How 3PRM Calculates Unified Risk Scores: A Transparency Report

The Problem with Black-Box Scoring

Every TPRM platform produces a vendor risk score. Few of them explain how they calculate it. You get a number (74, B+, "Medium Risk") and you're expected to present it to the board, use it in risk decisions, and defend it in an audit. But when someone asks "why is this vendor a 74 and not an 82?" the answer is usually some combination of "proprietary methodology" and hand-waving.

This creates two problems. First, scores you can't explain are scores you can't defend. When a vendor pushes back on their rating, or when an auditor asks how you determined a vendor was "acceptable risk," you need to point to specific inputs and specific logic, not a black box. Second, opaque scoring makes it impossible to calibrate the model to your organization's actual risk appetite. What matters most to a healthcare company processing PHI is different from what matters to a fintech handling payment data. A one-size-fits-all model can't account for that.

When we built 3PRM's scoring engine, we made two commitments: every score would be fully decomposable into its component parts, and every weight would be configurable by the organization using the platform.

The Three-Component Model

Every vendor risk score in 3PRM is composed of exactly three components. Each measures a different dimension of vendor risk, and each is calculated independently before being combined into a single unified score.

Unified Risk Score — Default Weights

75%

Assessment Score

How did the vendor perform on your security questionnaire?

15%

External Posture

What does the outside world see about their security?

10%

Document Compliance

Are their certifications, policies, and agreements current?

The formula is straightforward:

Unified Score = (Assessment × W₁) + (External Posture × W₂) + (Document Compliance × W₃)

Where W₁ + W₂ + W₃ = 100%. Default: 75/15/10. Configurable per organization.

All three components produce a score from 0 to 100. The unified score is also 0 to 100, with a corresponding letter grade (A through F) and a risk tier label (Strong, Moderate, Weak, Critical). Let's look at what each component actually measures.

Component 1: Assessment Score (Default 75%)

This is the heaviest-weighted component because it measures what matters most: how the vendor actually responds to your security questions. It's the closest thing to a direct evaluation of their controls, policies, and practices.

The assessment score is derived from the vendor's responses to your chosen questionnaire template. 3PRM ships with 7 standard templates, each designed for a different assessment scenario, and supports custom templates you can build yourself:

Quick Security Review: 33 questions across 10 domains. Streamlined assessment for lower-risk vendors focusing on essential controls. Recommended for T3/Medium tier vendors.
Security Assessment (Standard): 104 questions across 11 domains. Comprehensive review covering access control, data protection, incident response, and more.
HIPAA Compliance: 114 questions across 12 domains. Healthcare-focused assessment covering HIPAA Security Rule requirements, PHI handling, and related controls.
PCI-DSS Assessment: 114 questions across 12 domains. Payment card industry assessment for vendors handling cardholder data.
SOC 2 Readiness: 124 questions across 12 domains. Evaluates vendor readiness across the five Trust Service Criteria.
SIG Lite-Aligned Assessment: 138 questions across 23 domains. Aligned with the Shared Information Gathering (SIG) Lite questionnaire framework for comprehensive coverage.
Breach Inquiry: 25 questions across 2 domains. Targeted assessment to send after a vendor breach, covering incident details, data impact, and response actions.
Custom Templates: Build your own assessments with your own questions and domains, tailored to your organization's specific requirements.

The platform recommends a template based on the vendor's criticality tier and data sensitivity. A T3/Medium vendor gets pointed toward the Quick Security Review, while a T1/Critical vendor handling sensitive data would warrant the full Standard assessment or a framework-specific template.

Each control in the assessment receives a maturity rating, and the assessment score is computed as a weighted average of those ratings. AI-powered analysis can automatically evaluate and grade vendor responses, flagging gaps and generating specific recommendations for each control area.

Why 75% default weight? Because self-reported assessment data, despite its limitations, remains the richest source of information about a vendor's actual security posture. External monitoring can tell you about their perimeter, but only an assessment tells you about their access control policies, their incident response procedures, and their data handling practices.

