Table of Contents
- What is the difference between a Framework, Industry Profile, and Threat Profile?
- What type of data does the Risk Navigator map to provide results?
- How do I view and download ProcessUnity Assessment results?
- How do I view validation results for a company's attested assessment?
- Why do I see more or less high, medium, or low findings in Risk Navigator than identified prior in the old Findings Table?
- What is the difference between Framework Control Score and Risk Exchange Control Score, and how do I use it to make decisions?
- How do I use the Risk Navigator to make decisions?
- How is predictive data calculated for the Risk Navigator?
- I added a company to my portfolio, but no data is available. How long do I have to wait?
- I see Auto Inherent Risk (AIR) was calculated (i.e., unconfirmed inherent risk scores); why am I not seeing Maximum Impact data?
What is the difference between a Framework, Industry Profile, and Threat Profile?
- Frameworks (sometimes known as “Standard Frameworks”) are cybersecurity industry best-practice frameworks, including MITRE ATT&CK, NIST, and CMMC. If you’re unfamiliar with Frameworks, start with the Critical Controls framework, which focuses on the controls ProcessUnity Global Risk Exchange considers critical when assessing a vendor, to get a jump start on analyzing a third party.
- Industry Profiles focus on compliance and regulatory standards such as HIPAA, GDPR, and NERC.
- Threat Profiles are built from real-world cyber attacks. They map the exploits used in an attack to the controls in the ProcessUnity Global Risk Exchange assessment.
What type of data does the Risk Navigator map to provide results?
The Risk Navigator uses our assessment and predictive data to return results. Once a framework or profile is selected, it is mapped to the third party’s assessment (Tier 1 or Tier 2). If the third party does not have an assessment in the Exchange but does have predictive data available, the predictive toggle defaults to “active,” and the mapping can be downloaded. Learn more about our predictive data here.
How do I view and download the ProcessUnity Assessment results?
To view the ProcessUnity Exchange Assessment results in a form that corresponds directly to the existing Assessment questionnaire model, map to the 'ProcessUnity Cyber Risk Questionnaire' framework. You may download the results as an Excel file through the 'Download (XLSX)' button.
By default, the ProcessUnity Global Risk Exchange Assessment is automatically mapped to our new assessment model and displayed on page load. The latest assessment model groups controls by Risk Domain rather than by Control Group. You may review the results on-platform or download them as an Excel file through the 'Download (XLSX)' button.
How do I view validation results for a company's attested assessment?
Although the validation results are visible in any framework mapping, to view only the controls that were requested for validation we recommend mapping to the 'ProcessUnity Critical Cyber Risk Questionnaire' framework, which consists only of those controls.
The 'Validation Status' column describes the validation state, i.e., whether the control could or could not be validated. The 'Evidence Type' column provides additional context on what evidence was provided: written, demonstrated, or verbal evidence, or no evidence at all. Reading the two columns together helps identify scenarios that warrant closer consideration. For example, if a control was not validated but the third party did provide evidence, the third party did not supply adequate documentation to validate that control.
What is the difference between Framework Control Score and Risk Exchange Control Score, and how do I use it to make decisions?
The Risk Exchange Control Score uses a third party’s control answers and metric answers (when available) to calculate a Coverage Score for each sub-control question in the assessment. A weighted average of those sub-control scores gives the Framework Control Score. So, where a ProcessUnity Exchange Control Score focuses on an individual sub-control, the Framework Control Score delivers an overall score for the control’s “family” of questions.
Both scores return a numerical value, where a higher score means the control is “less risky” and a lower score means the control is “more risky.”
How do I use the Risk Navigator to make decisions?
Depending on the needs of your Third Party Risk Management (TPRM) program, the use cases of the Risk Navigator vary. A key concept to remember is that both the Framework Control Score (the weighted average of a specific control’s “family” of questions) and the Exchange Control Score (which focuses on individual sub-control questions) return a numerical value where a higher score means the control is “less risky” and a lower score means the control is “more risky.”
Below are a few examples of how to use the Risk Navigator:
- Prioritizing with Insights
  - Select a framework, industry, or threat profile relevant to your organization
  - Filter by low Framework Control Scores to discover the controls relevant to your relationship with the third party
  - Then look for low Exchange Control Scores to find the specific sub-controls that are relevant to that relationship
  - If you find a vulnerable control, address the concern with your third party
- Uncovering Blind Spots
  - Select a framework, industry, or threat profile relevant to your organization
  - Filter results by Answer State to display “No” and “Skipped” answers
  - Review the “Control Unique Identifiers” column to determine which of the controls are most important to your operations
  - Reference the Exchange Control Score to decide whether the score is within your acceptable range
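The following is an added example, not ProcessUnity code, that works through the scoring relationship (Framework Control Score as a weighted average of sub-control Exchange Control Scores) and both triage flows above on a constructed mapping export. The 0-100 score scale, the per-sub-control weights, and the thresholds are assumptions for illustration; the page does not state them.

```python
# Added example, not ProcessUnity code: scores a constructed Risk Navigator
# mapping export and applies the two triage flows described above.
# Assumed (not on the page): a 0-100 Exchange Control Score, per-sub-control
# weights, and the illustrative thresholds used below.
from collections import defaultdict

# Constructed sample rows, one per sub-control question in the mapping:
# (control_id, sub_control_id, exchange_score, weight, answer_state)
SAMPLE_ROWS = [
    ("AC-1", "AC-1.1", 90, 1.0, "Yes"),
    ("AC-1", "AC-1.2", 40, 2.0, "No"),
    ("AC-1", "AC-1.3", 85, 1.0, "Yes"),
    ("IR-2", "IR-2.1", 95, 1.0, "Yes"),
    ("IR-2", "IR-2.2", 80, 1.0, "Skipped"),
    ("LM-3", "LM-3.1", 30, 1.0, "No"),
    ("LM-3", "LM-3.2", 35, 1.0, "Yes"),
]

def framework_control_scores(rows):
    """Framework Control Score per control: the weighted average of the
    Exchange Control Scores of that control's sub-control questions."""
    totals = defaultdict(lambda: [0.0, 0.0])  # control -> [sum(w*s), sum(w)]
    for control, _sub, score, weight, _state in rows:
        totals[control][0] += weight * score
        totals[control][1] += weight
    return {c: round(ws / w, 1) for c, (ws, w) in totals.items()}

def prioritize(rows, framework_threshold=70, sub_threshold=50):
    """'Prioritizing with Insights': controls whose Framework Control Score is
    low, then the low-scoring sub-controls inside them (higher = less risky)."""
    fw = framework_control_scores(rows)
    weak = {c for c, s in fw.items() if s < framework_threshold}
    return sorted((control, sub, score)
                  for control, sub, score, _w, _state in rows
                  if control in weak and score < sub_threshold)

def blind_spots(rows):
    """'Uncovering Blind Spots': sub-controls answered 'No' or 'Skipped', with
    their Exchange Control Score to compare against your acceptable range."""
    return sorted((control, sub, state, score)
                  for control, sub, score, _w, state in rows
                  if state in ("No", "Skipped"))

if __name__ == "__main__":
    print(framework_control_scores(SAMPLE_ROWS))
    print(prioritize(SAMPLE_ROWS))
    print(blind_spots(SAMPLE_ROWS))
```

Note that IR-2.2 is a blind spot (answer "Skipped") even though its score looks acceptable, which is why the two flows are run separately.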
How is predictive data calculated for the Risk Navigator?
Our Predictive Risk data is produced by applying advanced machine learning to data from varied sources, the majority coming from our third-party risk Exchange, built from more than 14,000 self-assessments validated by ProcessUnity Global Risk Exchange. Our proprietary algorithm analyzes this data together with firmographic information and outside-in scanning data from our partners to predict how a typical company would answer an assessment, with up to 91% accuracy. Our data scientists are available to explain the process in more detail and show how this data can be trusted and used in your TPRM program to save time and improve response rates.
I added a company to my portfolio, but no data is available. How long do I have to wait?
If an attested assessment is available and has been authorized by your third party, the Risk Navigator should be usable immediately. If a third party has no data on the Exchange, predictive data can be supplied instead once the third party’s URL and industry are submitted. Predictive runs are conducted on the second and fourth Tuesday of every month, so if your submission falls between those dates, you will have to wait until the next run to access the third party’s predictive data.
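To turn the run schedule above into an expected wait, here is an added helper (not ProcessUnity code) that finds the next second or fourth Tuesday after a submission date. It assumes a submission made on a run day is not picked up by that day's run, which the page does not specify.

```python
# Added example, not ProcessUnity code: predictive runs happen on the second
# and fourth Tuesday of every month (per the FAQ). Assumption: a submission on
# a run day waits for the following run.
import datetime as dt

def nth_tuesday(year, month, n):
    """Date of the n-th Tuesday (n = 1..5) of the given month."""
    first = dt.date(year, month, 1)
    offset = (1 - first.weekday()) % 7  # weekday(): Monday=0, Tuesday=1
    return first + dt.timedelta(days=offset + 7 * (n - 1))

def next_predictive_run(submitted):
    """First scheduled run strictly after the submission date, rolling over
    to the next month (and year) when both runs this month have passed."""
    year, month = submitted.year, submitted.month
    while True:
        for n in (2, 4):
            run = nth_tuesday(year, month, n)
            if run > submitted:
                return run
        month += 1
        if month == 13:
            month, year = 1, year + 1

def next_run_iso(submitted_iso):
    """ISO date of the next run for an ISO-formatted submission date."""
    return next_predictive_run(dt.date.fromisoformat(submitted_iso)).isoformat()

def wait_days(submitted_iso):
    """Calendar days between submission and the next predictive run."""
    submitted = dt.date.fromisoformat(submitted_iso)
    return (next_predictive_run(submitted) - submitted).days

if __name__ == "__main__":
    # Constructed sample: a Wednesday submission right after the second Tuesday.
    print(next_run_iso("2024-03-13"), wait_days("2024-03-13"))
```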
I see Auto Inherent Risk (AIR) was calculated; why am I not seeing Maximum Impact data?
For some industries we do not have enough information to calculate auto inherent risk. In those cases we use a fallback when calculating inherent risk, mainly so that an overall unconfirmed inherent risk score still exists. These fallback values are not currently used to calculate Maximum Impact per control.