Reviewing and Adding Vendor Risks

In this article, you will find:

  • Navigation guidance for accessing the Risk Review page.

  • A step-by-step guide to reviewing risks and adding them to your Risk Register.


Accessing Vendor Risks

The Risk Review area of the OneClickComply platform allows users to review potential risks flagged based on the responses provided by vendors in their Due Diligence Questionnaire (DDQ). This section centralises all risks the platform has identified from vendor questionnaire responses, so they can be triaged in one place.

To access this area, navigate to: Compliance > Vendor Management > Risk Review, as shown below:


Navigation guidance for accessing the Risk Review area


Reviewing Vendor Risks

Once you navigate to the Risk Review area, you will see a page similar to the example below:


Screenshot of Vendor Risk Review page


On this page, you will see a list of potential risks associated with your vendors. These are flagged automatically by the platform based on the responses a vendor gave in their Due Diligence Questionnaire (DDQ); no external scanning is involved, so each finding is only as reliable as the vendor's answer.

You manage these risks by manually Accepting or Declining each one according to your business's specific needs.


Understanding the Vendor Risks Table

Each risk within the Vendor Risks table contains the following details to help you make an informed decision:

  • Vendor: The logo, name, and URL of the vendor associated with the risk for easy recognition.

  • Severity: Categorises the risk as Urgent, High, Medium, or Low to help you prioritise critical issues.

  • Risk Name: A short title for the specific risk identified.

  • Description: A longer explanation of the risk, including the vendor's specific response from the DDQ and why this security measure is important.


Taking Action

Each identified risk features two primary actions located on the far right of the row:

Accept: Acknowledges the risk and allows you to provide additional detail before adding it to your formal Risk Register.

Decline: Rejects the risk entirely, removing it from the Vendor Risks table.

Note: We strongly recommend that the Decline option only be used when a risk has been incorrectly identified (for example, a misread questionnaire answer). Declining removes the risk from the Vendor Risks table without recording it anywhere, so rejecting a valid vendor risk will prevent your organisation from tracking, managing or mitigating its potential impacts. If you have decided to tolerate a genuine risk, use Accept and record that choice as a Treatment Decision in the Risk Register instead, so the decision stays auditable.


Managing and Logging Vendor Risks

Once you are ready to manage the discovered vendor risks, you can choose to either Accept or Decline them using the buttons on the far right of the table. If you choose to Accept a risk, a Manage Risk pop-up window will appear, as shown below:


Managing and Logging Vendor Risk


This window allows you to review and configure the specific details of the risk before officially adding it to your organisation's Risk Register (accessible under the ISMS section of the platform).

You will need to review and provide the following information:

  • Risk Name: This field is automatically pre-filled by the platform based on the risk flagged from the vendor's questionnaire and cannot be edited.

  • Risk Description: This field is also pre-filled with an explanation of the risk, but it can be manually edited if you need to adjust the text or add more context.

  • Risk Category: Select the specific area of your business that the risk impacts (e.g., financial, legal, operational).

  • Likelihood: Select a value on a 1-5 scale indicating how likely the risk is to occur.

  • Impact: Select a value on a 1-5 scale representing the level of disruption the risk could cause if it did occur.

  • Treatment Decision: State whether you will Accept, Avoid, Mitigate, or Transfer the risk. Note that Accept here is a treatment choice (you tolerate the risk and keep it on the register), which is distinct from the Accept button on the Risk Review page that opened this window.

  • Mitigation Status: Record whether the risk treatment is Ongoing, Monitored, or Resolved.

  • Control Association: Reference any framework controls that this risk relates to, such as "Cyber Essentials Control A7 User Access Control", so the risk can be traced back to the control it weakens.

Once this information has been filled in, click the Add to Risk Register button at the bottom of the window. This will instantly log the risk in the Risk Register area of your ISMS for continuous tracking.