The Auto Inherent Risk (AIR) Tab displays the 8 Impact Assessment questions for all "non-confirmed" Third Parties in a user's portfolio. These questions are used to help calculate the “Business Exposure” level (High, Medium, Low) a specific TP has to the user based on their relationship. More information about that calculation can be found here.
AIR and the Impact Assessment are typically used in the early stages of a TPRM team's workflow to identify the riskiest Third Parties in the portfolio, and as such can help prioritize the team's activities around confirming and/or remediating the risk posed by those Third Parties.
Because of the insight this feature provides, and because this step comes early in most workflows, CyberGRX automatically populates the answers to the 8 Impact Assessment questions to expedite the process. The answers are auto-populated by crowd-sourcing the thousands of company relationships that already exist in the Exchange and presenting the most common answer given by similar Customer companies working with similar Third Party companies. This automation is re-run monthly so that the auto-populated answers are routinely recalibrated against the latest data in the Exchange.
Users can edit or accept the auto-populated answers directly on the AIR tab. Once the answers are accepted or edited and submitted, the Third Party is "confirmed" and no longer appears in the AIR tab table. Confirmed Third Parties are still included in the aggregate displayed at the top of the page, and their answers can still be edited at any time, even after confirmation, from the Third Party's Vendor Profile Page.
The answers to the 8 Impact Assessment questions not only help identify the riskiest Third Parties in the absence of self-attested data; they also allow CyberGRX to further contextualize the analysis of the self-attested results once those are available. For example, the answers are used to determine the severity of identified control gaps. A Third Party may indicate on its assessment that it does not encrypt data, but if the user evaluating that Third Party does not provide it with any data, this gap in the Third Party's controls will not be presented as a "High" severity finding, because it has less impact on the user reviewing those results.
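The following is an added illustration of the idea described above, written for this page and not CyberGRX's actual scoring logic: the question names, the exposure roll-up, the gap-to-question mapping and the severity thresholds are all assumptions. It shows how a control gap such as "data not encrypted" can be downgraded when the customer's own Impact Assessment answers say no data is shared with that Third Party, while the same gap stays High for a Third Party that handles regulated data.

```python
"""Hypothetical contextualization of control-gap severity using impact answers.

Added example code; NOT CyberGRX's formula. Question names, weights, thresholds
and the gap-to-question mapping are constructed for illustration only.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class ImpactAnswers:
    """A simplified stand-in for the 8 Impact Assessment questions (assumed)."""

    shares_data: bool          # does the customer provide the Third Party with data?
    data_sensitivity: str      # "none" | "internal" | "confidential" | "regulated"
    network_access: bool       # does the Third Party connect to the customer's network?
    business_critical: bool    # would an outage at the Third Party disrupt core operations?


# Assumed point values for the roll-up to a Business Exposure level.
_SENSITIVITY_POINTS = {"none": 0, "internal": 1, "confidential": 2, "regulated": 3}


def business_exposure(a: ImpactAnswers) -> str:
    """Roll the answers up to High / Medium / Low (constructed thresholds)."""
    score = 0
    if a.shares_data:
        score += _SENSITIVITY_POINTS[a.data_sensitivity]
    if a.network_access:
        score += 2
    if a.business_critical:
        score += 2
    if score >= 5:
        return "High"
    if score >= 2:
        return "Medium"
    return "Low"


# Which impact answer each control gap depends on (assumed mapping).
# If that answer is False, the gap cannot materially affect this customer.
GAP_DEPENDS_ON = {
    "data_not_encrypted": "shares_data",
    "no_mfa_on_remote_access": "network_access",
    "bcp_never_tested": "business_critical",
}


def contextualized_severity(gap: str, a: ImpactAnswers) -> str:
    """Severity of a self-attested gap *for this customer*, not in the abstract.

    Each gap in GAP_DEPENDS_ON is treated as inherently serious; the customer's
    own answers decide whether that seriousness applies to the relationship.
    """
    dimension = GAP_DEPENDS_ON[gap]
    if not getattr(a, dimension):
        # The customer never exposed the relevant asset, so the gap has little
        # impact on them: report it, but not as a High finding.
        return "Low"
    # Otherwise the finding inherits the overall Business Exposure level.
    return business_exposure(a)


if __name__ == "__main__":
    # Constructed sample relationships.
    marketing_vendor = ImpactAnswers(False, "none", False, False)
    payroll_processor = ImpactAnswers(True, "regulated", True, False)
    for name, answers in [("marketing vendor", marketing_vendor),
                          ("payroll processor", payroll_processor)]:
        print(name, business_exposure(answers),
              contextualized_severity("data_not_encrypted", answers))
```

Re-running `contextualized_severity` whenever an answer changes mirrors the page's point that editing an Impact Assessment answer re-triggers the analysis: the self-attested gap is unchanged, but its reported severity moves with the customer's exposure.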
Each time a user edits any answer to the 8 Impact Assessment questions, the analytics engine is re-triggered to provide updated analysis in real time. The updated results can be viewed on the Vendor Profile Page of any Third Party with a completed and delivered assessment.