If a vendor provides compensating control information, or other information that indicates that the risk level of a particular finding differs from the inherent risk, you may want to adjust the severity level of the risk to reflect the residual risk level. UpGuard allows you to adjust the severity level of vendor risks within the platform, and record a justification for that severity adjustment. This functionality is available for risks raised in questionnaires and additional evidence. There are a number of places you can use as the starting point for adjusting risk severity.
There are several other places within the platform where you can create a severity adjustment:
The individual vendor's portfolio risk profile
The portfolio risk profile
In the Manage risks step of a risk assessment
From the Adjusted risks tab in the Modified risks section for a selected vendor.
From within a remediation request
From the questionnaire details page
Irrespective of where you initiate the request, the process for creating the request is the same. In this case we will run through the case where the request is initiated from the individual vendor's portfolio risk profile.
Adjusting risks from the Risk Profile
If you are exploring a vendor’s risk profile and identify a risk for which you want to adjust the severity, click on the risk to expand it. Once the risk is expanded, you’ll see an option to Manage risk, which lists the various actions you can take to manage the risk. In this case, select Adjust this risk.
Once you click Adjust the risk, you’ll be taken to the second step of the risk adjustment process, where you can Configure the risk severity adjustment, by indicating the new (adjusted) risk severity, enter the justification for the severity adjustment (generally based on compensating control information or other context provided by the vendor), set an expiry date if applicable, and nominate an approver if the waiver requires approval. Then click Next.
You’ll be taken to the final step of the process Review and complete. This step is designed to let you review the details of the new risk risk severity adjustment. When you are happy with the details, click Submit Risk Adjustment.
Once the risk adjustment has been completed, (including approval if relevant), you will see the adjusted risks in the Adjusted risks tab in the Modified risks section for a selected vendor.
Once a risk severity has been adjusted, while it is active, it will appear through out the platform and reports based on the new risk severity, with the original risk severity indicated by the background, smaller dot icon.
The vendor score will also be adjusted based on the new severity. Like risk waivers, severity adjustments will only impact the risk severity and vendor score shown to your organization.