---
title: "Risk Quantification Updates v10"
slug: "risk-quantification-updates-v10"
updated: 2025-12-22T12:41:36Z
published: 2025-12-22T12:41:36Z
---

# Risk Quantification Updates v10

## Overview

SAFE Scoring v10 introduces a simplified, market-aligned FAIR-MAM scoring model for Third-Party Risk Management. This release reduces assessment friction, improves credibility of loss estimates, and aligns SAFE with how the broader TPRM market expects third-party risk to be quantified.

The SAFE Scoring v10 model focuses on first-party exposure resulting from third-party failures, rather than attempting to model the vendor’s internal security posture.

## Why?

We updated the SAFE TPRM scoring model to:

- Reduce onboarding friction
- Increase analyst efficiency
- Improve explainability to business stakeholders
- Align with market expectations for faster and lighter TPRM assessments

## What’s New in SAFE Scoring v10

**New “Analyze Loss Magnitude” Experience**

SAFE Scoring v10 introduces a dedicated Analyze Loss Magnitude page that serves as the single place to configure loss inputs.

Loss is now modeled across two core business resources:

- First-party revenue (dependent on the vendor)
- Sensitive PII (including PHI and PCI) processed by the vendor

These resources map to three out-of-the-box (OOTB) TPRM risk scenarios:

- System Outage
- Ransomware (No Data Exfiltration)
- Data Exfiltration

This structure ensures consistent, repeatable loss modeling across all third parties.

**Removal of the Financial Impact Questionnaire (FIQ)**

The legacy Financial Impact Questionnaire (FIQ) has been fully removed in v10 to reduce complexity and improve adoption.

**How FIQ Inputs Are Handled in v10**

Existing FIQ data is automatically mapped into the new v10 model, including:

- Revenue loss per day > Revenue dependency range
- Number of data subjects > PII owner ranges
- Regulatory applicability > Inferred from headquarters location and industry sector

**FIQ Questions That Are Deprecated**

The following inputs are no longer required or modeled:

- PCI % and PHI % breakdowns
- Biometrics, IP, and trade secrets
- Contractual coverage details

The previous 11-question FIQ is now replaced by two structured questions with parent/child inputs, dramatically simplifying assessments.

## How Loss Is Modeled in SAFE Scoring v10

**Core Loss Inputs (Only 2 Questions)**

1. **Sensitive PII Owners**: This input captures privacy-related exposure using ranges instead of exact values:
   1. Number of PII owners (range-based)
   2. Tokenization in place (Yes/No)
   3. Geographic distribution of data subjects
   4. Incident Response (IR) maturity
2. **Revenue Dependency**: This input captures business interruption exposure:
   1. Revenue at risk (range or custom value)
   2. Percentage of revenue protected by redundancy

**First-Party Resiliency (Loss-Only Controls)**

SAFE Scoring v10 models only those controls that directly reduce first-party exposure:

1. Tokenization – reduces PII at risk
2. Incident Response maturity – improves accuracy of breach response and legal cost modeling
3. Redundancy – reduces revenue at risk during outages

All other impact controls have been removed.

## Expected Impact on Scores and Loss Outputs

- Customers may observe changes in modeled loss values when moving from v9 to v10:
  - System Outage and Ransomware loss values are typically higher
  - Data Exfiltration loss may increase or decrease depending on:
    - Prior PCI percentage inputs
    - PII volume relative to settlement modeling ranges
- All v10 models use range-based inputs, with an upper cap of 20M PII records for large-scale scenarios.
- There are no backward compatibility issues, and SAFE automatically migrates existing assessments where applicable.
