How Risk Scoring Works
Understanding how Ezy Risk automatically calculates vendor risk levels
Overview
Ezy Risk uses a comprehensive scoring algorithm to automatically assess vendor risk based on their responses to security questionnaires. The system evaluates multiple factors to produce both a percentage score and a risk level classification.
This automated approach ensures consistent, objective risk assessments across all your vendors while saving time compared to manual evaluation.
Risk Level Classifications
Low Risk (75-100%)
Vendor demonstrates strong security controls and compliance. Minimal concerns identified. Recommended for standard vendor relationships with routine monitoring.
Medium Risk (50-74%)
Vendor has adequate security controls but some gaps identified. May require additional contractual protections or more frequent reassessment. Review findings before engagement.
High Risk (25-49%)
Significant security gaps identified. Vendor requires remediation before engagement or enhanced monitoring and contractual protections if business-critical. Escalate to security team.
Critical Risk (0-24%)
Severe security deficiencies. Vendor does not meet minimum security requirements. Not recommended for engagement without significant remediation and executive approval.
How Scores Are Calculated
The risk score is calculated based on several weighted factors:
1. Question Responses
Each question in an assessment template has an assigned weight. Positive responses (e.g., "Yes" to security controls) earn points, while negative responses reduce the score. The base score is calculated as: (earned points / maximum possible points) × 100
2. Question Criticality
Questions are categorized by criticality level:
- Critical: Must-have controls (e.g., encryption, access management)
- High: Important security practices
- Medium: Standard security controls
- Low: Best practices and enhancements
Critical questions have higher weight multipliers, meaning failures on critical controls significantly impact the overall score.
3. Section Weights
Assessment templates are organized into sections (e.g., "Data Protection", "Access Control", "Incident Response"). Each section can have a different weight based on its importance to your organization's risk profile.
4. Auto-Fail Triggers
Some critical questions may be marked as "auto-fail" triggers. A negative response to these questions automatically elevates the risk level regardless of the numerical score. Examples include lack of encryption for sensitive data or no incident response plan.
5. Evidence & Documentation
When vendors provide supporting evidence (policies, certifications, audit reports), it increases confidence in their responses. Questions requiring evidence that lack documentation may receive reduced scores.
The Scoring Formula
// Simplified scoring algorithm
For each question:
    base_score = response_value × question_weight
    weighted_score = base_score × section_weight × criticality_multiplier
Total Score = (Σ weighted_scores / Σ max_possible_scores) × 100
Risk Level:
    if auto_fail_triggered → HIGH or CRITICAL
    else if score >= 75 → LOW
    else if score >= 50 → MEDIUM
    else if score >= 25 → HIGH
    else → CRITICAL
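The simplified formula above carried through in Python, as an added example rather than Ezy Risk's own code. The criticality multipliers, the 50% penalty for an undocumented evidence-required answer, the rule that an auto-fail floors the level at HIGH, and the sample template and vendor responses are all assumed values chosen for illustration.

```python
from dataclasses import dataclass

# Risk bands as stated on this page: score threshold (percent) -> level, highest first.
LEVELS = [(75, "LOW"), (50, "MEDIUM"), (25, "HIGH"), (0, "CRITICAL")]
# Multiplier values are assumed for illustration, not Ezy Risk's real ones.
CRITICALITY_MULTIPLIER = {"critical": 3.0, "high": 2.0, "medium": 1.0, "low": 0.5}

@dataclass
class Question:
    text: str
    section: str
    criticality: str            # critical / high / medium / low
    weight: float = 1.0         # points for a fully positive answer
    auto_fail: bool = False     # "No" elevates the level regardless of score
    requires_evidence: bool = False

@dataclass
class Response:
    value: float                # 1.0 = "Yes", 0.0 = "No", partial answers in between
    evidence: bool = False      # supporting document attached

def score_assessment(questions, responses, section_weights, evidence_penalty=0.5):
    """Return (score_percent, risk_level, auto_fail_triggered)."""
    earned = max_possible = 0.0
    auto_fail = False
    for q, r in zip(questions, responses):
        value = r.value
        if q.requires_evidence and not r.evidence:
            value *= evidence_penalty  # undocumented claim gets reduced credit (assumed 50%)
        mult = q.weight * section_weights[q.section] * CRITICALITY_MULTIPLIER[q.criticality]
        earned += value * mult
        max_possible += mult       # a fully positive answer would earn the whole multiplier
        if q.auto_fail and r.value == 0.0:
            auto_fail = True
    score = round(earned / max_possible * 100, 1) if max_possible else 0.0
    level = next(name for threshold, name in LEVELS if score >= threshold)
    if auto_fail and level in ("LOW", "MEDIUM"):
        level = "HIGH"             # assumed: an auto-fail trigger floors the level at HIGH
    return score, level, auto_fail

# Constructed sample template: section weights and four questions.
SECTION_WEIGHTS = {"Data Protection": 2.0, "Access Control": 1.5, "Incident Response": 1.0}
QUESTIONS = [
    Question("Sensitive data encrypted at rest?", "Data Protection", "critical", auto_fail=True, requires_evidence=True),
    Question("MFA enforced for admin access?", "Access Control", "critical"),
    Question("Documented incident response plan?", "Incident Response", "high", auto_fail=True),
    Question("Annual security awareness training?", "Access Control", "low"),
]
STRONG_VENDOR = [Response(1.0, evidence=True), Response(1.0), Response(1.0), Response(1.0)]
GAPPY_VENDOR = [Response(1.0), Response(1.0), Response(0.0), Response(1.0)]  # no evidence, no IR plan
```

The second vendor scores 62.3% (MEDIUM by number) but the missing incident response plan is an auto-fail trigger, so the reported level is HIGH.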
Manual Override
While the system calculates risk automatically, authorized users can override the risk level when business context requires it. Common reasons for override include:
- Vendor is addressing findings with a documented remediation plan
- Compensating controls exist that aren't captured in the questionnaire
- Limited scope of engagement reduces actual risk exposure
- Executive acceptance of risk with documented justification
All overrides are logged in the audit trail for compliance purposes.
Best Practices
- Review high and critical risk vendors with your security team before engagement
- Request evidence for critical security controls to increase assessment confidence
- Schedule periodic reassessments based on risk level (annually for low, quarterly for high)
- Document any risk acceptances or overrides with business justification
- Use findings to create remediation plans for vendors you choose to engage with