ProcessUnity Risk Index is an exciting new feature that brings transparency, fairness, and actionability to third-party risk assessments for companies and their vendors. Below are answers to common questions to help you understand your index and how to engage with it.
General Understanding
What is Risk Index?
ProcessUnity Risk Index is a dynamic, data-driven risk metric that reflects your company’s risk posture using a combination of attested controls, predictive analytics, external threat intelligence and perimeter scanning.
Why does my company have a Risk Index rating?
Every company on the Global Risk Exchange has a Risk Index based on your most recent attested controls in your Exchange assessment, predictive analytics, external threat intelligence and perimeter scanning. Your Risk Index is recalculated when you update your profile and attested controls on the Global Risk Exchange.
Why has ProcessUnity started rating third parties?
ProcessUnity invested in Risk Index to accelerate the assessment lifecycle for both customers and their third parties. We believe that it will transform how customers interact with your client assurance team by streamlining due diligence requests, alleviating time-intensive request fulfillment for your team. By providing or updating your data contributing to your Risk Index, you help your customers quickly understand your risk posture to identify potential risk areas that will inform their assessment scoping decisions and prioritize the review of findings.
Composition & Transparency
What data is used to calculate my index?
Your rating is based on two types of data that we believe will provide customers with the most complete view of your risk posture:
- Inside-Out: Attested controls questionnaires and uploaded documentation. This includes predictive analytics, our proprietary machine learning model based on your firmographics and similar companies with completed assessments on the Exchange.
- Outside-In: External threat intelligence and permitter scanning (e.g., vulnerabilities, breach history)
How was my index calculated?
Risk Index is calculated using the following data inputs:
- Inside-Out (80%): Complete and/or update your attested standard Exchange assessment and upload supporting documentation (e.g., SOC 2 reports, ISO certifications, security policies, and remediation plans). Inside out data includes security controls (50%) and vulnerability resiliency (30%). Additionally, we leverage our Exchange predictive analytics based on your firmographics (industry, geography, vendor type) to generate predictive risk data that is blended with your attested data.
- Outside-In (20%): Externally gathered data from threat intelligence, perimeter scanning, breach history, and vulnerability exposure. Outside in includes perimeter scanning (10%) and threat intelligence (10%).
Influence & Improvement
How can I improve my index?
You can influence and improve your index by:
- Ensuring your profile information is accurate
- Completing the Global Risk Exchange assessment
- Following guidance to remediate weak controls and/or identified gaps
How quickly will my rating update after I take action?
Ratings typically update within 24 hours after new data is submitted or changes are made. Risk Index is recalculated every time you submit and re-attest the Exchange questionnaire and every time predictive analytics is generated for your company.
Can I dispute or appeal my rating?
If you believe there is an error with your Risk Index after completing the Global Risk Exchange assessment, you can contact exchangesupport@processunity.com to review the contributing data and provide updated information. If you need help understanding or addressing the external components of the rating after viewing them on the Monitoring tab of your profile, you can contact integrationsupport@processunity.com for guidance.
Can I hide my rating from customers?
No, there is no way to hide your Risk Index from customers. This decision was made to maintain the integrity of the Risk Index. Customers will be able to view your rating beginning in March 2026.
Documentation & Assessments
What documents should I upload to support my control attestations?
Common documents include SOC 2 reports, ISO certifications, security policies, and remediation plans.
Do I need to complete a full assessment to get a rating?
No. Risk Index is generated for your company through a predictive analytics model and external threat intelligence regardless of your assessment data on the Exchange. We recommend that you complete the Exchange assessment to provide additional context to your rating and ensure that it is as accurate as possible for your customers. In turn, Risk Index will reduce their requests for you to provide additional context or more information.
The Global Risk Exchange empowers you to complete the cyber controls questionnaire in under an hour with our Assessment Autofill feature. Simply upload the documentation supporting your due diligence requests, ie policies, certifications, and previously completed due diligence questionnaires, and Assessment Autofill will pre-populate the assessment for you. You can review the answers and edit before submission, drastically reducing the time it takes to complete the questionnaire.
Customer Visibility & Impact
Who can see my Risk Index?
Beginning in March 2026, customers will be able to view your Risk Index only if they have your company in their third-party portfolio. It is not publicly displayed.
How do customers use my rating?
Customers use the rating to shortlist your company, perform quick vetting, and streamline vendor assessments. It helps them make faster, more informed decisions.
Will customers see changes to my rating in real time?
Yes. Once your rating updates, customers will see the new version during their next review. Risk Index is recalculated every time you submit and re-attest the Exchange questionnaire and every time predictive analytics is generated for your company.
Getting Started
How do I claim my company profile and start improving my index?
You’ll receive an invitation to claim your profile. Once logged in, you can access your index on your Risk Profile, visit the Action Center, and upload documents to complete your controls questionnaire using Assessment Autofill.
Is there a cost to participate?
No. There is no fee for third parties to engage with the Risk Index or improve their rating.