploration. In addition to displaying information, tools should enable users to click through on visualizations to discover underlying data sources and connections.
Tailoring report frequency by stakeholder group
It’s also important to recognize that different stakeholders need different KPI and KRI update frequencies.
For example, CEOs and CFOs may want quarterly reports, while CISOs or CIOs may prioritize monthly or biweekly reports. Shareholders may only require yearly updates.
Bear in mind that needed frequencies can change depending on current financial conditions, upcoming investments, and market demands.
Common mistakes when measuring vendor risk
Vendor risk assessment is not a static process. Geopolitical factors, logistics challenges, and the actions of malicious actors can all impact overall risk.
The result? Despite best efforts, measurement mistakes happen, and these are three of the most common:
Emphasizing volume over impact
More metrics aren’t inherently better metrics. While it’s possible to collect metrics every minute of every day, higher volumes don’t equal more value.
Consider a company measuring vendor security incident rates. Over the course of a year, the vendor experiences ten cybersecurity incidents, four of which result in a breach. Measuring this KRI once per month or every two weeks provides enough information to act.
Measuring incident rates every day, however, doesn’t add value — it simply adds volume. The result is hundreds and hundreds of “no change” entries that take up time and space.
Collecting data manually
Manual data collection is inherently error prone. While human beings excel at interpreting and acting on data, we are not designed for tireless and accurate data collection.
In the best-case scenario, errors are discovered ASAP, and companies must spend time recollecting and double-checking data. In the worst case, these errors go unnoticed, and businesses make bad decisions based on manual mistakes.
Ignoring trend analysis
Point-in-time metrics are useful for immediate action. For example, if a company discovers 50 vendor regulatory compliance issues during a regular monthly review, teams can take steps to remediate these problems.
Trends suggest the need for more in-depth solutions. Consider the same company measuring and comparing the number of issues each month. If the past six months have shown 30, 40, 45, 45, 47, and 50 issues, there’s a larger underlying issue that needs to be addressed.
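The following is an added example, not code from the article or from AuditBoard, showing how a few of the metrics above are computed from raw vendor data: time to remediate and MTBF (metrics 1 and 2) from a constructed incident log, NPS (metric 12) from constructed survey answers using the article’s promoter/passive/detractor bands, and the trend check from the monthly issue counts the article cites (30, 40, 45, 45, 47, 50). All data values are constructed for illustration.

```python
from datetime import datetime
from statistics import mean

# Constructed incident log for one vendor: (service lost, service restored).
INCIDENTS = [
    (datetime(2025, 1, 10, 8, 0), datetime(2025, 1, 10, 12, 30)),
    (datetime(2025, 3, 2, 22, 15), datetime(2025, 3, 3, 1, 15)),
    (datetime(2025, 6, 18, 14, 0), datetime(2025, 6, 18, 15, 0)),
]
# Constructed survey answers on the article's 1-10 recommendation scale.
NPS_RESPONSES = [10, 9, 8, 7, 6, 10, 3, 9, 8, 10]
# Monthly outstanding compliance issues, the sequence used in the article.
MONTHLY_ISSUES = [30, 40, 45, 45, 47, 50]


def mean_time_to_remediate_hours(incidents):
    """Metric 1: average hours from service loss to restoration."""
    return mean((end - start).total_seconds() / 3600 for start, end in incidents)


def mtbf_hours(incidents):
    """Metric 2: average uptime between a restoration and the next failure."""
    ordered = sorted(incidents)
    gaps = [(nxt[0] - cur[1]).total_seconds() / 3600
            for cur, nxt in zip(ordered, ordered[1:])]
    return mean(gaps) if gaps else float("inf")  # a single incident has no gap yet


def net_promoter_score(responses):
    """Metric 12: % promoters (9-10) minus % detractors (6 or lower), -100..100."""
    if not responses:
        raise ValueError("NPS needs at least one response")
    promoters = sum(1 for r in responses if r >= 9)
    detractors = sum(1 for r in responses if r <= 6)
    return round(100 * (promoters - detractors) / len(responses))


def worsening_trend(monthly_counts, window=6):
    """True when issue counts never fell across the last `window` reviews:
    the point-in-time number may look manageable while the trend is not."""
    recent = monthly_counts[-window:]
    return len(recent) >= 2 and all(b >= a for a, b in zip(recent, recent[1:]))
```

Running the four functions over the constructed data yields an MTTR of about 2.83 hours, an MTBF of about 1907 hours, an NPS of 30, and a worsening-trend flag for the six-month issue series.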
How AuditBoard helps you track and report vendor risk metrics
With AuditBoard, your teams are better equipped to track, report, and address vendor risk metrics.
Key features include:
Automated vendor performance dashboards
Creating a comprehensive vendor risk management program is no easy task. With automated vendor performance dashboards, your teams can see what’s happening in real time and take targeted action to reduce potential risks.
Customizable KPI and KRI libraries
With AuditBoard, your teams can create and customize KPI and KRI libraries, giving you complete control over what you measure, how you measure it, and what actions you take.
“AuditBoard helped us connect our risks through a single source of truth, so we now have a library of risks that everyone understands, and at the same time, a library of controls that everyone understands,” says Michelle Cubid, Internal Audit Lead at Wise. “It has been helpful for us in terms of understanding our risk profile and managing our risks appropriately because we now have a single point of reference for all things risk management.”
Integration with enterprise risk and compliance reporting
While KPIs and KRIs are critical components in reducing risk, they don’t exist in isolation. AuditBoard offers easy integration with enterprise risk and compliance reporting solutions to ensure staff, managers, C-suites, and stakeholders are all on the same page.
Ready to build a successful risk assessment plan that helps identify vendor issues and remediate root causes? Start with AuditBoard.
About the authors

Tamara Jendruh, PMP is a Manager of Product Solutions (ITRC) at AuditBoard, where she serves as a product expert on the AuditBoard platform, mainly focused on IT Risk and Compliance. Prior to AuditBoard, Tamara oversaw the GRC Program at MongoDB and spent time in the Global Cloud Compliance organization at Cisco, where she served in several roles including Cloud Program Manager Lead and Federal Program Manager Lead, focused mainly on IT Security Audits. Connect with Tamara on LinkedIn.