Drata’s Automated Impact Analysis helps you determine the impact that your vendor poses to your organization based on their data accessed or processed, their operational impact, and their access to your environments.

Based on the Impact that a vendor poses to your organization, you can decide the necessary security review actions to conduct.

BEFORE DIVING IN

This feature is only available to customers with TPRM Pro.

Set up impact assessment

On your Vendors page, select the "My vendors" tab, "Add vendor" button, and then "Add a single vendor" button.

On the Add Vendor drawer, go to the Impact assessment section. Select the best fit options for "Data accessed or processed", the "Operational impact", and the "Access to environment" for this vendor.

The following table displays the industry definitions for the Operational Impact scale.

Field Options	Impact	Description
None	1	No/negligible effect on processes No/negligible financial loss No/negligible relational harms
Low	2	Limited reduction in the effectiveness of processes Minimal to cause financial loss Minimal relational harms
Normal	3	Some reduction in the effectiveness of processes Some financial loss Some relational harms
Important	4	Loss of ability to perform high-importance process, but not mission essential and core business operations Significant reduction in the effectiveness of primary processes, currently or in the future Measurable financial loss Significant relational impacts
Critical	5	Loss of ability to perform mission and core business operations Severe degradation in capability, to an extent and duration that the business is not able to perform primary functions, current or in the future Severe financial loss Servere relational harms

After you complete the selections, there is a recommended impact level which is Drata's recommendation.

This impact level can be changed. If you change the impact level, the field name updates to "Modified Impact level". You can always revert to Drata's recommendation as well.

The following table displays the industry definitions for the Impact Level scale.

The "Unscored" impact level means you did not complete the impact assessment.

Field Options	Impact	Description
Insignificant	1	Minimal loss/damage Local media attention quickly remedied Not reportable to regulator Isolated staff dissatisfaction
Minor	2	Minor financial loss Local reputational damage Reportable incident to regulator, no follow up General staff morale problems and increase in turnover
Moderate	3	Some reduction in the effectiveness of processes. Some financial loss. Some relational harms.
Major	4	Significant financial loss National long-term negative media coverage; significant loss of market share Report to regulator requiring major project for corrective action Some senior managers leave, high turnover of experienced staff, not perceived as employer of choice
Critical	5	Massive financial loss International long-term negative media coverage; game-changing loss of market share Signification prosecution and fines, litigation including class action Multiple senior leaders leave

Update impact assessment

You can always adjust the assessment or change the impact level for the existing vendors. Go to the vendor's profile and edit the Impact assessment section.