How are risk scores calculated after multiple assessments completed?

Nabilah · ‎01-25-2024

When there are 2, 3, 4, or more Tiering Assessments or Vendor Risk Assessments – all with different scores – how does the system arrive at just one overall value at the Vendor (Company) level?

For example, Company X

It’s Risk rating is “4 – Low”.

This is derived by the system as a result of two Vendor Risk Assessments, one with a Risk rating of “5 – Very Low” and the other with a Risk rating of “2 – High”. Under these circumstances, how is “4 – Low” arrived at?

Community Alums · ‎01-25-2024

Hi @Nabilah ,

The score calculation mechanism for each external risk assessment uses the platform assessment score calculation engine. The calculations are performed using a series of related equations that are dynamically recalculated. The following user-defined parameters affect the calculated assessment rating:

Questions (metrics)
Metric Scale Definition
Categories
Weights
Risk Rating Scale
Business Service Rating Scale

Also, Checkout the other calculations as well : https://docs.servicenow.com/bundle/vancouver-governance-risk-compliance/page/product/grc-vendor-risk...

Nabilah · ‎01-25-2024

Hi Sandeep,

Thanks for your response. So would the overall rating for a vendor be the average sum of all the tiering/ risk assessments? and how would we modify and define our own?

Community Alums · ‎01-29-2024

Hi @Nabilah ,

There is no easy way / no OOTB way for the Analyst to directly override the Risk Score / Ratings.

That said - check out the new enhancement included in VR v20.x.

There is a feature that somewhat aligns here, and allows Remediation Teams to request a reduction in Risk, on their Vulnerable Items or Remediation Tasks:

https://docs.servicenow.com/bundle/vancouver-security-management/page/product/vr-vulnerability-manag...

I hope i have answered your Original question and the follow-up question as well.