All Collections
Vendor Management
Vendor Automated Impact Assessment
Vendor Automated Impact Assessment

Automated Impact Analysis helps you determine the impact that your vendor poses to your organization

Jane Baik avatar
Written by Jane Baik
Updated over a week ago

Drata’s Automated Impact Analysis helps you determine the impact that your vendor poses to your organization based on their data accessed or processed, their operational impact, and their access to your environments.

Based on the Impact that a vendor poses to your organization, you can decide the necessary security review actions to conduct.

BEFORE DIVING IN

This feature is only available to customers with TPRM Pro.

Set up impact assessment

On your Vendors page, select the "My vendors" tab, "Add vendor" button, and then "Add a single vendor" button.

On the Add Vendor drawer, go to the Impact assessment section. Select the best fit options for "Data accessed or processed", the "Operational impact", and the "Access to environment" for this vendor.

The following table displays the industry definitions for the Operational Impact scale.

Field Options

Impact

Description

None

1

  • No/negligible effect on processes

  • No/negligible financial loss

  • No/negligible relational harms

Low

2

  • Limited reduction in the effectiveness of processes

  • Minimal to cause financial loss

  • Minimal relational harms

Normal

3

  • Some reduction in the effectiveness of processes

  • Some financial loss

  • Some relational harms

Important

4

  • Loss of ability to perform high-importance process, but not mission essential and core business operations

  • Significant reduction in the effectiveness of primary processes, currently or in the future

  • Measurable financial loss

  • Significant relational impacts

Critical

5

  • Loss of ability to perform mission and core business operations

  • Severe degradation in capability, to an extent and duration that the business is not able to perform primary functions, current or in the future

  • Severe financial loss

  • Servere relational harms

After you complete the selections, there is a recommended impact level which is Drata's recommendation.

This impact level can be changed. If you change the impact level, the field name updates to "Modified Impact level". You can always revert to Drata's recommendation as well.

The following table displays the industry definitions for the Impact Level scale.

The "Unscored" impact level means you did not complete the impact assessment.

Field Options

Impact

Description

Insignificant

1

  • Minimal loss/damage

  • Local media attention quickly remedied

  • Not reportable to regulator

  • Isolated staff dissatisfaction

Minor

2

  • Minor financial loss

  • Local reputational damage

  • Reportable incident to regulator, no follow up

  • General staff morale problems and increase in turnover

Moderate

3

  • Some reduction in the effectiveness of processes.

  • Some financial loss.

  • Some relational harms.

Major

4

  • Significant financial loss

  • National long-term negative media coverage; significant loss of market share

  • Report to regulator requiring major project for corrective action

  • Some senior managers leave, high turnover of experienced staff, not perceived as employer of choice

Critical

5

  • Massive financial loss

  • International long-term negative media coverage; game-changing loss of market share

  • Signification prosecution and fines, litigation including class action

  • Multiple senior leaders leave

Update impact assessment

You can always adjust the assessment or change the impact level for the existing vendors. Go to the vendor's profile and edit the Impact assessment section.

Did this answer your question?