Summary
You may want to record the risk and criticality levels for a vendor. This article reviews what each risk type means and how to edit or update each field.
In risk analysis there are two types of risk: residual risk and inherent risk. Both are industry-standard terms.
- Residual risk is the risk that remains after controls are accounted for. It’s the risk that remains after your organization has taken proper precautions.
- Inherent risk is the amount of risk that exists in the absence of controls. In other words, before an organization implements any countermeasures at all, the risk they face is inherent risk.
The Criticality level is a subjective measure determined by your team. It can range anywhere from Nice to Have to Mission Critical.
- The criticality fields are found in the Vendor Details page in the upper-right corner.
- Each field has a dropdown. The Residual Risk and Inherent Risk dropdown options are determined by the input on the Risk Classifications found in Program Automation under the Admin Tools icon.
Adding Risk Classifications, Business Units, Connected Systems, and Vendor Criticality
- Select Admin Tools > Program Automation > Risk Classifications, Business Units, Connected Systems, and Vendor Criticality
You can assign a color to each level of risk and Add a New Data Classification. The names and assigned colors correspond to the options in the Residual Risk and Inherent Risk dropdowns.
The dropdown options for the Criticality field are determined by the inputs of the Business Criticality Levels found in Program Automation. The names here correspond to the selections under the Criticality field. You can also Add a New Level.
To edit the Residual Risk, Inherent Risk, and Criticality fields, select Edit Vendor on the Vendor Details page and then choose one of the dropdown options for each field. You can select and change any field; it is not necessary to set all three. In the example given, the Residual Risk was left blank and can be selected at a later date. Select Finish when done.
(If you have elected to use Intake Form Scoring, you will not be able to manually adjust Inherent Risk, as it is determined automatically by your defined scoring.)
More on intake form scoring can be found HERE.
NOTE: Since the options for each field come from the entries in Data Classifications and Business Criticality Levels, once a value is selected you can only change it to another existing option, not clear it. For this reason, you may want to add another Data Classification such as To Be Determined, or another phrase of your choosing.
For example, if you selected Low Risk Data by mistake for Inherent Risk, you can change it to To Be Determined instead of having to choose one of the other levels of risk. The options offered are based on your entries in Program Automation.
The image below shows the Inherent Risk field being selected; the options shown are High Risk Data, Medium Risk Data, and Low Risk Data, based on the Data Classifications entries in Program Automation.
If you have any issues with the steps above feel free to reach out to support@whistic.com.