# Task 7: Third-Party Risk Acceptance Decision

1. Domain Title & Project Overview

---

* Domain : Legal and Compliance
* Project Overview : This project focuses on evaluating third-party risks and assisting organizations in making informed risk acceptance decisions using AI-driven analysis and structured prompts.

2. Problem Statement & Domain Challenges

---

Organizations rely heavily on third-party vendors, which introduces risks related to security, compliance, and operations. Manual risk acceptance decisions are inconsistent, time-consuming, and subjective.

3. AI Models / Prompting Techniques Used

---

  *   Large Language Models (LLMs)
  *   Structured Prompt Engineering
  *   Risk Scoring & Reasoning Prompts

4. Features & Capabilities Implemented

---

  *   Automated Risk Summarization
  *   Context-aware Acceptance Recommendations
  *   Risk Justification Generation
  *   Decision Confidence Explanation

5. Data Flow Architecture

---

  *   Input : Vendor risk details
  *   Processing : AI prompt evaluation
  *   Output : Risk acceptance decision + rationale

6. Use Case Sections

---

Use Case 1:
  *   Description : Analyze third-party risk factors and recommend whether the risk should be accepted, mitigated, or rejected.
  *   Prompt Template : You are a risk analyst. Evaluate the following third-party risk details and recommend whether the risk should be accepted, mitigated, or rejected with justification.



```python
import os
import openai

# Read the API key from the environment (set OPENAI_API_KEY before running)
# instead of pasting it into the notebook, so it is not shared with the file.
client = openai.OpenAI(
    api_key=os.environ["OPENAI_API_KEY"],
    base_url="https://apidev.navigatelabsai.com/"
)


def run_llm(prompt):
    """
    Sends a prompt to the LLM and returns the response text.
    """
    response = client.chat.completions.create(
        model="gpt-4.1-nano",
        messages=[
            {"role": "system", "content": "You are an expert in Governance, Risk, and Compliance."},
            {"role": "user", "content": prompt}
        ],
        temperature=0.3  # low temperature keeps the recommendation reproducible
    )

    return response.choices[0].message.content


# Prompt for Use Case 1
prompt_uc1 = """
You are a third-party risk analyst.
Vendor has moderate security gaps, ISO 27001 certified,
handles customer PII, and is business critical.
Determine whether the risk should be accepted, mitigated, or rejected with reasoning.
"""

# Generate the recommendation for the given prompt
output = run_llm(prompt_uc1)
print(output)
```


Sample Input & Output

 * Input:
A third-party SaaS vendor that is ISO 27001 certified, has moderate security gaps identified in the latest assessment, handles customer PII, and provides a business-critical service.

 * Output:
A textual recommendation labelled with one of the terms accept/mitigate/reject. Here it generates a recommendation labelled mitigate, explaining that the vendor's business criticality and handling of PII increase impact, while the moderate gaps require a remediation plan and enhanced controls before the residual risk can be considered acceptable.
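The data flow in section 5 and Use Case 1 both end with a free-text decision from the model. The added example below (not part of the original notebook; the policy rules, the `Decision:` line convention and the sample vendor are assumptions) shows how to make that output machine-checkable: the prompt pins the verdict to one parseable line, and a deterministic policy floor is used so the LLM may be stricter than policy but never more permissive without a human review flag.

```python
import re
from dataclasses import dataclass

DECISIONS = ("accept", "mitigate", "reject")  # ordered from most to least permissive

@dataclass
class VendorRisk:
    security_gaps: str          # "none", "moderate" or "significant" (assumed scale)
    iso27001_certified: bool
    handles_pii: bool
    business_critical: bool

def build_prompt(v: VendorRisk) -> str:
    """UC1-style prompt that pins the verdict to a parseable 'Decision:' line."""
    return (
        "You are a third-party risk analyst.\n"
        f"Vendor has {v.security_gaps} security gaps, "
        f"{'is' if v.iso27001_certified else 'is not'} ISO 27001 certified, "
        f"{'handles' if v.handles_pii else 'does not handle'} customer PII, "
        f"and {'is' if v.business_critical else 'is not'} business critical.\n"
        "Reply with a first line 'Decision: accept|mitigate|reject', then reasoning."
    )

def policy_baseline(v: VendorRisk) -> str:
    """Deterministic policy floor (hypothetical rules) the LLM verdict is checked against."""
    if v.security_gaps == "significant" and (v.handles_pii or v.business_critical):
        return "reject"
    if v.security_gaps != "none" or (v.handles_pii and not v.iso27001_certified):
        return "mitigate"  # open gaps or uncertified PII handling need a remediation plan
    return "accept"

def parse_llm_decision(text: str) -> "str | None":
    """Return the label on the 'Decision:' line, or None when it is missing."""
    m = re.search(r"^\s*Decision\s*:\s*(accept|mitigate|reject)\b", text, re.I | re.M)
    return m.group(1).lower() if m else None

def reconcile(v: VendorRisk, llm_text: str) -> dict:
    """Final verdict: the LLM may be stricter than policy, never more permissive."""
    floor, llm = policy_baseline(v), parse_llm_decision(llm_text)
    if llm is None:
        return {"decision": floor, "needs_review": True, "reason": "no Decision line"}
    if DECISIONS.index(llm) < DECISIONS.index(floor):
        return {"decision": floor, "needs_review": True, "reason": f"LLM {llm} below floor {floor}"}
    return {"decision": llm, "needs_review": False, "reason": "consistent with policy"}

# Constructed UC1 vendor and a constructed LLM reply (no API call is made here).
UC1_VENDOR = VendorRisk("moderate", True, True, True)
SAMPLE_LLM_OUTPUT = ("Decision: mitigate\nRationale: PII handling and business criticality "
                     "raise impact; moderate gaps need a remediation plan before acceptance.")
```

In the notebook, `build_prompt(vendor)` would be passed to `run_llm` and its return value to `reconcile`; anything flagged `needs_review` goes to a human analyst rather than straight into the decision record.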



Use Case 2:
  *   Description : Identify conditions under which a vendor risk can be accepted with compensating controls.
  *   Prompt Template : Analyze the following third-party risk details and recommend conditional acceptance measures, including required mitigation controls and timelines.


```python
import os
from openai import OpenAI
from IPython.display import Audio, display

# Read the API key from the environment (set OPENAI_API_KEY before running)
client = OpenAI(
    api_key=os.environ["OPENAI_API_KEY"],
    base_url="https://apidev.navigatelabsai.com"
)


def play_tts(text):
    """
    Converts the given text into speech and plays it in Colab.
    """
    audio_bytes = b""
    # Stream the synthesized audio and collect it into one byte string
    with client.audio.speech.with_streaming_response.create(
        model="gpt-4o-mini-tts",
        voice="alloy",
        input=text
    ) as response:
        for chunk in response.iter_bytes():
            audio_bytes += chunk

    display(Audio(audio_bytes, autoplay=True))


# Risk acceptance conditions to be narrated
text_uc2 = """
Risk acceptance is subject to implementation of multi-factor authentication
and timely patch management.

The vendor must comply with remediation timelines
to reduce residual risk exposure.
"""

play_tts(text_uc2)
```


Based on the provided third-party risk details—specifically the absence of Multi-Factor Authentication (MFA) and delayed patch management—I recommend implementing conditional acceptance measures that mitigate these vulnerabilities while allowing continued engagement with the vendor under strict oversight. Below are detailed mitigation controls, recommended actions, and suggested timelines:

**1. Immediate Risk Mitigation Measures**

- **Enhanced Monitoring and Logging**
  - **Action:** Implement continuous monitoring of the vendor’s access and activity logs.
  - **Purpose:** Detect suspicious or unauthorized activities promptly.
  - **Timeline:** Within 30 days.

- **Restricted Access Controls**
  - **Action:** Limit the vendor’s access privileges to only essential systems and data.
  - **Purpose:** Reduce the attack surface until MFA is implemented.
  - **Timeline:** Immediate, with review every 30 days.

- **Compensating Authentication Measures**
  - **Action:** Require the vendor to

Sample Input & Output

* Input:
A short risk decision note stating that risk acceptance depends on deploying multi-factor authentication and timely patch management, and that the vendor must meet defined remediation timelines to reduce residual risk exposure.

* Output:
An audio clip generated by the text-to-speech function that clearly narrates the provided risk acceptance conditions, including the requirements for multi-factor authentication, patch management, and adherence to remediation timelines.

Use Case 3:
  *   Description : Generate a concise risk acceptance summary suitable for executive or board review.
  *   Prompt Template : Summarize the third-party risk assessment in an executive-friendly format, highlighting key risks, justification for acceptance, and residual risk.


```python
import os
import openai
import base64
from PIL import Image
import io
from IPython.display import display

# Read the API key from the environment (set OPENAI_API_KEY before running)
client = openai.OpenAI(
    api_key=os.environ["OPENAI_API_KEY"],
    base_url="https://apidev.navigatelabsai.com"
)


# Generate an executive dashboard image for the risk acceptance summary
response = client.images.generate(
    model="gpt-image-1-mini",
    prompt="""
A professional executive dashboard showing third-party risk acceptance.
Includes charts labeled Security Risk, Compliance Status, Residual Risk,
and a highlighted section titled 'Executive Risk Justification'.
Corporate legal and compliance theme, clean UI, realistic infographic style.
""",
    size="1024x1024"
)

# The image is returned base64-encoded; decode it and render it inline
image_base64 = response.data[0].b64_json
image_bytes = base64.b64decode(image_base64)
image = Image.open(io.BytesIO(image_bytes))
display(image)
```


Sample Input & Output

* Input:
A detailed natural-language prompt describing a professional executive dashboard for third-party risk acceptance, requesting an image with charts for Security Risk, Compliance Status, Residual Risk, and a highlighted "Executive Risk Justification" section in a clean, corporate compliance style.

* Output:
A 1024x1024 infographic-style image that visually resembles an executive risk dashboard, featuring clearly labeled charts for security and compliance metrics and a prominent "Executive Risk Justification" panel suitable for presentation to senior stakeholders.

7. Summary

---

This notebook can be reused for different vendors by updating the input risk parameters.

---