Calculating vendor risk
Vendor risk is an umbrella term that covers a wide range of risks your organization may face due to relationships with third-party vendors and the services they provide. Hyperproof focuses on two areas of vendor risk:
Risk level - The overall level of risk a vendor poses to your organization.
Assessed risk - This is directly related to how a vendor answers a questionnaire. The lower a vendor scores on a questionnaire, the higher the assessed risk level. It cannot be edited.
Tip: Think of the risk level as the residual risk and the assessed risk as the inherent risk. The risk level is only impacted when linked controls are mitigated. If there are no mitigated controls, the risk level and assessed risk remain the same.
To ensure that your vendors are not a risk to your organization, you can set a risk level and tolerance, as well as host contract information, all within Hyperproof’s Vendor Register.
Risk level
The risk level is calculated from the latest questionnaire risk and the mitigation of linked controls. It can be overwritten in the event that your organization's risk mapping differs from the default Hyperproof risk map.
Assessed risk
The most recent questionnaire score determines the assessed risk. If the most recent questionnaire has no risk associated with it, it does not affect the assessed risk: the assessed risk either stays at 'Not set' or retains the preceding questionnaire's risk score, whichever applies.
The assessed risk option cannot be edited as it is directly related to how a vendor answers a questionnaire. If a vendor hasn’t completed and submitted a questionnaire, the assessed risk level will not be set. The lower a vendor scores on a questionnaire, the higher the assessed risk level.
The assessed risk is calculated as the total question score divided by the total question weight. It is displayed according to the following scale:
Very low - 90-100%
Low - 70-90%
Moderate - 30-70%
High - 10-30%
Very high - 0-10%
Mitigation
The control health discounts the mitigation factor according to the following schedule:
Healthy - 0%
At risk - 50%
Critical - 100%
For each control, the actual mitigation factor is calculated as (the mitigation factor that the user inputted) x (1 - the discount from the health).
Vendor Health
Vendor health is calculated by comparing the risk level to the tolerance. If the risk level is less than or equal to the tolerance, the vendor is 'Healthy'. If the risk level is greater than the tolerance, the vendor is 'Critical'. If either value is not set, the vendor is 'At risk'.
Example
Galactacore sent out a questionnaire to its vendor, VendorX. The questionnaire contained one single-select question and one multi-select question.
The respondent was awarded 1/1 point for the single-select and 0.5/1 points for the multi-select.
Each question has a weight of 5.
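The following is an added worked example, not Hyperproof's own code. It applies the three formulas the page gives (assessed risk as total question score over total question weight mapped onto the Very low to Very high scale, per-control mitigation as the user's factor times one minus the health discount, and vendor health as risk level against tolerance) to the Galactacore/VendorX questionnaire above. Two things are assumptions of this example rather than statements from the page: that a question contributes weight x (points awarded / points possible), and that each band's lower bound is inclusive where the page's bands meet.

```python
from dataclasses import dataclass

@dataclass
class Question:
    awarded: float    # points the respondent earned
    possible: float   # points available for the question
    weight: float     # weight set by the questionnaire author

# Scale from the page; lower bound treated as inclusive (assumption where bands meet).
ASSESSED_RISK_BANDS = [(0.90, "Very low"), (0.70, "Low"), (0.30, "Moderate"),
                       (0.10, "High"), (0.0, "Very high")]

# Mitigation discount by control health, as listed on the page.
HEALTH_DISCOUNT = {"Healthy": 0.0, "At risk": 0.5, "Critical": 1.0}

def assessed_score(questions):
    """Total question score divided by total question weight, as a 0..1 ratio."""
    total_weight = sum(q.weight for q in questions)
    if total_weight == 0:
        return None   # nothing scored: assessed risk stays 'Not set'
    # Assumption: a question contributes weight x (awarded / possible).
    total_score = sum(q.weight * q.awarded / q.possible for q in questions)
    return total_score / total_weight

def assessed_risk(questions):
    """Map the ratio onto the page's scale; lower score means higher assessed risk."""
    score = assessed_score(questions)
    if score is None:
        return "Not set"
    return next(label for floor, label in ASSESSED_RISK_BANDS if score >= floor)

def effective_mitigation(user_factor, health):
    """Actual mitigation factor = user input x (1 - discount from control health)."""
    return user_factor * (1 - HEALTH_DISCOUNT[health])

def vendor_health(risk_level, tolerance):
    """Risk level <= tolerance is Healthy, above it is Critical, either unset is At risk.
    Levels are passed as ordinal numbers here (assumption about their ordering)."""
    if risk_level is None or tolerance is None:
        return "At risk"
    return "Healthy" if risk_level <= tolerance else "Critical"

# Constructed from the page's example: 1/1 single-select, 0.5/1 multi-select, weight 5 each.
VENDORX = [Question(1, 1, 5), Question(0.5, 1, 5)]

if __name__ == "__main__":
    print(assessed_score(VENDORX), assessed_risk(VENDORX))   # 0.75 Low
    print(effective_mitigation(0.8, "At risk"))               # 0.4
    print(vendor_health(3, 2))                                # Critical
```

Under these assumptions VendorX scores 7.5 of a possible 10 weight, i.e. 75%, which lands in the Low band.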
Leveraging Questionnaires to Assess Vendor Risk
Third-party vendors are an essential part of any organization's ecosystem, but they can sometimes pose serious risks. To mitigate these risks (or to avoid them altogether), organizations rely on vendor questionnaires.
You may want to edit a questionnaire to add weights and points to its questions, so that the questionnaire can be used to assess vendor risk, and to set up gating questions.
In this video tutorial, we'll cover how to edit an existing questionnaire, modify it so that it calculates a vendor's assessed risk, and set up a gating question.
The tutorial below is shown in the administrator role with organizational permission as a manager in Hyperproof. If you are in another role in Hyperproof or have a different permission, you may not have access to some of these areas shown, or they may be greyed out.
Editing a questionnaire in Hyperproof
From the left menu, select Vendors.
Select the Questionnaires tab.
Select the questionnaire you want to edit.
In the right pane, click View questionnaire.
Click Edit.
Do any or all of the following:
Click New to add a new section, question, or text box.
Rearrange questions by dragging and dropping them.
Rearrange sections by dragging and dropping them.
Expand a question box to:
  Edit the question and/or answer options
  Add or remove scoring
  Change the question type
  Add or remove a weight
  Make the question optional or required
  Make the question a gating question
  Duplicate the question
  Delete the question
Click Save.
Questionnaire Answer Scoring
Individual answer scoring is based on how much each answer is worth as determined by the author of the questionnaire. For answers without points, the points default to 'Not set'. Note that scoring is not yet available for the following question types: single-select with explanation, multi-select with explanation, open-text, and proof upload.
Total scoring
The total possible score is the highest theoretical score, i.e., the sum of the question weights.