
Compliance Scores, Exemptions and Overrides for Clients

Understand how supplier compliance scores work and how to apply exemptions and overrides when reviewing results.

Written by ish
Updated yesterday

What is compliance?

Compliance shows how well a supplier meets your security requirements. It tells you what percentage of your required security controls a supplier has implemented, calculated based on the policies you've applied to that specific supplier.

As suppliers sign up to the platform and complete their security profiles, you can set up your policies within Risk Ledger and assign supplier tags to automatically calculate a compliance score for each supplier.


Supplier Overview

A supplier's Overview page gives you a quick snapshot of that supplier's overall compliance and highlights which domains are the most and least compliant.

Hovering over the question mark symbol (?) next to the Compliance Score opens a popup showing which policies are applied to this supplier and the supplier's compliance against each of them.

You can also scroll down to Policies in the right-hand menu on the Overview page to see which policies have been applied to a supplier.


Reviewing control detail

You can view which controls are compliant and non-compliant in detail by navigating to the "Assessment" tab.

You can filter for all compliant or non-compliant controls by selecting them in the "Filter by..." panel on the right-hand side of the page.

To view further context for a control, expand it by clicking into it. From there you can see which policies require the control and take action: start a discussion with your supplier, request remediation, or apply an exemption to the control (see below).


How is the compliance score calculated on Risk Ledger?

A supplier's compliance score is calculated automatically by taking the applicable requirements in your policies, comparing them against the supplier's assessment, and expressing the result as a percentage.

What is included in the score

Only controls that are explicitly required by your policies are scored.

A control will only be included in the compliance calculation when:

  • your policy has a rule attached to that control, and

  • the control is in scope for the supplier.

What is not scored

Controls will be marked Not scored and excluded from the calculation when:

  • no policy rule exists for that control

  • the supplier’s answers place a whole domain out of scope

  • a parent scoping-style control makes its child controls not applicable

Not scored controls do not affect the overall compliance percentage.

This ensures suppliers are only scored on requirements that are both relevant and explicitly required by your organisation.

Additional scoring behaviour

  • If a policy requirement exists, incomplete answers are still scored

  • If you require evidence for a control and no evidence is provided, the control will be marked non-compliant

  • Clients can still apply overrides to controls marked Not scored if required


Applying an exemption to a non-compliant control

An exemption makes a non-compliant control compliant. It removes the requirement for that supplier to implement the control.

To apply an exemption:

  1. Navigate to the supplier’s Assessment page

  2. Locate the control

  3. Expand it

  4. Click Apply Non-Compliance

  5. Enter a reason and confirm

You can remove the non-compliance at any time using the same steps.

For non-compliant controls you can also request remediation from the supplier.


Utilising the Overrides section on a supplier's profile

When navigating to a supplier’s profile, there is an Overrides section on the Overview page where you can view any overrides that have been applied.

Overrides are cases where a client manually changes a compliance result. They are broken down into:

  • Exemptions – marking a non-compliant control as compliant

  • Non-compliances – marking a compliant control as non-compliant

You can click into either type to see which controls they apply to.
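The scoring rules above (what is scored, what is Not scored, the evidence and incomplete-answer behaviour) and the two override types can be put together into one small model. This is an added example, not Risk Ledger's own code; the control identifiers and domains are constructed, and two points the article leaves open are assumed and marked in the comments: an incomplete answer counts as non-compliant, and an override on a Not scored control brings it back into the scored set.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Control:
    control_id: str
    domain: str
    required: bool                      # a policy rule is attached to this control
    evidence_required: bool = False     # the policy demands evidence for this control
    implemented: Optional[bool] = None  # supplier's answer; None = incomplete answer
    evidence_provided: bool = False
    parent_id: Optional[str] = None     # scoping-style parent control, if any

def control_status(c, out_of_scope_domains=(), na_parents=(), exemptions=(), non_compliances=()):
    """Return 'compliant', 'non-compliant' or 'not scored' for one control."""
    # Overrides win. They may also target Not scored controls; assumed here to make them scored.
    if c.control_id in exemptions:
        return "compliant"
    if c.control_id in non_compliances:
        return "non-compliant"
    # Not scored: no policy rule, whole domain out of scope, or a parent makes the child N/A.
    if not c.required or c.domain in out_of_scope_domains or c.parent_id in na_parents:
        return "not scored"
    # Incomplete (None) or "no" answers are still scored; assumed to count as non-compliant.
    if not c.implemented:
        return "non-compliant"
    # Evidence required by the policy but not provided -> non-compliant.
    if c.evidence_required and not c.evidence_provided:
        return "non-compliant"
    return "compliant"

def compliance_score(controls, **scoping):
    """Percentage of scored controls that are compliant; None when nothing is scored."""
    scored = [s for s in (control_status(c, **scoping) for c in controls) if s != "not scored"]
    return None if not scored else round(100 * scored.count("compliant") / len(scored), 1)

# Constructed sample assessment (not real Risk Ledger data).
SAMPLE = [
    Control("A1", "Access", required=True, implemented=True),
    Control("A2", "Access", required=True, evidence_required=True, implemented=True),  # no evidence
    Control("A3", "Access", required=False, implemented=False),   # no policy rule -> not scored
    Control("B1", "Physical", required=True, implemented=True),   # whole domain out of scope
    Control("C1", "Cloud", required=True, implemented=True),      # scoping-style parent control
    Control("C2", "Cloud", required=True, parent_id="C1"),        # child made N/A by C1's answer
    Control("D1", "Data", required=True),                         # incomplete answer, still scored
]
SCOPING = dict(out_of_scope_domains={"Physical"}, na_parents={"C1"})

if __name__ == "__main__":
    print(compliance_score(SAMPLE, **SCOPING))                     # 50.0: 2 of 4 scored controls
    print(compliance_score(SAMPLE, exemptions={"A2"}, **SCOPING))  # 75.0 once A2 is exempted
```

Only four of the seven controls are scored (A3, B1 and C2 are Not scored), so exempting A2 moves the score from 50.0 to 75.0, while marking A1 non-compliant as well brings it back to 50.0.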


Apply bulk exemptions or non-compliance

You can apply exemptions or non-compliance to multiple controls at once by selecting the controls using the tick-box to the left of each control and then clicking the "Apply to Selected" button in the top-right corner of the Assessment page.


💡 If there is anything we haven't covered, please feel free to contact us at support@riskledger.com or alternatively, select the Chat icon in the bottom right corner.
