How are risk scores calculated after multiple assessments completed?

Nabilah
Tera Contributor

When there are 2, 3, 4, or more Tiering Assessments or Vendor Risk Assessments – all with different scores – how does the system arrive at just one overall value at the Vendor (Company) level?


For example, Company X

Its Risk rating is “4 – Low”.

This is derived by the system as a result of two Vendor Risk Assessments, one with a Risk rating of “5 – Very Low” and the other with a Risk rating of “2 – High”. Under these circumstances, how is “4 – Low” arrived at?


Community Alums
Not applicable

Hi @Nabilah ,

The score calculation mechanism for each external risk assessment uses the platform assessment score calculation engine. The calculations are performed using a series of related equations that are dynamically recalculated. The following user-defined parameters affect the calculated assessment rating:
  • Questions (metrics)
  • Metric Scale Definition
  • Categories
  • Weights
  • Risk Rating Scale
  • Business Service Rating Scale

Also, check out the other calculations here: https://docs.servicenow.com/bundle/vancouver-governance-risk-compliance/page/product/grc-vendor-risk...
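To make the parameters in that list concrete, here is an added, self-contained model of a score roll-up. It is example code written for this thread, not the ServiceNow assessment engine and not taken from the linked documentation: the metric scale values, the category weights, the rating-scale thresholds and the two sample assessments are all constructed assumptions. It shows how a metric scale turns answers into numbers, how category weights and assessment weights combine them, and how a risk rating scale bands the result, so that two assessments rated "5 - Very Low" and "2 - High" can roll up to "4 - Low" under one choice of weights and to a different rating under another.

```python
"""Illustrative weighted risk-score roll-up.

Added example for this discussion; NOT the ServiceNow calculation engine.
Every scale, weight and threshold below is an assumption chosen for
illustration. The platform's real parameters live in its configuration.
"""
from dataclasses import dataclass

# Metric Scale Definition (assumed): answer choice -> numeric score.
# 5 is the most favourable answer, 1 the least favourable.
METRIC_SCALE = {"Very Low": 5, "Low": 4, "Moderate": 3, "High": 2, "Very High": 1}

# Category weights (assumed): how much each question category counts
# inside a single assessment.
CATEGORY_WEIGHTS = {"Security": 2.0, "Financial": 1.0, "Compliance": 1.0}

# Risk Rating Scale (assumed thresholds): lowest score that earns each
# label, checked from best to worst. Labels follow the scale used in the
# question (rating number - rating name).
RISK_RATING_SCALE = [
    (4.5, "5 - Very Low"),
    (3.5, "4 - Low"),
    (2.5, "3 - Moderate"),
    (1.5, "2 - High"),
    (0.0, "1 - Very High"),
]


@dataclass
class Metric:
    """One question (metric) on an assessment and the answer given."""
    question: str
    category: str
    answer: str


@dataclass
class Assessment:
    """One completed assessment; `weight` is its share in the vendor roll-up."""
    name: str
    metrics: list
    weight: float = 1.0


def assessment_score(assessment):
    """Category-weighted mean of the numeric metric scores (1.0 .. 5.0)."""
    total = 0.0
    weight_sum = 0.0
    for metric in assessment.metrics:
        weight = CATEGORY_WEIGHTS.get(metric.category, 1.0)
        total += weight * METRIC_SCALE[metric.answer]
        weight_sum += weight
    return total / weight_sum


def rating_for(score):
    """Map a numeric score onto the risk rating scale."""
    for threshold, label in RISK_RATING_SCALE:
        if score >= threshold:
            return label
    return RISK_RATING_SCALE[-1][1]


def vendor_score(assessments):
    """Assessment-weighted mean of the individual assessment scores."""
    total = sum(a.weight * assessment_score(a) for a in assessments)
    return total / sum(a.weight for a in assessments)


def vendor_rating(assessments):
    """Overall vendor-level rating derived from all completed assessments."""
    return rating_for(vendor_score(assessments))


# Constructed sample data: one assessment answered "Very Low" throughout,
# one answered "High" throughout.
ASSESSMENT_A = Assessment("VRA 2023 (assumed)", [
    Metric("Encryption at rest?", "Security", "Very Low"),
    Metric("Going-concern risk?", "Financial", "Very Low"),
    Metric("Audit findings open?", "Compliance", "Very Low"),
])
ASSESSMENT_B = Assessment("VRA 2024 (assumed)", [
    Metric("Encryption at rest?", "Security", "High"),
    Metric("Going-concern risk?", "Financial", "High"),
    Metric("Audit findings open?", "Compliance", "High"),
])

if __name__ == "__main__":
    for a in (ASSESSMENT_A, ASSESSMENT_B):
        print(f"{a.name}: {assessment_score(a):.2f} -> {rating_for(assessment_score(a))}")
    print("Equal weights:", vendor_rating([ASSESSMENT_A, ASSESSMENT_B]))
    # Give the newer, worse assessment twice the weight and the roll-up drops.
    ASSESSMENT_B.weight = 2.0
    print("Newer weighted x2:", vendor_rating([ASSESSMENT_A, ASSESSMENT_B]))
    ASSESSMENT_B.weight = 1.0
```

With equal assessment weights the two scores (5.0 and 2.0) average to 3.5, which under the assumed thresholds is "4 - Low"; doubling the weight of the "High" assessment moves the vendor score to 3.0 and the rating to "3 - Moderate". The point is not the specific numbers but that the overall rating depends entirely on which of the listed parameters (scale, category weights, assessment weights, rating thresholds) the instance has configured, which is why the documentation linked above is the authority for the real formula.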


Hi Sandeep,


Thanks for your response. So would the overall rating for a vendor be the average sum of all the tiering/risk assessments? And how would we modify and define our own?

Community Alums
Not applicable

Hi @Nabilah ,

There is no easy way / no OOTB way for the Analyst to directly override the Risk Score / Ratings.

That said - check out the new enhancement included in VR v20.x.

There is a feature that somewhat aligns here, and allows Remediation Teams to request a reduction in Risk, on their Vulnerable Items or Remediation Tasks:

I hope I have answered your original question and the follow-up question as well.