GRC Advanced Risk Assessment - Risk Assessment Methodology - Qualitative Rating Criteria

Lukasz Bojara
Kilo Sage

Hello GRC Experts,

I have a question about the Qualitative Rating Criteria for Inherent Assessment in the Risk Assessment Methodology. Specifically, I'm referring to the lower rating interval, the Rating (which is the display name for the rating), and the Overridden Score.

My concern is with the Overridden Score. The official ServiceNow GRC implementation training states that:

However, in practice, I find that the system only uses these values when I manually change the final score. If I don’t make any manual changes, it defaults to the score that is automatically calculated, rather than using the overridden score.

So, my question is: how does this work? The training indicates one thing, but my experience suggests something different.

HenkHeath
Tera Expert

Hi @Lukasz Bojara 

When setting up the RAM we usually set the overridden score to the highest of the bracket it falls in. The reason for this is aversion to risk (providing a worst-case view), and we still need a value for aggregation.

Lower Rating interval | Rating | Overridden score
0 | Low | 2
3 | Medium | 4
6 | High | 9

As an example: 

The result from my RAM (taking into account factors, group factors, weighting, etc.) is 3.8.

This placed the result in the Medium category based on the rating thresholds.

When the assessor does not agree with the rating provided by the RAM (risk rating of Medium, Score: 3.8) and I override it, the system cannot calculate a value and therefore should provide us with the worst-case scenario for that interval.

The overridden qualitative rating of Low will need a value, and therefore we provide the overridden value of 2, as this is the maximum we can achieve in the Low interval;

MAX(1x1 = 1, 2x1 = 2, 1x2 = 2)

You could very well have set the value to 2.99 so that you do not breach the threshold of 3, but you have to keep the user in mind as they are looking at your risk matrix, and intuitively a risk user / risk manager will be very aware of the matrix (trying to find 2.99 on the risk matrix does not make sense to the user).

You may need to consider other overridden values for more complex RAMs where the calculations aren't as simplistic as a 3x3 pure product.

HenkHeath
Tera Expert

Hi @Lukasz Bojara 

When setting up the RAM we usually provide the highest risk rating to the interval so that we provide the user with a risk averse view if and when a score is overridden.

With a 3x3 risk matrix and intervals set as per your screenshot:

Rating Lower Interval | Rating | Overridden Score
0 | Low | 2
3 | Medium | 6
6 | High | 9

When an assessor completes the section of the RAM (taking into account factors, group factors, weighting, etc.) and the score results in 3.8, then the qualitative rating will be Medium (Score: 3.8).

When the assessor does not agree with the rating and overrides it to Low, then the overridden score of 2 will apply. We basically want to provide the worst-case scenario in our risk matrix.

MAX(1x1 = 1, 1x2 = 2, 2x1 = 2)

The new score will reflect as: Low (Score: 2)
The computed score would still reflect: Medium (Score: 3.8)
Overridden computed score: True

We could very well have provided the overridden score as 2.99 (below the threshold of 3), but we have to keep the user/reader in mind when we present values. Risk users and risk managers are very familiar with the risk matrix assigned to their methodology, so using the values of 2, 6, 9 provides them with a quick view of where the risk sits on the matrix. Looking up a score of 2.99 does not make sense to the reader.
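As an added example (my own illustration, not ServiceNow's code and not HenkHeath's), the plain JavaScript below derives the overridden score of every interval with the MAX rule both replies apply to the Low interval, and then runs the 3.8 case with and without an assessor override. The 3x3 matrix and the interval bounds 0/3/6 come from the thread; the function names and the null handling for an interval that no matrix cell lands in are my own assumptions.

```javascript
// Added illustration, not ServiceNow code: derive the overridden score of each
// qualitative rating as the worst case (MAX product) of an N x N risk matrix.

// Rating criteria from the thread: lower interval bound and display name,
// sorted by ascending lower bound (ratingFor relies on that order).
const CRITERIA = [
  { lower: 0, rating: "Low" },
  { lower: 3, rating: "Medium" },
  { lower: 6, rating: "High" },
];

// Every likelihood x impact product the matrix can produce (3x3: 1,2,3,4,6,9).
function matrixProducts(size) {
  const products = [];
  for (let l = 1; l <= size; l++) {
    for (let i = 1; i <= size; i++) products.push(l * i);
  }
  return products;
}

// Interval lookup: the last criterion whose lower bound is <= the score.
function ratingFor(score, criteria) {
  let match = criteria[0];
  for (const c of criteria) if (score >= c.lower) match = c;
  return match;
}

// Worst case per interval: MAX of the matrix cells that land in it. A rating
// stays null when no cell lands in its interval (the value must then be chosen
// by hand, as the first reply notes for more complex RAMs).
function overriddenScores(size, criteria) {
  const out = {};
  for (const c of criteria) out[c.rating] = null;
  for (const p of matrixProducts(size)) {
    const r = ratingFor(p, criteria).rating;
    if (out[r] === null || p > out[r]) out[r] = p;
  }
  return out;
}

// Inherent assessment: the computed score keeps its rating unless the assessor
// overrides it, in which case the interval's worst-case value becomes the score.
function assess(computedScore, size, criteria, overrideRating) {
  const computedRating = ratingFor(computedScore, criteria).rating;
  const overridden = Boolean(overrideRating) && overrideRating !== computedRating;
  const score = overridden ? overriddenScores(size, criteria)[overrideRating] : computedScore;
  const rating = overridden ? overrideRating : computedRating;
  return { rating, score, computedRating, computedScore, overridden };
}
```

Applying the rule to all three intervals of the 3x3 matrix gives Low 2, Medium 4, High 9; only when the assessor picks a different rating than the computed one does the table value replace the computed score.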