������Ƶ

A Vendor Risk Assessment Form helps organizations evaluate potential risks when working with suppliers, contractors, or service providers in New Zealand. It captures key details about a vendor's business practices, security measures, financial stability, and compliance with local regulations like the Privacy Act 2020 and Health and Safety at Work Act 2015.

Businesses use these forms to make informed decisions about partnerships, protect sensitive data, and maintain quality standards. The assessment typically covers areas like data handling protocols, insurance coverage, business continuity plans, and any past compliance issues ��� creating a clear picture of potential risks before entering into commercial relationships.

Use a Vendor Risk Assessment Form before engaging any new supplier or contractor who will handle sensitive data, provide critical services, or access your systems. This early evaluation becomes especially important when dealing with vendors who process personal information under New Zealand's Privacy Act 2020 or perform high-risk operations covered by workplace safety laws.

Complete the assessment during vendor selection, contract renewal periods, or when significant changes occur in your supply chain. For example, if a current vendor starts offering cloud storage services, handling payroll data, or providing essential IT infrastructure, a fresh risk assessment helps protect your organization from data breaches, service disruptions, and compliance issues.

• Basic Risk Assessment: A streamlined form focusing on fundamental vendor details, financial stability, and basic compliance with New Zealand regulations.
• IT Security Assessment: Detailed evaluation of data protection measures, cyber security protocols, and Privacy Act 2020 compliance.
• Critical Service Provider Form: Enhanced scrutiny for vendors providing essential services, including business continuity plans and operational resilience.
• Health and Safety Focused: Specific assessment for contractors working on-site, aligned with Health and Safety at Work Act requirements.
• Financial Services Variant: Specialized evaluation meeting Reserve Bank and FMA regulatory requirements for financial sector vendors.

• Risk Management Teams: Lead the assessment process, design evaluation criteria, and coordinate with other departments to gather required information.
• Procurement Officers: Use the forms during vendor selection and contract negotiations to evaluate potential suppliers.
• Legal Advisors: Review and update assessment criteria to ensure compliance with New Zealand regulations and privacy laws.
• IT Security Teams: Evaluate technical risks and data protection measures of potential vendors.
• Vendor Representatives: Complete the form, provide supporting documentation, and address any identified risks or concerns.

• Vendor Details: Gather business registration, ownership structure, physical locations, and key contact information.
• Service Scope: Document exactly what services or products the vendor will provide and how they interact with your operations.
• Compliance Records: Collect certificates, licenses, and evidence of compliance with Privacy Act 2020 and industry regulations.
• Risk Categories: Define specific areas for assessment: data security, financial stability, operational capability, and health and safety practices.
• Evaluation Criteria: Create clear scoring metrics and acceptable risk thresholds for each assessment area.

• Vendor Information Section: Legal business name, registration details, and authorized representative contacts under Companies Act requirements.
• Risk Assessment Criteria: Clear evaluation metrics aligned with Privacy Act 2020 and industry-specific regulations.
• Data Handling Protocols: Specific measures for protecting personal information and maintaining confidentiality.
• Compliance Declaration: Vendor's confirmation of adherence to New Zealand laws, including Health and Safety requirements.
• Assessment Outcomes: Documentation of risk levels, mitigation strategies, and approval conditions.
• Authorization Block: Dated signatures from both vendor and assessor representatives.

A Vendor Risk Assessment Form differs significantly from a Vendor Risk Management Policy in both scope and application. While they work together, each serves a distinct purpose in your organization's risk management framework.

• Purpose and Timing: The assessment form is a practical tool used to evaluate specific vendors at a point in time, while the policy document sets out your organization's ongoing approach to managing vendor risks.
• Content Focus: Assessment forms contain specific questions and metrics for individual vendor evaluation, whereas the policy outlines broader principles, procedures, and responsibilities.
• Legal Standing: The policy serves as a governance document that demonstrates compliance with Privacy Act 2020 requirements, while the assessment form provides documented evidence of due diligence for specific vendor relationships.
• Usage Pattern: Assessment forms are completed multiple times for different vendors, but the policy remains relatively stable as your master framework document.