Vendor risk settings

Configure how vendor risks are calculated and treated.

Vendor Risk Settings

The Vendor Risk Settings screen is where your organisation defines the mathematical framework that governs how risk scores are calculated for all third-party vendor relationships in DPMS. DPOs, compliance officers, and risk managers use this screen to review the current state of the vendor risk model, check who last updated it, and navigate to the edit flow when changes are needed. Without an active, fully configured vendor risk model, vendor records across the platform will either show no risk scores at all or rely on placeholder values that do not reflect your organisation's actual risk appetite — making this screen the essential starting point for meaningful third-party risk management.

How to open it

In the left-hand navigation bar, go to Settings → Risk Settings. In the Risk Settings sidebar, click Vendor Risk.

Heads up: The Vendor Risk entry may not appear in the sidebar in all installations. If you cannot find it in the menu, navigate directly to /risk/settings/vendor in your browser's address bar. This is a known configuration state and does not indicate a problem with your data.

You need the Risk Settings – Read permission to view this screen. Editing requires the additional Risk Settings – Edit permission. If you land on a "Forbidden" error page instead, contact your system administrator to have the appropriate role assigned.

What you see

The page is divided into two main areas. On the left is the Risk Settings navigation menu, which lets you jump between the different risk configuration sections — Standards, Control Sets, Risk Scenarios, Maturity Model, and Deadlines and Urgency — without leaving the Risk Settings area. The currently active section (Vendor Risk) is highlighted in that menu.

The right-hand content area, which takes up most of the page, starts with a title row that carries three pieces of information side by side: the section label ("Vendor Risk"), an Edit button with a pencil icon, and a status indicator. The status indicator is the fastest way to understand where things stand: if no vendor risk model has ever been configured, it reads "Not set" in bold; if the model has been set up and activated, it reads "Custom" followed by an audit note such as "Last edited by Jane Smith on 14 Nov 2024". A thin horizontal line separates this title row from the body below.

Below the title row, two summary tables sit side by side. The Likelihood table lists each configured likelihood level (for example, Very Low through Very High) alongside its numerical weight. The Damage table lists each damage category with its label, currency, and the minimum-to-maximum monetary range for that category (for example, "Low — 0–10K EUR"). If the model has never been configured, both tables are empty. Everything on this screen is read-only; all editing happens on a separate screen reached through the Edit button.

Working with this screen

Reviewing the vendor risk model before an audit

When an external audit is approaching, the Vendor Risk Settings screen gives you an instant, printable overview of your current configuration. Open the screen and look at the title row: if it shows "Custom" with a date and editor name, you can confirm at a glance that the model is active and note who last touched it. The Likelihood and Damage tables below then show you the exact numerical weights and monetary ranges that DPMS is using to calculate scores on every vendor record in the system.

If everything looks correct, no interaction is required — the screen is purely informational in this scenario. You can then use the left sidebar to jump directly to the Maturity Model or Risk Scenarios sections to continue your audit review.

Setting up the vendor risk model for the first time

If the title row shows "Not set", the model has never been configured. This is expected on a new installation and is not an error. Here is how to proceed:

  • Click the Edit button in the title row. DPMS navigates you to a setup page where you first choose how many risk categories you want (for example, three, four, or five bands such as "Minimal," "Average," and "Critical"). Choosing carefully matters here — once the model is activated, the number of categories cannot easily be changed.
  • After you confirm your choice, DPMS takes you to the full edit form. There you define each likelihood level and its numerical weight, each damage category with its monetary range and currency, the colour and label for each risk category band, and the threshold values on the risk slider that separate one category from the next.
  • Finally, within the edit form, click the Activate button (the pill-shaped toggle at the top of the form). The Activate button only becomes clickable once all required data — likelihood, damage, categories, and slider thresholds — has been filled in correctly. Once activated, the model is live and DPMS will begin calculating risk scores on all vendor records using your new configuration.

Once you return to this overview screen, the title row will now show "Custom" with your name and today's date.

Updating an existing configuration

If you need to adjust damage thresholds following a regulatory change, or update the likelihood scale after a board decision, the process is straightforward:

  • On the Vendor Risk Settings screen, verify the current values in the Likelihood and Damage tables so you know what you are changing from.
  • Note the "Last edited by…" audit note in the title row. This confirms who made the previous change and when.
  • Click Edit. DPMS navigates you to the full edit form where every value — likelihood weights, damage ranges, currency, category labels, and slider thresholds — can be modified.
  • Save your changes in the edit form. DPMS records your name and the current date-time in the audit trail. When you return to this overview screen, the "Last edited by…" note will reflect your update.

Note that after saving changes, a background job recalculates risk scores across all existing vendor records. The updated scores may not appear immediately in the vendor list — allow a few minutes for the recalculation to complete.

Checking who last changed the configuration

The audit note next to the "Custom" label is derived from the model's internal change record. It shows the name of the person who last saved threshold data, and the date of that save. This is useful when you need to confirm that a specific change — for example, a threshold update agreed in a board meeting — has actually been applied in DPMS. If the note matches the expected person and date, no further action is needed. If you want to make additional changes, click Edit; if you are satisfied, navigate away using the left sidebar.

Reviewing the screen with read-only access

If you have the Risk Settings – Read permission but not the Risk Settings – Edit permission, the Edit button appears in a greyed-out style with a not-allowed cursor. Hovering over it displays a tooltip explaining the restriction. You can still view all the configured likelihood levels, damage categories, activation status, and the audit note, and use that information for reporting or internal review. To gain edit access, ask your system administrator to assign the appropriate role.

Field reference

The overview screen itself has no editable fields — it is read-only. The tables it displays are populated from the model saved in the edit form. For reference, here is what each piece of information represents:

  • Likelihood level label — A qualitative name for a probability band, such as "Very Low" or "High". Each level maps to a numerical weight that feeds into the overall risk score formula.
  • Likelihood numerical value — The weight assigned to that probability band. Higher numbers indicate greater probability of a risk event occurring.
  • Damage category label — A qualitative name for an impact band, such as "Low" or "Severe".
  • Damage currency — The currency in which monetary damage ranges are expressed (set in the edit form).
  • Damage range (min–max) — The monetary boundaries of that damage band, for example 0–10,000 EUR. These ranges are used to translate financial impact into a damage score.
  • Status indicator — Shows either "Not set" (model has never been activated) or "Custom" (model is active and has been configured by your organisation).
  • Last edited by / on — The name of the last person to save threshold data in the edit form, and the date of that save. Only appears after the model has been saved at least once through the edit form.
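The setup steps above and this field reference describe a model that is only allowed to go live once likelihood levels, damage categories, risk category bands and slider thresholds are all filled in consistently. The following Python is an added example written for this page, not DPMS code: it models those pieces as plain data, checks the activation precondition the way an administrator might before clicking Activate, and then shows how a monetary loss is translated through the damage ranges into a band. The data shapes, the combination rule (likelihood weight multiplied by the 1-based damage index, compared against the slider thresholds) and every sample value are assumptions made for the illustration; the settings screen does not publish DPMS's own formula.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class DamageCategory:
    """One impact band: label, currency and a half-open monetary range [min, max)."""
    label: str
    currency: str
    min_amount: int
    max_amount: int


@dataclass
class VendorRiskModel:
    """Assumed shape of a vendor risk model, mirroring the four required parts."""
    likelihood: Dict[str, int]        # level label -> numerical weight
    damage: List[DamageCategory]      # ordered from least to most severe
    categories: List[str]             # risk band labels, lowest to highest
    thresholds: List[int]             # slider cut-offs; one fewer than categories


def validate_model(model: VendorRiskModel) -> List[str]:
    """Return the list of reasons the model is not ready to activate (empty = ready)."""
    problems: List[str] = []

    # Likelihood: at least one level, positive and distinct weights.
    if not model.likelihood:
        problems.append("no likelihood levels defined")
    weights = list(model.likelihood.values())
    if any(w <= 0 for w in weights):
        problems.append("likelihood weights must be positive")
    if len(set(weights)) != len(weights):
        problems.append("likelihood weights must be distinct")

    # Damage: one currency, valid ranges, contiguous without gaps or overlaps.
    if not model.damage:
        problems.append("no damage categories defined")
    if len({d.currency for d in model.damage}) > 1:
        problems.append("damage categories must share one currency")
    for d in model.damage:
        if d.min_amount < 0 or d.min_amount >= d.max_amount:
            problems.append(f"damage range for '{d.label}' is not min < max")
    for prev, nxt in zip(model.damage, model.damage[1:]):
        if nxt.min_amount != prev.max_amount:
            problems.append(f"gap or overlap between '{prev.label}' and '{nxt.label}'")

    # Categories and slider thresholds: n bands need n-1 strictly increasing cut-offs.
    if len(model.categories) < 2:
        problems.append("at least two risk categories are required")
    if len(model.thresholds) != len(model.categories) - 1:
        problems.append("thresholds must number one fewer than categories")
    if any(b <= a for a, b in zip(model.thresholds, model.thresholds[1:])):
        problems.append("slider thresholds must be strictly increasing")

    return problems


def can_activate(model: VendorRiskModel) -> bool:
    """True only when every required part of the model is filled in correctly."""
    return not validate_model(model)


def damage_index(model: VendorRiskModel, loss_amount: int) -> int:
    """Translate a monetary loss into a 1-based damage score via the configured ranges."""
    for i, d in enumerate(model.damage, start=1):
        if d.min_amount <= loss_amount < d.max_amount:
            return i
    if loss_amount >= model.damage[-1].max_amount:
        return len(model.damage)          # beyond the top range: cap at the highest band
    raise ValueError("loss amount is below the lowest damage range")


def risk_band(model: VendorRiskModel, likelihood_label: str, loss_amount: int) -> str:
    """Assumed scoring rule: weight x damage index, placed into a band by the thresholds."""
    score = model.likelihood[likelihood_label] * damage_index(model, loss_amount)
    band = sum(1 for t in model.thresholds if score >= t)
    return model.categories[band]


# Constructed sample model (values chosen for the illustration only).
SAMPLE_MODEL = VendorRiskModel(
    likelihood={"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5},
    damage=[
        DamageCategory("Low", "EUR", 0, 10_000),
        DamageCategory("Medium", "EUR", 10_000, 100_000),
        DamageCategory("High", "EUR", 100_000, 1_000_000),
        DamageCategory("Severe", "EUR", 1_000_000, 10_000_000),
    ],
    categories=["Minimal", "Average", "Critical"],
    thresholds=[6, 12],
)

# Same model with the thresholds entered out of order: Activate must stay disabled.
BROKEN_MODEL = VendorRiskModel(
    likelihood=SAMPLE_MODEL.likelihood,
    damage=SAMPLE_MODEL.damage,
    categories=SAMPLE_MODEL.categories,
    thresholds=[12, 6],
)

if __name__ == "__main__":
    print("sample ready:", can_activate(SAMPLE_MODEL))
    print("broken problems:", validate_model(BROKEN_MODEL))
    print("High likelihood, 250,000 EUR loss ->", risk_band(SAMPLE_MODEL, "High", 250_000))
```

The contiguity check on the damage ranges is the one worth keeping even if the rest is adapted: a gap between two monetary ranges means some vendors' losses fall into no band at all, which shows up downstream as the empty or placeholder scores the overview page warns about.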

How this connects to the rest of DPMS

The Vendor Risk Settings screen sits at the heart of your third-party risk workflow. Everything downstream depends on whether this model is properly configured and activated:

  • Vendor detail pages and risk dashboards — The likelihood weights, damage ranges, category thresholds, and activation status configured here are what DPMS uses to calculate the risk score shown on every vendor record. If the model is not activated, those screens will show empty or placeholder risk values.
  • Risk Settings navigation — The left sidebar lets you move between Vendor Risk and the other risk configuration areas (Standards, Control Sets, Risk Scenarios, Maturity Model, Deadlines and Urgency). Each of these screens is part of the broader framework that shapes how risk is understood across the platform.
  • Background recalculation — After you save changes in the edit form and return to this screen, a background job recalculates risk scores on all vendor records. The edit form will show a notification if a recalculation is still running, and during that time the edit form may be temporarily locked.

What to do after configuring this screen: Once the vendor risk model is active, visit individual vendor records to confirm that risk scores are populating correctly. You may also want to review the Risk Scenarios configuration to ensure that the scenarios assigned to vendors align with the likelihood and damage categories you have just defined.

Tips & common pitfalls

Tip: "Not set" is not a problem — it simply means the model has never been configured. Every new installation starts here. Click Edit and follow the two-step setup (choose category count, then fill in the detail) to get your first model live.
Heads up: The number of risk categories you choose at setup cannot be changed once the model is activated. If you later discover you need a different number of bands, you must first deactivate the model from within the edit form — which will affect all existing vendor risk scores until the model is reactivated with the new structure.
  • Activate inside the edit form, not here. This overview screen shows whether the model is active, but you cannot toggle activation from here. You must click Edit and use the activate control inside the edit form. The activate control only becomes clickable once all required data has been correctly filled in.
  • The "Last edited by…" note only appears after a full save. If you expect to see an audit note but the title row just shows "Custom" without a name or date, it usually means the model was imported or created automatically rather than saved through the edit form. Run a manual edit-and-save cycle to populate the audit trail.
  • After saving changes, scores update asynchronously. Don't be alarmed if vendor risk scores in the vendor list don't change immediately after you update the model. A background job handles the recalculation, and the edit form will tell you if that job is still running.
  • The Edit button is always visible, but may be greyed out. Even if you lack the Risk Settings – Edit permission, the button is still shown — just in a disabled style with a tooltip. If you need edit access, contact your system administrator.
  • If Vendor Risk is missing from the sidebar, navigate directly to /risk/settings/vendor. The menu item may be disabled in your installation's configuration. The screen and all its functionality are still available via direct URL.