
How are risk scores calculated after multiple assessments completed?

Nabilah
Tera Contributor

When there are 2, 3, 4, or more Tiering Assessments or Vendor Risk Assessments – all with different scores – how does the system arrive at just one overall value at the Vendor (Company) level?

 

For example, Company X

Its Risk rating is “4 – Low”.

This is derived by the system as a result of two Vendor Risk Assessments, one with a Risk rating of “5 – Very Low” and the other with a Risk rating of “2 – High”.  Under these circumstances, how is “4 – Low” arrived at?

3 REPLIES

Community Alums
Not applicable

Hi @Nabilah ,

The score calculation mechanism for each external risk assessment uses the platform assessment score calculation engine. The calculations are performed using a series of related equations that are dynamically recalculated. The following user-defined parameters affect the calculated assessment rating:
  • Questions (metrics)
  • Metric Scale Definition
  • Categories
  • Weights
  • Risk Rating Scale
  • Business Service Rating Scale

Also, check out the other calculations as well: https://docs.servicenow.com/bundle/vancouver-governance-risk-compliance/page/product/grc-vendor-risk...

Hi Sandeep,

Thanks for your response. So would the overall rating for a vendor be the average sum of all the tiering/risk assessments? And how would we modify and define our own?

Community Alums
Not applicable

Hi @Nabilah ,

There is no easy way / no OOTB way for the Analyst to directly override the Risk Score / Ratings.

That said - check out the new enhancement included in VR v20.x.

There is a feature that somewhat aligns here, and allows Remediation Teams to request a reduction in Risk, on their Vulnerable Items or Remediation Tasks:

I hope I have answered your original question and the follow-up question as well.