Linking risks & assets

Connect risks, assets, and incidents to a supplier, and read the supplier's manually-maintained risk profile.

The Risk & Assets tab is where a supplier connects to the rest of Tellus: the assets it touches, the risks it carries, and the incidents it has been involved in. It also holds the supplier's risk profile. Managing links requires the supplier:update permission.

  1. On the supplier's detail view, open the Risk & Assets tab. The Linked assets section has a Link asset button. (The empty state notes that assets can also be linked from the asset's own detail view.)
  2. Click Link asset to open a searchable asset picker listing your company assets (e.g. "HIJACK — application · Active · High").
  3. Select an asset. It links immediately and appears under Linked assets with its type, status, and criticality.

Risk & Assets tab with a linked asset

Asset links are bi-directional: the same relationship can be managed from the asset side. Removing the link is reversible and does not affect the asset itself.

Linking risks and incidents

Suppliers connect to risks through the unified risk-supplier link table, and to incidents through the incident-supplier link. The most common way a supplier-to-risk link is created is by promoting a finding to a risk during a review (see Contacts & findings) — the resulting risk is linked back to the supplier. Risks can also be linked to a supplier from the risk register itself.

The supplier risk profile

Each supplier has a single risk profile: an operational posture snapshot rather than an automatic score. It holds:

  • Inherent score, Residual score, and Review score — each 0–100, and all optional.
  • A criticality weight (defaults to 1.00).
  • Counters for open high-severity findings and linked incidents.
  • The last review, the next review date, and a calculated-at timestamp.
  • An optional manual override with a reason and the user who applied it.

None of the risk-profile scores are calculated automatically. They are entered manually, and in practice are usually left blank. Tellus does not compute a supplier trust score, grade, or rating anywhere in the product. If you have seen a "Trust Score" described elsewhere, that is an unbuilt design proposal, not a current feature.

A per-supplier risk event stream records audit events — review opened/closed/reopened, finding created/updated/promoted, incident linked/unlinked, questionnaire sent/answered, evidence promoted, and manual overrides. These are an audit trail; no scoring engine drives them automatically.

How supplier risk is read

Because there is no single score, gauge a supplier's risk from the signals together: its criticality and status in the header, the linked assets, risks, and incidents on this tab, the open findings count, and the history of reviews. See the register overview for how these signals fit together.
