
Compliance Score & Applying Overrides (Exemptions & Non-Compliance)

Written by Kian Pace
Updated over a week ago

As suppliers sign up to the platform and complete their security profiles, you can set up your policies within Risk Ledger and assign supplier tags to automatically calculate a compliance score.

What is compliance?

Compliance is a measure of how many of the security controls that a supplier has implemented align with the requirements that you have applied over that supplier, within your applicable policies.

💡To calculate a supplier's compliance, you must have tags applied to that supplier. If there are no tags applied, the compliance score will automatically sit at 100%, as there will be no policies applied over their assessment. If this is the case, the platform will display a warning message on the supplier overview page under the "Policies Applied" card on the right-hand side of the page.


How is the compliance score calculated on Risk Ledger?

A supplier's compliance score is automatically calculated by comparing the applicable requirements in your policies against the supplier's assessment, giving you a percentage score.

The supplier's Overview page gives you a quick snapshot of their overall compliance and highlights which domains are the most and least compliant.

You can view in detail which controls are compliant and which are non-compliant by navigating to the "Assessment" tab.

You can filter for all compliant or non-compliant controls by selecting them in the "Filter by..." panel on the right-hand side of the page.

To view further context for a control, expand it by clicking into it. From there you can see what your policy requires and take action by starting a discussion with your supplier, requesting remediation, or applying an exemption to the control (see below).


Applying an exemption to a non-compliant control

💡If a supplier marks a control as N/A but your policy requires that control to be in place, the platform will still mark that control as non-compliant. This is so that you do not miss any potential security gaps. To accept the N/A response as compliant, you can apply an exemption to the control.

An exemption makes a non-compliant control compliant. It is a way for you to remove the requirement for a supplier to have a control implemented. You may want to do this if a supplier falls under a requirement that, upon examination, you don't think is relevant to them.

To apply an exemption, please follow the steps below:

  1. Navigate to a supplier's assessment page.

  2. Locate the control that you would like to apply non-compliance against. Please note, you can only apply non-compliance against a control that is compliant.

  3. Click on the control to expand it. To apply non-compliance, click the "Apply Non-Compliance" button.

  4. Enter a reason for applying the non-compliance and click "Apply Non-Compliance".

  5. You can remove the non-compliance by following the above steps for a control on which a non-compliance has been applied and clicking the "Remove" button next to the "Non-Compliance Applied" box.

For non-compliant controls you can request that a supplier remediate the control.


Utilising the Overrides section on a supplier's profile

When navigating to a supplier’s profile, there is an Overrides section on the Overview page, which allows you to view any Overrides that have been applied to their assessment.

Overrides are when a client chooses to override a compliance calculation, and are broken down into:

  • Exemptions - if a client decides that a non-compliant control is acceptable

  • Non-compliances - if a client decides that a compliant control is actually non-compliant

You can manually click into either of these Override types, which will take you to the specific controls they are applied against.


Apply bulk exemptions or non-compliance:

You can apply exemptions or non-compliance to multiple controls at once by selecting the controls using the tick-box to the left of each control and then selecting the "Apply to Selected" button in the top right corner of the assessment page.


💡 If there is anything we haven't covered, please feel free to contact us at support@riskledger.com or alternatively, select the Chat icon in the bottom right corner.
