
Understanding Risk Levels

What each risk classification means and recommended actions

Overview

Ezy Risk uses a four-tier risk classification system based on assessment scores. Each level indicates the degree of security concern and guides your decision on whether, and on what terms, to work with the vendor.

Risk levels are determined by the automated scoring algorithm, which considers question responses, criticality weights, evidence quality, and auto-fail triggers. The numerical score sets the baseline level; auto-fail triggers can raise it (see "Auto-Fail Triggers" below) but never lower it.

Risk Level Spectrum

  Level       Score range
  Low         75-100%
  Medium      50-74%
  High        25-49%
  Critical    0-24%

Low Risk

Score: 75-100%

What it means:

The vendor demonstrates strong security controls and practices. They meet or exceed your security requirements with minimal gaps identified. Good evidence of policies and certifications typically supports their responses.

Typical characteristics:

  • Encryption implemented for data at rest and in transit
  • Robust access controls and identity management
  • Regular security assessments and penetration testing
  • Documented incident response procedures
  • Industry certifications (SOC 2, ISO 27001, etc.)

Recommended Actions:

  ✓ Proceed with the vendor relationship under standard contract terms
  ✓ Schedule an annual reassessment to maintain visibility
  ✓ Monitor the vendor's security posture routinely

Medium Risk

Score: 50-74%

What it means:

The vendor has adequate security controls but gaps exist that warrant attention. They may be missing some best practices or have limited documentation. These vendors are generally acceptable but require closer monitoring.

Typical characteristics:

  • Basic security controls in place but not comprehensive
  • Limited evidence or documentation provided
  • Some security processes are informal or undocumented
  • May lack industry certifications
  • Security improvements planned but not yet implemented

Recommended Actions:

  ⚠ Review findings with your security team before proceeding
  ⚠ Consider additional contractual protections (SLAs, liability clauses)
  ⚠ Request a remediation plan for the identified gaps
  ⚠ Schedule a semi-annual reassessment
  ⚠ Limit data sharing to what is strictly necessary

High Risk

Score: 25-49%

What it means:

Significant security gaps exist. The vendor may lack fundamental controls or have multiple areas of concern. Engagement should only proceed if the vendor is business-critical and risk can be appropriately managed.

Typical characteristics:

  • Missing fundamental security controls
  • No formal security policies or procedures
  • Failed one or more critical security questions
  • Little to no evidence of security practices
  • No history of security assessments or audits

Recommended Actions:

  ⛔ Escalate to security leadership for approval
  ⛔ Require a formal remediation plan with a timeline
  ⛔ Implement compensating controls if proceeding
  ⛔ Minimize the scope of the engagement and the data the vendor can access
  ⛔ Reassess quarterly until the risk is reduced
  ⛔ Consider alternative vendors

Critical Risk

Score: 0-24%

What it means:

Severe security deficiencies. The vendor does not meet minimum acceptable security standards. Engagement poses significant risk to your organization and should be avoided unless absolutely necessary with executive risk acceptance.

Typical characteristics:

  • No encryption for sensitive data
  • No access controls or authentication
  • No incident response capability
  • Multiple auto-fail conditions triggered
  • Evidence of past security incidents or breaches
  • Non-compliance with regulatory requirements

Recommended Actions:

  🚫 Do not proceed with the engagement
  🚫 For an existing vendor, plan termination or a transition to another provider
  🚫 Require executive-level risk acceptance if the engagement is mandatory
  🚫 Document every risk acceptance decision for audit purposes
  🚫 Implement the strongest compensating controls available
  🚫 Monitor the vendor continuously if the engagement proceeds

Auto-Fail Triggers

Some questions are marked as "auto-fail" in assessment templates. A negative response to such a question (one indicating the control is absent) automatically elevates the risk level to at least High, or to Critical when multiple auto-fail conditions are triggered, regardless of the numerical score. A vendor can therefore score in the Low band and still be classified High or Critical. Common auto-fail triggers include:

  • No encryption for sensitive data at rest or in transit
  • No multi-factor authentication available
  • No incident response plan or capability
  • No regular security testing or vulnerability assessments
  • Non-compliance with required regulations (GDPR, HIPAA, etc.)
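The following Python is an added illustration of the two rules this page describes (score bands and the auto-fail override), written for this article and not Ezy Risk's own code; the page does not publish the product's scoring formula. It assumes a weighted average of passed questions (the criticality weights are hypothetical), that fractional scores fall into the band whose lower bound they meet, and that one failed auto-fail question floors the level at High while two or more floor it at Critical, matching the characteristics listed above. The `Answer` type, question names and weights are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class RiskLevel(IntEnum):
    """Ordered so that max() picks the more severe level."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2
    CRITICAL = 3


# Score bands from the article: (inclusive lower bound, level), most favourable first.
BANDS = [
    (75, RiskLevel.LOW),
    (50, RiskLevel.MEDIUM),
    (25, RiskLevel.HIGH),
    (0, RiskLevel.CRITICAL),
]


@dataclass(frozen=True)
class Answer:
    """One questionnaire response (hypothetical structure for this example)."""
    question: str
    passed: bool          # True when the vendor has the control
    weight: int = 1       # assumed criticality weight; higher = more important
    auto_fail: bool = False


@dataclass(frozen=True)
class Classification:
    level: RiskLevel
    score: float
    failed_auto_fail: tuple  # questions that triggered the override


def weighted_score(answers):
    """Assumed formula: percentage of total weight earned by passed questions."""
    total = sum(a.weight for a in answers)
    if total <= 0:
        raise ValueError("no weighted questions to score")
    earned = sum(a.weight for a in answers if a.passed)
    return 100.0 * earned / total


def level_from_score(score):
    """Map a 0-100 score to the band whose lower bound it meets."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    for lower_bound, level in BANDS:
        if score >= lower_bound:
            return level
    raise AssertionError("unreachable: BANDS covers 0-100")


def classify(answers):
    """Baseline level from the score, then apply the auto-fail floor.

    The override only ever raises the level (max), never lowers it.
    """
    score = weighted_score(answers)
    baseline = level_from_score(score)
    failed = tuple(a.question for a in answers if a.auto_fail and not a.passed)
    # Assumption: one auto-fail floors at High, two or more at Critical.
    if len(failed) >= 2:
        floor = RiskLevel.CRITICAL
    elif failed:
        floor = RiskLevel.HIGH
    else:
        floor = RiskLevel.LOW
    return Classification(max(baseline, floor), score, failed)


if __name__ == "__main__":
    # Constructed sample: strong answers everywhere except MFA (an auto-fail question).
    sample = [
        Answer("encryption at rest and in transit", True, weight=5, auto_fail=True),
        Answer("multi-factor authentication", False, weight=1, auto_fail=True),
        Answer("incident response plan", True, weight=3, auto_fail=True),
        Answer("annual penetration test", True, weight=2),
        Answer("SOC 2 report provided", True, weight=1),
    ]
    result = classify(sample)
    print(f"score {result.score:.1f}% -> {result.level.name}, auto-fail: {result.failed_auto_fail}")
```

Note that the sample vendor scores about 92% (a Low band score) yet is classified High because the single failed auto-fail question floors the level; reviewers reading only the percentage would miss that.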
