Risk Quantification Updates v10


Overview

SAFE Scoring v10 introduces a simplified, market-aligned FAIR-MAM scoring model for Third-Party Risk Management. This release reduces assessment friction, improves credibility of loss estimates, and aligns SAFE with how the broader TPRM market expects third-party risk to be quantified.

The SAFE Scoring v10 model focuses on first-party exposure resulting from third-party failures, rather than attempting to model the vendor’s internal security posture.

Why?

We updated the SAFE TPRM scoring model to:

  • Reduce onboarding friction

  • Increase analyst efficiency

  • Improve explainability to business stakeholders

  • Align with market expectations for faster and lighter TPRM assessments

What’s New in SAFE Scoring v10

New “Analyze Loss Magnitude” Experience

SAFE Scoring v10 introduces a dedicated Analyze Loss Magnitude page that serves as the single place to configure loss inputs.

Loss is now modeled across two core business resources:

  • First-party revenue (dependent on the vendor)

  • Sensitive PII (including PHI and PCI) processed by the vendor

These resources map to three out-of-the-box (OOTB) TPRM risk scenarios:

  • System Outage

  • Ransomware (No Data Exfiltration)

  • Data Exfiltration

This structure ensures consistent, repeatable loss modeling across all third parties.

Removal of the Financial Impact Questionnaire (FIQ)

The legacy Financial Impact Questionnaire (FIQ) has been fully removed in v10 to reduce complexity and improve adoption.

How FIQ Inputs Are Handled in v10

Existing FIQ data is automatically mapped into the new v10 model, including:

  • Revenue loss per day → Revenue dependency range

  • Number of data subjects → PII owner ranges

  • Regulatory applicability → Inferred from headquarters location and industry sector

FIQ Questions That Are Deprecated

The following inputs are no longer required or modeled:

  • PCI % and PHI % breakdowns

  • Biometrics, IP, and trade secrets

  • Contractual coverage details

The previous 11-question FIQ is now replaced by two structured questions with parent/child inputs, dramatically simplifying assessments.

How Loss Is Modeled in SAFE Scoring v10

Core Loss Inputs (Only 2 Questions)

  1. Sensitive PII Owners: This input captures privacy-related exposure using ranges instead of exact values:

    1. Number of PII owners (range-based)

    2. Tokenization in place (Yes/No)

    3. Geographic distribution of data subjects

    4. Incident Response (IR) maturity

  2. Revenue Dependency: This input captures business interruption exposure:

    1. Revenue at risk (range or custom value)

    2. Percentage of revenue protected by redundancy

First-Party Resiliency (Loss-Only Controls)

SAFE Scoring v10 models only those controls that directly reduce first-party exposure:

  1. Tokenization – reduces PII at risk

  2. Incident Response maturity – improves accuracy of breach response and legal cost modeling

  3. Redundancy – reduces revenue at risk during outages

All other impact controls have been removed.
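The following Python script is an added illustration, not SAFE’s own code or calibration, of the two ideas described above: how legacy FIQ-style exact values (revenue loss per day, number of data subjects) are bucketed into range-based v10-style inputs, and how the three loss-only controls (tokenization, IR maturity, redundancy) reduce first-party exposure across the three OOTB scenarios. The 20M PII record cap comes from this release note; every bucket edge, the tokenization residual, the IR maturity scale and factors, the per-record response cost, and the treatment of Ransomware as revenue interruption are assumptions chosen for the example. Geographic distribution of data subjects and regulatory inference are not modeled here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Stated in the v10 release notes: PII records are capped at 20M for large-scale scenarios.
PII_CAP = 20_000_000

# Assumed, illustrative range buckets (low inclusive, high exclusive; None = open-ended).
# SAFE's actual bucket edges are not published on this page.
Range = Tuple[int, Optional[int]]
PII_OWNER_RANGES: List[Range] = [
    (0, 10_000), (10_000, 100_000), (100_000, 1_000_000), (1_000_000, PII_CAP),
]
REVENUE_RANGES: List[Range] = [
    (0, 1_000_000), (1_000_000, 10_000_000), (10_000_000, 100_000_000), (100_000_000, None),
]

# Assumed control effects, not SAFE's calibration.
TOKENIZATION_RESIDUAL = 0.10          # fraction of PII still at risk when tokenization is in place
RESPONSE_COST_PER_RECORD = 5.0        # assumed breach-response + legal cost per exposed record
IR_MATURITY_FACTOR = {1: 1.5, 2: 1.25, 3: 1.0, 4: 0.85, 5: 0.7}  # assumed 1..5 maturity scale


def to_range(value: float, buckets: List[Range]) -> Range:
    """Return the bucket that contains value; values at or past the last edge land in the last bucket."""
    if value < 0:
        raise ValueError("value must be non-negative")
    for low, high in buckets:
        if high is None or value < high:
            return (low, high)
    return buckets[-1]


def map_fiq_revenue_loss_per_day(loss_per_day: float) -> Range:
    """Legacy FIQ 'revenue loss per day' -> v10 revenue dependency range (assumed bucketing)."""
    return to_range(loss_per_day, REVENUE_RANGES)


def map_fiq_data_subjects(count: int) -> Range:
    """Legacy FIQ 'number of data subjects' -> v10 PII owner range, applying the 20M cap first."""
    return to_range(min(count, PII_CAP), PII_OWNER_RANGES)


@dataclass
class V10LossInputs:
    """The two structured v10 questions with their child inputs (geography omitted here)."""
    pii_owners: Range          # range-based number of PII owners
    tokenized: bool            # tokenization in place (Yes/No)
    ir_maturity: int           # assumed 1..5 scale
    revenue_at_risk: float     # revenue dependent on the vendor (custom value)
    redundancy_pct: float      # percentage of that revenue protected by redundancy


def pii_records_at_risk(inputs: V10LossInputs) -> float:
    """Tokenization reduces PII at risk; the range's upper edge is used, never above the cap."""
    upper = PII_CAP if inputs.pii_owners[1] is None else min(inputs.pii_owners[1], PII_CAP)
    return upper * (TOKENIZATION_RESIDUAL if inputs.tokenized else 1.0)


def revenue_exposed(inputs: V10LossInputs) -> float:
    """Redundancy reduces revenue at risk during an outage."""
    if not 0 <= inputs.redundancy_pct <= 100:
        raise ValueError("redundancy_pct must be between 0 and 100")
    return inputs.revenue_at_risk * (1 - inputs.redundancy_pct / 100)


def scenario_loss_magnitude(inputs: V10LossInputs) -> Dict[str, float]:
    """Loss magnitude per OOTB scenario. IR maturity scales breach-response/legal cost (assumed)."""
    if inputs.ir_maturity not in IR_MATURITY_FACTOR:
        raise ValueError("ir_maturity must be 1..5")
    interruption = revenue_exposed(inputs)
    records = pii_records_at_risk(inputs)
    return {
        "System Outage": interruption,
        # Assumption: ransomware without exfiltration is modeled as business interruption only.
        "Ransomware (No Data Exfiltration)": interruption,
        "Data Exfiltration": records * RESPONSE_COST_PER_RECORD * IR_MATURITY_FACTOR[inputs.ir_maturity],
    }


if __name__ == "__main__":
    # Constructed sample: a vendor that processed 35M data subjects under the legacy FIQ.
    pii_range = map_fiq_data_subjects(35_000_000)            # capped -> (1_000_000, 20_000_000)
    rev_range = map_fiq_revenue_loss_per_day(250_000)        # -> (0, 1_000_000)
    sample = V10LossInputs(pii_range, tokenized=True, ir_maturity=4,
                           revenue_at_risk=50_000_000, redundancy_pct=40)
    print("mapped ranges:", pii_range, rev_range)
    for scenario, loss in scenario_loss_magnitude(sample).items():
        print(f"{scenario:35s} {loss:>16,.0f}")
```

Running the sample shows the two effects the release note describes: the 35M-subject input collapses to the capped top PII bucket, tokenization leaves only a fraction of those records exposed, and redundancy removes the protected share of revenue from both interruption scenarios, which is why outage and ransomware values move together while data exfiltration moves with PII volume and response maturity.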

Expected Impact on Scores and Loss Outputs

  • Customers may observe changes in modeled loss values when moving from v9 to v10:

    • System Outage and Ransomware loss values are typically higher

    • Data Exfiltration loss may increase or decrease depending on:

      • Prior PCI percentage inputs

      • PII volume relative to settlement modeling ranges

  • All v10 models use range-based inputs, with an upper cap of 20M PII records for large-scale scenarios.

  • There are no backward compatibility issues, and SAFE automatically migrates existing assessments where applicable.