Component 2: External Posture (Default 15%)

External posture is the "what does the outside world see?" check. It's a continuous monitoring score computed from 15 security signals that 3PRM tracks automatically, without requiring any vendor cooperation.

The 15 signals are:

SSL/TLS Configuration: Certificate validity, protocol versions, cipher strength, and configuration best practices.
Security Headers: Presence and configuration of HTTP security headers (CSP, HSTS, X-Frame-Options, etc.).
DNS Security: DNSSEC, SPF, DKIM, and DMARC configuration for email security.
Patching: Detection of known outdated software versions on public-facing infrastructure.
Known CVEs: Active Common Vulnerabilities and Exposures associated with the vendor's exposed services.
Risky Ports: Exposed ports and services that shouldn't be publicly accessible.
Breach History: Known data breaches associated with the vendor, weighted by recency and severity.
Dark Web: Mentions of the vendor's domain, credentials, or data on dark web sources.

Each signal is scored individually and receives a letter grade (A through F). The signals are combined into a weighted composite that becomes the External Posture component. Signal weights reflect their relative severity, so a dark web data leak matters more than a suboptimal HTTP header configuration.

Why only 15% default weight? External monitoring is valuable for catching things vendors won't self-report, like an expired SSL certificate, a newly exposed CVE, or a breach they haven't disclosed yet. But it has inherent limitations. A vendor behind a CDN or WAF may have limited external visibility. A small startup with a simple infrastructure may score differently than an enterprise with a complex perimeter, without that reflecting their actual internal security maturity. External posture is a signal, not the whole story.

Component 3: Document Compliance (Default 10%)

Document compliance measures whether the vendor has provided and maintained the documentation you expect: certifications, policies, agreements, and audit reports. It answers the question: "Are they current on the paperwork?"

The score is based on:

Certification currency: Are their SOC 2, ISO 27001, HITRUST, and other certifications valid and not expired?
Policy coverage: Have they provided requested policies (information security, incident response, business continuity, data protection, etc.)?
Agreement status: Are required agreements in place and approved? This includes DPAs, BAAs, MSAs, and NDAs as applicable to the vendor relationship.
Document recency: When were documents last updated or reviewed?

When a document is uploaded and its review status is updated (approved, rejected, or revision requested), the document compliance score recalculates automatically. Agreement approvals for DPAs, BAAs, MSAs, and NDAs also update relevant vendor flags that feed into the score.

Why only 10% default weight? Having a SOC 2 certificate doesn't mean a vendor is secure. Not having one doesn't mean they're insecure. Document compliance is a hygiene check. It tells you whether the vendor is engaged and responsive, and whether their certifications are current. It matters, but it's the least predictive component of actual security posture.

Why Weights Are Configurable

The 75/15/10 defaults work well as a starting point, but they're defaults, not mandates. Every organization can configure their own weight distribution through the platform's settings.

Here's when you'd want to change them:

Heavy external monitoring focus (e.g., 50/35/15). If you have a large vendor portfolio where comprehensive assessments aren't feasible for every vendor, you might weight external posture more heavily for lower-tier vendors where monitoring data is your primary risk signal.
Document-heavy compliance requirements (e.g., 60/15/25). In regulated industries where auditors specifically ask "does the vendor have a current SOC 2?" and "is the BAA in place?", you might increase the document compliance weight to reflect the regulatory importance of documentation.
Assessment-dominant (e.g., 85/10/5). If your organization conducts thorough assessments and considers monitoring and documentation as supplementary signals, you can weight the assessment score even more heavily.

Weight changes are stored at the organization level and applied retroactively, so all vendor scores recalculate when weights change. This means you can model different weight scenarios to see how your portfolio risk distribution shifts before committing to a change.

