There are different scenarios to how our risk recommendations work. Here we explain them.
As explained in our overall risk analysis article, there are certain certificates and audits that automatically trigger a risk offset. We have implemented these recommendations as a guideline for our users. However, we know that our users know the companies in their global production networks better than we do. Therefore, these recommendations can be changed at all times.
How do recommendations and mitigations interact?
There are two general rules for automatic risk offsets in our risk analysis:
Mitigations done by the user have higher priority than our automatic recommendations.
For our recommendations we treat certificates and audits with the same priority. The key is the risk offset and for that we always consider the highest risk factor.
Now, let's dive into the different scenarios:
Do other companies see the recommendations when I upload a certificate for another company?
Yes. When the certificate triggers a recommendation (check this article for which certificates do so) other users connected to this company can see the certificate in the risk profile of the company you uploaded it for because we treat certifications as public information. However, as soon as you manually adjust the recommendation, only you see the new risk offset.
Do other companies see the recommendations when I upload an audit for another company?
That depends on the privacy status with which you uploaded the audit report:
If it is public, then yes. The audit will show for other users in the risk profile of the company you created audit in.
If it is private, then no.
If you didn't create the audit as public but shared it with certain companies, then it will only show for those companies you shared it with.
What happens when another company removes or changes a certificate and/or audit?
Once a certificate or audit is gone - meaning it is archived, removed or in the case of certificates expired - it will not be considered in the risk profile anymore.
What happens when I or someone else uploads another certificate or audit that has a higher recommendation on a risk factor?
This case has different answers depending on the other existing certificates or audits in the according risk profile:
If there is an existing mitigation, these have priority, and the risk profile will not be changed by the new certificate or audit.
If there is only a recommendation it depends on whether this automatic risk offset is higher or lower than the existing one. If the new one has a higher recommendation, it overwrites the old recommendation. If the old one has the higher recommendation, this one stays in place.
What happens when users upload a new version of an audit or certificate?
In this case, it again depends on if there is already a manual mitigation in place:
If there are manual mitigations, these have priority and will be taken over.
If our recommendations have not been manually adjusted, these will stay in place and are the same anyways.
What happens when a new certificate or audit has the same recommendations than existing certificates or audits?
In this case, our risk analysis considers the certificate or audit that was uploaded first to a company.