UpGuard allows you to create and store risk assessments for any of your monitored vendors. The risk assessment feature allows you to:

  • Specify the evidence you reviewed as part of the assessment (including domains and their associated risks, questionnaires, additional evidence, and automated scan results)

  • Document your findings based on this evidence

  • Record who conducted the assessment

  • Set a reassessment date

  • Export the assessment as a PDF

  • Make the assessment visible within the app to all the users of your account

Creating a risk assessment

Step 1: Monitor the vendor

Before you can create a risk assessment, you need to be monitoring the vendor. If you aren't currently monitoring the vendor you want to assess, you can learn how to monitor them here.

Step 2: Select the vendor

If you're already monitoring them, you can find the vendor by clicking on the Vendors section under Vendor Risk in the sidebar, marked 1 in the screenshot below. Now that you've chosen your vendor, click on Risk Assessment in the side panel.

Step 3: Conduct an assessment

If you haven't assessed the vendor, you should see a screen similar to the screenshot shown above. Click either Conduct Assessment button to proceed.

Step 4: Gather and select evidence

The next step is to gather and select the evidence you wish to use as part of your risk assessment. There are a variety of ways to do this, you can:

Step 5: Review the risks and request remediation

Based on the evidence selected, UpGuard will categorize and display the relevant risks for you to review and decide what action you will take for each.

This step also includes the ability to request remediation for any risks you believe the vendor can or should resolve. At the top of the Review Risk section, you can see a "Remediation Summary" which allows you to create or amend a remediation request linked to this risk assessment. Click the "Request remediation" button to select any risks you want to be remediated.

Once you've requested remediation, the status of the risks will be shown in the remediation summary. You can add or remove risks from the request, or click through to the request to view more details on its progress or correspond with the vendor.

You can still complete your assessment whilst remediation is in progress; the remediation summary will continue to update within the completed assessment until it is eventually closed.

Step 6: Write your commentary

Now that you've reviewed the risks, write up any corresponding notes that you wish to include in the Add Commentary section. You can use this section to document any risks you intend to remediate, or risk waivers you are going to create for risks that have sufficient controls in place.

Step 7: Complete the assessment and define a reassessment date

Now that you've finished conducting your risk assessment, click on the Complete Assessment -> button in the bottom right corner, and define a date to reassess the vendor in the future.