Design principle: We intentionally limited the model to three components. It's tempting to add more dimensions (vendor financial health, industry benchmarks, news sentiment), but every additional component dilutes the ones that matter most and makes the score harder to explain. Three components is the right balance between comprehensiveness and clarity. If you can't explain the score to a board member in 30 seconds, the model is too complex.

One Engine, Every Output

One of the most important architectural decisions in our scoring system is that every surface in the platform (the vendor profile, the dashboard widgets, the portfolio summary, and the PDF reports) uses the same scoring engine. This sounds obvious. It wasn't always the case.

During development, we discovered that our in-app scoring pipeline and our PDF report generation pipeline had diverged. They used the same general approach but different implementations, which led to 7 documented discrepancies where a vendor's score displayed differently on the dashboard than it did in a generated report. Some were rounding differences. Some were edge cases where missing data was handled differently. All of them were credibility problems, because a board report that shows a different score than the platform undermines trust in both.

We resolved this by building a shared scoring engine, a single set of pure functions that both the in-app display and the PDF pipeline call. Same inputs, same logic, same output. Every score you see, regardless of where you see it, is computed by the same code path.

This also means that Tria, 3PRM's AI agent, uses the same scoring engine when it retrieves or explains risk scores. When Tria tells you a vendor's unified score is 74, it's reading from the same calculation that powers the dashboard and the PDF report. There's no "AI interpretation" layer that might produce a different number.

What the Score Tells You (and What It Doesn't)

A unified risk score is a decision-support tool, not a decision. Here's what it's designed to do:

Prioritize attention. A score of 42 means "look at this vendor now." A score of 91 means "this one is probably fine, check it on the next review cycle." The score creates triage order.
Track trends. A vendor whose score dropped from 85 to 71 over three months is telling you something, even if 71 is still technically "acceptable." Score trajectories matter as much as point-in-time values.
Communicate to non-technical stakeholders. Boards and executive teams need a number they can understand. "Vendor X is a 74, which is Moderate risk" communicates more clearly than a detailed breakdown of 8 monitoring signals and 47 assessment control ratings.
Enable consistent policy. When your vendor acceptance policy says "no Critical-tier vendors with a unified score below 60 without executive sign-off," you have a clear, defensible threshold that applies uniformly.

What the score does not do is replace judgment. A vendor could score 90 and still pose unacceptable risk if they handle your most sensitive data and you've identified a specific concern that isn't captured in the assessment framework. Conversely, a vendor scoring 65 might be acceptable if they're a low-criticality supplier with no access to sensitive systems. The score informs the decision. Your risk team makes it.

Putting It All Together

Here's a concrete example of how the scoring model works in practice:

Vendor: HealthFit (Healthcare/Benefits, Critical tier)
Assessment Score: 58/100. Completed a HIPAA-aligned assessment. Gaps in incident response documentation and missing evidence for encryption at rest controls.
External Posture: 72/100. SSL/TLS is solid (A), but security headers are weak (D), DNS security is partial (C), and 3 known CVEs were detected on exposed services.
Document Compliance: 45/100. SOC 2 report expired 3 months ago. BAA is in place and approved. No updated information security policy on file.

(58 × 0.75) + (72 × 0.15) + (45 × 0.10) = 43.5 + 10.8 + 4.5 = 58.8 → 59

Unified Score: 59 / 100 | Letter Grade: D | Risk Tier: Weak

This score immediately tells you HealthFit needs attention. But the decomposition tells you where to focus: the assessment gaps (incident response, encryption evidence) are the biggest lever because the assessment component carries 75% of the weight. The expired SOC 2 is also a problem, but fixing documents alone won't materially move the score. The external posture issues (security headers, CVEs) are worth flagging to the vendor but represent a smaller slice of the overall risk picture.

That's the point of transparent scoring. Not just "59 is bad," but "here's exactly why it's 59, and here's what would move it."

See Scoring in Action

Schedule a demo and we'll walk through how unified risk scores work with your actual vendor data.

Schedule a Demo →