Vendor Risk & Trust

Risk Assessment

Calculate and manage vendor risk scores, from inherent risk to residual risk assessment

Understanding Risk Assessment

Risk Assessment is the process of evaluating vendor security posture and calculating risk scores. The system uses two key risk metrics:

Inherent Risk

The baseline risk level before any security controls or mitigations are considered. Calculated from vendor tier, service criticality, data access, integration depth, and geographic risk.

Residual Risk

The remaining risk level after considering security controls and questionnaire responses. Calculated automatically from questionnaire answers using configurable scoring methods.

Assessing Inherent Risk

Step-by-Step Guide: Evaluate vendor baseline risk factors

Step 1: Navigate to Inherent Risk Tab

From the vendor detail page, click on the "Inherent Risk" tab.

Step 2: Assess Risk Factors

Fill in the following risk factors:

Vendor Tier

Tier 1 (Critical), Tier 2 (High), Tier 3 (Medium), or Tier 4 (Low)

Service Criticality

How critical is the vendor's service to your operations? (Critical, High, Medium, Low)

Data Access Level

What level of data access does the vendor have? (Full, Partial, Minimal, None)

Integration Depth

How deeply integrated is the vendor? (Deep, Moderate, Surface, None)

Geographic Risk

Geographic risk factors (High, Medium, Low)

Step 3: Save Assessment

Click "Assess Inherent Risk" to save. The system automatically calculates the inherent risk score and risk level (Low, Medium, High, Critical) based on your inputs.

Creating Risk Assessments

Assessment Creation Process: Create assessments from questionnaire responses or manually

Step 1: Prerequisites

Before creating an assessment, ensure:

  • Inherent risk has been assessed (see above)
  • Questionnaire has been sent to vendor and responses reviewed (optional but recommended)

Step 2: Create Assessment

From the vendor detail page → Assessments tab:

  1. Click "Create Assessment" button
  2. If questionnaire responses are available, select the questionnaire response to link
  3. Optionally select a scoring method (default will be used if not specified)
  4. Click "Create"

Step 3: Assessment Details

The assessment is created with:

  • Inherent risk score and level (from vendor profile)
  • Status: "Draft" (until risk is calculated)
  • Linked questionnaire response (if provided)
  • Scoring method used for calculation

Calculating Residual Risk

Automatic Risk Calculation: Calculate residual risk from questionnaire responses

Step 1: Access Assessment Detail Page

From the vendor detail page → Assessments tab, click "View Details" on the assessment card.

Step 2: Calculate Residual Risk

Click the "Calculate Residual Risk" button (or "Recalculate Risk" if already calculated). The system will:

  • Read all reviewed questionnaire responses
  • Apply the configured scoring method formula
  • Calculate residual risk score (0-100)
  • Determine risk level (Low, Medium, High, Critical)
  • Calculate risk reduction metrics

Step 3: View Results

After calculation, the assessment page displays:

Residual Risk Score

Numerical score (0-100) calculated from questionnaire responses

Residual Risk Level

Risk level badge (Low, Medium, High, Critical)

Risk Reduction

Absolute reduction in risk score (inherent - residual)

Risk Reduction %

Percentage reduction in risk
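The two-stage calculation described above, written out as an added Python example. This is not the product's own code: the page says scoring methods are configurable and does not publish a formula, so the factor weights, the 0-to-1 scale positions, the level thresholds (25/50/75) and the residual formula residual = inherent × (1 − weighted control coverage) are all assumptions here. The vendor profile and questionnaire answers are constructed sample data. The example shows the points the page makes: only reviewed responses feed the residual score, an assessment with no reviewed responses cannot be calculated, and risk reduction is reported both as inherent − residual and as a percentage of the inherent score.

```python
"""Inherent risk, residual risk and risk-reduction metrics (added example, assumed scoring)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Answer options per factor, ordered from lowest to highest risk. The option names are
# the ones on the page; the scale positions and weights are assumptions for this example.
FACTOR_OPTIONS: Dict[str, List[str]] = {
    "vendor_tier": ["Tier 4", "Tier 3", "Tier 2", "Tier 1"],
    "service_criticality": ["Low", "Medium", "High", "Critical"],
    "data_access": ["None", "Minimal", "Partial", "Full"],
    "integration_depth": ["None", "Surface", "Moderate", "Deep"],
    "geographic_risk": ["Low", "Medium", "High"],
}
FACTOR_WEIGHTS: Dict[str, float] = {
    "vendor_tier": 0.30,
    "service_criticality": 0.25,
    "data_access": 0.25,
    "integration_depth": 0.10,
    "geographic_risk": 0.10,
}


def risk_level(score: float) -> str:
    """Map a 0-100 score to the page's four levels (threshold values assumed)."""
    if score >= 75:
        return "Critical"
    if score >= 50:
        return "High"
    if score >= 25:
        return "Medium"
    return "Low"


def inherent_risk_score(factors: Dict[str, str]) -> float:
    """Weighted position of each factor on its scale, scaled to 0-100."""
    total = 0.0
    for name, weight in FACTOR_WEIGHTS.items():
        options = FACTOR_OPTIONS[name]
        choice = factors[name]  # KeyError if a factor was left blank on the form
        if choice not in options:
            raise ValueError(f"{name}: unknown option {choice!r}")
        total += weight * options.index(choice) / (len(options) - 1)
    return round(total * 100, 1)


@dataclass
class QuestionnaireAnswer:
    question: str
    control_score: float   # 0.0 = control absent ... 1.0 = fully in place
    weight: int            # importance of the question within the scoring method
    reviewed: bool = True  # only reviewed responses feed the calculation


def residual_risk_score(inherent: float, answers: List[QuestionnaireAnswer]) -> float:
    """Residual = inherent * (1 - weighted control coverage), over reviewed answers only."""
    reviewed = [a for a in answers if a.reviewed]
    if not reviewed:
        # Nothing to score yet: the assessment stays in Draft.
        raise ValueError("no reviewed questionnaire responses to calculate from")
    total_weight = sum(a.weight for a in reviewed)
    coverage = sum(a.weight * a.control_score for a in reviewed) / total_weight
    return round(inherent * (1.0 - coverage), 1)


def risk_reduction(inherent: float, residual: float) -> Tuple[float, float]:
    """Absolute reduction (inherent - residual) and the percentage of inherent risk removed."""
    absolute = round(inherent - residual, 1)
    percent = round(absolute / inherent * 100, 1) if inherent else 0.0
    return absolute, percent


def assess(factors: Dict[str, str], answers: List[QuestionnaireAnswer]) -> dict:
    """Run both stages and return what the assessment page would display."""
    inherent = inherent_risk_score(factors)
    residual = residual_risk_score(inherent, answers)
    absolute, percent = risk_reduction(inherent, residual)
    return {
        "inherent_score": inherent, "inherent_level": risk_level(inherent),
        "residual_score": residual, "residual_level": risk_level(residual),
        "risk_reduction": absolute, "risk_reduction_pct": percent,
    }


# Constructed sample vendor profile and questionnaire responses (not real data).
SAMPLE_FACTORS = {
    "vendor_tier": "Tier 3", "service_criticality": "Medium", "data_access": "Partial",
    "integration_depth": "Moderate", "geographic_risk": "Low",
}
SAMPLE_ANSWERS = [
    QuestionnaireAnswer("MFA enforced for all administrative access?", 1.0, 3),
    QuestionnaireAnswer("Customer data encrypted at rest?", 1.0, 2),
    QuestionnaireAnswer("Incident response plan tested in the last year?", 0.5, 2),
    QuestionnaireAnswer("Independent penetration test in the last year?", 0.0, 2),
    QuestionnaireAnswer("SOC 2 Type II report available?", 1.0, 3, reviewed=False),  # excluded
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE_FACTORS, SAMPLE_ANSWERS).items():
        print(f"{key:20} {value}")
```

With the sample data the inherent score is 41.7 (Medium); the unreviewed SOC 2 answer is ignored, coverage over the four reviewed answers is 6/9, so the residual score is 13.9 (Low), a reduction of 27.8 points or 66.7%.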

Overriding Risk Scores

Manual Risk Override: Manually override calculated risk scores when needed

Sometimes you may need to manually override the calculated risk score based on additional context, expert judgment, or external factors not captured in the questionnaire.

Step 1: Click Override Score

On the assessment detail page, click the "Override Score" button.

Step 2: Enter Override Values

In the dialog, provide:

  • Residual Risk Score: New score (0-100)
  • Risk Level: New risk level (Low, Medium, High, Critical)
  • Override Rationale: Required - Explain why you're overriding the calculated score

Step 3: Save Override

Click "Save Override". The assessment will be marked as manually overridden, and the override rationale will be stored for audit purposes.

Assessment Status and Workflow

Status Types

Draft

Assessment created but risk not yet calculated

In Progress

Risk calculated, pending review or approval

Completed

Assessment approved and finalized

Rejected

Assessment rejected during approval workflow

Assessment Workflow

  1. Create Assessment: from the vendor detail page
  2. Calculate Risk: automated from the questionnaire
  3. Review & Override (optional): manual adjustments if needed
  4. Approval Workflow: multi-stage approvals
  5. Complete: assessment finalized
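The status types and workflow above, together with the manual override rules from the previous section, modelled as an added Python example (not the product's own code). The state machine only permits the transitions the page describes (Draft → In Progress on calculation, In Progress → Completed or Rejected through approval), accepts an override only for a calculated assessment that is not yet finalized, refuses an override without a rationale, and writes every change to an audit log so the rationale survives for review. The transition table, the rule that a recalculation clears an earlier override, the actor names and the sample vendor are assumptions made for this example.

```python
"""Assessment status workflow with manual override and audit trail (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

RISK_LEVELS = ("Low", "Medium", "High", "Critical")

# Allowed status transitions, following the page's workflow. Terminal states have none.
TRANSITIONS = {
    "Draft": {"In Progress"},
    "In Progress": {"Completed", "Rejected"},
    "Completed": set(),
    "Rejected": set(),
}


@dataclass
class Assessment:
    vendor: str
    inherent_score: float
    status: str = "Draft"
    residual_score: Optional[float] = None
    residual_level: Optional[str] = None
    manually_overridden: bool = False
    audit_log: List[dict] = field(default_factory=list)

    def _record(self, event: str, actor: str, **details) -> None:
        """Append an audit entry; the log is never edited in place."""
        entry = {"at": datetime.now(timezone.utc).isoformat(), "event": event, "actor": actor}
        entry.update(details)
        self.audit_log.append(entry)

    def _transition(self, new_status: str, actor: str, **details) -> None:
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"cannot move from {self.status!r} to {new_status!r}")
        self._record("status_change", actor, previous=self.status, new=new_status, **details)
        self.status = new_status

    def calculate_risk(self, residual_score: float, residual_level: str, actor: str = "system") -> None:
        """Store the automatic result; a Draft assessment moves to In Progress."""
        if self.status not in ("Draft", "In Progress"):
            raise ValueError("risk can only be calculated before the assessment is finalized")
        self.residual_score = residual_score
        self.residual_level = residual_level
        self.manually_overridden = False  # assumption: recalculating replaces an earlier override
        self._record("risk_calculated", actor, score=residual_score, level=residual_level)
        if self.status == "Draft":
            self._transition("In Progress", actor)

    def override_score(self, score: float, level: str, rationale: str, actor: str) -> None:
        """Manual override: needs a calculated, unfinalized assessment and a rationale."""
        if self.status != "In Progress":
            raise ValueError("override requires a calculated assessment that is not yet finalized")
        if not 0 <= score <= 100:
            raise ValueError("residual risk score must be between 0 and 100")
        if level not in RISK_LEVELS:
            raise ValueError(f"risk level must be one of {RISK_LEVELS}")
        if not rationale or not rationale.strip():
            raise ValueError("override rationale is required")
        self._record(
            "score_overridden", actor,
            previous_score=self.residual_score, previous_level=self.residual_level,
            new_score=score, new_level=level, rationale=rationale.strip(),
        )
        self.residual_score = score
        self.residual_level = level
        self.manually_overridden = True

    def approve(self, actor: str) -> None:
        self._transition("Completed", actor)

    def reject(self, actor: str, reason: str) -> None:
        self._transition("Rejected", actor, reason=reason)


if __name__ == "__main__":
    a = Assessment("Example Payroll Ltd (constructed)", inherent_score=41.7)
    a.calculate_risk(13.9, "Low")
    a.override_score(30.0, "Medium", "Unremediated findings in last external pen test", "alice")
    a.approve("bob")
    for entry in a.audit_log:
        print(entry)
```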

Next Steps

Approval Workflows

Learn about multi-stage approval workflows for assessments


Scoring Methods

Configure how questionnaire responses are converted to risk scores

