How are risk scores calculated after multiple assessments completed?
01-25-2024 12:50 AM
When there are 2, 3, 4, or more Tiering Assessments or Vendor Risk Assessments – all with different scores – how does the system arrive at just one overall value at the Vendor (Company) level?
For example, Company X
Its Risk rating is “4 – Low”.
This is derived by the system as a result of two Vendor Risk Assessments, one with a Risk rating of “5 – Very Low” and the other with a Risk rating of “2 – High”. Under these circumstances, how is “4 – Low” arrived at?
01-25-2024 03:23 AM
Hi @Nabilah ,
- Questions (metrics)
- Metric Scale Definition
- Categories
- Weights
- Risk Rating Scale
- Business Service Rating Scale
Also, check out the other calculations as well: https://docs.servicenow.com/bundle/vancouver-governance-risk-compliance/page/product/grc-vendor-risk...
01-25-2024 03:43 AM
Hi Sandeep,
Thanks for your response. So would the overall rating for a vendor be the average sum of all the tiering/risk assessments? And how would we modify and define our own?
01-29-2024 08:08 PM
Hi @Nabilah ,
There is no easy way / no OOTB way for the Analyst to directly override the Risk Score / Ratings.
That said - check out the new enhancement included in VR v20.x.
There is a feature that somewhat aligns here, and allows Remediation Teams to request a reduction in Risk, on their Vulnerable Items or Remediation Tasks:
I hope I have answered your original question and the follow-up question as well.