Understanding Portfolio Risk Findings – CyberGRX

Portfolio Risk Findings performs portfolio-level mappings to a selected framework or threat profile so that you can easily identify, evaluate, and prioritize your poorest-performing third parties and underperforming controls from the most meaningful perspective for your risk management activities.

How to use Portfolio Risk Findings?

Access this feature by clicking the Portfolio Insights icon on the left navigation bar.
You may select a framework to map to by selecting one in the dropdown, which will then immediately begin performing the mapping.
The visuals populate when the mapping is complete. Priority Third Parties represent your top 50 poorest-performing third parties. Risk Registry Priorities list the poorest performing controls shared by priority third parties.
To export the data found in the visuals or access your entire portfolio dataset beyond the top 50 third parties, there is the option to download this data as an Excel file by selecting the ellipses in the top right.
To map a new framework, you may select a new one from the dropdown.
To filter your dataset, choose from four options (Inherent Risk, Calculation Basis (Attested or Predictive), Industry, and Tags). If you have filters applied and choose to export the data to an excel file, those filters will be applied across the entire excel document.

Why would I want to use Portfolio Risk Findings results?

Portfolio Risk Findings is a powerful tool that can help you organize and understand the potential risks hidden inside your portfolio. Here are a few uses listed to help you get started:

If you have no context of what is happening in your portfolio, you can use Portfolio Risk Findings to understand the problem areas hidden in your portfolio when viewed through a Framework or Profile of your choosing to understand who your riskiest vendors are and what your most vulnerable controls are.
If you have limited time, money, or resources, you can select a Framework or Profile most relevant to your operations and then systematically decide which vendors or controls you want to tackle first. With a vendor, you can quickly reduce their access to data, request proof of coverage, request an assessment, or replace the vendor. Whereas if you have a vulnerable control across your entire portfolio, you can begin an internal mitigation strategy to be ready when the vulnerability is exposed.
If compliance is a concern, you can select the appropriate compliance Framework to test which vendors could negatively impact your standings.
If security is your primary focus, selecting an appropriate Threat Profile can give your security team the information on where to look for potential vulnerabilities.
If you need to vet multiple vendors, you can add custom tags to each vendor and then test them through a Framework or Profile vital to you so you can only focus on the vendors whose risk is acceptable to your organization.

How do I interpret a framework score?

A ranking system is applied to all framework scores found in the Priority Third Parties visual for the purposes of contextualizing this score. This ranking system is also associated with each company’s framework score throughout the excel file. The score ranking system is as follows:

Score Interpretation	Framework Score Ranges	Description of Framework Score Rating
Very Poor	0 to 49	Very Poor indicates minimal coverage and substantial risk.
Poor	50 to 69	Poor indicates some coverage and significant risk.
Fair	70 to 79	Fair indicates moderate coverage and risk.
Good	80 to 89	Good indicates significant coverage and limited risk.
Very Good	90 to 100	Very Good indicates maximum coverage and minimal risk.

How is the Framework Score calculated?

The framework score is a weighted average of mapped control scores. Primary controls are weighted more heavily than supporting controls in the calculation. Depending on the mapping, there may be zero, one, or many CyberGRX controls for every Framework control. The score returns a value between 0% - 100% (high risk to low risk.)

The source (attested or predicted) and the answer are the contributing control score factors. The chart below shows the possible scores our analytics algorithm may assign a given control based on the response provided or predicted.

Screenshot_2023-04-07_at_9.21.16_AM.png

What dictates whether a framework control is unmet?

Any framework control with a score less than 60 is considered a control that is unmet, or is at risk, and will be displayed as such in the visuals.

What is in the downloadable Excel report?

The XML report contains all the information from Portfolio Risk Findings but is interpreted differently across multiple sheets to allow you to decide how you want to use the data.

Priority Third Parties (Top 50) - This lists your riskiest (most risky to least risky) vendors regarding the Framework or Profile selected. This is an opportunity to get a big-picture view of which vendors can potentially be problematic.
Risk Registry - This view allows one to see each vendor and every one of their unmet controls. This will enable you to get granular and see where your vendors are, leaving you vulnerable.
Risk Registry Priorities - This is a “control” focused list that shows you the most common unmet control and associated vendors. This gives you a big-picture view of vulnerable controls that are shared across all of your vendors.
Full Portfolio - This sheet offers a view of all vendors in your portfolio with their corresponding Framework Score, whether their calculation was based on Attested or Predictive, the number of Controls at Risk, and whether their Inherent Risk is High, Medium, Low, or Unconfirmed (meaning we currently do not have data yet.)
Framework Reference - A mapping of the Framework to the corresponding CyberGRX assessment.

Can I Use a Custom Framework with Portfolio Risk Findings?

Yes. Your Custom Framework should be an option from the dropdown menu containing our Frameworks and Threat Profiles library. If you do not see it, please get in touch with Customer Success.