Overview

LowerPlane’s vendor risk scoring system automatically calculates a numeric risk score for each vendor based on their data handling practices and other boolean attributes. The score is computed during the intake process and when a vendor is approved, giving reviewers an immediate indication of the vendor’s risk level. The scoring formula is fully configurable per organization, allowing you to tailor it to your specific risk methodology and compliance requirements.

How Scoring Works

The risk scoring formula follows a simple, transparent model:
Risk Score = sum over all configured factors of (Factor Value x Factor Weight)
Each risk factor is a boolean field on the vendor record, so Factor Value is 1 when the field is true and 0 when it is false. When a factor is true (enabled), its weight is added to the total score; when it is false, it contributes zero. Because weights may be negative (see Custom Risk Factors), the total can also fall below zero.
The scoring model is intentionally additive. Vendors that handle more sensitive data types accumulate a higher score, which maps to a higher risk level. This makes the formula easy to explain to stakeholders and auditors.

Built-in Risk Factors

LowerPlane provides nine built-in boolean fields that can be used as risk factors:
Factor                     Field Key                  Description
Data Processor             data_processor             Processes data on your behalf
Data Controller            data_controller            Controls how data is used
Handles PHI                handles_phi                Protected Health Information (HIPAA)
Handles PCI                handles_pci                Payment Card Data (PCI-DSS)
Handles PII                handles_pii                Personally Identifiable Information
Handles Confidential       handles_confidential       Confidential or sensitive data
Handles Financial          handles_financial          Financial records or data
VPN Required               vpn_required               Requires VPN connection for access
Access to Sensitive Data   access_to_sensitive_data   Has access to sensitive data systems

Custom Risk Factors

In addition to built-in fields, any boolean custom field defined in Vendor Settings > Custom Fields can be used as a risk factor. This allows you to extend the scoring formula with organization-specific criteria. For example, you might create custom boolean fields such as:
  • “Has SOC 2 Report” (with a negative weight to reduce risk)
  • “Stores data in EU” (for GDPR considerations)
  • “Remote access to production” (increases risk)
  • “Subprocessors declared” (reduces risk if present)
Use negative weights for factors that reduce risk. For example, assigning a weight of -3 to “Has SOC 2 Report” means vendors with a current SOC 2 report receive a lower overall risk score.

Configuring Weights

Navigate to Vendors > Settings > Risk Scoring to configure factor weights.
1. Enable Risk Scoring

Toggle the risk scoring feature on. When disabled, intake submissions will not receive automatic risk scores.
2. Assign Weights to Factors

For each built-in and custom boolean field, assign a numeric weight. The weight represents how much that factor contributes to the overall risk score when the field is true. Common weight assignments:
  • High impact factors (Handles PHI, Handles PCI): weight 5-7
  • Medium impact factors (Data Processor, Handles PII): weight 3-4
  • Lower impact factors (VPN Required): weight 1-2
  • Mitigating factors (Has SOC 2 Report): weight -2 to -5
3. Set Risk Thresholds

Define the score ranges that correspond to each risk level. Make the ranges contiguous so that every reachable total maps to exactly one level. If you use negative weights, a total below 0 is reachable, and the default Low range starts at 0, so check how your configuration classifies such totals before saving. The default thresholds are:
Risk Level   Score Range
Low          0 - 6
Medium       7 - 15
High         16 - 20
Critical     21+
4. Save Configuration

Click Save Risk Scoring to apply the formula. All new intake submissions will use the updated scoring configuration.

Score Calculation Example

Consider a vendor with the following profile:
Factor                      Value   Weight   Contribution
Data Processor              Yes     3        3
Handles PII                 Yes     4        4
Handles PHI                 Yes     6        6
Handles PCI                 No      5        0
VPN Required                Yes     2        2
Has SOC 2 Report (custom)   Yes     -3       -3
Total                                        12
With default thresholds, a score of 12 falls in the Medium range (7-15), so this vendor would be classified as medium risk.
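The formula, the threshold mapping and the recalculation for existing vendors, as an added example in Python (not LowerPlane's own code). The built-in field keys are the page's; "has_soc2_report" is an assumed key for the custom "Has SOC 2 Report" field, and the vendor record is constructed to match the table above. Beyond the single case in the table, it also shows the check a practitioner would run on a threshold configuration before saving it: holes between ranges, a bounded top range, and totals below the lowest range, which negative weights make reachable.

```python
from typing import Mapping, Optional, Sequence

# Added example, not LowerPlane's own code. Weights as they would be entered
# under Vendors > Settings > Risk Scoring; the values mirror the worked example
# on this page. Built-in keys are the page's own; "has_soc2_report" is an
# assumed key for the custom "Has SOC 2 Report" boolean.
WEIGHTS: dict[str, int] = {
    "data_processor": 3,
    "handles_pii": 4,
    "handles_phi": 6,
    "handles_pci": 5,
    "vpn_required": 2,
    "has_soc2_report": -3,  # mitigating factor, hence negative
}

# (level, inclusive lower bound, inclusive upper bound or None for open-ended)
Threshold = tuple[str, int, Optional[int]]
DEFAULT_THRESHOLDS: list[Threshold] = [
    ("Low", 0, 6),
    ("Medium", 7, 15),
    ("High", 16, 20),
    ("Critical", 21, None),
]

# Constructed vendor record matching the page's Score Calculation Example.
EXAMPLE_VENDOR: dict[str, bool] = {
    "data_processor": True,
    "handles_pii": True,
    "handles_phi": True,
    "handles_pci": False,
    "vpn_required": True,
    "has_soc2_report": True,
}


def contributions(record: Mapping[str, bool], weights: Mapping[str, int]) -> list[tuple[str, int]]:
    """Per-factor contribution: the weight when the boolean is true, else 0.
    A factor missing from the record counts as False."""
    return [(key, w if record.get(key, False) else 0) for key, w in weights.items()]


def compute_score(record: Mapping[str, bool], weights: Mapping[str, int]) -> int:
    """Risk Score = sum of (Factor Value x Factor Weight)."""
    return sum(c for _, c in contributions(record, weights))


def classify(score: int, thresholds: Sequence[Threshold] = DEFAULT_THRESHOLDS) -> str:
    """Return the level whose range contains the score.

    With negative weights a total can fall below the lowest range (Low starts
    at 0 by default). Such a score is reported as "Unclassified" rather than
    silently rounded into Low, so the configuration gap stays visible."""
    for level, low, high in thresholds:
        if score >= low and (high is None or score <= high):
            return level
    return "Unclassified"


def threshold_problems(thresholds: Sequence[Threshold],
                       weights: Optional[Mapping[str, int]] = None) -> list[str]:
    """Sanity-check a threshold table before saving it: overlapping ranges,
    holes between ranges, a bounded top range, and (if weights are given)
    a lowest bound above the minimum total the weights can produce."""
    problems: list[str] = []
    ordered = sorted(thresholds, key=lambda t: t[1])
    for (name_a, _, high_a), (name_b, low_b, _) in zip(ordered, ordered[1:]):
        if high_a is None:
            problems.append(f"{name_a} is open-ended but {name_b} starts at {low_b}")
        elif high_a >= low_b:
            problems.append(f"{name_a} and {name_b} overlap at {low_b}")
        elif high_a + 1 != low_b:
            problems.append(f"no level covers {high_a + 1} to {low_b - 1}")
    if ordered[-1][2] is not None:
        problems.append(f"no level covers scores above {ordered[-1][2]}")
    if weights is not None:
        lowest_total = sum(w for w in weights.values() if w < 0)
        if lowest_total < ordered[0][1]:
            problems.append(f"totals as low as {lowest_total} are reachable but "
                            f"{ordered[0][0]} starts at {ordered[0][1]}")
    return problems


def rescore(vendors: Mapping[str, Mapping[str, bool]],
            weights: Mapping[str, int],
            thresholds: Sequence[Threshold] = DEFAULT_THRESHOLDS) -> dict[str, tuple[int, str]]:
    """Recompute score and level for existing vendor records from their intake
    declarations after a formula change (the product does not do this for you)."""
    result: dict[str, tuple[int, str]] = {}
    for vendor_id, record in vendors.items():
        score = compute_score(record, weights)
        result[vendor_id] = (score, classify(score, thresholds))
    return result


if __name__ == "__main__":
    for key, c in contributions(EXAMPLE_VENDOR, WEIGHTS):
        print(f"{key:20} {c:+d}")
    total = compute_score(EXAMPLE_VENDOR, WEIGHTS)
    print(f"total {total} -> {classify(total)}")
    for problem in threshold_problems(DEFAULT_THRESHOLDS, WEIGHTS):
        print("threshold check:", problem)
```

Running the threshold check against the default thresholds together with the weights above reports one problem: a vendor that sets only the SOC 2 factor scores -3, which no default range covers. That is the case to resolve before saving the configuration, either by adjusting the lowest bound or by deciding how such totals should be treated.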

When Scoring Is Applied

Risk scores are calculated at two points:
  1. On intake submission — when a vendor or employee submits the intake form, the risk score is computed from the submitted data handling declarations and displayed to reviewers
  2. On vendor approval — when the intake submission is approved and a vendor record is created, the risk score and level are persisted on the vendor record
Changing the scoring formula does not retroactively update existing vendor scores: the score and level persisted on an approved vendor record reflect the formula in effect at approval time. To recalculate scores for existing vendors, you would need to re-evaluate their intake data against the new configuration.

Scoring vs. Assessment Risk

It is important to distinguish between the two risk evaluation methods:
                  Intake Risk Scoring                    Assessment Risk Scoring
Method            Boolean factor weights                 Domain-weighted questionnaire
When applied      At intake submission                   During formal risk assessment
Depth             Quick, surface-level classification    Comprehensive, multi-domain evaluation
Configurability   Factor weights and thresholds          Template domains, questions, and weights
Purpose           Triage and prioritize vendor reviews   Detailed risk evaluation and compliance mapping
Use intake risk scoring as a triage tool to prioritize which vendors need a full risk assessment first. Vendors with higher intake scores should be assessed sooner.

Best Practices

  • Start with default weights and adjust based on your industry and regulatory requirements
  • Assign higher weights to factors related to your primary compliance frameworks (e.g., PHI for HIPAA-regulated organizations)
  • Use negative weights sparingly for genuinely mitigating factors like current certifications, and verify them before relying on them: intake scores are computed from the submitter's own declarations, so an unverified mitigating factor lets a vendor lower its own score simply by asserting it
  • Review thresholds quarterly to ensure they align with your evolving risk appetite
  • Document your scoring rationale for auditors — the transparent formula makes this straightforward
Setting all weights to zero or disabling risk scoring means intake submissions will not receive automatic risk classification. Reviewers will need to assess risk manually.