Action Plans: Subsidiary Improvement
By Jessica

The Subsidiary Improvement page in the Security Posture Management application [Action Plans ➔ Subsidiary Improvement] is part of Enterprise Analytics. It presents a multi-step improvement plan that projects how much a parent company's rating could improve if all findings from the indicated risk vectors at a given subsidiary were remediated. Improving the subsidiaries' risk vector grades in turn raises the parent company's rating. Subsidiary Improvement can inform decisions about which issues to fix first and identify the most impactful subsidiaries.

Plans are re-run daily. Risk vectors in the plan are reprioritized or dropped from the analysis when their findings are remediated, decay, or reach the end of their lifetimes.

Plans use aggregate subsidiary data instead of specific findings. This means that the projected score increases are estimates, rather than exact improvements.

Plans do not account for finding lifetimes. In practice, the rating improves sooner from remediating risk vectors with shorter lifetimes than from those with longer lifetimes.

Subsidiary Improvement generates an ideal improvement plan, but there may be ties or equally ideal plans that are not shown. This can account for changes in the plan over time, when one version of the plan becomes marginally better than another.

The Security Incidents risk vector cannot be remediated. If the parent company is impacted by this risk vector, the projected security rating at the end of the plan may be less than 800.

Interpreting the Plan

Since the impact of a subsidiary's Patching Cadence findings on the parent cannot always be measured, the rating improvement from Patching Cadence fixes made across all subsidiaries is projected at the parent level rather than per subsidiary.

The plan is divided into steps. Each step represents a different risk vector at one of your subsidiaries. The size of each step shows how much remediating it affects the parent's overall security rating.
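The following Python is an added illustrative model of how a step plan of this shape can be assembled from aggregate per-subsidiary data; it is not Bitsight's code and not the algorithm behind the page. It assumes (as labelled in the comments) that projected gains are additive, that subsidiaries within one risk vector are grouped until a step reaches a minimum visible impact, that non-remediable Security Incidents contributions are excluded, and that 800 is the rating the plan projects toward. The subsidiary names and point values are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data, not real Bitsight output: projected parent-rating gain
# if all findings of one risk vector at one subsidiary were remediated.
SAMPLE = [
    ("Acme Logistics", "Open Ports", 42.0),
    ("Acme Retail", "Patching Cadence", 28.0),
    ("Acme Labs", "TLS/SSL Configurations", 6.0),
    ("Acme Labs", "Security Incidents", 15.0),
    ("Acme Retail", "TLS/SSL Configurations", 5.0),
    ("Acme Media", "TLS/SSL Configurations", 4.0),
    ("Acme Logistics", "Web Application Headers", 12.0),
]

MIN_STEP_POINTS = 10.0                  # assumption: minimum visible impact of one step
NON_REMEDIABLE = {"Security Incidents"}  # cannot be remediated, so never a plan step
PLAN_TARGET = 800.0                      # assumption: rating the plan projects toward


@dataclass
class Step:
    risk_vector: str
    subsidiaries: list
    gain: float
    start: float  # rating if every earlier step has been remediated (light gray band)
    end: float    # rating once this step is also remediated (blue / dark gray band)


def _group_by_vector(contributions, min_points):
    """Group contributions per risk vector, largest first, merging subsidiaries until
    each group reaches min_points. A remainder below the threshold is folded into the
    vector's last group, or kept as its own small group if there is none."""
    by_vector = {}
    for sub, vec, gain in contributions:
        by_vector.setdefault(vec, []).append((sub, gain))
    groups = []
    for vec, entries in by_vector.items():
        entries.sort(key=lambda e: e[1], reverse=True)
        vec_groups, subs, total = [], [], 0.0
        for sub, gain in entries:
            subs.append(sub)
            total += gain
            if total >= min_points:
                vec_groups.append([vec, subs, total])
                subs, total = [], 0.0
        if subs:
            if vec_groups:
                vec_groups[-1][1].extend(subs)
                vec_groups[-1][2] += total
            else:
                vec_groups.append([vec, subs, total])
        groups.extend(vec_groups)
    return groups


def build_plan(contributions, current_rating, target=PLAN_TARGET,
               min_points=MIN_STEP_POINTS):
    """Return (steps, projected_end_rating, shortfall_to_target, excluded_points).
    Steps are ordered by projected impact, largest first, with cumulative bands.
    Gains are treated as additive, which is a simplification of the real rating."""
    remediable = [c for c in contributions if c[1] not in NON_REMEDIABLE]
    excluded = sum(c[2] for c in contributions if c[1] in NON_REMEDIABLE)
    groups = _group_by_vector(remediable, min_points)
    groups.sort(key=lambda g: g[2], reverse=True)
    steps, rating = [], float(current_rating)
    for vec, subs, gain in groups:
        steps.append(Step(vec, subs, gain, rating, rating + gain))
        rating += gain
    return steps, rating, max(0.0, target - rating), excluded


if __name__ == "__main__":
    steps, end, shortfall, excluded = build_plan(SAMPLE, 650)
    for i, s in enumerate(steps, 1):
        print(f"Step {i}: {s.risk_vector} at {', '.join(s.subsidiaries)}: "
              f"{s.start:.0f} -> {s.end:.0f} (+{s.gain:.0f})")
    print(f"Projected end rating {end:.0f}; {shortfall:.0f} below target; "
          f"{excluded:.0f} points in non-remediable vectors")
```

Running it on the sample shows the three small TLS/SSL contributions merged into one step so it clears the ten-point threshold, the Security Incidents points reported separately instead of planned, and the projected end rating falling short of 800 by the amount those excluded points and the remaining gap represent.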
The plan shows the most important fixes first, so fixing the issues listed earlier has a bigger impact than fixing those listed later. The light gray band indicates what the parent company's rating could be if the findings from all previous steps are remediated. The blue and dark gray bands indicate the impact on the parent rating if the findings are resolved during a step.

Sometimes a step includes multiple subsidiaries. Their findings are grouped together so that the step has a visible impact (at least 10 points) on the parent rating.

The Lock icon indicates that you are not currently subscribed to a subsidiary. Use a My Subsidiary subscription on the company to include it in your plan.

Prioritizing Risk Vectors

To prioritize findings within a risk vector, use Risk Remediation or follow a general remediation strategy.

Completing a Step

To complete a step, you must remediate all findings associated with the indicated risk vector at the subsidiary. Completing steps out of order may not yield the same impact on the parent, because some steps rely on the preceding step to achieve the level of impact shown in the plan.

Use the Export (.csv) link to download the plan data as a CSV to share with SPM Subsidiaries for collaboration.

Revision history
March 19, 2026: Security Posture Management rebrand.
November 11, 2024: How Patching Cadence is interpreted in the plan.
October 23, 2024: Linked to lifetime definition.
April 11, 2024: Broken out from the Enterprise Analytics article.

Related articles
Action Plans: Risk Remediation
Enterprise Analytics
My Subsidiary Subscriptions
Organization: Subsidiaries
Marsh McLennan Study: Correlation Between Bitsight Analytics and Cybersecurity Incidents