Compliance Score & Applying Overrides (Exemptions & Non-Compliance)
Written by Kian
Updated over a week ago

As suppliers sign up to the platform and complete their security profiles, you can set up your policies within Risk Ledger and assign supplier tags to automatically calculate a compliance score.

What is Compliance?

Compliance is a measure of how many of the security controls that a supplier has implemented align with the requirements that you have applied over that supplier, within your applicable policies.

💡 To calculate a supplier's compliance you must have tags applied to that supplier. If no tags are applied, the compliance score will automatically sit at 100%, as no policies will be applied over their assessment. In this case the platform displays a warning message on the supplier overview page under the "Policies Applied" card on the right-hand side of the page.

How Is the Compliance Score Calculated on Risk Ledger?

A supplier's compliance score is calculated automatically by taking the applicable requirements in your policies and comparing them against the supplier's assessment, giving you a percentage as the score.

The Supplier Overview page gives you a quick snapshot of their overall compliance and highlights which domains are the most and least compliant.

You can view which controls are compliant and which non-compliant in detail by navigating to the "Assessment" tab.

You can filter for all compliant or non-compliant controls by selecting them in the "Filter by..." panel on the right-hand side of the page.

To view further context for a control, click into it to expand it. From there you can see what your policy requires and take action: start a discussion with your supplier, request remediation, or apply an exemption to the control (see below).

Applying an Exemption to a Non-Compliant Control

💡 If a supplier marks a control as N/A but your policy requires that control to be in place, the platform will still mark that control as non-compliant. This is so that you do not miss any potential security gaps. To accept the N/A response as compliant, you can apply an exemption to the control.

An exemption makes a non-compliant control compliant. It is a way for you to remove the requirement for a supplier to have a control implemented. You may want to do this if a supplier falls under a requirement that, upon examination, you don't think is relevant to them.
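The scoring rules described above (tags select policies, required controls are compared against the supplier's answers, N/A on a required control is non-compliant unless exempted, no tags means 100%) and the non-compliance override covered later on this page, modelled as a small Python example. This is an added illustration, not Risk Ledger's code: the control ids, answer values, equal weighting of controls and the `apply_non_compliance` helper are all assumptions.

```python
from dataclasses import dataclass, field
# Constructed model of the scoring rules this page describes, not Risk Ledger's code;
# equal weighting of controls is an assumption.

@dataclass
class Policy:
    tag: str                 # policy applies to suppliers carrying this tag
    required: set[str]       # control ids the policy requires

@dataclass
class Supplier:
    tags: set[str]
    answers: dict[str, str]  # control id -> "implemented" | "not_implemented" | "na"
    exemptions: set[str] = field(default_factory=set)
    non_compliance: set[str] = field(default_factory=set)

def applicable_controls(supplier: Supplier, policies: list[Policy]) -> set[str]:
    """Requirements from every policy whose tag is applied to the supplier."""
    return {c for p in policies if p.tag in supplier.tags for c in p.required}

def control_status(supplier: Supplier, control: str) -> str:
    """'compliant' or 'non-compliant' for one required control, overrides included."""
    if control in supplier.exemptions:
        return "compliant"       # exemption removes the requirement entirely
    if control in supplier.non_compliance:
        return "non-compliant"   # non-compliance override applied by the client
    # N/A on a required control counts as non-compliant so gaps are not hidden
    return "compliant" if supplier.answers.get(control) == "implemented" else "non-compliant"

def compliance_score(supplier: Supplier, policies: list[Policy]) -> tuple[float, dict]:
    """Percentage of applicable controls that are compliant; 100 when no policy applies."""
    required = applicable_controls(supplier, policies)
    if not required:
        return 100.0, {}         # the 'no tags applied' warning case on the page
    statuses = {c: control_status(supplier, c) for c in sorted(required)}
    compliant = sum(s == "compliant" for s in statuses.values())
    return round(100 * compliant / len(required), 1), statuses

def apply_non_compliance(supplier: Supplier, control: str, reason: str) -> None:
    """Override a compliant control to non-compliant; needs a reason and a compliant control."""
    if not reason.strip():
        raise ValueError("a reason is required")
    if control_status(supplier, control) != "compliant":
        raise ValueError(f"{control} is not compliant, so non-compliance cannot be applied")
    supplier.non_compliance.add(control)

# Constructed sample: two policies; the supplier carries only the "cloud" tag
POLICIES = [Policy("cloud", {"A1", "A2", "A3"}), Policy("pci", {"A3", "B1"})]
SUPPLIER = Supplier(tags={"cloud"}, answers={"A1": "implemented", "A2": "na", "A3": "not_implemented"})
```

With the sample data, `compliance_score(SUPPLIER, POLICIES)` returns 33.3, with A2 (answered N/A) and A3 non-compliant; adding "A2" to `SUPPLIER.exemptions` raises it to 66.7.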

To apply an exemption, please follow the steps below:

  1. Navigate to a supplier's assessment page.

  2. Locate the control that you would like to apply non-compliance against. Please note, you can only apply non-compliance against a control that is compliant.

  3. Click on the control to expand it. To apply non-compliance, click the "Apply Non-Compliance" button.

  4. Enter a reason for applying the non-compliance and click "Apply Non-Compliance".

  5. You can remove the non-compliance by following the above steps for a control on which a non-compliance has been applied and clicking the "Remove" button next to the "Non-Compliance Applied" box.

For non-compliant controls you can request that a supplier remediate the control.

Apply Bulk Exemptions or Non-Compliance:

You can apply exemptions or non-compliance to multiple controls at once by selecting the controls using the tick-box to the left of each control and clicking the "Apply to Selected" button in the top right corner of the assessment page.
