# Risk Assessments
Risk assessment is the process of evaluating a vendor’s security posture and calculating risk scores. SecureHive uses two key metrics: inherent risk (the baseline before any controls are considered) and residual risk (the remaining risk after evaluating the vendor’s controls via questionnaire responses).
## Inherent risk
Inherent risk represents the baseline risk level before any security controls or mitigations are considered. It is calculated from five risk factors:
| Factor | Options |
|---|---|
| Vendor Tier | Tier 1 (Critical), Tier 2 (High), Tier 3 (Medium), Tier 4 (Low) |
| Service Criticality | Critical, High, Medium, Low |
| Data Access Level | Full, Partial, Minimal, None |
| Integration Depth | Deep, Moderate, Surface, None |
| Geographic Risk | High, Medium, Low |
To assess inherent risk, navigate to the vendor detail page, open the Inherent Risk tab, fill in all five risk factors, and click Assess Inherent Risk. The system automatically calculates the inherent risk score and assigns a risk level (Low, Medium, High, or Critical).
## Creating a risk assessment

1. **Verify prerequisites.** Before creating an assessment, ensure the vendor's inherent risk has been assessed. Optionally, a questionnaire may also have been sent and its responses reviewed.
2. **Open the Assessments tab.** From the vendor detail page, click the Assessments tab.
3. **Create the assessment.** Click Create Assessment. If questionnaire responses are available, select the response to link. Optionally select a scoring method (the default method is used if none is specified). Click Create.
4. **Review the assessment.** The assessment is created with the vendor's inherent risk score and level, its status set to Draft, and the linked questionnaire response and scoring method recorded.
## Calculating residual risk

1. **Open the assessment detail.** From the vendor's Assessments tab, click View Details on the assessment card.
2. **Calculate residual risk.** Click Calculate Residual Risk (or Recalculate Risk if it was previously calculated). The system reads all reviewed questionnaire responses, applies the configured scoring method formula, calculates a residual risk score (0–100), determines the risk level, and calculates risk reduction metrics.
3. **Review results.** After calculation, the assessment page displays the residual risk score, residual risk level, absolute risk reduction (inherent minus residual), and percentage risk reduction.
Residual risk calculation requires reviewed questionnaire responses. Questions marked as “Not Applicable” are excluded from scoring. Only questions marked as “Applicable” or “Partially Applicable” contribute to the risk score.
## Overriding risk scores

Sometimes you may need to manually override the calculated risk score based on additional context, expert judgment, or external factors not captured in the questionnaire.

1. **Click Override Score.** On the assessment detail page, click the Override Score button.
2. **Enter override values.** In the dialog, provide a new residual risk score (0–100), a new risk level (Low, Medium, High, or Critical), and a required override rationale explaining why you are overriding the calculated score.
3. **Save the override.** Click Save Override. The assessment is marked as manually overridden, and the rationale is stored for audit purposes.
Override rationale is required and will be visible in audit trails. Manual overrides are tracked separately from calculated scores.
## Assessment statuses

Assessments move through four statuses:

- Draft — Assessment created but risk not yet calculated.
- In Progress — Risk calculated, pending review or approval.
- Completed — Assessment approved and finalized.
- Rejected — Assessment rejected during the approval workflow.
## Assessment workflow
The typical assessment lifecycle follows five steps: create the assessment, calculate risk from questionnaire responses, review and optionally override the score, submit for approval through the multi-stage workflow, and finalize upon completion.
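The residual risk calculation, the override rules and the status transitions described above, as an added illustrative model that is not SecureHive's own code. The applicability weights, the level thresholds and the residual formula (inherent score scaled by the weighted share of control gaps) are assumptions standing in for the configurable scoring methods; the applicability filter, the reduction metrics, the mandatory rationale and the status sequence follow the page.

```python
from dataclasses import dataclass, field
# Assumed thresholds and weights: the real scoring method is configurable in SecureHive.
LEVELS = ((75, "Critical"), (50, "High"), (25, "Medium"), (0, "Low"))
WEIGHTS = {"Applicable": 1.0, "Partially Applicable": 0.5}  # "Not Applicable" is excluded
TRANSITIONS = {"Draft": {"In Progress"}, "In Progress": {"Completed", "Rejected"}}

def risk_level(score: float) -> str:
    return next(name for floor, name in LEVELS if score >= floor)

@dataclass
class Response:
    applicability: str       # Applicable / Partially Applicable / Not Applicable
    control_strength: float  # assumed scale: 0.0 (no control) .. 1.0 (fully effective)
    reviewed: bool = True

@dataclass
class Assessment:
    inherent_score: float
    status: str = "Draft"
    residual_score: float = 0.0
    overridden: bool = False
    audit_log: list = field(default_factory=list)

    def transition(self, new_status: str) -> None:
        if new_status not in TRANSITIONS.get(self.status, set()):
            raise ValueError(f"cannot move from {self.status} to {new_status}")
        self.status = new_status

    def calculate_residual(self, responses: list) -> dict:
        # Only reviewed responses count, and only Applicable / Partially Applicable ones.
        used = [r for r in responses if r.reviewed and r.applicability in WEIGHTS]
        if not used:
            raise ValueError("residual risk needs reviewed, applicable responses")
        total = sum(WEIGHTS[r.applicability] for r in used)
        gap = sum(WEIGHTS[r.applicability] * (1 - r.control_strength) for r in used) / total
        self.residual_score = round(self.inherent_score * gap, 1)  # assumed formula, 0-100
        self.transition("In Progress")
        return self.reduction_metrics()

    def reduction_metrics(self) -> dict:
        absolute = self.inherent_score - self.residual_score
        return {"residual_score": self.residual_score, "residual_level": risk_level(self.residual_score),
                "absolute_reduction": round(absolute, 1),
                "percent_reduction": round(100 * absolute / self.inherent_score, 1)}

    def override(self, score: float, level: str, rationale: str) -> None:
        if not rationale.strip() or not 0 <= score <= 100:  # rationale is mandatory
            raise ValueError("override needs a rationale and a score in 0-100")
        self.audit_log.append(("override", self.residual_score, score, level, rationale))
        self.residual_score, self.overridden = score, True
```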
## Next steps
To understand how questionnaire responses drive residual risk calculation, see scoring methods. For the multi-stage approval process, see approval workflows.